Generate docs from job=validate_atomics_generate_docs branch=oscd

atomics/Indexes/Indexes-CSV/index.csv

@@ -44,6 +44,7 @@ privilege-escalation,T1134.004,Parent PID Spoofing,4,Parent PID Spoofing - Spawn
 privilege-escalation,T1134.004,Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell
 privilege-escalation,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
 privilege-escalation,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual
+privilege-escalation,T1547.010,Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt
 privilege-escalation,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
 privilege-escalation,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 privilege-escalation,T1055,Process Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
@@ -134,6 +135,7 @@ persistence,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-
 persistence,T1137.002,Office Test,1,Office Apllication Startup Test Persistence,c3e35b58-fe1c-480b-b540-7600fb612563,command_prompt
 persistence,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
 persistence,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual
+persistence,T1547.010,Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt
 persistence,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
 persistence,T1037.004,Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
 persistence,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -30,6 +30,7 @@ privilege-escalation,T1134.004,Parent PID Spoofing,3,Parent PID Spoofing - Spawn
 privilege-escalation,T1134.004,Parent PID Spoofing,4,Parent PID Spoofing - Spawn from svchost.exe,e9f2b777-3123-430b-805d-5cedc66ab591,powershell
 privilege-escalation,T1134.004,Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell
 privilege-escalation,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
+privilege-escalation,T1547.010,Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt
 privilege-escalation,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
 privilege-escalation,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 privilege-escalation,T1055,Process Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
@@ -259,6 +260,7 @@ persistence,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-
 persistence,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
 persistence,T1137.002,Office Test,1,Office Apllication Startup Test Persistence,c3e35b58-fe1c-480b-b540-7600fb612563,command_prompt
 persistence,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
+persistence,T1547.010,Port Monitors,1,Add Port Monitor persistence in Registry,d34ef297-f178-4462-871e-9ce618d44e50,command_prompt
 persistence,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
 persistence,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
 persistence,T1547.001,Registry Run Keys / Startup Folder,2,Reg Key RunOnce,554cbd88-cde1-4b56-8168-0be552eed9eb,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -100,7 +100,8 @@
   - Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
 - [T1547.011 Plist Modification](../../T1547.011/T1547.011.md)
   - Atomic Test #1: Plist Modification [macos]
-- T1547.010 Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1547.010 Port Monitors](../../T1547.010/T1547.010.md)
+  - Atomic Test #1: Add Port Monitor persistence in Registry [windows]
 - T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md)
   - Atomic Test #1: Append malicious start-process cmdlet [windows]
@@ -292,7 +293,8 @@
 - [T1547.011 Plist Modification](../../T1547.011/T1547.011.md)
   - Atomic Test #1: Plist Modification [macos]
 - T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1547.010 Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1547.010 Port Monitors](../../T1547.010/T1547.010.md)
+  - Atomic Test #1: Add Port Monitor persistence in Registry [windows]
 - [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md)
   - Atomic Test #1: Append malicious start-process cmdlet [windows]
 - T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -71,7 +71,8 @@
 - T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
   - Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
-- T1547.010 Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1547.010 Port Monitors](../../T1547.010/T1547.010.md)
+  - Atomic Test #1: Add Port Monitor persistence in Registry [windows]
 - T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md)
   - Atomic Test #1: Append malicious start-process cmdlet [windows]
@@ -487,7 +488,8 @@
 - [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
   - Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
 - T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1547.010 Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1547.010 Port Monitors](../../T1547.010/T1547.010.md)
+  - Atomic Test #1: Add Port Monitor persistence in Registry [windows]
 - [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md)
   - Atomic Test #1: Append malicious start-process cmdlet [windows]
 - T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

atomics/Indexes/Matrices/matrix.md

@@ -56,7 +56,7 @@
 |  |  | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Plist Modification](../../T1547.011/T1547.011.md) | [Indicator Blocking](../../T1562.006/T1562.006.md) |  |  |  |  |  |  |  |
-|  |  | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Port Monitors](../../T1547.010/T1547.010.md) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indicator Removal on Host](../../T1070/T1070.md) |  |  |  |  |  |  |  |
 |  |  | [Office Test](../../T1137.002/T1137.002.md) | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Indirect Command Execution](../../T1202/T1202.md) |  |  |  |  |  |  |  |
 |  |  | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Install Root Certificate](../../T1553.004/T1553.004.md) |  |  |  |  |  |  |  |
@@ -68,7 +68,7 @@
 |  |  | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Re-opened Applications](../../T1547.007/T1547.007.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | [Plist Modification](../../T1547.011/T1547.011.md) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [MSBuild](../../T1127.001/T1127.001.md) |  |  |  |  |  |  |  |
 |  |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) |  |  |  |  |  |  |  |
+|  |  | [Port Monitors](../../T1547.010/T1547.010.md) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) |  |  |  |  |  |  |  |
 |  |  | [PowerShell Profile](../../T1546.013/T1546.013.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screensaver](../../T1546.002/T1546.002.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | [Rc.common](../../T1037.004/T1037.004.md) | [Security Support Provider](../../T1547.005/T1547.005.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |

atomics/Indexes/Matrices/windows-matrix.md

@@ -41,7 +41,7 @@
 |  |  | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Window](../../T1564.003/T1564.003.md) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
 |  |  | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | [Web Protocols](../../T1071.001/T1071.001.md) |  |
 |  |  | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |
-|  |  | [Office Test](../../T1137.002/T1137.002.md) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
+|  |  | [Office Test](../../T1137.002/T1137.002.md) | [Port Monitors](../../T1547.010/T1547.010.md) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell Profile](../../T1546.013/T1546.013.md) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indicator Removal on Host](../../T1070/T1070.md) |  |  |  |  |  |  |  |
@@ -50,7 +50,7 @@
 |  |  | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [InstallUtil](../../T1218.004/T1218.004.md) |  |  |  |  |  |  |  |
 |  |  | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
-|  |  | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [MSBuild](../../T1127.001/T1127.001.md) |  |  |  |  |  |  |  |
+|  |  | [Port Monitors](../../T1547.010/T1547.010.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [MSBuild](../../T1127.001/T1127.001.md) |  |  |  |  |  |  |  |
 |  |  | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Screensaver](../../T1546.002/T1546.002.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |
 |  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) |  |  |  |  |  |  |  |
 |  |  | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  |  |  |  |  |  |  |

atomics/Indexes/index.yaml

@@ -5109,7 +5109,31 @@ privilege-escalation:
       - Travis Smith, Tripwire
       x_mitre_platforms:
       - Windows
-    atomic_tests: []
+      identifier: T1547.010
+    atomic_tests:
+    - name: Add Port Monitor persistence in Registry
+      auto_generated_guid: d34ef297-f178-4462-871e-9ce618d44e50
+      description: Add key-value pair to a Windows Port Monitor registry. On the subsequent
+        reboot dll will be execute under spoolsv with NT AUTHORITY/SYSTEM privilege.
+      supported_platforms:
+      - windows
+      input_arguments:
+        monitor_dll:
+          description: Addition to port monitor registry key. Normally refers to a
+            DLL name in C:\Windows\System32. arbitrary DLL can be loaded if permissions
+            allow writing a fully-qualified pathname for that DLL.
+          type: Path
+          default: C:\Path\AtomicRedTeam.dll
+      executor:
+        command: 'reg add "hklm\system\currentcontrolset\control\print\monitors\ART"
+          /v "Atomic Red Team" /d "#{monitor_dll}" /t REG_SZ
+
+'
+        cleanup_command: 'reg delete "hklm\system\currentcontrolset\control\print\monitors\ART"
+
+'
+        name: command_prompt
+        elevation_required: true
   T1055.002:
     technique:
       external_references:
@@ -14036,7 +14060,31 @@ persistence:
       - Travis Smith, Tripwire
       x_mitre_platforms:
       - Windows
-    atomic_tests: []
+      identifier: T1547.010
+    atomic_tests:
+    - name: Add Port Monitor persistence in Registry
+      auto_generated_guid: d34ef297-f178-4462-871e-9ce618d44e50
+      description: Add key-value pair to a Windows Port Monitor registry. On the subsequent
+        reboot dll will be execute under spoolsv with NT AUTHORITY/SYSTEM privilege.
+      supported_platforms:
+      - windows
+      input_arguments:
+        monitor_dll:
+          description: Addition to port monitor registry key. Normally refers to a
+            DLL name in C:\Windows\System32. arbitrary DLL can be loaded if permissions
+            allow writing a fully-qualified pathname for that DLL.
+          type: Path
+          default: C:\Path\AtomicRedTeam.dll
+      executor:
+        command: 'reg add "hklm\system\currentcontrolset\control\print\monitors\ART"
+          /v "Atomic Red Team" /d "#{monitor_dll}" /t REG_SZ
+
+'
+        cleanup_command: 'reg delete "hklm\system\currentcontrolset\control\print\monitors\ART"
+
+'
+        name: command_prompt
+        elevation_required: true
   T1546.013:
     technique:
       external_references:

atomics/T1547.010/T1547.010.md

@@ -0,0 +1,51 @@
+# T1547.010 - Port Monitors
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1547/010)
+<blockquote>Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the <code>AddMonitor</code> API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in <code>C:\Windows\System32</code> and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to <code>HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors</code>. 
+
+The Registry key contains entries for the following:
+
+* Local Port
+* Standard TCP/IP Port
+* USB Monitor
+* WSD Port
+
+Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Add Port Monitor persistence in Registry](#atomic-test-1---add-port-monitor-persistence-in-registry)
+
+
+<br/>
+
+## Atomic Test #1 - Add Port Monitor persistence in Registry
+Add key-value pair to a Windows Port Monitor registry. On the subsequent reboot dll will be execute under spoolsv with NT AUTHORITY/SYSTEM privilege.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| monitor_dll | Addition to port monitor registry key. Normally refers to a DLL name in C:&#92;Windows&#92;System32. arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL. | Path | C:&#92;Path&#92;AtomicRedTeam.dll|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+reg add "hklm\system\currentcontrolset\control\print\monitors\ART" /v "Atomic Red Team" /d "#{monitor_dll}" /t REG_SZ
+```
+
+#### Cleanup Commands:
+```cmd
+reg delete "hklm\system\currentcontrolset\control\print\monitors\ART"
+```
+
+
+
+
+
+<br/>

atomics/T1547.010/T1547.010.yaml

@@ -2,6 +2,7 @@ attack_technique: T1547.010
 display_name: 'Boot or Logon Autostart Execution: Port Monitors'
 atomic_tests:
 - name: Add Port Monitor persistence in Registry
+  auto_generated_guid: d34ef297-f178-4462-871e-9ce618d44e50
   description: Add key-value pair to a Windows Port Monitor registry. On the subsequent reboot dll will be execute under spoolsv with NT AUTHORITY/SYSTEM privilege. 
   supported_platforms:
   - windows

atomics/used_guids.txt

@@ -598,3 +598,4 @@ f7536d63-7fd4-466f-89da-7e48d550752a
 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a
 f373b482-48c8-4ce4-85ed-d40c8b3f7310
 79d57242-bbef-41db-b301-9d01d9f6e817
+d34ef297-f178-4462-871e-9ce618d44e50