Fix T1551 to T1070 (#1161)

* Fix T1551 to T1070

Found that we had T1070 labeled incorrectly as T1551. MITRE pushed a fix for this per https://attack.mitre.org/resources/updates/updates-july-2020/

```
Indicator Removal on Host Was incorrectly re-IDd to T1551, restored to T1070 and its sub-techniques were changed to T1070.001, T1070.002, T1070.003, T1070.004, T1070.005, and T1070.006
```

* Generate MD fix

Attempting to get the MD to generate

* Update enterprise-attack.json

* Generate docs from job=validate_atomics_generate_docs branch=T1070-indicator-removal-fix

Co-authored-by: CircleCI Atomic Red Team doc generator <email>

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json

@@ -1 +1 @@
-{"version":"3.0","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1551.002","score":100,"enabled":true},{"techniqueID":"T1551.003","score":100,"enabled":true},{"techniqueID":"T1551.004","score":100,"enabled":true},{"techniqueID":"T1551.006","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true}]}
+{"version":"3.0","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true}]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json

@@ -1 +1 @@
-{"version":"3.0","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1551.002","score":100,"enabled":true},{"techniqueID":"T1551.003","score":100,"enabled":true},{"techniqueID":"T1551.004","score":100,"enabled":true},{"techniqueID":"T1551.006","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true}]}
+{"version":"3.0","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true}]}

atomics/Indexes/Indexes-CSV/index.csv

@@ -213,18 +213,18 @@ defense-evasion,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Tru
 defense-evasion,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
 defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
 defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
-defense-evasion,T1551.003,Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
-defense-evasion,T1551.003,Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
-defense-evasion,T1551.003,Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
-defense-evasion,T1551.003,Clear Command History,4,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
-defense-evasion,T1551.003,Clear Command History,5,Clear Bash history (truncate),47966a1d-df4f-4078-af65-db6d9aa20739,sh
-defense-evasion,T1551.003,Clear Command History,6,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
-defense-evasion,T1551.003,Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
-defense-evasion,T1551.002,Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
-defense-evasion,T1551.002,Clear Linux or Mac System Logs,2,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
-defense-evasion,T1551.002,Clear Linux or Mac System Logs,3,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
-defense-evasion,T1551.001,Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt
-defense-evasion,T1551.001,Clear Windows Event Logs,2,Delete System Logs Using Clear-EventLogId,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell
+defense-evasion,T1070.003,Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
+defense-evasion,T1070.003,Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
+defense-evasion,T1070.003,Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
+defense-evasion,T1070.003,Clear Command History,4,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
+defense-evasion,T1070.003,Clear Command History,5,Clear Bash history (truncate),47966a1d-df4f-4078-af65-db6d9aa20739,sh
+defense-evasion,T1070.003,Clear Command History,6,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
+defense-evasion,T1070.003,Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
+defense-evasion,T1070.002,Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
+defense-evasion,T1070.002,Clear Linux or Mac System Logs,2,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
+defense-evasion,T1070.002,Clear Linux or Mac System Logs,3,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
+defense-evasion,T1070.001,Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt
+defense-evasion,T1070.001,Clear Windows Event Logs,2,Delete System Logs Using Clear-EventLogId,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell
 defense-evasion,T1027.004,Compile After Delivery,1,Compile After Delivery using csc.exe,ffcdbd6a-b0e8-487d-927a-09127fe9a206,command_prompt
 defense-evasion,T1027.004,Compile After Delivery,2,Dynamic C# Compile,453614d8-3ba6-4147-acc0-7ec4b3e1faef,powershell
 defense-evasion,T1218.001,Compiled HTML File,1,Compiled HTML Help Local Payload,5cb87818-0d7c-4469-b7ef-9224107aebe8,command_prompt
@@ -262,16 +262,16 @@ defense-evasion,T1562.001,Disable or Modify Tools,20,Uninstall Crowdstrike Falco
 defense-evasion,T1562.001,Disable or Modify Tools,21,Tamper with Windows Defender Evade Scanning -Folder,0b19f4ee-de90-4059-88cb-63c800c683ed,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,22,Tamper with Windows Defender Evade Scanning -Extension,315f4be6-2240-4552-b3e1-d1047f5eecea,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,23,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell
-defense-evasion,T1551.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
-defense-evasion,T1551.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
-defense-evasion,T1551.004,File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh
-defense-evasion,T1551.004,File Deletion,4,Delete a single file - Windows cmd,861ea0b4-708a-4d17-848d-186c9c7f17e3,command_prompt
-defense-evasion,T1551.004,File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt
-defense-evasion,T1551.004,File Deletion,6,Delete a single file - Windows PowerShell,9dee89bd-9a98-4c4f-9e2d-4256690b0e72,powershell
-defense-evasion,T1551.004,File Deletion,7,Delete an entire folder - Windows PowerShell,edd779e4-a509-4cba-8dfa-a112543dbfb1,powershell
-defense-evasion,T1551.004,File Deletion,8,Delete Filesystem - Linux,f3aa95fe-4f10-4485-ad26-abf22a764c52,bash
-defense-evasion,T1551.004,File Deletion,9,Delete-PrefetchFile,36f96049-0ad7-4a5f-8418-460acaeb92fb,powershell
-defense-evasion,T1551.004,File Deletion,10,Delete TeamViewer Log Files,69f50a5f-967c-4327-a5bb-e1a9a9983785,powershell
+defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
+defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
+defense-evasion,T1070.004,File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh
+defense-evasion,T1070.004,File Deletion,4,Delete a single file - Windows cmd,861ea0b4-708a-4d17-848d-186c9c7f17e3,command_prompt
+defense-evasion,T1070.004,File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt
+defense-evasion,T1070.004,File Deletion,6,Delete a single file - Windows PowerShell,9dee89bd-9a98-4c4f-9e2d-4256690b0e72,powershell
+defense-evasion,T1070.004,File Deletion,7,Delete an entire folder - Windows PowerShell,edd779e4-a509-4cba-8dfa-a112543dbfb1,powershell
+defense-evasion,T1070.004,File Deletion,8,Delete Filesystem - Linux,f3aa95fe-4f10-4485-ad26-abf22a764c52,bash
+defense-evasion,T1070.004,File Deletion,9,Delete-PrefetchFile,36f96049-0ad7-4a5f-8418-460acaeb92fb,powershell
+defense-evasion,T1070.004,File Deletion,10,Delete TeamViewer Log Files,69f50a5f-967c-4327-a5bb-e1a9a9983785,powershell
 defense-evasion,T1553.001,Gatekeeper Bypass,1,Gatekeeper Bypass,fb3d46c6-9480-4803-8d7d-ce676e1f1a9b,sh
 defense-evasion,T1562.003,HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
 defense-evasion,T1562.003,HISTCONTROL,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
@@ -284,7 +284,7 @@ defense-evasion,T1564.001,Hidden Files and Directories,6,Hide a Directory,b115ec
 defense-evasion,T1564.001,Hidden Files and Directories,7,Show all hidden files,9a1ec7da-b892-449f-ad68-67066d04380c,sh
 defense-evasion,T1564.002,Hidden Users,1,Hidden Users,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh
 defense-evasion,T1564.003,Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
-defense-evasion,T1551,Indicator Removal on Host,1,Indicator Removal using FSUtil,b4115c7a-0e92-47f0-a61e-17e7218b2435,command_prompt
+defense-evasion,T1070,Indicator Removal on Host,1,Indicator Removal using FSUtil,b4115c7a-0e92-47f0-a61e-17e7218b2435,command_prompt
 defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt
 defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe,8b34a448-40d9-4fc3-a8c8-4bb286faf7dc,command_prompt
 defense-evasion,T1553.004,Install Root Certificate,1,Install root CA on CentOS/RHEL,9c096ec4-fd42-419d-a762-d64cc950627e,sh
@@ -326,9 +326,9 @@ defense-evasion,T1564.004,NTFS File Attributes,1,Alternate Data Streams (ADS),88
 defense-evasion,T1564.004,NTFS File Attributes,2,Store file in Alternate Data Stream (ADS),2ab75061-f5d5-4c1a-b666-ba2a50df5b02,powershell
 defense-evasion,T1564.004,NTFS File Attributes,3,Create ADS command prompt,17e7637a-ddaf-4a82-8622-377e20de8fdb,command_prompt
 defense-evasion,T1564.004,NTFS File Attributes,4,Create ADS PowerShell,0045ea16-ed3c-4d4c-a9ee-15e44d1560d1,powershell
-defense-evasion,T1551.005,Network Share Connection Removal,1,Add Network Share,14c38f32-6509-46d8-ab43-d53e32d2b131,command_prompt
-defense-evasion,T1551.005,Network Share Connection Removal,2,Remove Network Share,09210ad5-1ef2-4077-9ad3-7351e13e9222,command_prompt
-defense-evasion,T1551.005,Network Share Connection Removal,3,Remove Network Share PowerShell,0512d214-9512-4d22-bde7-f37e058259b3,powershell
+defense-evasion,T1070.005,Network Share Connection Removal,1,Add Network Share,14c38f32-6509-46d8-ab43-d53e32d2b131,command_prompt
+defense-evasion,T1070.005,Network Share Connection Removal,2,Remove Network Share,09210ad5-1ef2-4077-9ad3-7351e13e9222,command_prompt
+defense-evasion,T1070.005,Network Share Connection Removal,3,Remove Network Share PowerShell,0512d214-9512-4d22-bde7-f37e058259b3,powershell
 defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
 defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
 defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded PowerShell from Windows Registry,450e7218-7915-4be4-8b9b-464a49eafcec,powershell
@@ -387,14 +387,14 @@ defense-evasion,T1036.006,Space after Filename,1,Space After Filename,89a7dd26-e
 defense-evasion,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
 defense-evasion,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
 defense-evasion,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
-defense-evasion,T1551.006,Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
-defense-evasion,T1551.006,Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
-defense-evasion,T1551.006,Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
-defense-evasion,T1551.006,Timestomp,4,Modify file timestamps using reference file,631ea661-d661-44b0-abdb-7a7f3fc08e50,sh
-defense-evasion,T1551.006,Timestomp,5,Windows - Modify file creation timestamp with PowerShell,b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c,powershell
-defense-evasion,T1551.006,Timestomp,6,Windows - Modify file last modified timestamp with PowerShell,f8f6634d-93e1-4238-8510-f8a90a20dcf2,powershell
-defense-evasion,T1551.006,Timestomp,7,Windows - Modify file last access timestamp with PowerShell,da627f63-b9bd-4431-b6f8-c5b44d061a62,powershell
-defense-evasion,T1551.006,Timestomp,8,Windows - Timestomp a File,d7512c33-3a75-4806-9893-69abc3ccdd43,powershell
+defense-evasion,T1070.006,Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
+defense-evasion,T1070.006,Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
+defense-evasion,T1070.006,Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
+defense-evasion,T1070.006,Timestomp,4,Modify file timestamps using reference file,631ea661-d661-44b0-abdb-7a7f3fc08e50,sh
+defense-evasion,T1070.006,Timestomp,5,Windows - Modify file creation timestamp with PowerShell,b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c,powershell
+defense-evasion,T1070.006,Timestomp,6,Windows - Modify file last modified timestamp with PowerShell,f8f6634d-93e1-4238-8510-f8a90a20dcf2,powershell
+defense-evasion,T1070.006,Timestomp,7,Windows - Modify file last access timestamp with PowerShell,da627f63-b9bd-4431-b6f8-c5b44d061a62,powershell
+defense-evasion,T1070.006,Timestomp,8,Windows - Timestomp a File,d7512c33-3a75-4806-9893-69abc3ccdd43,powershell
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,1,Take ownership using takeown utility,98d34bb4-6e75-42ad-9c41-1dae7dc6a001,command_prompt
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively,a8206bcc-f282-40a9-a389-05d9c0263485,command_prompt
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt
@@ -528,8 +528,6 @@ discovery,T1124,System Time Discovery,1,System Time Discovery,20aba24b-e61f-4b26
 discovery,T1124,System Time Discovery,2,System Time Discovery - PowerShell,1d5711d6-655c-4a47-ae9c-6503c74fa877,powershell
 execution,T1059.002,AppleScript,1,AppleScript,3600d97d-81b9-4171-ab96-e4386506e2c2,sh
 execution,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
-execution,T1059.004,Bash,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
-execution,T1059.004,Bash,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
 execution,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
 execution,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
 execution,T1559.002,Dynamic Data Exchange,1,Execute Commands,f592ba2a-e9e8-4d62-a459-ef63abd819fd,manual
@@ -562,6 +560,8 @@ execution,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0
 execution,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell
 execution,T1569.002,Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt
 execution,T1569.002,Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,powershell
+execution,T1059.004,Unix Shell,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
+execution,T1059.004,Unix Shell,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
 execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
 execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt
 execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt

atomics/Indexes/Indexes-CSV/linux-index.csv

@@ -35,25 +35,25 @@ credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-90
 credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
 credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
 defense-evasion,T1027.001,Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
-defense-evasion,T1551.003,Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
-defense-evasion,T1551.003,Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
-defense-evasion,T1551.003,Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
-defense-evasion,T1551.003,Clear Command History,4,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
-defense-evasion,T1551.003,Clear Command History,5,Clear Bash history (truncate),47966a1d-df4f-4078-af65-db6d9aa20739,sh
-defense-evasion,T1551.003,Clear Command History,6,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
-defense-evasion,T1551.003,Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
-defense-evasion,T1551.002,Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
-defense-evasion,T1551.002,Clear Linux or Mac System Logs,2,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
-defense-evasion,T1551.002,Clear Linux or Mac System Logs,3,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
+defense-evasion,T1070.003,Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
+defense-evasion,T1070.003,Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
+defense-evasion,T1070.003,Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
+defense-evasion,T1070.003,Clear Command History,4,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
+defense-evasion,T1070.003,Clear Command History,5,Clear Bash history (truncate),47966a1d-df4f-4078-af65-db6d9aa20739,sh
+defense-evasion,T1070.003,Clear Command History,6,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
+defense-evasion,T1070.003,Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
+defense-evasion,T1070.002,Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
+defense-evasion,T1070.002,Clear Linux or Mac System Logs,2,Overwrite Linux Mail Spool,1602ff76-ed7f-4c94-b550-2f727b4782d4,bash
+defense-evasion,T1070.002,Clear Linux or Mac System Logs,3,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash
 defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable iptables firewall,80f5e701-f7a4-4d06-b140-26c8efd1b6b4,sh
 defense-evasion,T1562.001,Disable or Modify Tools,1,Disable syslog,4ce786f8-e601-44b5-bfae-9ebb15a7d1c8,sh
 defense-evasion,T1562.001,Disable or Modify Tools,2,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
 defense-evasion,T1562.001,Disable or Modify Tools,3,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh
 defense-evasion,T1562.001,Disable or Modify Tools,4,Stop Crowdstrike Falcon on Linux,828a1278-81cc-4802-96ab-188bf29ca77d,sh
-defense-evasion,T1551.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
-defense-evasion,T1551.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
-defense-evasion,T1551.004,File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh
-defense-evasion,T1551.004,File Deletion,8,Delete Filesystem - Linux,f3aa95fe-4f10-4485-ad26-abf22a764c52,bash
+defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
+defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
+defense-evasion,T1070.004,File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh
+defense-evasion,T1070.004,File Deletion,8,Delete Filesystem - Linux,f3aa95fe-4f10-4485-ad26-abf22a764c52,bash
 defense-evasion,T1562.003,HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
 defense-evasion,T1562.003,HISTCONTROL,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
 defense-evasion,T1564.001,Hidden Files and Directories,1,Create a hidden file in a hidden directory,61a782e5-9a19-40b5-8ba4-69a4b9f3d7be,sh
@@ -80,10 +80,10 @@ defense-evasion,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666
 defense-evasion,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
 defense-evasion,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
 defense-evasion,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
-defense-evasion,T1551.006,Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
-defense-evasion,T1551.006,Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
-defense-evasion,T1551.006,Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
-defense-evasion,T1551.006,Timestomp,4,Modify file timestamps using reference file,631ea661-d661-44b0-abdb-7a7f3fc08e50,sh
+defense-evasion,T1070.006,Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
+defense-evasion,T1070.006,Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
+defense-evasion,T1070.006,Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
+defense-evasion,T1070.006,Timestomp,4,Modify file timestamps using reference file,631ea661-d661-44b0-abdb-7a7f3fc08e50,sh
 impact,T1485,Data Destruction,2,macOS/Linux - Overwrite file with DD,38deee99-fd65-4031-bec8-bfa4f9f26146,bash
 impact,T1496,Resource Hijacking,1,macOS/Linux - Simulate CPU Load with Yes,904a5a0e-fb02-490d-9f8d-0e256eb37549,bash
 impact,T1529,System Shutdown/Reboot,3,Restart System via `shutdown` - macOS/Linux,6326dbc4-444b-4c04-88f4-27e94d0327cb,bash
@@ -139,10 +139,10 @@ collection,T1560.001,Archive via Utility,8,Data Encrypted with zip and gpg symme
 collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
 collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
 collection,T1113,Screen Capture,4,Import,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash
-execution,T1059.004,Bash,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
-execution,T1059.004,Bash,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
 execution,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
 execution,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
+execution,T1059.004,Unix Shell,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
+execution,T1059.004,Unix Shell,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
 exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
 exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
 exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh

atomics/Indexes/Indexes-CSV/macos-index.csv

@@ -41,19 +41,19 @@ persistence,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e
 persistence,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
 persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
 defense-evasion,T1027.001,Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
-defense-evasion,T1551.003,Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
-defense-evasion,T1551.003,Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
-defense-evasion,T1551.003,Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
-defense-evasion,T1551.003,Clear Command History,4,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
-defense-evasion,T1551.003,Clear Command History,6,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
-defense-evasion,T1551.003,Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
-defense-evasion,T1551.002,Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
+defense-evasion,T1070.003,Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
+defense-evasion,T1070.003,Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
+defense-evasion,T1070.003,Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
+defense-evasion,T1070.003,Clear Command History,4,Clear Bash history (ln dev/null),23d348f3-cc5c-4ba9-bd0a-ae09069f0914,sh
+defense-evasion,T1070.003,Clear Command History,6,Clear history of a bunch of shells,7e6721df-5f08-4370-9255-f06d8a77af4c,sh
+defense-evasion,T1070.003,Clear Command History,7,Clear and Disable Bash History Logging,784e4011-bd1a-4ecd-a63a-8feb278512e6,sh
+defense-evasion,T1070.002,Clear Linux or Mac System Logs,1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
 defense-evasion,T1562.001,Disable or Modify Tools,5,Disable Carbon Black Response,8fba7766-2d11-4b4a-979a-1e3d9cc9a88c,sh
 defense-evasion,T1562.001,Disable or Modify Tools,6,Disable LittleSnitch,62155dd8-bb3d-4f32-b31c-6532ff3ac6a3,sh
 defense-evasion,T1562.001,Disable or Modify Tools,7,Disable OpenDNS Umbrella,07f43b33-1e15-4e99-be70-bc094157c849,sh
 defense-evasion,T1562.001,Disable or Modify Tools,8,Stop and unload Crowdstrike Falcon on macOS,b3e7510c-2d4c-4249-a33f-591a2bc83eef,sh
-defense-evasion,T1551.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
-defense-evasion,T1551.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
+defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
+defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
 defense-evasion,T1553.001,Gatekeeper Bypass,1,Gatekeeper Bypass,fb3d46c6-9480-4803-8d7d-ce676e1f1a9b,sh
 defense-evasion,T1562.003,HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
 defense-evasion,T1562.003,HISTCONTROL,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
@@ -83,10 +83,10 @@ defense-evasion,T1036.006,Space after Filename,1,Space After Filename,89a7dd26-e
 defense-evasion,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
 defense-evasion,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
 defense-evasion,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
-defense-evasion,T1551.006,Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
-defense-evasion,T1551.006,Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
-defense-evasion,T1551.006,Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
-defense-evasion,T1551.006,Timestomp,4,Modify file timestamps using reference file,631ea661-d661-44b0-abdb-7a7f3fc08e50,sh
+defense-evasion,T1070.006,Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
+defense-evasion,T1070.006,Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
+defense-evasion,T1070.006,Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
+defense-evasion,T1070.006,Timestomp,4,Modify file timestamps using reference file,631ea661-d661-44b0-abdb-7a7f3fc08e50,sh
 impact,T1485,Data Destruction,2,macOS/Linux - Overwrite file with DD,38deee99-fd65-4031-bec8-bfa4f9f26146,bash
 impact,T1496,Resource Hijacking,1,macOS/Linux - Simulate CPU Load with Yes,904a5a0e-fb02-490d-9f8d-0e256eb37549,bash
 impact,T1529,System Shutdown/Reboot,3,Restart System via `shutdown` - macOS/Linux,6326dbc4-444b-4c04-88f4-27e94d0327cb,bash
@@ -119,12 +119,12 @@ discovery,T1016,System Network Configuration Discovery,3,System Network Configur
 discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
 discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
 execution,T1059.002,AppleScript,1,AppleScript,3600d97d-81b9-4171-ab96-e4386506e2c2,sh
-execution,T1059.004,Bash,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
-execution,T1059.004,Bash,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
 execution,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
 execution,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
 execution,T1569.001,Launchctl,1,Launchctl,6fb61988-724e-4755-a595-07743749d4e2,bash
 execution,T1053.004,Launchd,1,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
+execution,T1059.004,Unix Shell,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
+execution,T1059.004,Unix Shell,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
 command-and-control,T1105,Ingress Tool Transfer,1,rsync remote file copy (push),0fc6e977-cb12-44f6-b263-2824ba917409,bash
 command-and-control,T1105,Ingress Tool Transfer,2,rsync remote file copy (pull),3180f7d5-52c0-4493-9ea0-e3431a84773f,bash
 command-and-control,T1105,Ingress Tool Transfer,3,scp remote file copy (push),83a49600-222b-4866-80a0-37736ad29344,bash

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -64,8 +64,8 @@ defense-evasion,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Tru
 defense-evasion,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
 defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
 defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
-defense-evasion,T1551.001,Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt
-defense-evasion,T1551.001,Clear Windows Event Logs,2,Delete System Logs Using Clear-EventLogId,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell
+defense-evasion,T1070.001,Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt
+defense-evasion,T1070.001,Clear Windows Event Logs,2,Delete System Logs Using Clear-EventLogId,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell
 defense-evasion,T1027.004,Compile After Delivery,1,Compile After Delivery using csc.exe,ffcdbd6a-b0e8-487d-927a-09127fe9a206,command_prompt
 defense-evasion,T1027.004,Compile After Delivery,2,Dynamic C# Compile,453614d8-3ba6-4147-acc0-7ec4b3e1faef,powershell
 defense-evasion,T1218.001,Compiled HTML File,1,Compiled HTML Help Local Payload,5cb87818-0d7c-4469-b7ef-9224107aebe8,command_prompt
@@ -94,16 +94,16 @@ defense-evasion,T1562.001,Disable or Modify Tools,20,Uninstall Crowdstrike Falco
 defense-evasion,T1562.001,Disable or Modify Tools,21,Tamper with Windows Defender Evade Scanning -Folder,0b19f4ee-de90-4059-88cb-63c800c683ed,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,22,Tamper with Windows Defender Evade Scanning -Extension,315f4be6-2240-4552-b3e1-d1047f5eecea,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,23,Tamper with Windows Defender Evade Scanning -Process,a123ce6a-3916-45d6-ba9c-7d4081315c27,powershell
-defense-evasion,T1551.004,File Deletion,4,Delete a single file - Windows cmd,861ea0b4-708a-4d17-848d-186c9c7f17e3,command_prompt
-defense-evasion,T1551.004,File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt
-defense-evasion,T1551.004,File Deletion,6,Delete a single file - Windows PowerShell,9dee89bd-9a98-4c4f-9e2d-4256690b0e72,powershell
-defense-evasion,T1551.004,File Deletion,7,Delete an entire folder - Windows PowerShell,edd779e4-a509-4cba-8dfa-a112543dbfb1,powershell
-defense-evasion,T1551.004,File Deletion,9,Delete-PrefetchFile,36f96049-0ad7-4a5f-8418-460acaeb92fb,powershell
-defense-evasion,T1551.004,File Deletion,10,Delete TeamViewer Log Files,69f50a5f-967c-4327-a5bb-e1a9a9983785,powershell
+defense-evasion,T1070.004,File Deletion,4,Delete a single file - Windows cmd,861ea0b4-708a-4d17-848d-186c9c7f17e3,command_prompt
+defense-evasion,T1070.004,File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt
+defense-evasion,T1070.004,File Deletion,6,Delete a single file - Windows PowerShell,9dee89bd-9a98-4c4f-9e2d-4256690b0e72,powershell
+defense-evasion,T1070.004,File Deletion,7,Delete an entire folder - Windows PowerShell,edd779e4-a509-4cba-8dfa-a112543dbfb1,powershell
+defense-evasion,T1070.004,File Deletion,9,Delete-PrefetchFile,36f96049-0ad7-4a5f-8418-460acaeb92fb,powershell
+defense-evasion,T1070.004,File Deletion,10,Delete TeamViewer Log Files,69f50a5f-967c-4327-a5bb-e1a9a9983785,powershell
 defense-evasion,T1564.001,Hidden Files and Directories,3,Create Windows System File with Attrib,f70974c8-c094-4574-b542-2c545af95a32,command_prompt
 defense-evasion,T1564.001,Hidden Files and Directories,4,Create Windows Hidden File with Attrib,dadb792e-4358-4d8d-9207-b771faa0daa5,command_prompt
 defense-evasion,T1564.003,Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
-defense-evasion,T1551,Indicator Removal on Host,1,Indicator Removal using FSUtil,b4115c7a-0e92-47f0-a61e-17e7218b2435,command_prompt
+defense-evasion,T1070,Indicator Removal on Host,1,Indicator Removal using FSUtil,b4115c7a-0e92-47f0-a61e-17e7218b2435,command_prompt
 defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt
 defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe,8b34a448-40d9-4fc3-a8c8-4bb286faf7dc,command_prompt
 defense-evasion,T1553.004,Install Root Certificate,4,Install root CA on Windows,76f49d86-5eb1-461a-a032-a480f86652f1,powershell
@@ -131,9 +131,9 @@ defense-evasion,T1564.004,NTFS File Attributes,1,Alternate Data Streams (ADS),88
 defense-evasion,T1564.004,NTFS File Attributes,2,Store file in Alternate Data Stream (ADS),2ab75061-f5d5-4c1a-b666-ba2a50df5b02,powershell
 defense-evasion,T1564.004,NTFS File Attributes,3,Create ADS command prompt,17e7637a-ddaf-4a82-8622-377e20de8fdb,command_prompt
 defense-evasion,T1564.004,NTFS File Attributes,4,Create ADS PowerShell,0045ea16-ed3c-4d4c-a9ee-15e44d1560d1,powershell
-defense-evasion,T1551.005,Network Share Connection Removal,1,Add Network Share,14c38f32-6509-46d8-ab43-d53e32d2b131,command_prompt
-defense-evasion,T1551.005,Network Share Connection Removal,2,Remove Network Share,09210ad5-1ef2-4077-9ad3-7351e13e9222,command_prompt
-defense-evasion,T1551.005,Network Share Connection Removal,3,Remove Network Share PowerShell,0512d214-9512-4d22-bde7-f37e058259b3,powershell
+defense-evasion,T1070.005,Network Share Connection Removal,1,Add Network Share,14c38f32-6509-46d8-ab43-d53e32d2b131,command_prompt
+defense-evasion,T1070.005,Network Share Connection Removal,2,Remove Network Share,09210ad5-1ef2-4077-9ad3-7351e13e9222,command_prompt
+defense-evasion,T1070.005,Network Share Connection Removal,3,Remove Network Share PowerShell,0512d214-9512-4d22-bde7-f37e058259b3,powershell
 defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
 defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded PowerShell from Windows Registry,450e7218-7915-4be4-8b9b-464a49eafcec,powershell
 defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File,f8c8a909-5f29-49ac-9244-413936ce6d1f,command_prompt
@@ -177,10 +177,10 @@ defense-evasion,T1218,Signed Binary Proxy Execution,3,Register-CimProvider - Exe
 defense-evasion,T1218,Signed Binary Proxy Execution,4,InfDefaultInstall.exe .inf Execution,54ad7d5a-a1b5-472c-b6c4-f8090fb2daef,command_prompt
 defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt
 defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt
-defense-evasion,T1551.006,Timestomp,5,Windows - Modify file creation timestamp with PowerShell,b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c,powershell
-defense-evasion,T1551.006,Timestomp,6,Windows - Modify file last modified timestamp with PowerShell,f8f6634d-93e1-4238-8510-f8a90a20dcf2,powershell
-defense-evasion,T1551.006,Timestomp,7,Windows - Modify file last access timestamp with PowerShell,da627f63-b9bd-4431-b6f8-c5b44d061a62,powershell
-defense-evasion,T1551.006,Timestomp,8,Windows - Timestomp a File,d7512c33-3a75-4806-9893-69abc3ccdd43,powershell
+defense-evasion,T1070.006,Timestomp,5,Windows - Modify file creation timestamp with PowerShell,b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c,powershell
+defense-evasion,T1070.006,Timestomp,6,Windows - Modify file last modified timestamp with PowerShell,f8f6634d-93e1-4238-8510-f8a90a20dcf2,powershell
+defense-evasion,T1070.006,Timestomp,7,Windows - Modify file last access timestamp with PowerShell,da627f63-b9bd-4431-b6f8-c5b44d061a62,powershell
+defense-evasion,T1070.006,Timestomp,8,Windows - Timestomp a File,d7512c33-3a75-4806-9893-69abc3ccdd43,powershell
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,1,Take ownership using takeown utility,98d34bb4-6e75-42ad-9c41-1dae7dc6a001,command_prompt
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively,a8206bcc-f282-40a9-a389-05d9c0263485,command_prompt
 defense-evasion,T1222.001,Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -30,6 +30,7 @@
   - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
   - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
   - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
+- T1574.012 COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md)
   - Atomic Test #1: Change Default File Association [windows]
 - T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -199,6 +200,7 @@
   - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
   - Atomic Test #3: Firefox [linux, windows, macos]
   - Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
+- T1574.012 COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md)
   - Atomic Test #1: Change Default File Association [windows]
 - T1136.003 Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -275,7 +277,7 @@
   - Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
 - [T1547.011 Plist Modification](../../T1547.011/T1547.011.md)
   - Atomic Test #1: Plist Modification [macos]
-- T1545.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1547.010 Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md)
   - Atomic Test #1: Append malicious start-process cmdlet [windows]
@@ -294,6 +296,7 @@
   - Atomic Test #5: Suspicious jse file run from startup Folder [windows]
   - Atomic Test #6: Suspicious bat file run from startup Folder [windows]
 - T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1098.004 SSH Authorized Keys [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
   - Atomic Test #1: Scheduled Task Startup Script [windows]
   - Atomic Test #2: Scheduled task Local [windows]
@@ -318,7 +321,7 @@
 - [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
   - Atomic Test #1: Create Systemd Service [linux]
 - T1547.003 Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1545 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1505.002 Transport Agent](../../T1505.002/T1505.002.md)
   - Atomic Test #1: Install MS Exchange Transport Agent Persistence [windows]
 - [T1546.005 Trap](../../T1546.005/T1546.005.md)
@@ -412,6 +415,7 @@
 - [T1110.003 Password Spraying](../../T1110.003/T1110.003.md)
   - Atomic Test #1: Password Spray all Domain Users [windows]
   - Atomic Test #2: Password Spray (DomainPasswordSpray) [windows]
+- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
   - Atomic Test #1: Private Keys [windows]
   - Atomic Test #2: Discover Private SSH Keys [macos, linux]
@@ -455,7 +459,8 @@
 - [T1218.003 CMSTP](../../T1218.003/T1218.003.md)
   - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
   - Atomic Test #2: CMSTP Executing UAC Bypass [windows]
-- [T1551.003 Clear Command History](../../T1551.003/T1551.003.md)
+- T1574.012 COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1070.003 Clear Command History](../../T1070.003/T1070.003.md)
   - Atomic Test #1: Clear Bash history (rm) [linux, macos]
   - Atomic Test #2: Clear Bash history (echo) [linux, macos]
   - Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
@@ -463,11 +468,11 @@
   - Atomic Test #5: Clear Bash history (truncate) [linux]
   - Atomic Test #6: Clear history of a bunch of shells [linux, macos]
   - Atomic Test #7: Clear and Disable Bash History Logging [linux, macos]
-- [T1551.002 Clear Linux or Mac System Logs](../../T1551.002/T1551.002.md)
+- [T1070.002 Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md)
   - Atomic Test #1: rm -rf [macos, linux]
   - Atomic Test #2: Overwrite Linux Mail Spool [linux]
   - Atomic Test #3: Overwrite Linux Log [linux]
-- [T1551.001 Clear Windows Event Logs](../../T1551.001/T1551.001.md)
+- [T1070.001 Clear Windows Event Logs](../../T1070.001/T1070.001.md)
   - Atomic Test #1: Clear Logs [windows]
   - Atomic Test #2: Delete System Logs Using Clear-EventLogId [windows]
 - T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -481,18 +486,22 @@
 - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1218.002 Control Panel](../../T1218.002/T1218.002.md)
   - Atomic Test #1: Control Panel Items [windows]
+- T1578.002 Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1134.002 Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1578.001 Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1574.001 DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
   - Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
 - [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
   - Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
 - T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1578.003 Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
   - Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
   - Atomic Test #2: Certutil Rename and Decode [windows]
 - T1006 Direct Volume Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1562.002 Disable Windows Event Logging](../../T1562.002/T1562.002.md)
   - Atomic Test #1: Disable Windows IIS HTTP Logging [windows]
+- T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
   - Atomic Test #1: Disable iptables firewall [linux]
   - Atomic Test #2: Disable Microsoft Defender Firewall [windows]
@@ -527,11 +536,12 @@
 - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1055.001 Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1055.011 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1551.004 File Deletion](../../T1551.004/T1551.004.md)
+- [T1070.004 File Deletion](../../T1070.004/T1070.004.md)
   - Atomic Test #1: Delete a single file - Linux/macOS [linux, macos]
   - Atomic Test #2: Delete an entire folder - Linux/macOS [linux, macos]
   - Atomic Test #3: Overwrite and delete a file with shred [linux]
@@ -549,6 +559,7 @@
 - [T1562.003 HISTCONTROL](../../T1562.003/T1562.003.md)
   - Atomic Test #1: Disable history collection [linux, macos]
   - Atomic Test #2: Mac HISTCONTROL [macos, linux]
+- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1564.001 Hidden Files and Directories](../../T1564.001/T1564.001.md)
   - Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
   - Atomic Test #2: Mac Hidden file [macos]
@@ -566,7 +577,7 @@
 - T1562 Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1562.006 Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1551 Indicator Removal on Host](../../T1551/T1551.md)
+- [T1070 Indicator Removal on Host](../../T1070/T1070.md)
   - Atomic Test #1: Indicator Removal using FSUtil [windows]
 - [T1202 Indirect Command Execution](../../T1202/T1202.md)
   - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
@@ -608,6 +619,7 @@
 - T1036 Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1112 Modify Registry](../../T1112/T1112.md)
   - Atomic Test #1: Modify Registry of Current User Profile - cmd [windows]
   - Atomic Test #2: Modify Registry of Local Machine - cmd [windows]
@@ -627,7 +639,7 @@
   - Atomic Test #2: Store file in Alternate Data Stream (ADS) [windows]
   - Atomic Test #3: Create ADS command prompt [windows]
   - Atomic Test #4: Create ADS PowerShell [windows]
-- [T1551.005 Network Share Connection Removal](../../T1551.005/T1551.005.md)
+- [T1070.005 Network Share Connection Removal](../../T1070.005/T1070.005.md)
   - Atomic Test #1: Add Network Share [windows]
   - Atomic Test #2: Remove Network Share [windows]
   - Atomic Test #3: Remove Network Share PowerShell [windows]
@@ -651,7 +663,8 @@
 - T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
   - Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
-- T1545.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1055.009 Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -682,7 +695,7 @@
   - Atomic Test #7: Masquerading - windows exe running as different windows exe [windows]
   - Atomic Test #8: Malicious process Masquerading as LSM.exe [windows]
   - Atomic Test #9: File Extension Masquerading [windows]
-- T1536 Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1578.004 Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1207 Rogue Domain Controller](../../T1207/T1207.md)
   - Atomic Test #1: DCShadow - Mimikatz [windows]
@@ -690,6 +703,7 @@
   - Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
   - Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
   - Atomic Test #3: Windows Signed Driver Rootkit Test [windows]
+- T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1218.011 Rundll32](../../T1218.011/T1218.011.md)
   - Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
   - Atomic Test #2: Rundll32 execute VBscript command [windows]
@@ -735,7 +749,7 @@
 - T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1551.006 Timestomp](../../T1551.006/T1551.006.md)
+- [T1070.006 Timestomp](../../T1070.006/T1070.006.md)
   - Atomic Test #1: Set a file's access timestamp [linux, macos]
   - Atomic Test #2: Set a file's modification timestamp [linux, macos]
   - Atomic Test #3: Set a file's creation timestamp [linux, macos]
@@ -745,7 +759,7 @@
   - Atomic Test #7: Windows - Modify file last access timestamp with PowerShell [windows]
   - Atomic Test #8: Windows - Timestomp a File [windows]
 - T1134.001 Token Impersonation/Theft [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1545 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1127 Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -919,6 +933,7 @@
 - [T1518 Software Discovery](../../T1518/T1518.md)
   - Atomic Test #1: Find and Display Internet Explorer Browser Version [windows]
   - Atomic Test #2: Applications Installed [windows]
+- T1497.001 System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1082 System Information Discovery](../../T1082/T1082.md)
   - Atomic Test #1: System Information Discovery [windows]
   - Atomic Test #2: System Information Discovery [macos]
@@ -948,6 +963,9 @@
 - [T1124 System Time Discovery](../../T1124/T1124.md)
   - Atomic Test #1: System Time Discovery [windows]
   - Atomic Test #2: System Time Discovery - PowerShell [windows]
+- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 
 # execution
 - [T1059.002 AppleScript](../../T1059.002/T1059.002.md)
@@ -955,9 +973,6 @@
 - T1053.001 At (Linux) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053.002 At (Windows)](../../T1053.002/T1053.002.md)
   - Atomic Test #1: At.exe Scheduled task [windows]
-- [T1059.004 Bash](../../T1059.004/T1059.004.md)
-  - Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
-  - Atomic Test #2: Command-Line Interface [macos, linux]
 - T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1559.001 Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -971,6 +986,7 @@
 - T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1059.007 JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1569.001 Launchctl](../../T1569.001/T1569.001.md)
   - Atomic Test #1: Launchctl [macos]
 - [T1053.004 Launchd](../../T1053.004/T1053.004.md)
@@ -1013,8 +1029,11 @@
 - T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1153 Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1569 System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1059.004 Unix Shell](../../T1059.004/T1059.004.md)
+  - Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
+  - Atomic Test #2: Command-Line Interface [macos, linux]
 - T1204 User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1059.005 VBScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1059.005 Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1059.003 Windows Command Shell](../../T1059.003/T1059.003.md)
   - Atomic Test #1: Create and Execute Batch Script [windows]
 - [T1047 Windows Management Instrumentation](../../T1047/T1047.md)
@@ -1070,6 +1089,7 @@
 - T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1071.004 DNS](../../T1071.004/T1071.004.md)
   - Atomic Test #1: DNS Large Query Volume [windows]
@@ -1120,7 +1140,7 @@
   - Atomic Test #1: Testing usage of uncommonly used port with PowerShell [windows]
   - Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
 - T1102.003 One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1545.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1001.003 Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1572 Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1090 Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -1132,7 +1152,7 @@
   - Atomic Test #1: Base64 Encoded data. [macos, linux]
 - T1001.002 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1545 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1071.001 Web Protocols](../../T1071.001/T1071.001.md)
   - Atomic Test #1: Malicious User Agents - Powershell [windows]
   - Atomic Test #2: Malicious User Agents - CMD [windows]

atomics/Indexes/Indexes-Markdown/linux-index.md

@@ -69,6 +69,7 @@
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1098.002 Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1525 Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1547.006 Kernel Modules and Extensions](../../T1547.006/T1547.006.md)
@@ -86,15 +87,16 @@
 - T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1137.004 Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1545.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1098.004 SSH Authorized Keys [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1505 Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
   - Atomic Test #1: Create Systemd Service [linux]
-- T1545 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1505.002 Transport Agent [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1546.005 Trap](../../T1546.005/T1546.005.md)
   - Atomic Test #1: Trap [macos, linux]
@@ -116,12 +118,14 @@
 - T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1056.001 Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1040 Network Sniffing](../../T1040/T1040.md)
   - Atomic Test #1: Packet Capture Linux [linux]
 - T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1110.002 Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1110.001 Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1110.003 Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
   - Atomic Test #2: Discover Private SSH Keys [macos, linux]
   - Atomic Test #3: Copy Private SSH Keys with CP [linux]
@@ -140,7 +144,7 @@
 - [T1027.001 Binary Padding](../../T1027.001/T1027.001.md)
   - Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
 - T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1551.003 Clear Command History](../../T1551.003/T1551.003.md)
+- [T1070.003 Clear Command History](../../T1070.003/T1070.003.md)
   - Atomic Test #1: Clear Bash history (rm) [linux, macos]
   - Atomic Test #2: Clear Bash history (echo) [linux, macos]
   - Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
@@ -148,13 +152,18 @@
   - Atomic Test #5: Clear Bash history (truncate) [linux]
   - Atomic Test #6: Clear history of a bunch of shells [linux, macos]
   - Atomic Test #7: Clear and Disable Bash History Logging [linux, macos]
-- [T1551.002 Clear Linux or Mac System Logs](../../T1551.002/T1551.002.md)
+- [T1070.002 Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md)
   - Atomic Test #1: rm -rf [macos, linux]
   - Atomic Test #2: Overwrite Linux Mail Spool [linux]
   - Atomic Test #3: Overwrite Linux Log [linux]
 - T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1027.004 Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1578.002 Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1578.001 Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1578.003 Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1140 Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
   - Atomic Test #1: Disable iptables firewall [linux]
 - [T1562.001 Disable or Modify Tools](../../T1562.001/T1562.001.md)
@@ -163,9 +172,10 @@
   - Atomic Test #3: Disable SELinux [linux]
   - Atomic Test #4: Stop Crowdstrike Falcon on Linux [linux]
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1551.004 File Deletion](../../T1551.004/T1551.004.md)
+- [T1070.004 File Deletion](../../T1070.004/T1070.004.md)
   - Atomic Test #1: Delete a single file - Linux/macOS [linux, macos]
   - Atomic Test #2: Delete an entire folder - Linux/macOS [linux, macos]
   - Atomic Test #3: Overwrite and delete a file with shred [linux]
@@ -174,13 +184,15 @@
 - [T1562.003 HISTCONTROL](../../T1562.003/T1562.003.md)
   - Atomic Test #1: Disable history collection [linux, macos]
   - Atomic Test #2: Mac HISTCONTROL [macos, linux]
+- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1564.001 Hidden Files and Directories](../../T1564.001/T1564.001.md)
   - Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
 - T1564 Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1562 Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1562.006 Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1551 Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1070 Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1553.004 Install Root Certificate](../../T1553.004/T1553.004.md)
   - Atomic Test #1: Install root CA on CentOS/RHEL [linux]
   - Atomic Test #2: Install root CA on Debian/Ubuntu [linux]
@@ -201,9 +213,12 @@
 - T1036.004 Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1036 Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
   - Atomic Test #1: Decode base64 Data into Script [macos, linux]
-- T1545.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1055.009 Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1055 Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -211,11 +226,12 @@
 - T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1036.003 Rename System Utilities](../../T1036.003/T1036.003.md)
   - Atomic Test #2: Masquerading as Linux crond process. [linux]
-- T1536 Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1578.004 Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1014 Rootkit](../../T1014/T1014.md)
   - Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
   - Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
+- T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1548.001 Setuid and Setgid](../../T1548.001/T1548.001.md)
   - Atomic Test #1: Make and modify binary from C source [macos, linux]
@@ -230,12 +246,12 @@
   - Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
 - T1497.001 System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1551.006 Timestomp](../../T1551.006/T1551.006.md)
+- [T1070.006 Timestomp](../../T1070.006/T1070.006.md)
   - Atomic Test #1: Set a file's access timestamp [linux, macos]
   - Atomic Test #2: Set a file's modification timestamp [linux, macos]
   - Atomic Test #3: Set a file's creation timestamp [linux, macos]
   - Atomic Test #4: Modify file timestamps using reference file [linux, macos]
-- T1545 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -324,6 +340,7 @@
 - [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
   - Atomic Test #3: Security Software Discovery - ps [linux, macos]
 - T1518 Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1497.001 System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1082 System Information Discovery](../../T1082/T1082.md)
   - Atomic Test #3: List OS Information [linux, macos]
   - Atomic Test #4: Linux VM Check via Hardware [linux]
@@ -335,6 +352,9 @@
   - Atomic Test #3: System Network Connections Discovery Linux & MacOS [linux, macos]
 - [T1033 System Owner/User Discovery](../../T1033/T1033.md)
   - Atomic Test #2: System Owner/User Discovery [linux, macos]
+- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 
 # lateral-movement
 - T1550.001 Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -354,6 +374,7 @@
 - T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1071.004 DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1568.003 DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -387,7 +408,7 @@
 - [T1571 Non-Standard Port](../../T1571/T1571.md)
   - Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
 - T1102.003 One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1545.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1001.003 Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1572 Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1090 Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -396,7 +417,7 @@
   - Atomic Test #1: Base64 Encoded data. [macos, linux]
 - T1001.002 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1545 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1071.001 Web Protocols](../../T1071.001/T1071.001.md)
   - Atomic Test #3: Malicious User Agents - Nix [linux, macos]
 - T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -437,23 +458,26 @@
 
 # execution
 - T1053.001 At (Linux) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1059.004 Bash](../../T1059.004/T1059.004.md)
-  - Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
-  - Atomic Test #2: Command-Line Interface [macos, linux]
 - T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053.003 Cron](../../T1053.003/T1053.003.md)
   - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
   - Atomic Test #2: Cron - Add script to cron folder [macos, linux]
 - T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1059.007 JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1204.002 Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1106 Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1059.006 Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1153 Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1059.004 Unix Shell](../../T1059.004/T1059.004.md)
+  - Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
+  - Atomic Test #2: Command-Line Interface [macos, linux]
 - T1204 User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1059.005 Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 
 # exfiltration
 - T1020 Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -487,6 +511,7 @@
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1200 Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1566 Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

atomics/Indexes/Indexes-Markdown/macos-index.md

@@ -32,9 +32,7 @@
   - Atomic Test #1: Logon Scripts - Mac [macos]
 - [T1547.011 Plist Modification](../../T1547.011/T1547.011.md)
   - Atomic Test #1: Plist Modification [macos]
-- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1055 Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1037.004 Rc.common](../../T1037.004/T1037.004.md)
   - Atomic Test #1: rc.common [macos]
 - [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md)
@@ -53,13 +51,13 @@
   - Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
 - [T1546.005 Trap](../../T1546.005/T1546.005.md)
   - Atomic Test #1: Trap [macos, linux]
-- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 
 # persistence
 - [T1546.004 .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
   - Atomic Test #1: Add command to .bash_profile [macos, linux]
   - Atomic Test #2: Add command to .bashrc [macos, linux]
+- T1098 Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1176 Browser Extensions](../../T1176/T1176.md)
@@ -96,18 +94,19 @@
   - Atomic Test #1: Logon Scripts - Mac [macos]
 - [T1547.011 Plist Modification](../../T1547.011/T1547.011.md)
   - Atomic Test #1: Plist Modification [macos]
-- T1545.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1037.004 Rc.common](../../T1037.004/T1037.004.md)
   - Atomic Test #1: rc.common [macos]
 - [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md)
   - Atomic Test #1: Re-Opened Applications [macos]
   - Atomic Test #2: Re-Opened Applications [macos]
 - T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1098.004 SSH Authorized Keys [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1505 Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1037.005 Startup Items](../../T1037.005/T1037.005.md)
   - Atomic Test #1: Add file to Local Library StartupItems [macos]
-- T1545 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1546.005 Trap](../../T1546.005/T1546.005.md)
   - Atomic Test #1: Trap [macos, linux]
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -117,18 +116,19 @@
 - T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1027.001 Binary Padding](../../T1027.001/T1027.001.md)
   - Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
-- [T1551.003 Clear Command History](../../T1551.003/T1551.003.md)
+- [T1070.003 Clear Command History](../../T1070.003/T1070.003.md)
   - Atomic Test #1: Clear Bash history (rm) [linux, macos]
   - Atomic Test #2: Clear Bash history (echo) [linux, macos]
   - Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
   - Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
   - Atomic Test #6: Clear history of a bunch of shells [linux, macos]
   - Atomic Test #7: Clear and Disable Bash History Logging [linux, macos]
-- [T1551.002 Clear Linux or Mac System Logs](../../T1551.002/T1551.002.md)
+- [T1070.002 Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md)
   - Atomic Test #1: rm -rf [macos, linux]
 - T1553.002 Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1027.004 Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1140 Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1562.004 Disable or Modify System Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1562.001 Disable or Modify Tools](../../T1562.001/T1562.001.md)
   - Atomic Test #5: Disable Carbon Black Response [macos]
@@ -138,9 +138,10 @@
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1551.004 File Deletion](../../T1551.004/T1551.004.md)
+- [T1070.004 File Deletion](../../T1070.004/T1070.004.md)
   - Atomic Test #1: Delete a single file - Linux/macOS [linux, macos]
   - Atomic Test #2: Delete an entire folder - Linux/macOS [linux, macos]
 - T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -149,6 +150,7 @@
 - [T1562.003 HISTCONTROL](../../T1562.003/T1562.003.md)
   - Atomic Test #1: Disable history collection [linux, macos]
   - Atomic Test #2: Mac HISTCONTROL [macos, linux]
+- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1564.001 Hidden Files and Directories](../../T1564.001/T1564.001.md)
   - Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
   - Atomic Test #2: Mac Hidden file [macos]
@@ -161,8 +163,9 @@
 - T1564 Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1562 Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1562.006 Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1551 Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1070 Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1553.004 Install Root Certificate](../../T1553.004/T1553.004.md)
   - Atomic Test #3: Install root CA on macOS [macos]
 - T1036.001 Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -180,16 +183,17 @@
 - T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1036 Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
   - Atomic Test #1: Decode base64 Data into Script [macos, linux]
-- T1545.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1055 Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1036.003 Rename System Utilities [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1036.002 Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1014 Rootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1548.001 Setuid and Setgid](../../T1548.001/T1548.001.md)
   - Atomic Test #1: Make and modify binary from C source [macos, linux]
@@ -208,14 +212,13 @@
   - Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
 - T1497.001 System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1551.006 Timestomp](../../T1551.006/T1551.006.md)
+- [T1070.006 Timestomp](../../T1070.006/T1070.006.md)
   - Atomic Test #1: Set a file's access timestamp [linux, macos]
   - Atomic Test #2: Set a file's modification timestamp [linux, macos]
   - Atomic Test #3: Set a file's creation timestamp [linux, macos]
   - Atomic Test #4: Modify file timestamps using reference file [linux, macos]
-- T1545 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 
@@ -290,6 +293,7 @@
 - [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
   - Atomic Test #3: Security Software Discovery - ps [linux, macos]
 - T1518 Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1497.001 System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1082 System Information Discovery](../../T1082/T1082.md)
   - Atomic Test #2: System Information Discovery [macos]
   - Atomic Test #3: List OS Information [linux, macos]
@@ -300,37 +304,44 @@
   - Atomic Test #3: System Network Connections Discovery Linux & MacOS [linux, macos]
 - [T1033 System Owner/User Discovery](../../T1033/T1033.md)
   - Atomic Test #2: System Owner/User Discovery [linux, macos]
+- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 
 # execution
 - [T1059.002 AppleScript](../../T1059.002/T1059.002.md)
   - Atomic Test #1: AppleScript [macos]
-- [T1059.004 Bash](../../T1059.004/T1059.004.md)
-  - Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
-  - Atomic Test #2: Command-Line Interface [macos, linux]
 - T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053.003 Cron](../../T1053.003/T1053.003.md)
   - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
   - Atomic Test #2: Cron - Add script to cron folder [macos, linux]
 - T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1059.007 JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1569.001 Launchctl](../../T1569.001/T1569.001.md)
   - Atomic Test #1: Launchctl [macos]
 - [T1053.004 Launchd](../../T1053.004/T1053.004.md)
   - Atomic Test #1: Event Monitor Daemon Persistence [macos]
 - T1204.002 Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1106 Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1059.006 Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1153 Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1569 System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1059.004 Unix Shell](../../T1059.004/T1059.004.md)
+  - Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
+  - Atomic Test #2: Command-Line Interface [macos, linux]
 - T1204 User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1059.005 Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 
 # command-and-control
 - T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1071.004 DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1568.003 DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -365,7 +376,7 @@
 - [T1571 Non-Standard Port](../../T1571/T1571.md)
   - Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
 - T1102.003 One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1545.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1001.003 Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1572 Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1090 Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -374,7 +385,7 @@
   - Atomic Test #1: Base64 Encoded data. [macos, linux]
 - T1001.002 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1545 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1071.001 Web Protocols](../../T1071.001/T1071.001.md)
   - Atomic Test #3: Malicious User Agents - Nix [linux, macos]
 - T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -450,12 +461,14 @@
   - Atomic Test #1: Keychain [macos]
 - T1056.001 Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1040 Network Sniffing](../../T1040/T1040.md)
   - Atomic Test #2: Packet Capture macOS [macos]
 - T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1110.002 Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1110.001 Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1110.003 Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1552.004 Private Keys](../../T1552.004/T1552.004.md)
   - Atomic Test #2: Discover Private SSH Keys [macos, linux]
   - Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -26,6 +26,7 @@
   - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
   - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
   - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
+- T1574.012 COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md)
   - Atomic Test #1: Change Default File Association [windows]
 - [T1546.015 Component Object Model Hijacking](../../T1546.015/T1546.015.md)
@@ -137,7 +138,8 @@
 - [T1218.003 CMSTP](../../T1218.003/T1218.003.md)
   - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
   - Atomic Test #2: CMSTP Executing UAC Bypass [windows]
-- [T1551.001 Clear Windows Event Logs](../../T1551.001/T1551.001.md)
+- T1574.012 COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1070.001 Clear Windows Event Logs](../../T1070.001/T1070.001.md)
   - Atomic Test #1: Clear Logs [windows]
   - Atomic Test #2: Delete System Logs Using Clear-EventLogId [windows]
 - T1553.002 Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -185,11 +187,12 @@
 - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1055.001 Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1055.011 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1551.004 File Deletion](../../T1551.004/T1551.004.md)
+- [T1070.004 File Deletion](../../T1070.004/T1070.004.md)
   - Atomic Test #4: Delete a single file - Windows cmd [windows]
   - Atomic Test #5: Delete an entire folder - Windows cmd [windows]
   - Atomic Test #6: Delete a single file - Windows PowerShell [windows]
@@ -198,6 +201,7 @@
   - Atomic Test #10: Delete TeamViewer Log Files [windows]
 - T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1484 Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1564.005 Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1564.001 Hidden Files and Directories](../../T1564.001/T1564.001.md)
   - Atomic Test #3: Create Windows System File with Attrib [windows]
   - Atomic Test #4: Create Windows Hidden File with Attrib [windows]
@@ -208,7 +212,7 @@
 - T1562 Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1562.006 Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1551 Indicator Removal on Host](../../T1551/T1551.md)
+- [T1070 Indicator Removal on Host](../../T1070/T1070.md)
   - Atomic Test #1: Indicator Removal using FSUtil [windows]
 - [T1202 Indirect Command Execution](../../T1202/T1202.md)
   - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
@@ -252,7 +256,7 @@
   - Atomic Test #2: Store file in Alternate Data Stream (ADS) [windows]
   - Atomic Test #3: Create ADS command prompt [windows]
   - Atomic Test #4: Create ADS PowerShell [windows]
-- [T1551.005 Network Share Connection Removal](../../T1551.005/T1551.005.md)
+- [T1070.005 Network Share Connection Removal](../../T1070.005/T1070.005.md)
   - Atomic Test #1: Add Network Share [windows]
   - Atomic Test #2: Remove Network Share [windows]
   - Atomic Test #3: Remove Network Share PowerShell [windows]
@@ -275,6 +279,7 @@
 - T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
   - Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
+- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -307,6 +312,7 @@
   - Atomic Test #1: DCShadow - Mimikatz [windows]
 - [T1014 Rootkit](../../T1014/T1014.md)
   - Atomic Test #3: Windows Signed Driver Rootkit Test [windows]
+- T1564.006 Run Virtual Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1218.011 Rundll32](../../T1218.011/T1218.011.md)
   - Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
   - Atomic Test #2: Rundll32 execute VBscript command [windows]
@@ -338,12 +344,13 @@
 - T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- [T1551.006 Timestomp](../../T1551.006/T1551.006.md)
+- [T1070.006 Timestomp](../../T1070.006/T1070.006.md)
   - Atomic Test #5: Windows - Modify file creation timestamp with PowerShell [windows]
   - Atomic Test #6: Windows - Modify file last modified timestamp with PowerShell [windows]
   - Atomic Test #7: Windows - Modify file last access timestamp with PowerShell [windows]
   - Atomic Test #8: Windows - Timestomp a File [windows]
 - T1134.001 Token Impersonation/Theft [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1127 Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -387,6 +394,7 @@
   - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
   - Atomic Test #3: Firefox [linux, windows, macos]
   - Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
+- T1574.012 COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md)
   - Atomic Test #1: Change Default File Association [windows]
 - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -435,6 +443,7 @@
 - T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
   - Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
+- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1547.010 Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md)
   - Atomic Test #1: Append malicious start-process cmdlet [windows]
@@ -468,6 +477,7 @@
   - Atomic Test #2: Create shortcut to cmd in startup folders [windows]
 - T1542.001 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1547.003 Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1505.002 Transport Agent](../../T1505.002/T1505.002.md)
   - Atomic Test #1: Install MS Exchange Transport Agent Persistence [windows]
 - T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -599,6 +609,7 @@
 - [T1518 Software Discovery](../../T1518/T1518.md)
   - Atomic Test #1: Find and Display Internet Explorer Browser Version [windows]
   - Atomic Test #2: Applications Installed [windows]
+- T1497.001 System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1082 System Information Discovery](../../T1082/T1082.md)
   - Atomic Test #1: System Information Discovery [windows]
   - Atomic Test #6: Hostname Discovery (Windows) [windows]
@@ -620,11 +631,15 @@
 - [T1124 System Time Discovery](../../T1124/T1124.md)
   - Atomic Test #1: System Time Discovery [windows]
   - Atomic Test #2: System Time Discovery - PowerShell [windows]
+- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 
 # command-and-control
 - T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1573.002 Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1102.002 Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1071.004 DNS](../../T1071.004/T1071.004.md)
   - Atomic Test #1: DNS Large Query Volume [windows]
@@ -666,6 +681,7 @@
 - [T1571 Non-Standard Port](../../T1571/T1571.md)
   - Atomic Test #1: Testing usage of uncommonly used port with PowerShell [windows]
 - T1102.003 One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1001.003 Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1572 Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1090 Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -676,6 +692,7 @@
 - T1132.001 Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1001.002 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1071.001 Web Protocols](../../T1071.001/T1071.001.md)
   - Atomic Test #1: Malicious User Agents - Powershell [windows]
   - Atomic Test #2: Malicious User Agents - CMD [windows]
@@ -743,6 +760,7 @@
 - T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1559 Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1059.007 JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1204.002 Malicious File](../../T1204.002/T1204.002.md)
   - Atomic Test #1: OSTap Style Macro Execution [windows]
   - Atomic Test #2: OSTap Payload Download [windows]
@@ -781,7 +799,7 @@
 - T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1569 System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1204 User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1059.005 VBScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- T1059.005 Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1059.003 Windows Command Shell](../../T1059.003/T1059.003.md)
   - Atomic Test #1: Create and Execute Batch Script [windows]
 - [T1047 Windows Management Instrumentation](../../T1047/T1047.md)

atomics/Indexes/Matrices/linux-matrix.md

@@ -2,55 +2,67 @@
 | initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
 |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
 | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | At (Linux) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | /etc/passwd and /etc/shadow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bash](../../T1059.004/T1059.004.md) | Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bash History](../../T1552.003/T1552.003.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | At (Linux) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1027.001/T1027.001.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
-| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Additional Azure Service Principal Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1551.003/T1551.003.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | At (Linux) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1551.002/T1551.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Clipboard Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [Network Service Scanning](../../T1046/T1046.md) |  | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Encrypted Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) |  | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Cron](../../T1053.003/T1053.003.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Deletion](../../T1551.004/T1551.004.md) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) |  | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) |  | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [HISTCONTROL](../../T1562.003/T1562.003.md) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  |  | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | [Private Keys](../../T1552.004/T1552.004.md) | [Process Discovery](../../T1057/T1057.md) |  | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Ingress Tool Transfer](../../T1105/T1105.md) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  |  | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) |  | [Local Data Staging](../../T1074.001/T1074.001.md) |  | [Internal Proxy](../../T1090.001/T1090.001.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  |  | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) |  | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Resource Hijacking](../../T1496/T1496.md) |
-|  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  |  | Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Systemd Service](../../T1543.002/T1543.002.md) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) |  | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  |  | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Trap](../../T1546.005/T1546.005.md) | Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | [Screen Capture](../../T1113/T1113.md) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  |  | [LD_PRELOAD](../../T1574.006/T1574.006.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Install Root Certificate](../../T1553.004/T1553.004.md) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) |  | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
-|  |  | [Local Account](../../T1136.001/T1136.001.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](../../T1033/T1033.md) |  | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  |  | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) |  |  |  |  |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | [Non-Standard Port](../../T1571/T1571.md) |  |
-|  |  | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | Office Test [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Obfuscated Files or Information](../../T1027/T1027.md) |  |  |  |  |  | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Remote Access Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | [Standard Encoding](../../T1132.001/T1132.001.md) |  |
-|  |  | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Rename System Utilities](../../T1036.003/T1036.003.md) |  |  |  |  |  | [Web Protocols](../../T1071.001/T1071.001.md) |  |
-|  |  | [Systemd Service](../../T1543.002/T1543.002.md) |  | Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | Transport Agent [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Rootkit](../../T1014/T1014.md) |  |  |  |  |  |  |  |
-|  |  | [Trap](../../T1546.005/T1546.005.md) |  | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Setuid and Setgid](../../T1548.001/T1548.001.md) |  |  |  |  |  |  |  |
-|  |  | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Space after Filename [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bash History](../../T1552.003/T1552.003.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | At (Linux) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1027.001/T1027.001.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
+| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Additional Azure Service Principal Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | At (Linux) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Clipboard Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) |  | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) |  | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Encrypted Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Unix Shell](../../T1059.004/T1059.004.md) | [Cron](../../T1053.003/T1053.003.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) |  | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) |  | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Discovery](../../T1057/T1057.md) |  | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  |  | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) |  | [Local Data Staging](../../T1074.001/T1074.001.md) |  | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  |  | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) |  | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
+|  |  | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [File Deletion](../../T1070.004/T1070.004.md) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Systemd Service](../../T1543.002/T1543.002.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  |  | Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Trap](../../T1546.005/T1546.005.md) | [HISTCONTROL](../../T1562.003/T1562.003.md) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) |  | [Screen Capture](../../T1113/T1113.md) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  |  | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
+|  |  | [LD_PRELOAD](../../T1574.006/T1574.006.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) |  | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  |  | [Local Account](../../T1136.001/T1136.001.md) |  | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](../../T1033/T1033.md) |  |  |  | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  | [Non-Standard Port](../../T1571/T1571.md) |  |
+|  |  | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | Office Test [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Install Root Certificate](../../T1553.004/T1553.004.md) |  |  |  |  |  | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [LD_PRELOAD](../../T1574.006/T1574.006.md) |  |  |  |  |  | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) |  |  |  |  |  | Remote Access Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | [Standard Encoding](../../T1132.001/T1132.001.md) |  |
+|  |  | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | SSH Authorized Keys [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | [Web Protocols](../../T1071.001/T1071.001.md) |  |
+|  |  | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | [Systemd Service](../../T1543.002/T1543.002.md) |  | [Obfuscated Files or Information](../../T1027/T1027.md) |  |  |  |  |  |  |  |
+|  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | Transport Agent [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | [Trap](../../T1546.005/T1546.005.md) |  | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | [Rename System Utilities](../../T1036.003/T1036.003.md) |  |  |  |  |  |  |  |
+|  |  |  |  | Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | [Rootkit](../../T1014/T1014.md) |  |  |  |  |  |  |  |
+|  |  |  |  | Run Virtual Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | [Setuid and Setgid](../../T1548.001/T1548.001.md) |  |  |  |  |  |  |  |
+|  |  |  |  | Space after Filename [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Subvert Trust Controls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) |  |  |  |  |  |  |  |
 |  |  |  |  | System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  |  |  | [Timestomp](../../T1551.006/T1551.006.md) |  |  |  |  |  |  |  |
+|  |  |  |  | [Timestomp](../../T1070.006/T1070.006.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |

atomics/Indexes/Matrices/macos-matrix.md

@@ -2,47 +2,52 @@
 | initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
 |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bash History](../../T1552.003/T1552.003.md) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bash](../../T1059.004/T1059.004.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1027.001/T1027.001.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Window Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1551.003/T1551.003.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | [Browser Extensions](../../T1176/T1176.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1551.002/T1551.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
-| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [File and Directory Discovery](../../T1083/T1083.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Clipboard Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchd](../../T1053.004/T1053.004.md) | [Cron](../../T1053.003/T1053.003.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable or Modify System Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Local Groups](../../T1069.001/T1069.001.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keychain](../../T1555.001/T1555.001.md) | [Network Share Discovery](../../T1135/T1135.md) |  | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Emond](../../T1546.014/T1546.014.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) |  | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) |  | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Emond](../../T1546.014/T1546.014.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [GUI Input Capture](../../T1056.002/T1056.002.md) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Encrypted Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Deletion](../../T1551.004/T1551.004.md) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Discovery](../../T1057/T1057.md) |  | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) |  | [Local Data Staging](../../T1074.001/T1074.001.md) |  | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | [Gatekeeper Bypass](../../T1553.001/T1553.001.md) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) |  | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  |  | [Launch Agent](../../T1543.001/T1543.001.md) | [Launch Daemon](../../T1543.004/T1543.004.md) | [HISTCONTROL](../../T1562.003/T1562.003.md) | [Private Keys](../../T1552.004/T1552.004.md) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Ingress Tool Transfer](../../T1105/T1105.md) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  |  | [Launch Daemon](../../T1543.004/T1543.004.md) | [Launchd](../../T1053.004/T1053.004.md) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) |  | [Screen Capture](../../T1113/T1113.md) |  | [Internal Proxy](../../T1090.001/T1090.001.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  |  | [Launchd](../../T1053.004/T1053.004.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Users](../../T1564.002/T1564.002.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Resource Hijacking](../../T1496/T1496.md) |
-|  |  | [Local Account](../../T1136.001/T1136.001.md) | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) |  | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  |  | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Plist Modification](../../T1547.011/T1547.011.md) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](../../T1033/T1033.md) |  |  |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  |  | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  |  | [Plist Modification](../../T1547.011/T1547.011.md) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
-|  |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  |  | [Rc.common](../../T1037.004/T1037.004.md) | [Rc.common](../../T1037.004/T1037.004.md) | Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | [Re-opened Applications](../../T1547.007/T1547.007.md) | [Re-opened Applications](../../T1547.007/T1547.007.md) | [Install Root Certificate](../../T1553.004/T1553.004.md) |  |  |  |  |  | [Non-Standard Port](../../T1571/T1571.md) |  |
-|  |  | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Startup Items](../../T1037.005/T1037.005.md) | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) |  |  |  |  |  | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | [Startup Items](../../T1037.005/T1037.005.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Trap](../../T1546.005/T1546.005.md) | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | [Trap](../../T1546.005/T1546.005.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Remote Access Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Obfuscated Files or Information](../../T1027/T1027.md) |  |  |  |  |  | [Standard Encoding](../../T1132.001/T1132.001.md) |  |
-|  |  | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  |  |  | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  |  |  | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  |  |  | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | [Web Protocols](../../T1071.001/T1071.001.md) |  |
-|  |  |  |  | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1027.001/T1027.001.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Window Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
+| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [File and Directory Discovery](../../T1083/T1083.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Clipboard Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchd](../../T1053.004/T1053.004.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Local Groups](../../T1069.001/T1069.001.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable or Modify System Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | [Keychain](../../T1555.001/T1555.001.md) | [Network Share Discovery](../../T1135/T1135.md) |  | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Emond](../../T1546.014/T1546.014.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) |  | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) |  | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [GUI Input Capture](../../T1056.002/T1056.002.md) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Emond](../../T1546.014/T1546.014.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Encrypted Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Discovery](../../T1057/T1057.md) |  | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) |  | [Local Data Staging](../../T1074.001/T1074.001.md) |  | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | [File Deletion](../../T1070.004/T1070.004.md) | Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) |  | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  | [Unix Shell](../../T1059.004/T1059.004.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | [Launchd](../../T1053.004/T1053.004.md) | [Gatekeeper Bypass](../../T1553.001/T1553.001.md) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Screen Capture](../../T1113/T1113.md) |  | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [HISTCONTROL](../../T1562.003/T1562.003.md) | [Private Keys](../../T1552.004/T1552.004.md) | [System Information Discovery](../../T1082/T1082.md) |  | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
+|  |  | [Launchd](../../T1053.004/T1053.004.md) | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  |  | [Local Account](../../T1136.001/T1136.001.md) | [Plist Modification](../../T1547.011/T1547.011.md) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) |  |  |  | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  |  | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Users](../../T1564.002/T1564.002.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](../../T1033/T1033.md) |  |  |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  |  | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Rc.common](../../T1037.004/T1037.004.md) | Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
+|  |  | [Plist Modification](../../T1547.011/T1547.011.md) | [Re-opened Applications](../../T1547.007/T1547.007.md) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | [Rc.common](../../T1037.004/T1037.004.md) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | [Re-opened Applications](../../T1547.007/T1547.007.md) | [Startup Items](../../T1037.005/T1037.005.md) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | [Non-Standard Port](../../T1571/T1571.md) |  |
+|  |  | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | SSH Authorized Keys [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Trap](../../T1546.005/T1546.005.md) | Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Install Root Certificate](../../T1553.004/T1553.004.md) |  |  |  |  |  | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | [Startup Items](../../T1037.005/T1037.005.md) |  | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) |  |  |  |  |  | Remote Access Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | [Trap](../../T1546.005/T1546.005.md) |  | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | [Standard Encoding](../../T1132.001/T1132.001.md) |  |
+|  |  | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  |  |  | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  |  |  | [Obfuscated Files or Information](../../T1027/T1027.md) |  |  |  |  |  | [Web Protocols](../../T1071.001/T1071.001.md) |  |
+|  |  |  |  | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  |  |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Rename System Utilities [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Rootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | Run Virtual Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Setuid and Setgid](../../T1548.001/T1548.001.md) |  |  |  |  |  |  |  |
 |  |  |  |  | [Software Packing](../../T1027.002/T1027.002.md) |  |  |  |  |  |  |  |
@@ -52,9 +57,8 @@
 |  |  |  |  | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) |  |  |  |  |  |  |  |
 |  |  |  |  | System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  |  |  | [Timestomp](../../T1551.006/T1551.006.md) |  |  |  |  |  |  |  |
+|  |  |  |  | [Timestomp](../../T1070.006/T1070.006.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  |  |  | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |

atomics/Indexes/Matrices/matrix.md

@@ -4,98 +4,108 @@
 | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | /etc/passwd and /etc/shadow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive Collected Data](../../T1560/T1560.md) | [Automated Exfiltration](../../T1020/T1020.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) |
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | At (Linux) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bash History](../../T1552.003/T1552.003.md) | [Application Window Discovery](../../T1010/T1010.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Distributed Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bash](../../T1059.004/T1059.004.md) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
-| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Additional Azure Service Principal Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Binary Padding](../../T1027.001/T1027.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Account](../../T1087.002/T1087.002.md) | [Pass the Ticket](../../T1550.003/T1550.003.md) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [Application Shimming](../../T1546.011/T1546.011.md) | At (Linux) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [CMSTP](../../T1218.003/T1218.003.md) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Groups](../../T1069.002/T1069.002.md) | RDP Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | At (Linux) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Clear Command History](../../T1551.003/T1551.003.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Domain Trust Discovery](../../T1482/T1482.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1551.002/T1551.002.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1551.001/T1551.001.md) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | [BITS Jobs](../../T1197/T1197.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [Launchd](../../T1053.004/T1053.004.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
-| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](../../T1218.001/T1218.001.md) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Share Discovery](../../T1135/T1135.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | [Browser Extensions](../../T1176/T1176.md) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell](../../T1059.001/T1059.001.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Password Policy Discovery](../../T1201/T1201.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) |  | [Ingress Tool Transfer](../../T1105/T1105.md) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Internal Proxy](../../T1090.001/T1090.001.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  | [Scheduled Task](../../T1053.005/T1053.005.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Kerberoasting](../../T1558.003/T1558.003.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) |  | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Resource Hijacking](../../T1496/T1496.md) |
-|  | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Keychain](../../T1555.001/T1555.001.md) | [Process Discovery](../../T1057/T1057.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | [Query Registry](../../T1012/T1012.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Data Staging](../../T1074.001/T1074.001.md) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  | [Service Execution](../../T1569.002/T1569.002.md) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | [Local Email Collection](../../T1114.001/T1114.001.md) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
-|  | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Volume Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LSA Secrets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) |  | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [Software Discovery](../../T1518/T1518.md) |  | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Non-Application Layer Protocol](../../T1095/T1095.md) | [System Shutdown/Reboot](../../T1529/T1529.md) |
-|  | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) |  | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Non-Standard Port](../../T1571/T1571.md) |  |
-|  | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Emond](../../T1546.014/T1546.014.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Connections Discovery](../../T1049/T1049.md) |  | [Screen Capture](../../T1113/T1113.md) |  | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  | VBScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [System Owner/User Discovery](../../T1033/T1033.md) |  | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  | [Windows Command Shell](../../T1059.003/T1059.003.md) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Service Discovery](../../T1007/T1007.md) |  | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  | [Windows Management Instrumentation](../../T1047/T1047.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Time Discovery](../../T1124/T1124.md) |  | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Filter DLL](../../T1556.002/T1556.002.md) |  |  |  |  | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | [Emond](../../T1546.014/T1546.014.md) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) |  |  |  |  | [Remote Access Software](../../T1219/T1219.md) |  |
-|  |  | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) |  |  |  |  | [Standard Encoding](../../T1132.001/T1132.001.md) |  |
-|  |  | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) |  |  |  |  | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Deletion](../../T1551.004/T1551.004.md) | [Security Account Manager](../../T1003.002/T1003.002.md) |  |  |  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  | [Web Protocols](../../T1071.001/T1071.001.md) |  |
-|  |  | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Gatekeeper Bypass](../../T1553.001/T1553.001.md) | Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Launch Agent](../../T1543.001/T1543.001.md) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |
-|  |  | Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | [HISTCONTROL](../../T1562.003/T1562.003.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |
-|  |  | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Launchd](../../T1053.004/T1053.004.md) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |
-|  |  | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Users](../../T1564.002/T1564.002.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |
-|  |  | [LD_PRELOAD](../../T1574.006/T1574.006.md) | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Hidden Window](../../T1564.003/T1564.003.md) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |
-|  |  | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |
-|  |  | [Launch Agent](../../T1543.001/T1543.001.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | [Launch Daemon](../../T1543.004/T1543.004.md) | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | [Launchd](../../T1053.004/T1053.004.md) | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | [Local Account](../../T1136.001/T1136.001.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indicator Removal on Host](../../T1551/T1551.md) |  |  |  |  |  |  |  |
-|  |  | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indirect Command Execution](../../T1202/T1202.md) |  |  |  |  |  |  |  |
-|  |  | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Install Root Certificate](../../T1553.004/T1553.004.md) |  |  |  |  |  |  |  |
-|  |  | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [InstallUtil](../../T1218.004/T1218.004.md) |  |  |  |  |  |  |  |
-|  |  | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Plist Modification](../../T1547.011/T1547.011.md) | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LD_PRELOAD](../../T1574.006/T1574.006.md) |  |  |  |  |  |  |  |
-|  |  | Office Test [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) |  |  |  |  |  |  |  |
-|  |  | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [MSBuild](../../T1127.001/T1127.001.md) |  |  |  |  |  |  |  |
-|  |  | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Hollowing](../../T1055.012/T1055.012.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Injection](../../T1055/T1055.md) | Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Rc.common](../../T1037.004/T1037.004.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Re-opened Applications](../../T1547.007/T1547.007.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | [Plist Modification](../../T1547.011/T1547.011.md) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Modify Registry](../../T1112/T1112.md) |  |  |  |  |  |  |  |
-|  |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Mshta](../../T1218.005/T1218.005.md) |  |  |  |  |  |  |  |
-|  |  | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Msiexec](../../T1218.007/T1218.007.md) |  |  |  |  |  |  |  |
-|  |  | [PowerShell Profile](../../T1546.013/T1546.013.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTFS File Attributes](../../T1564.004/T1564.004.md) |  |  |  |  |  |  |  |
-|  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screensaver](../../T1546.002/T1546.002.md) | [Network Share Connection Removal](../../T1551.005/T1551.005.md) |  |  |  |  |  |  |  |
-|  |  | [Rc.common](../../T1037.004/T1037.004.md) | [Security Support Provider](../../T1547.005/T1547.005.md) | [Obfuscated Files or Information](../../T1027/T1027.md) |  |  |  |  |  |  |  |
-|  |  | [Re-opened Applications](../../T1547.007/T1547.007.md) | [Services File Permissions Weakness](../../T1574.010/T1574.010.md) | [Odbcconf](../../T1218.008/T1218.008.md) |  |  |  |  |  |  |  |
-|  |  | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) |  |  |  |  |  |  |  |
-|  |  | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | [Pass the Hash](../../T1550.002/T1550.002.md) |  |  |  |  |  |  |  |
-|  |  | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Shortcut Modification](../../T1547.009/T1547.009.md) | [Pass the Ticket](../../T1550.003/T1550.003.md) |  |  |  |  |  |  |  |
-|  |  | [Scheduled Task](../../T1053.005/T1053.005.md) | [Startup Items](../../T1037.005/T1037.005.md) | [Password Filter DLL](../../T1556.002/T1556.002.md) |  |  |  |  |  |  |  |
-|  |  | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | [Screensaver](../../T1546.002/T1546.002.md) | [Systemd Service](../../T1543.002/T1543.002.md) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | [Security Support Provider](../../T1547.005/T1547.005.md) | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) |  |  |  |  |  |  |  |
-|  |  | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | [Services File Permissions Weakness](../../T1574.010/T1574.010.md) | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Token Impersonation/Theft [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | [Shortcut Modification](../../T1547.009/T1547.009.md) | [Trap](../../T1546.005/T1546.005.md) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | [Startup Items](../../T1037.005/T1037.005.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Hollowing](../../T1055.012/T1055.012.md) |  |  |  |  |  |  |  |
-|  |  | [Systemd Service](../../T1543.002/T1543.002.md) | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Process Injection](../../T1055/T1055.md) |  |  |  |  |  |  |  |
-|  |  | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Windows Service](../../T1543.003/T1543.003.md) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [PubPrn](../../T1216.001/T1216.001.md) |  |  |  |  |  |  |  |
-|  |  | [Transport Agent](../../T1505.002/T1505.002.md) |  | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | [Trap](../../T1546.005/T1546.005.md) |  | [Regsvcs/Regasm](../../T1218.009/T1218.009.md) |  |  |  |  |  |  |  |
-|  |  | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Regsvr32](../../T1218.010/T1218.010.md) |  |  |  |  |  |  |  |
-|  |  | [Web Shell](../../T1505.003/T1505.003.md) |  | [Rename System Utilities](../../T1036.003/T1036.003.md) |  |  |  |  |  |  |  |
-|  |  | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) |  | Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | [Windows Service](../../T1543.003/T1543.003.md) |  | Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) |  | [Rogue Domain Controller](../../T1207/T1207.md) |  |  |  |  |  |  |  |
+| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
+| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Additional Azure Service Principal Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Binary Padding](../../T1027.001/T1027.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Account](../../T1087.002/T1087.002.md) | [Pass the Ticket](../../T1550.003/T1550.003.md) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | At (Linux) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [CMSTP](../../T1218.003/T1218.003.md) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Groups](../../T1069.002/T1069.002.md) | RDP Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | At (Linux) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Domain Trust Discovery](../../T1482/T1482.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | [BITS Jobs](../../T1197/T1197.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [Launchd](../../T1053.004/T1053.004.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
+| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Share Discovery](../../T1135/T1135.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | [Browser Extensions](../../T1176/T1176.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell](../../T1059.001/T1059.001.md) | COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Password Policy Discovery](../../T1201/T1201.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  | [Scheduled Task](../../T1053.005/T1053.005.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kerberoasting](../../T1558.003/T1558.003.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) |  | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
+|  | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keychain](../../T1555.001/T1555.001.md) | [Process Discovery](../../T1057/T1057.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | [Query Registry](../../T1012/T1012.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Data Staging](../../T1074.001/T1074.001.md) |  | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  | [Service Execution](../../T1569.002/T1569.002.md) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | [Local Email Collection](../../T1114.001/T1114.001.md) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
+|  | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | LSA Secrets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) |  | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LSASS Memory](../../T1003.001/T1003.001.md) | [Software Discovery](../../T1518/T1518.md) |  | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
+|  | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) |  | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  | [Unix Shell](../../T1059.004/T1059.004.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Volume Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | [Screen Capture](../../T1113/T1113.md) |  | [Non-Standard Port](../../T1571/T1571.md) |  |
+|  | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Emond](../../T1546.014/T1546.014.md) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [Network Sniffing](../../T1040/T1040.md) | [System Network Connections Discovery](../../T1049/T1049.md) |  | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Owner/User Discovery](../../T1033/T1033.md) |  | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  | [Windows Command Shell](../../T1059.003/T1059.003.md) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Service Discovery](../../T1007/T1007.md) |  | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  | [Windows Management Instrumentation](../../T1047/T1047.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | [Password Filter DLL](../../T1556.002/T1556.002.md) | [System Time Discovery](../../T1124/T1124.md) |  |  |  | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | [Emond](../../T1546.014/T1546.014.md) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  | [Remote Access Software](../../T1219/T1219.md) |  |
+|  |  | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  | [Standard Encoding](../../T1132.001/T1132.001.md) |  |
+|  |  | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) |  |  |  |  | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Account Manager](../../T1003.002/T1003.002.md) |  |  |  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  | [Web Protocols](../../T1071.001/T1071.001.md) |  |
+|  |  | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Launch Agent](../../T1543.001/T1543.001.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |
+|  |  | Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |
+|  |  | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Launchd](../../T1053.004/T1053.004.md) | [File Deletion](../../T1070.004/T1070.004.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |
+|  |  | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |
+|  |  | [LD_PRELOAD](../../T1574.006/T1574.006.md) | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Gatekeeper Bypass](../../T1553.001/T1553.001.md) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |
+|  |  | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |
+|  |  | [Launch Agent](../../T1543.001/T1543.001.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [HISTCONTROL](../../T1562.003/T1562.003.md) |  |  |  |  |  |  |  |
+|  |  | [Launch Daemon](../../T1543.004/T1543.004.md) | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | [Launchd](../../T1053.004/T1053.004.md) | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) |  |  |  |  |  |  |  |
+|  |  | [Local Account](../../T1136.001/T1136.001.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | [Hidden Users](../../T1564.002/T1564.002.md) |  |  |  |  |  |  |  |
+|  |  | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Window](../../T1564.003/T1564.003.md) |  |  |  |  |  |  |  |
+|  |  | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Plist Modification](../../T1547.011/T1547.011.md) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indicator Removal on Host](../../T1070/T1070.md) |  |  |  |  |  |  |  |
+|  |  | Office Test [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Indirect Command Execution](../../T1202/T1202.md) |  |  |  |  |  |  |  |
+|  |  | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Install Root Certificate](../../T1553.004/T1553.004.md) |  |  |  |  |  |  |  |
+|  |  | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [InstallUtil](../../T1218.004/T1218.004.md) |  |  |  |  |  |  |  |
+|  |  | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Hollowing](../../T1055.012/T1055.012.md) | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Injection](../../T1055/T1055.md) | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LD_PRELOAD](../../T1574.006/T1574.006.md) |  |  |  |  |  |  |  |
+|  |  | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Rc.common](../../T1037.004/T1037.004.md) | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) |  |  |  |  |  |  |  |
+|  |  | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Re-opened Applications](../../T1547.007/T1547.007.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | [Plist Modification](../../T1547.011/T1547.011.md) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [MSBuild](../../T1127.001/T1127.001.md) |  |  |  |  |  |  |  |
+|  |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | [PowerShell Profile](../../T1546.013/T1546.013.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screensaver](../../T1546.002/T1546.002.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | [Rc.common](../../T1037.004/T1037.004.md) | [Security Support Provider](../../T1547.005/T1547.005.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | [Re-opened Applications](../../T1547.007/T1547.007.md) | [Services File Permissions Weakness](../../T1574.010/T1574.010.md) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Modify Registry](../../T1112/T1112.md) |  |  |  |  |  |  |  |
+|  |  | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | [Mshta](../../T1218.005/T1218.005.md) |  |  |  |  |  |  |  |
+|  |  | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Shortcut Modification](../../T1547.009/T1547.009.md) | [Msiexec](../../T1218.007/T1218.007.md) |  |  |  |  |  |  |  |
+|  |  | SSH Authorized Keys [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Startup Items](../../T1037.005/T1037.005.md) | [NTFS File Attributes](../../T1564.004/T1564.004.md) |  |  |  |  |  |  |  |
+|  |  | [Scheduled Task](../../T1053.005/T1053.005.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Network Share Connection Removal](../../T1070.005/T1070.005.md) |  |  |  |  |  |  |  |
+|  |  | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Systemd Service](../../T1543.002/T1543.002.md) | [Obfuscated Files or Information](../../T1027/T1027.md) |  |  |  |  |  |  |  |
+|  |  | [Screensaver](../../T1546.002/T1546.002.md) | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Odbcconf](../../T1218.008/T1218.008.md) |  |  |  |  |  |  |  |
+|  |  | [Security Support Provider](../../T1547.005/T1547.005.md) | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) |  |  |  |  |  |  |  |
+|  |  | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) |  |  |  |  |  |  |  |
+|  |  | [Services File Permissions Weakness](../../T1574.010/T1574.010.md) | Token Impersonation/Theft [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) |  |  |  |  |  |  |  |
+|  |  | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Trap](../../T1546.005/T1546.005.md) | [Password Filter DLL](../../T1556.002/T1556.002.md) |  |  |  |  |  |  |  |
+|  |  | [Shortcut Modification](../../T1547.009/T1547.009.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | [Startup Items](../../T1037.005/T1037.005.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) |  |  |  |  |  |  |  |
+|  |  | [Systemd Service](../../T1543.002/T1543.002.md) | [Windows Service](../../T1543.003/T1543.003.md) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | [Transport Agent](../../T1505.002/T1505.002.md) |  | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | [Trap](../../T1546.005/T1546.005.md) |  | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | [Web Shell](../../T1505.003/T1505.003.md) |  | [Process Hollowing](../../T1055.012/T1055.012.md) |  |  |  |  |  |  |  |
+|  |  | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) |  | [Process Injection](../../T1055/T1055.md) |  |  |  |  |  |  |  |
+|  |  | [Windows Service](../../T1543.003/T1543.003.md) |  | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) |  | [PubPrn](../../T1216.001/T1216.001.md) |  |  |  |  |  |  |  |
+|  |  |  |  | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | [Regsvcs/Regasm](../../T1218.009/T1218.009.md) |  |  |  |  |  |  |  |
+|  |  |  |  | [Regsvr32](../../T1218.010/T1218.010.md) |  |  |  |  |  |  |  |
+|  |  |  |  | [Rename System Utilities](../../T1036.003/T1036.003.md) |  |  |  |  |  |  |  |
+|  |  |  |  | Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | [Rogue Domain Controller](../../T1207/T1207.md) |  |  |  |  |  |  |  |
 |  |  |  |  | [Rootkit](../../T1014/T1014.md) |  |  |  |  |  |  |  |
+|  |  |  |  | Run Virtual Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Rundll32](../../T1218.011/T1218.011.md) |  |  |  |  |  |  |  |
 |  |  |  |  | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
@@ -116,7 +126,7 @@
 |  |  |  |  | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  |  |  | [Timestomp](../../T1551.006/T1551.006.md) |  |  |  |  |  |  |  |
+|  |  |  |  | [Timestomp](../../T1070.006/T1070.006.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Token Impersonation/Theft [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |

atomics/Indexes/Matrices/windows-matrix.md

@@ -4,72 +4,76 @@
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive Collected Data](../../T1560/T1560.md) | [Automated Exfiltration](../../T1020/T1020.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) |
 | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Window Discovery](../../T1010/T1010.md) | Distributed Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Transfer Size Limits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Alternative Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1087.002/T1087.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
-| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | Binary Padding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [File and Directory Discovery](../../T1083/T1083.md) | RDP Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | [BITS Jobs](../../T1197/T1197.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1551.001/T1551.001.md) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell](../../T1059.001/T1059.001.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Sniffing](../../T1040/T1040.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | [Control Panel](../../T1218.002/T1218.002.md) | Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
-| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) |  | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Execution](../../T1569.002/T1569.002.md) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Process Discovery](../../T1057/T1057.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | [Query Registry](../../T1012/T1012.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) |  | [Ingress Tool Transfer](../../T1105/T1105.md) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Internal Proxy](../../T1090.001/T1090.001.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Volume Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LSA Secrets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) |  | [Local Data Staging](../../T1074.001/T1074.001.md) |  | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [Software Discovery](../../T1518/T1518.md) |  | [Local Email Collection](../../T1114.001/T1114.001.md) |  | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  | VBScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) |  | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  | [Windows Command Shell](../../T1059.003/T1059.003.md) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
-|  | [Windows Management Instrumentation](../../T1047/T1047.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Connections Discovery](../../T1049/T1049.md) |  | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  |  | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [System Owner/User Discovery](../../T1033/T1033.md) |  | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Non-Application Layer Protocol](../../T1095/T1095.md) | [System Shutdown/Reboot](../../T1529/T1529.md) |
-|  |  | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Service Discovery](../../T1007/T1007.md) |  | Screen Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  |  | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Time Discovery](../../T1124/T1124.md) |  | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Non-Standard Port](../../T1571/T1571.md) |  |
-|  |  | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Filter DLL](../../T1556.002/T1556.002.md) |  |  | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) |  |  | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) |  |  |  |  | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | [File Deletion](../../T1551.004/T1551.004.md) | [Private Keys](../../T1552.004/T1552.004.md) |  |  |  |  | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Account Manager](../../T1003.002/T1003.002.md) |  |  |  |  | [Remote Access Software](../../T1219/T1219.md) |  |
-|  |  | [Local Account](../../T1136.001/T1136.001.md) | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  | Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | [Hidden Window](../../T1564.003/T1564.003.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  | [Web Protocols](../../T1071.001/T1071.001.md) |  |
-|  |  | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |
-|  |  | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | Office Test [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indicator Removal on Host](../../T1551/T1551.md) |  |  |  |  |  |  |  |
-|  |  | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Indirect Command Execution](../../T1202/T1202.md) |  |  |  |  |  |  |  |
-|  |  | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Install Root Certificate](../../T1553.004/T1553.004.md) |  |  |  |  |  |  |  |
-|  |  | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Hollowing](../../T1055.012/T1055.012.md) | [InstallUtil](../../T1218.004/T1218.004.md) |  |  |  |  |  |  |  |
-|  |  | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Injection](../../T1055/T1055.md) | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [MSBuild](../../T1127.001/T1127.001.md) |  |  |  |  |  |  |  |
-|  |  | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | [PowerShell Profile](../../T1546.013/T1546.013.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screensaver](../../T1546.002/T1546.002.md) | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Services File Permissions Weakness](../../T1574.010/T1574.010.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Modify Registry](../../T1112/T1112.md) |  |  |  |  |  |  |  |
-|  |  | [Scheduled Task](../../T1053.005/T1053.005.md) | [Shortcut Modification](../../T1547.009/T1547.009.md) | [Mshta](../../T1218.005/T1218.005.md) |  |  |  |  |  |  |  |
-|  |  | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Msiexec](../../T1218.007/T1218.007.md) |  |  |  |  |  |  |  |
-|  |  | [Screensaver](../../T1546.002/T1546.002.md) | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTFS File Attributes](../../T1564.004/T1564.004.md) |  |  |  |  |  |  |  |
-|  |  | [Security Support Provider](../../T1547.005/T1547.005.md) | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Connection Removal](../../T1551.005/T1551.005.md) |  |  |  |  |  |  |  |
-|  |  | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Token Impersonation/Theft [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Obfuscated Files or Information](../../T1027/T1027.md) |  |  |  |  |  |  |  |
-|  |  | [Services File Permissions Weakness](../../T1574.010/T1574.010.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Odbcconf](../../T1218.008/T1218.008.md) |  |  |  |  |  |  |  |
-|  |  | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) |  |  |  |  |  |  |  |
-|  |  | [Shortcut Modification](../../T1547.009/T1547.009.md) | [Windows Service](../../T1543.003/T1543.003.md) | [Pass the Hash](../../T1550.002/T1550.002.md) |  |  |  |  |  |  |  |
-|  |  | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Pass the Ticket](../../T1550.003/T1550.003.md) |  |  |  |  |  |  |  |
-|  |  | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Password Filter DLL](../../T1556.002/T1556.002.md) |  |  |  |  |  |  |  |
+| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1087.002/T1087.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
+| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | Binary Padding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [File and Directory Discovery](../../T1083/T1083.md) | RDP Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [PowerShell](../../T1059.001/T1059.001.md) | [Browser Extensions](../../T1176/T1176.md) | COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](../../T1218.001/T1218.001.md) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Sniffing](../../T1040/T1040.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | [Control Panel](../../T1218.002/T1218.002.md) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
+| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) |  | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Process Discovery](../../T1057/T1057.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Execution](../../T1569.002/T1569.002.md) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Query Registry](../../T1012/T1012.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | LSA Secrets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) |  | [Local Data Staging](../../T1074.001/T1074.001.md) |  | [Internal Proxy](../../T1090.001/T1090.001.md) | Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Volume Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LSASS Memory](../../T1003.001/T1003.001.md) | [Software Discovery](../../T1518/T1518.md) |  | [Local Email Collection](../../T1114.001/T1114.001.md) |  | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) |  | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
+|  | [Windows Command Shell](../../T1059.003/T1059.003.md) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  | [Windows Management Instrumentation](../../T1047/T1047.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [System Network Connections Discovery](../../T1049/T1049.md) |  | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
+|  |  | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Owner/User Discovery](../../T1033/T1033.md) |  | Screen Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+|  |  | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Service Discovery](../../T1007/T1007.md) |  | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Filter DLL](../../T1556.002/T1556.002.md) | [System Time Discovery](../../T1124/T1124.md) |  | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Non-Standard Port](../../T1571/T1571.md) |  |
+|  |  | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Account Manager](../../T1003.002/T1003.002.md) |  |  |  |  | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Deletion](../../T1070.004/T1070.004.md) | Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | [Local Account](../../T1136.001/T1136.001.md) | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  | [Remote Access Software](../../T1219/T1219.md) |  |
+|  |  | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  | Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Window](../../T1564.003/T1564.003.md) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | [Web Protocols](../../T1071.001/T1071.001.md) |  |
+|  |  | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
+|  |  | Office Test [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell Profile](../../T1546.013/T1546.013.md) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indicator Removal on Host](../../T1070/T1070.md) |  |  |  |  |  |  |  |
+|  |  | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Hollowing](../../T1055.012/T1055.012.md) | [Indirect Command Execution](../../T1202/T1202.md) |  |  |  |  |  |  |  |
+|  |  | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Injection](../../T1055/T1055.md) | [Install Root Certificate](../../T1553.004/T1553.004.md) |  |  |  |  |  |  |  |
+|  |  | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [InstallUtil](../../T1218.004/T1218.004.md) |  |  |  |  |  |  |  |
+|  |  | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [MSBuild](../../T1127.001/T1127.001.md) |  |  |  |  |  |  |  |
+|  |  | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Screensaver](../../T1546.002/T1546.002.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Services File Permissions Weakness](../../T1574.010/T1574.010.md) | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Shortcut Modification](../../T1547.009/T1547.009.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | [Scheduled Task](../../T1053.005/T1053.005.md) | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Modify Registry](../../T1112/T1112.md) |  |  |  |  |  |  |  |
+|  |  | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Mshta](../../T1218.005/T1218.005.md) |  |  |  |  |  |  |  |
+|  |  | [Screensaver](../../T1546.002/T1546.002.md) | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Msiexec](../../T1218.007/T1218.007.md) |  |  |  |  |  |  |  |
+|  |  | [Security Support Provider](../../T1547.005/T1547.005.md) | Token Impersonation/Theft [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTFS File Attributes](../../T1564.004/T1564.004.md) |  |  |  |  |  |  |  |
+|  |  | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Connection Removal](../../T1070.005/T1070.005.md) |  |  |  |  |  |  |  |
+|  |  | [Services File Permissions Weakness](../../T1574.010/T1574.010.md) | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Obfuscated Files or Information](../../T1027/T1027.md) |  |  |  |  |  |  |  |
+|  |  | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Windows Service](../../T1543.003/T1543.003.md) | [Odbcconf](../../T1218.008/T1218.008.md) |  |  |  |  |  |  |  |
+|  |  | [Shortcut Modification](../../T1547.009/T1547.009.md) | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) |  |  |  |  |  |  |  |
+|  |  | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Pass the Hash](../../T1550.002/T1550.002.md) |  |  |  |  |  |  |  |
+|  |  | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Pass the Ticket](../../T1550.003/T1550.003.md) |  |  |  |  |  |  |  |
+|  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Password Filter DLL](../../T1556.002/T1556.002.md) |  |  |  |  |  |  |  |
 |  |  | [Transport Agent](../../T1505.002/T1505.002.md) |  | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | [Web Shell](../../T1505.003/T1505.003.md) |  | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) |  |  |  |  |  |  |  |
-|  |  | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) |  | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | [Windows Service](../../T1543.003/T1543.003.md) |  | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) |  | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | [Windows Service](../../T1543.003/T1543.003.md) |  | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) |  | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Process Hollowing](../../T1055.012/T1055.012.md) |  |  |  |  |  |  |  |
 |  |  |  |  | [Process Injection](../../T1055/T1055.md) |  |  |  |  |  |  |  |
 |  |  |  |  | [PubPrn](../../T1216.001/T1216.001.md) |  |  |  |  |  |  |  |
@@ -80,6 +84,7 @@
 |  |  |  |  | Right-to-Left Override [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Rogue Domain Controller](../../T1207/T1207.md) |  |  |  |  |  |  |  |
 |  |  |  |  | [Rootkit](../../T1014/T1014.md) |  |  |  |  |  |  |  |
+|  |  |  |  | Run Virtual Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Rundll32](../../T1218.011/T1218.011.md) |  |  |  |  |  |  |  |
 |  |  |  |  | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
@@ -97,8 +102,9 @@
 |  |  |  |  | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  |  |  | [Timestomp](../../T1551.006/T1551.006.md) |  |  |  |  |  |  |  |
+|  |  |  |  | [Timestomp](../../T1070.006/T1070.006.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Token Impersonation/Theft [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |

atomics/T1018/T1018.md

@@ -2,7 +2,9 @@
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1018)
 <blockquote>Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as  [Ping](https://attack.mitre.org/software/S0097) or <code>net view</code> using [Net](https://attack.mitre.org/software/S0039). Adversaries may also use local host files (ex: <code>C:\Windows\System32\Drivers\etc\hosts</code> or <code>/etc/hosts</code>) in order to discover the hostname to IP address mappings of remote systems. 
 
-Specific to macOS, the <code>bonjour</code> protocol exists to discover additional Mac-based systems within the same broadcast domain. In cloud environments, many typical utilities may be used to discover remote systems depending upon the host operating system. In addition, cloud environments often provide APIs that serve information about remote systems and services.</blockquote>
+Specific to macOS, the <code>bonjour</code> protocol exists to discover additional Mac-based systems within the same broadcast domain.
+
+Within IaaS (Infrastructure as a Service) environments, remote systems include instances and virtual machines in various states, including the running or stopped state. Cloud providers have created methods to serve information about remote systems, such as APIs and CLIs. For example, AWS provides a <code>DescribeInstances</code> API within the Amazon EC2 API and a <code>describe-instances</code> command within the AWS CLI that can return information about all instances within an account.(Citation: Amazon Describe Instances API)(Citation: Amazon Describe Instances CLI) Similarly, GCP's Cloud SDK CLI provides the <code>gcloud compute instances list</code> command to list all Google Compute Engine instances in a project, and Azure's CLI <code>az vm list</code> lists details of virtual machines.(Citation: Google Compute Instances)(Citation: Azure VM List)</blockquote>
 
 ## Atomic Tests
 

atomics/T1027.001/T1027.001.md

@@ -2,7 +2,7 @@
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1027.001)
 <blockquote>Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations. 
 
-Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blacklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ) </blockquote>
+Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ) </blockquote>
 
 ## Atomic Tests
 

atomics/T1027/T1027.md

@@ -6,7 +6,7 @@ Payloads may be compressed, archived, or encrypted in order to avoid detection.
 
 Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)
 
-Adversaries may also obfuscate commands executed from payloads or directly via a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and whitelisting mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) </blockquote>
+Adversaries may also obfuscate commands executed from payloads or directly via a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) </blockquote>
 
 ## Atomic Tests
 

atomics/T1047/T1047.md

@@ -2,7 +2,7 @@
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1047)
 <blockquote>Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) (Citation: Wikipedia SMB) and Remote Procedure Call Service (RPCS) (Citation: TechNet RPC) for remote access. RPCS operates over port 135. (Citation: MSDN WMI)
 
-An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI 2015)</blockquote>
+An adversary can use WMI to interact with local and remote systems and use it as a means to perform many tactic functions, such as gathering information for Discovery and remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)</blockquote>
 
 ## Atomic Tests
 

atomics/T1059.004/T1059.004.md

@@ -1,8 +1,10 @@
-# T1059.004 - Bash
+# T1059.004 - Unix Shell
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1059.004)
-<blockquote>Adversaries may abuse Bash commands and scripts for execution. Bash, the primary macOS (through Mojave) and Linux shell, can control every aspect of a system, with certain commands requiring elevated privileges. 
+<blockquote>Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.
 
-Bash scripts (.sh) provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of Bash scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.</blockquote>
+Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.
+
+Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with [SSH](https://attack.mitre.org/techniques/T1021/004). Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.</blockquote>
 
 ## Atomic Tests
 

atomics/T1070.001/T1070.001.md

@@ -1,5 +1,5 @@
-# T1551.001 - Clear Windows Event Logs
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1551.001)
+# T1070.001 - Clear Windows Event Logs
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1070.001)
 <blockquote>Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer's alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.
 
 The event logs can be cleared with the following utility commands:

atomics/T1070.001/T1070.001.yaml

@@ -1,4 +1,4 @@
-attack_technique: T1551.001
+attack_technique: T1070.001
 display_name: 'Indicator Removal on Host: Clear Windows Event Logs'
 atomic_tests:
 - name: Clear Logs

atomics/T1070.002/T1070.002.md

@@ -1,5 +1,5 @@
-# T1551.002 - Clear Linux or Mac System Logs
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1551.002)
+# T1070.002 - Clear Linux or Mac System Logs
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1070.002)
 <blockquote>Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the <code>/var/log/</code> directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)
 
 * <code>/var/log/messages:</code>: General and system-related messages

atomics/T1070.002/T1070.002.yaml

@@ -1,4 +1,4 @@
-attack_technique: T1551.002
+attack_technique: T1070.002
 display_name: 'Indicator Removal on Host: Clear Linux or Mac System Logs'
 atomic_tests:
 - name: rm -rf

atomics/T1070.003/T1070.003.md

@@ -1,5 +1,5 @@
-# T1551.003 - Clear Command History
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1551.003)
+# T1070.003 - Clear Command History
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1070.003)
 <blockquote>In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. macOS and Linux both keep track of the commands users type in their terminal so that users can retrace what they've done.
 
 These logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. When a user logs off a system, this information is flushed to a file in the user's home directory called <code>~/.bash_history</code>. The benefit of this is that it allows users to go back to commands they've used before in different sessions.

atomics/T1070.003/T1070.003.yaml

@@ -1,4 +1,4 @@
-attack_technique: T1551.003
+attack_technique: T1070.003
 display_name: 'Indicator Removal on Host: Clear Command History'
 atomic_tests:
 - name: Clear Bash history (rm)

atomics/T1070.004/T1070.004.md

@@ -1,5 +1,5 @@
-# T1551.004 - File Deletion
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1551.004)
+# T1070.004 - File Deletion
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1070.004)
 <blockquote>Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
 
 There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native [cmd](https://attack.mitre.org/software/S0106) functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools)</blockquote>

atomics/T1070.004/T1070.004.yaml

@@ -1,4 +1,4 @@
-attack_technique: T1551.004
+attack_technique: T1070.004
 display_name: 'Indicator Removal on Host: File Deletion'
 atomic_tests:
 - name: Delete a single file - Linux/macOS

atomics/T1070.005/T1070.005.md

@@ -1,5 +1,5 @@
-# T1551.005 - Network Share Connection Removal
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1551.005)
+# T1070.005 - Network Share Connection Removal
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1070.005)
 <blockquote>Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) connections can be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) is an example utility that can be used to remove network share connections with the <code>net use \\system\share /delete</code> command. (Citation: Technet Net Use)</blockquote>
 
 ## Atomic Tests

atomics/T1070.005/T1070.005.yaml

@@ -1,4 +1,4 @@
-attack_technique: T1551.005
+attack_technique: T1070.005
 display_name: 'Indicator Removal on Host: Network Share Connection Removal'
 atomic_tests:
 - name: Add Network Share

atomics/T1070.006/T1070.006.md

@@ -1,5 +1,5 @@
-# T1551.006 - Timestomp
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1551.006)
+# T1070.006 - Timestomp
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1070.006)
 <blockquote>Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
 
 Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)</blockquote>

atomics/T1070.006/T1070.006.yaml

@@ -1,4 +1,4 @@
-attack_technique: T1551.006
+attack_technique: T1070.006
 display_name: 'Indicator Removal on Host: Timestomp'
 atomic_tests:
 - name: Set a file's access timestamp

atomics/T1070/T1070.md

@@ -1,5 +1,5 @@
-# T1551 - Indicator Removal on Host
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1551)
+# T1070 - Indicator Removal on Host
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1070)
 <blockquote>Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and format of logs are platform or product-specific, however standard operating system logs are captured as Windows events or Linux/macOS files such as [Bash History](https://attack.mitre.org/techniques/T1139) and /var/log/*.
 
 These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This that may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.</blockquote>

atomics/T1070/T1070.yaml

@@ -1,4 +1,4 @@
-attack_technique: T1551
+attack_technique: T1070
 display_name: Indicator Removal on Host
 atomic_tests:
 - name: Indicator Removal using FSUtil

atomics/T1106/T1106.md

@@ -1,12 +1,12 @@
 # T1106 - Native API
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1106)
-<blockquote>Adversaries may interact with the native Windows application programming interface (API) to execute behaviors. Similar to the system call interface on UNIX systems, the Windows native API provides a controlled means to calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes. The native API is leveraged by the OS during system boot (when other system components are not yet initialized) but is also exposed to user-mode applications via ntdll.dll and ntoskrnl.exe.(Citation: Microsoft NativeAPI)
+<blockquote>Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
 
-Functionality provided by the native API is also available via the Windows API, which provides a documented programming interface. For example, functions such as the Windows API <code>CreateProcess</code> will allow programs and scripts to start other processes with proper path and argument parameters.(Citation: Microsoft CreateProcess) This allows API callers to execute a binary, run a CLI command, load modules, etc. Thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)
+Functionality provided by native APIs are often also exposed to user-mode applications via interfaces and libraries. For example, functions such as the Windows API <code>CreateProcess()</code> or GNU <code>fork()</code> will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)
 
-Other software frameworks, such as Microsoft .NET, are also available to interact with the native API. These frameworks typically provide wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)
+Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)
 
-Adversaries may abuse the native API as a means of execution. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API, and its hierarchy of interfaces, provide mechanisms to interact with and utilize a victimized system. </blockquote>
+Adversaries may abuse these native API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces, provide mechanisms to interact with and utilize various components of a victimized system.</blockquote>
 
 ## Atomic Tests
 

atomics/T1119/T1119.md

@@ -1,8 +1,8 @@
 # T1119 - Automated Collection
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1119)
-<blockquote>Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of [Scripting](https://attack.mitre.org/techniques/T1064) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools. 
+<blockquote>Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools. 
 
-This technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) to identify and move files.</blockquote>
+This technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files.</blockquote>
 
 ## Atomic Tests
 

atomics/T1127.001/T1127.001.md

@@ -2,7 +2,7 @@
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1127.001)
 <blockquote>Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild)
 
-Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into an XML project file.(Citation: MSDN MSBuild) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application whitelisting defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)</blockquote>
+Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into an XML project file.(Citation: MSDN MSBuild) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)</blockquote>
 
 ## Atomic Tests
 

atomics/T1134.004/T1134.004.md

@@ -2,7 +2,7 @@
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1134.004)
 <blockquote>Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the <code>CreateProcess</code> API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via <code>svchost.exe</code> or <code>consent.exe</code>) rather than the current user context.(Citation: Microsoft UAC Nov 2018)
 
-Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1086)/[Rundll32](https://attack.mitre.org/techniques/T1085) to be <code>explorer.exe</code> rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [VBScript](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
+Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](https://attack.mitre.org/techniques/T1086)/[Rundll32](https://attack.mitre.org/techniques/T1085) to be <code>explorer.exe</code> rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)
 
 Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as <code>lsass.exe</code>), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)</blockquote>
 

atomics/T1216.001/T1216.001.md

@@ -1,6 +1,6 @@
 # T1216.001 - PubPrn
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1216.001)
-<blockquote>Adversaries may use the trusted PubPrn script to proxy execution of malicious files. This behavior may bypass signature validation restrictions and application whitelisting solutions that do not account for use of these scripts.
+<blockquote>Adversaries may use the trusted PubPrn script to proxy execution of malicious files. This behavior may bypass signature validation restrictions and application control solutions that do not account for use of these scripts.
 
 <code>PubPrn.vbs</code> is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script is signed by Microsoft and can be used to proxy execution from a remote site.(Citation: Enigma0x3 PubPrn Bypass) An example command is <code>cscript C[:]\Windows\System32\Printing_Admin_Scripts\en-US\pubprn[.]vbs 127.0.0.1 script:http[:]//192.168.1.100/hi.png</code>.</blockquote>
 

atomics/T1216/T1216.md

@@ -1,6 +1,6 @@
 # T1216 - Signed Script Proxy Execution
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1216)
-<blockquote>Adversaries may use scripts signed with trusted certificates to proxy execution of malicious files. Several Microsoft signed scripts that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application whitelisting and signature validation on systems.(Citation: GitHub Ultimate AppLocker Bypass List)</blockquote>
+<blockquote>Adversaries may use scripts signed with trusted certificates to proxy execution of malicious files. Several Microsoft signed scripts that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.(Citation: GitHub Ultimate AppLocker Bypass List)</blockquote>
 
 ## Atomic Tests
 

atomics/T1218.001/T1218.001.md

@@ -2,7 +2,7 @@
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1218.001)
 <blockquote>Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program)
 
-A custom CHM file containing embedded payloads could be delivered to a victim then triggered by [User Execution](https://attack.mitre.org/techniques/T1204). CHM execution may also bypass application whitelisting on older and/or unpatched systems that do not account for execution of binaries through hh.exe. (Citation: MsitPros CHM Aug 2017) (Citation: Microsoft CVE-2017-8625 Aug 2017)</blockquote>
+A custom CHM file containing embedded payloads could be delivered to a victim then triggered by [User Execution](https://attack.mitre.org/techniques/T1204). CHM execution may also bypass application application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe. (Citation: MsitPros CHM Aug 2017) (Citation: Microsoft CVE-2017-8625 Aug 2017)</blockquote>
 
 ## Atomic Tests
 

atomics/T1218.002/T1218.002.md

@@ -4,7 +4,7 @@
 
 For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel. (Citation: Microsoft Implementing CPL)
 
-Malicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware. (Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension whitelisting.</blockquote>
+Malicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware. (Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.</blockquote>
 
 ## Atomic Tests
 

atomics/T1218.003/T1218.003.md

@@ -2,7 +2,7 @@
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1218.003)
 <blockquote>Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.
 
-Adversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017)  and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other whitelisting defenses since CMSTP.exe is a legitimate, signed Microsoft application.
+Adversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017)  and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application.
 
 CMSTP.exe can also be abused to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)</blockquote>
 

atomics/T1218.004/T1218.004.md

@@ -2,7 +2,7 @@
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1218.004)
 <blockquote>Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: <code>C:\Windows\Microsoft.NET\Framework\v<version>\InstallUtil.exe</code> and <code>C:\Windows\Microsoft.NET\Framework64\v<version>\InstallUtil.exe</code>.
 
-InstallUtil may also be used to bypass process whitelisting through use of attributes within the binary that execute the class decorated with the attribute <code>[System.ComponentModel.RunInstaller(true)]</code>. (Citation: LOLBAS Installutil)</blockquote>
+InstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute <code>[System.ComponentModel.RunInstaller(true)]</code>. (Citation: LOLBAS Installutil)</blockquote>
 
 ## Atomic Tests
 

atomics/T1218.005/T1218.005.md

@@ -8,7 +8,7 @@ Files may be executed by mshta.exe through an inline script: <code>mshta vbscrip
 
 They may also be executed directly from URLs: <code>mshta http[:]//webserver/payload[.]hta</code>
 
-Mshta.exe can be used to bypass application whitelisting solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta)</blockquote>
+Mshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta)</blockquote>
 
 ## Atomic Tests
 

atomics/T1218.007/T1218.007.md

@@ -2,7 +2,7 @@
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1218.007)
 <blockquote>Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) Msiexec.exe is digitally signed by Microsoft.
 
-Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it is signed and native on Windows systems, msiexec.exe can be used to bypass application whitelisting solutions that do not account for its potential abuse.</blockquote>
+Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it is signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse.</blockquote>
 
 ## Atomic Tests
 

atomics/T1218.008/T1218.008.md

@@ -2,7 +2,7 @@
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1218.008)
 <blockquote>Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) Odbcconf.exe is digitally signed by Microsoft.
 
-Adversaries may abuse odbcconf.exe to bypass application whitelisting solutions that do not account for its potential abuse. Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010), odbcconf.exe has a <code>REGSVR</code> flag that can be misused to execute DLLs (ex: <code>odbcconf.exe /S /A &lbrace;REGSVR "C:\Users\Public\file.dll"&rbrace;</code>). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017) 
+Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010), odbcconf.exe has a <code>REGSVR</code> flag that can be misused to execute DLLs (ex: <code>odbcconf.exe /S /A &lbrace;REGSVR "C:\Users\Public\file.dll"&rbrace;</code>). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017) 
 </blockquote>
 
 ## Atomic Tests

atomics/T1218.009/T1218.009.md

@@ -2,7 +2,7 @@
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1218.009)
 <blockquote>Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)
 
-Both utilities may be used to bypass process whitelisting through use of attributes within the binary to specify code that should be run before registration or unregistration: <code>[ComRegisterFunction]</code> or <code>[ComUnregisterFunction]</code> respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm)</blockquote>
+Both utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: <code>[ComRegisterFunction]</code> or <code>[ComUnregisterFunction]</code> respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm)</blockquote>
 
 ## Atomic Tests
 

atomics/T1218.010/T1218.010.md

@@ -2,7 +2,7 @@
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1218.010)
 <blockquote>Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary. (Citation: Microsoft Regsvr32)
 
-Malicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of whitelists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass process whitelisting using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is often referred to as a "Squiblydoo" attack and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov)
+Malicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is often referred to as a "Squiblydoo" attack and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov)
 
 Regsvr32.exe can also be leveraged to register a COM Object used to establish persistence via [Component Object Model Hijacking](https://attack.mitre.org/techniques/T1546/015). (Citation: Carbon Black Squiblydoo Apr 2016)</blockquote>
 

atomics/T1218.011/T1218.011.md

@@ -1,6 +1,6 @@
 # T1218.011 - Rundll32
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1218.011)
-<blockquote>Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
+<blockquote>Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
 
 Rundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions <code>Control_RunDLL</code> and <code>Control_RunDLLAsUser</code>. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)
 

atomics/T1219/T1219.md

@@ -1,6 +1,6 @@
 # T1219 - Remote Access Software
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1219)
-<blockquote>An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be whitelisted within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+<blockquote>An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
 
 Remote access tools may be established and used post-compromise as alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.
 

atomics/T1220/T1220.md

@@ -1,8 +1,8 @@
 # T1220 - XSL Script Processing
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1220)
-<blockquote>Adversaries may bypass application whitelisting and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)
+<blockquote>Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)
 
-Adversaries may abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. Similar to [Trusted Developer Utilities Proxy Execution](https://attack.mitre.org/techniques/T1127), the Microsoft common line transformation utility binary (msxsl.exe) (Citation: Microsoft msxsl.exe) can be installed and used to execute malicious JavaScript embedded within local or remote (URL referenced) XSL files. (Citation: Penetration Testing Lab MSXSL July 2017) Since msxsl.exe is not installed by default, an adversary will likely need to package it with dropped files. (Citation: Reaqta MSXSL Spearphishing MAR 2018) Msxsl.exe takes two main arguments, an XML source file and an XSL stylesheet. Since the XSL file is valid XML, the adversary may call the same XSL file twice. When using msxsl.exe adversaries may also give the XML/XSL files an arbitrary file extension.(Citation: XSL Bypass Mar 2019)
+Adversaries may abuse this functionality to execute arbitrary files while potentially bypassing application control. Similar to [Trusted Developer Utilities Proxy Execution](https://attack.mitre.org/techniques/T1127), the Microsoft common line transformation utility binary (msxsl.exe) (Citation: Microsoft msxsl.exe) can be installed and used to execute malicious JavaScript embedded within local or remote (URL referenced) XSL files. (Citation: Penetration Testing Lab MSXSL July 2017) Since msxsl.exe is not installed by default, an adversary will likely need to package it with dropped files. (Citation: Reaqta MSXSL Spearphishing MAR 2018) Msxsl.exe takes two main arguments, an XML source file and an XSL stylesheet. Since the XSL file is valid XML, the adversary may call the same XSL file twice. When using msxsl.exe adversaries may also give the XML/XSL files an arbitrary file extension.(Citation: XSL Bypass Mar 2019)
 
 Command-line examples:(Citation: Penetration Testing Lab MSXSL July 2017)(Citation: XSL Bypass Mar 2019)
 

atomics/T1518.001/T1518.001.md

@@ -1,8 +1,10 @@
 # T1518.001 - Security Software Discovery
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1518.001)
-<blockquote>Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+<blockquote>Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
 
-Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), <code>reg query</code> with [Reg](https://attack.mitre.org/software/S0075), <code>dir</code> with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.</blockquote>
+Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), <code>reg query</code> with [Reg](https://attack.mitre.org/software/S0075), <code>dir</code> with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.
+
+Adversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS)</blockquote>
 
 ## Atomic Tests
 

atomics/T1518/T1518.md

@@ -1,6 +1,6 @@
 # T1518 - Software Discovery
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1518)
-<blockquote>Adversaries may attempt to get a listing of software and software versions that are installed on a system. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
+<blockquote>Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
 
 Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).</blockquote>
 

atomics/T1546.003/T1546.003.md

@@ -2,7 +2,7 @@
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1546.003)
 <blockquote>Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user loging, or the computer's uptime. (Citation: Mandiant M-Trends 2015)
 
-Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription. (Citation: Dell WMI Persistence) (Citation: Microsoft MOF May 2018)
+Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription. (Citation: Dell WMI Persistence) (Citation: Microsoft MOF May 2018)
 
 WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.</blockquote>
 

atomics/T1546.008/T1546.008.md

@@ -8,7 +8,7 @@ Depending on the version of Windows, an adversary may take advantage of these fe
 
 For simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., <code>C:\Windows\System32\utilman.exe</code>) may be replaced with "cmd.exe" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014)
 
-Other accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)
+Other accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)(Citation: Narrator Accessibility Abuse)
 
 * On-Screen Keyboard: <code>C:\Windows\System32\osk.exe</code>
 * Magnifier: <code>C:\Windows\System32\Magnify.exe</code>

atomics/T1546.011/T1546.011.md

@@ -16,7 +16,7 @@ Custom databases are stored in:
 
 To keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).
 
-Utilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. Shims can also be abused to establish persistence by continuously being invoked by affected programs.</blockquote>
+Utilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. (Citation: FireEye Application Shimming) Shims can also be abused to establish persistence by continuously being invoked by affected programs.</blockquote>
 
 ## Atomic Tests
 

atomics/T1547.004/T1547.004.md

@@ -1,7 +1,6 @@
 # T1547.004 - Winlogon Helper DLL
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1547.004)
-<blockquote>
-Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in <code>HKLM\Software[\\Wow6432Node\\]\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> and <code>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013) 
+<blockquote>Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in <code>HKLM\Software[\\Wow6432Node\\]\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> and <code>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013) 
 
 Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013)
 

atomics/T1547.006/T1547.006.md

@@ -6,7 +6,7 @@ When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attac
 
 Kernel extensions, also called kext, are used for macOS to load functionality onto a system similar to LKMs for Linux. They are loaded and unloaded through <code>kextload</code> and <code>kextunload</code> commands.
 
-Adversaries can use LKMs and kexts to covertly persist on a system and elevate privileges. Examples have been found in the wild and there are some open source projects. (Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle) (Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir)</blockquote>
+Adversaries can use LKMs and kexts to covertly persist on a system and elevate privileges. Examples have been found in the wild and there are some open source projects. (Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle) (Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir) (Citation: Trend Micro Skidmap)</blockquote>
 
 ## Atomic Tests
 

atomics/T1564.003/T1564.003.md

@@ -2,7 +2,7 @@
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1564.003)
 <blockquote>Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. 
 
-On Windows, there are a variety of features in scripting languages in Windows, such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), Jscript, and [VBScript](https://attack.mitre.org/techniques/T1059/005) to make windows hidden. One example of this is <code>powershell.exe -WindowStyle Hidden</code>. (Citation: PowerShell About 2019)
+On Windows, there are a variety of features in scripting languages in Windows, such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), Jscript, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005) to make windows hidden. One example of this is <code>powershell.exe -WindowStyle Hidden</code>. (Citation: PowerShell About 2019)
 
 Similarly, on macOS the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be <code>apple.awt.UIElement</code>, which allows for Java applications to prevent the application's icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don't also want to show up in the Dock.
 

atomics/T1569.001/T1569.001.md

@@ -4,7 +4,7 @@
 
 By loading or reloading [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s, adversaries can install persistence or execute changes they made.(Citation: Sofacy Komplex Trojan)
 
-Running a command from launchctl is as simple as <code>launchctl submit -l <labelName> -- /Path/to/thing/to/execute "arg" "arg" "arg"</code>. Adversaries can abuse this functionality to execute code or even bypass whitelisting if launchctl is an allowed process.</blockquote>
+Running a command from launchctl is as simple as <code>launchctl submit -l <labelName> -- /Path/to/thing/to/execute "arg" "arg" "arg"</code>. Adversaries can abuse this functionality to execute code or even bypass application control if launchctl is an allowed process.</blockquote>
 
 ## Atomic Tests
 

atomics/T1574.006/T1574.006.md

@@ -1,8 +1,10 @@
 # T1574.006 - LD_PRELOAD
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1574.006)
-<blockquote>Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may set the LD_PRELOAD environment variable to point at malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. This environment variable is used to control when different shared libraries are loaded by a program.(Citation: TLDP Shared Libraries) Libraries specified by this variable with be loaded and mapped into memory by <code>dlopen()</code> and <code>mmap()</code> respectively.(Citation: Code Injection on Linux and macOS) (Citation: Uninformed Needle) (Citation: Phrack halfdead 1997)
+<blockquote>Adversaries may execute their own malicious payloads by hijacking the dynamic linker used to load libraries. The dynamic linker is used to load shared library dependencies needed by an executing program. The dynamic linker will typically check provided absolute paths and common directories for these dependencies, but can be overridden by shared objects specified by LD_PRELOAD to be loaded before all others.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)
 
-LD_PRELOAD hijacking is a method of executing arbitrary code, abusing how environment variables are used to load alternate shared libraries during process execution. LD_PRELOAD hijacking may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via LD_PRELOAD hijacking may also evade detection from security products since the execution is masked under a legitimate process.</blockquote>
+Adversaries may set LD_PRELOAD to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary's malicious code upon execution of the victim program. LD_PRELOAD can be set via the environment variable or <code>/etc/ld.so.preload</code> file.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) Libraries specified by LD_PRELOAD with be loaded and mapped into memory by <code>dlopen()</code> and <code>mmap()</code> respectively.(Citation: Code Injection on Linux and macOS) (Citation: Uninformed Needle) (Citation: Phrack halfdead 1997)
+
+LD_PRELOAD hijacking may grant access to the victim process's memory, system/network resources, and possibly elevated privileges. Execution via LD_PRELOAD hijacking may also evade detection from security products since the execution is masked under a legitimate process.</blockquote>
 
 ## Atomic Tests