Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -121,18 +121,17 @@ defense-evasion,T1036,Masquerading,2,Malware Masquerading and Execution from Zip
 defense-evasion,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
 defense-evasion,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
 defense-evasion,T1218,System Binary Proxy Execution,1,mavinject - Inject DLL into running process,c426dacf-575d-4937-8611-a148a86a5e61,command_prompt
-defense-evasion,T1218,System Binary Proxy Execution,2,SyncAppvPublishingServer - Execute arbitrary PowerShell code,d590097e-d402-44e2-ad72-2c6aa1ce78b1,command_prompt
-defense-evasion,T1218,System Binary Proxy Execution,3,Register-CimProvider - Execute evil dll,ad2c17ed-f626-4061-b21e-b9804a6f3655,command_prompt
-defense-evasion,T1218,System Binary Proxy Execution,4,InfDefaultInstall.exe .inf Execution,54ad7d5a-a1b5-472c-b6c4-f8090fb2daef,command_prompt
-defense-evasion,T1218,System Binary Proxy Execution,5,ProtocolHandler.exe Downloaded a Suspicious File,db020456-125b-4c8b-a4a7-487df8afb5a2,command_prompt
-defense-evasion,T1218,System Binary Proxy Execution,6,Microsoft.Workflow.Compiler.exe Payload Execution,7cbb0f26-a4c1-4f77-b180-a009aa05637e,powershell
-defense-evasion,T1218,System Binary Proxy Execution,7,Renamed Microsoft.Workflow.Compiler.exe Payload Executions,4cc40fd7-87b8-4b16-b2d7-57534b86b911,powershell
-defense-evasion,T1218,System Binary Proxy Execution,8,Invoke-ATHRemoteFXvGPUDisablementCommand base test,9ebe7901-7edf-45c0-b5c7-8366300919db,powershell
-defense-evasion,T1218,System Binary Proxy Execution,9,DiskShadow Command Execution,0e1483ba-8f0c-425d-b8c6-42736e058eaa,powershell
-defense-evasion,T1218,System Binary Proxy Execution,10,Load Arbitrary DLL via Wuauclt (Windows Update Client),49fbd548-49e9-4bb7-94a6-3769613912b8,command_prompt
-defense-evasion,T1218,System Binary Proxy Execution,11,Lolbin Gpscript logon option,5bcda9cd-8e85-48fa-861d-b5a85d91d48c,command_prompt
-defense-evasion,T1218,System Binary Proxy Execution,12,Lolbin Gpscript startup option,f8da74bb-21b8-4af9-8d84-f2c8e4a220e3,command_prompt
-defense-evasion,T1218,System Binary Proxy Execution,13,Lolbas ie4uinit.exe use as proxy,13c0804e-615e-43ad-b223-2dfbacd0b0b3,command_prompt
+defense-evasion,T1218,System Binary Proxy Execution,2,Register-CimProvider - Execute evil dll,ad2c17ed-f626-4061-b21e-b9804a6f3655,command_prompt
+defense-evasion,T1218,System Binary Proxy Execution,3,InfDefaultInstall.exe .inf Execution,54ad7d5a-a1b5-472c-b6c4-f8090fb2daef,command_prompt
+defense-evasion,T1218,System Binary Proxy Execution,4,ProtocolHandler.exe Downloaded a Suspicious File,db020456-125b-4c8b-a4a7-487df8afb5a2,command_prompt
+defense-evasion,T1218,System Binary Proxy Execution,5,Microsoft.Workflow.Compiler.exe Payload Execution,7cbb0f26-a4c1-4f77-b180-a009aa05637e,powershell
+defense-evasion,T1218,System Binary Proxy Execution,6,Renamed Microsoft.Workflow.Compiler.exe Payload Executions,4cc40fd7-87b8-4b16-b2d7-57534b86b911,powershell
+defense-evasion,T1218,System Binary Proxy Execution,7,Invoke-ATHRemoteFXvGPUDisablementCommand base test,9ebe7901-7edf-45c0-b5c7-8366300919db,powershell
+defense-evasion,T1218,System Binary Proxy Execution,8,DiskShadow Command Execution,0e1483ba-8f0c-425d-b8c6-42736e058eaa,powershell
+defense-evasion,T1218,System Binary Proxy Execution,9,Load Arbitrary DLL via Wuauclt (Windows Update Client),49fbd548-49e9-4bb7-94a6-3769613912b8,command_prompt
+defense-evasion,T1218,System Binary Proxy Execution,10,Lolbin Gpscript logon option,5bcda9cd-8e85-48fa-861d-b5a85d91d48c,command_prompt
+defense-evasion,T1218,System Binary Proxy Execution,11,Lolbin Gpscript startup option,f8da74bb-21b8-4af9-8d84-f2c8e4a220e3,command_prompt
+defense-evasion,T1218,System Binary Proxy Execution,12,Lolbas ie4uinit.exe use as proxy,13c0804e-615e-43ad-b223-2dfbacd0b0b3,command_prompt
 defense-evasion,T1070.006,Timestomp,1,Set a file's access timestamp,5f9113d5-ed75-47ed-ba23-ea3573d05810,sh
 defense-evasion,T1070.006,Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
 defense-evasion,T1070.006,Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -80,18 +80,17 @@ defense-evasion,T1036,Masquerading,2,Malware Masquerading and Execution from Zip
 defense-evasion,T1055,Process Injection,1,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell
 defense-evasion,T1055,Process Injection,2,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt
 defense-evasion,T1218,System Binary Proxy Execution,1,mavinject - Inject DLL into running process,c426dacf-575d-4937-8611-a148a86a5e61,command_prompt
-defense-evasion,T1218,System Binary Proxy Execution,2,SyncAppvPublishingServer - Execute arbitrary PowerShell code,d590097e-d402-44e2-ad72-2c6aa1ce78b1,command_prompt
-defense-evasion,T1218,System Binary Proxy Execution,3,Register-CimProvider - Execute evil dll,ad2c17ed-f626-4061-b21e-b9804a6f3655,command_prompt
-defense-evasion,T1218,System Binary Proxy Execution,4,InfDefaultInstall.exe .inf Execution,54ad7d5a-a1b5-472c-b6c4-f8090fb2daef,command_prompt
-defense-evasion,T1218,System Binary Proxy Execution,5,ProtocolHandler.exe Downloaded a Suspicious File,db020456-125b-4c8b-a4a7-487df8afb5a2,command_prompt
-defense-evasion,T1218,System Binary Proxy Execution,6,Microsoft.Workflow.Compiler.exe Payload Execution,7cbb0f26-a4c1-4f77-b180-a009aa05637e,powershell
-defense-evasion,T1218,System Binary Proxy Execution,7,Renamed Microsoft.Workflow.Compiler.exe Payload Executions,4cc40fd7-87b8-4b16-b2d7-57534b86b911,powershell
-defense-evasion,T1218,System Binary Proxy Execution,8,Invoke-ATHRemoteFXvGPUDisablementCommand base test,9ebe7901-7edf-45c0-b5c7-8366300919db,powershell
-defense-evasion,T1218,System Binary Proxy Execution,9,DiskShadow Command Execution,0e1483ba-8f0c-425d-b8c6-42736e058eaa,powershell
-defense-evasion,T1218,System Binary Proxy Execution,10,Load Arbitrary DLL via Wuauclt (Windows Update Client),49fbd548-49e9-4bb7-94a6-3769613912b8,command_prompt
-defense-evasion,T1218,System Binary Proxy Execution,11,Lolbin Gpscript logon option,5bcda9cd-8e85-48fa-861d-b5a85d91d48c,command_prompt
-defense-evasion,T1218,System Binary Proxy Execution,12,Lolbin Gpscript startup option,f8da74bb-21b8-4af9-8d84-f2c8e4a220e3,command_prompt
-defense-evasion,T1218,System Binary Proxy Execution,13,Lolbas ie4uinit.exe use as proxy,13c0804e-615e-43ad-b223-2dfbacd0b0b3,command_prompt
+defense-evasion,T1218,System Binary Proxy Execution,2,Register-CimProvider - Execute evil dll,ad2c17ed-f626-4061-b21e-b9804a6f3655,command_prompt
+defense-evasion,T1218,System Binary Proxy Execution,3,InfDefaultInstall.exe .inf Execution,54ad7d5a-a1b5-472c-b6c4-f8090fb2daef,command_prompt
+defense-evasion,T1218,System Binary Proxy Execution,4,ProtocolHandler.exe Downloaded a Suspicious File,db020456-125b-4c8b-a4a7-487df8afb5a2,command_prompt
+defense-evasion,T1218,System Binary Proxy Execution,5,Microsoft.Workflow.Compiler.exe Payload Execution,7cbb0f26-a4c1-4f77-b180-a009aa05637e,powershell
+defense-evasion,T1218,System Binary Proxy Execution,6,Renamed Microsoft.Workflow.Compiler.exe Payload Executions,4cc40fd7-87b8-4b16-b2d7-57534b86b911,powershell
+defense-evasion,T1218,System Binary Proxy Execution,7,Invoke-ATHRemoteFXvGPUDisablementCommand base test,9ebe7901-7edf-45c0-b5c7-8366300919db,powershell
+defense-evasion,T1218,System Binary Proxy Execution,8,DiskShadow Command Execution,0e1483ba-8f0c-425d-b8c6-42736e058eaa,powershell
+defense-evasion,T1218,System Binary Proxy Execution,9,Load Arbitrary DLL via Wuauclt (Windows Update Client),49fbd548-49e9-4bb7-94a6-3769613912b8,command_prompt
+defense-evasion,T1218,System Binary Proxy Execution,10,Lolbin Gpscript logon option,5bcda9cd-8e85-48fa-861d-b5a85d91d48c,command_prompt
+defense-evasion,T1218,System Binary Proxy Execution,11,Lolbin Gpscript startup option,f8da74bb-21b8-4af9-8d84-f2c8e4a220e3,command_prompt
+defense-evasion,T1218,System Binary Proxy Execution,12,Lolbas ie4uinit.exe use as proxy,13c0804e-615e-43ad-b223-2dfbacd0b0b3,command_prompt
 defense-evasion,T1070.006,Timestomp,5,Windows - Modify file creation timestamp with PowerShell,b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c,powershell
 defense-evasion,T1070.006,Timestomp,6,Windows - Modify file last modified timestamp with PowerShell,f8f6634d-93e1-4238-8510-f8a90a20dcf2,powershell
 defense-evasion,T1070.006,Timestomp,7,Windows - Modify file last access timestamp with PowerShell,da627f63-b9bd-4431-b6f8-c5b44d061a62,powershell

atomics/Indexes/Indexes-Markdown/index.md

@@ -177,18 +177,17 @@
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1218 System Binary Proxy Execution](../../T1218/T1218.md)
   - Atomic Test #1: mavinject - Inject DLL into running process [windows]
-  - Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows]
-  - Atomic Test #3: Register-CimProvider - Execute evil dll [windows]
-  - Atomic Test #4: InfDefaultInstall.exe .inf Execution [windows]
-  - Atomic Test #5: ProtocolHandler.exe Downloaded a Suspicious File [windows]
-  - Atomic Test #6: Microsoft.Workflow.Compiler.exe Payload Execution [windows]
-  - Atomic Test #7: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows]
-  - Atomic Test #8: Invoke-ATHRemoteFXvGPUDisablementCommand base test [windows]
-  - Atomic Test #9: DiskShadow Command Execution [windows]
-  - Atomic Test #10: Load Arbitrary DLL via Wuauclt (Windows Update Client) [windows]
-  - Atomic Test #11: Lolbin Gpscript logon option [windows]
-  - Atomic Test #12: Lolbin Gpscript startup option [windows]
-  - Atomic Test #13: Lolbas ie4uinit.exe use as proxy [windows]
+  - Atomic Test #2: Register-CimProvider - Execute evil dll [windows]
+  - Atomic Test #3: InfDefaultInstall.exe .inf Execution [windows]
+  - Atomic Test #4: ProtocolHandler.exe Downloaded a Suspicious File [windows]
+  - Atomic Test #5: Microsoft.Workflow.Compiler.exe Payload Execution [windows]
+  - Atomic Test #6: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows]
+  - Atomic Test #7: Invoke-ATHRemoteFXvGPUDisablementCommand base test [windows]
+  - Atomic Test #8: DiskShadow Command Execution [windows]
+  - Atomic Test #9: Load Arbitrary DLL via Wuauclt (Windows Update Client) [windows]
+  - Atomic Test #10: Lolbin Gpscript logon option [windows]
+  - Atomic Test #11: Lolbin Gpscript startup option [windows]
+  - Atomic Test #12: Lolbas ie4uinit.exe use as proxy [windows]
 - T1038 DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1070.006 Timestomp](../../T1070.006/T1070.006.md)
   - Atomic Test #1: Set a file's access timestamp [linux, macos]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -122,18 +122,17 @@
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1218 System Binary Proxy Execution](../../T1218/T1218.md)
   - Atomic Test #1: mavinject - Inject DLL into running process [windows]
-  - Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows]
-  - Atomic Test #3: Register-CimProvider - Execute evil dll [windows]
-  - Atomic Test #4: InfDefaultInstall.exe .inf Execution [windows]
-  - Atomic Test #5: ProtocolHandler.exe Downloaded a Suspicious File [windows]
-  - Atomic Test #6: Microsoft.Workflow.Compiler.exe Payload Execution [windows]
-  - Atomic Test #7: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows]
-  - Atomic Test #8: Invoke-ATHRemoteFXvGPUDisablementCommand base test [windows]
-  - Atomic Test #9: DiskShadow Command Execution [windows]
-  - Atomic Test #10: Load Arbitrary DLL via Wuauclt (Windows Update Client) [windows]
-  - Atomic Test #11: Lolbin Gpscript logon option [windows]
-  - Atomic Test #12: Lolbin Gpscript startup option [windows]
-  - Atomic Test #13: Lolbas ie4uinit.exe use as proxy [windows]
+  - Atomic Test #2: Register-CimProvider - Execute evil dll [windows]
+  - Atomic Test #3: InfDefaultInstall.exe .inf Execution [windows]
+  - Atomic Test #4: ProtocolHandler.exe Downloaded a Suspicious File [windows]
+  - Atomic Test #5: Microsoft.Workflow.Compiler.exe Payload Execution [windows]
+  - Atomic Test #6: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows]
+  - Atomic Test #7: Invoke-ATHRemoteFXvGPUDisablementCommand base test [windows]
+  - Atomic Test #8: DiskShadow Command Execution [windows]
+  - Atomic Test #9: Load Arbitrary DLL via Wuauclt (Windows Update Client) [windows]
+  - Atomic Test #10: Lolbin Gpscript logon option [windows]
+  - Atomic Test #11: Lolbin Gpscript startup option [windows]
+  - Atomic Test #12: Lolbas ie4uinit.exe use as proxy [windows]
 - T1038 DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1070.006 Timestomp](../../T1070.006/T1070.006.md)
   - Atomic Test #5: Windows - Modify file creation timestamp with PowerShell [windows]

atomics/Indexes/index.yaml

@@ -7309,24 +7309,6 @@ defense-evasion:
           '
         name: command_prompt
         elevation_required: true
-    - name: SyncAppvPublishingServer - Execute arbitrary PowerShell code
-      auto_generated_guid: d590097e-d402-44e2-ad72-2c6aa1ce78b1
-      description: 'Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
-        Requires Windows 10.
-
-        '
-      supported_platforms:
-      - windows
-      input_arguments:
-        powershell_code:
-          description: PowerShell code to execute
-          type: String
-          default: Start-Process calc.exe
-      executor:
-        command: 'SyncAppvPublishingServer.exe "n; #{powershell_code}"
-
-          '
-        name: command_prompt
     - name: Register-CimProvider - Execute evil dll
       auto_generated_guid: ad2c17ed-f626-4061-b21e-b9804a6f3655
       description: 'Execute arbitrary dll. Requires at least Windows 8/2012. Also

atomics/T1218/T1218.md

@@ -8,29 +8,27 @@ Similarly, on Linux systems adversaries may abuse trusted binaries such as <code
 
 - [Atomic Test #1 - mavinject - Inject DLL into running process](#atomic-test-1---mavinject---inject-dll-into-running-process)
 
-- [Atomic Test #2 - SyncAppvPublishingServer - Execute arbitrary PowerShell code](#atomic-test-2---syncappvpublishingserver---execute-arbitrary-powershell-code)
+- [Atomic Test #2 - Register-CimProvider - Execute evil dll](#atomic-test-2---register-cimprovider---execute-evil-dll)
 
-- [Atomic Test #3 - Register-CimProvider - Execute evil dll](#atomic-test-3---register-cimprovider---execute-evil-dll)
+- [Atomic Test #3 - InfDefaultInstall.exe .inf Execution](#atomic-test-3---infdefaultinstallexe-inf-execution)
 
-- [Atomic Test #4 - InfDefaultInstall.exe .inf Execution](#atomic-test-4---infdefaultinstallexe-inf-execution)
+- [Atomic Test #4 - ProtocolHandler.exe Downloaded a Suspicious File](#atomic-test-4---protocolhandlerexe-downloaded-a-suspicious-file)
 
-- [Atomic Test #5 - ProtocolHandler.exe Downloaded a Suspicious File](#atomic-test-5---protocolhandlerexe-downloaded-a-suspicious-file)
+- [Atomic Test #5 - Microsoft.Workflow.Compiler.exe Payload Execution](#atomic-test-5---microsoftworkflowcompilerexe-payload-execution)
 
-- [Atomic Test #6 - Microsoft.Workflow.Compiler.exe Payload Execution](#atomic-test-6---microsoftworkflowcompilerexe-payload-execution)
+- [Atomic Test #6 - Renamed Microsoft.Workflow.Compiler.exe Payload Executions](#atomic-test-6---renamed-microsoftworkflowcompilerexe-payload-executions)
 
-- [Atomic Test #7 - Renamed Microsoft.Workflow.Compiler.exe Payload Executions](#atomic-test-7---renamed-microsoftworkflowcompilerexe-payload-executions)
+- [Atomic Test #7 - Invoke-ATHRemoteFXvGPUDisablementCommand base test](#atomic-test-7---invoke-athremotefxvgpudisablementcommand-base-test)
 
-- [Atomic Test #8 - Invoke-ATHRemoteFXvGPUDisablementCommand base test](#atomic-test-8---invoke-athremotefxvgpudisablementcommand-base-test)
+- [Atomic Test #8 - DiskShadow Command Execution](#atomic-test-8---diskshadow-command-execution)
 
-- [Atomic Test #9 - DiskShadow Command Execution](#atomic-test-9---diskshadow-command-execution)
+- [Atomic Test #9 - Load Arbitrary DLL via Wuauclt (Windows Update Client)](#atomic-test-9---load-arbitrary-dll-via-wuauclt-windows-update-client)
 
-- [Atomic Test #10 - Load Arbitrary DLL via Wuauclt (Windows Update Client)](#atomic-test-10---load-arbitrary-dll-via-wuauclt-windows-update-client)
+- [Atomic Test #10 - Lolbin Gpscript logon option](#atomic-test-10---lolbin-gpscript-logon-option)
 
-- [Atomic Test #11 - Lolbin Gpscript logon option](#atomic-test-11---lolbin-gpscript-logon-option)
+- [Atomic Test #11 - Lolbin Gpscript startup option](#atomic-test-11---lolbin-gpscript-startup-option)
 
-- [Atomic Test #12 - Lolbin Gpscript startup option](#atomic-test-12---lolbin-gpscript-startup-option)
-
-- [Atomic Test #13 - Lolbas ie4uinit.exe use as proxy](#atomic-test-13---lolbas-ie4uinitexe-use-as-proxy)
+- [Atomic Test #12 - Lolbas ie4uinit.exe use as proxy](#atomic-test-12---lolbas-ie4uinitexe-use-as-proxy)
 
 
 <br/>
@@ -82,40 +80,7 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
 <br/>
 <br/>
 
-## Atomic Test #2 - SyncAppvPublishingServer - Execute arbitrary PowerShell code
-Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe. Requires Windows 10.
-
-**Supported Platforms:** Windows
-
-
-**auto_generated_guid:** d590097e-d402-44e2-ad72-2c6aa1ce78b1
-
-
-
-
-
-#### Inputs:
-| Name | Description | Type | Default Value |
-|------|-------------|------|---------------|
-| powershell_code | PowerShell code to execute | String | Start-Process calc.exe|
-
-
-#### Attack Commands: Run with `command_prompt`! 
-
-
-```cmd
-SyncAppvPublishingServer.exe "n; #{powershell_code}"
-```
-
-
-
-
-
-
-<br/>
-<br/>
-
-## Atomic Test #3 - Register-CimProvider - Execute evil dll
+## Atomic Test #2 - Register-CimProvider - Execute evil dll
 Execute arbitrary dll. Requires at least Windows 8/2012. Also note this dll can be served up via SMB
 
 **Supported Platforms:** Windows
@@ -161,7 +126,7 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
 <br/>
 <br/>
 
-## Atomic Test #4 - InfDefaultInstall.exe .inf Execution
+## Atomic Test #3 - InfDefaultInstall.exe .inf Execution
 Test execution of a .inf using InfDefaultInstall.exe
 
 Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Infdefaultinstall.yml
@@ -209,7 +174,7 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
 <br/>
 <br/>
 
-## Atomic Test #5 - ProtocolHandler.exe Downloaded a Suspicious File
+## Atomic Test #4 - ProtocolHandler.exe Downloaded a Suspicious File
 Emulates attack via documents through protocol handler in Microsoft Office.  On successful execution you should see Microsoft Word launch a blank file.
 
 **Supported Platforms:** Windows
@@ -255,7 +220,7 @@ write-host "Install Microsoft Word or provide correct path."
 <br/>
 <br/>
 
-## Atomic Test #6 - Microsoft.Workflow.Compiler.exe Payload Execution
+## Atomic Test #5 - Microsoft.Workflow.Compiler.exe Payload Execution
 Emulates attack with Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe
 
 **Supported Platforms:** Windows
@@ -302,7 +267,7 @@ write-host ".Net must be installed for this test to work correctly."
 <br/>
 <br/>
 
-## Atomic Test #7 - Renamed Microsoft.Workflow.Compiler.exe Payload Executions
+## Atomic Test #6 - Renamed Microsoft.Workflow.Compiler.exe Payload Executions
 Emulates attack with a renamed Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe
 
 **Supported Platforms:** Windows
@@ -351,7 +316,7 @@ write-host "you need to rename workflow complier before you run this test"
 <br/>
 <br/>
 
-## Atomic Test #8 - Invoke-ATHRemoteFXvGPUDisablementCommand base test
+## Atomic Test #7 - Invoke-ATHRemoteFXvGPUDisablementCommand base test
 RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
 
 One of the PowerShell functions called by RemoteFXvGPUDisablement.exe is Get-VMRemoteFXPhysicalVideoAdapter, a part of the Hyper-V module. This atomic test influences RemoteFXvGPUDisablement.exe to execute custom PowerShell code by using a technique referred to as "PowerShell module load-order hijacking" where a module containing, in this case, an implementation of the Get-VMRemoteFXPhysicalVideoAdapter is loaded first by way of introducing a temporary module into the first directory listed in the %PSModulePath% environment variable or within a user-specified module directory outside of %PSModulePath%. Upon execution the temporary module is deleted.
@@ -407,7 +372,7 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
 <br/>
 <br/>
 
-## Atomic Test #9 - DiskShadow Command Execution
+## Atomic Test #8 - DiskShadow Command Execution
 Emulates attack with a DiskShadow.exe (LOLBIN installed by default on Windows) being used to execute arbitrary commands Reference: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
 
 **Supported Platforms:** Windows
@@ -463,7 +428,7 @@ echo "DiskShadow.exe not found on disk at expected location"
 <br/>
 <br/>
 
-## Atomic Test #10 - Load Arbitrary DLL via Wuauclt (Windows Update Client)
+## Atomic Test #9 - Load Arbitrary DLL via Wuauclt (Windows Update Client)
 This test uses Wuauclt to load an arbitrary DLL. Upon execution with the default inputs, calculator.exe will be launched. 
 See https://dtm.uk/wuauclt/
 
@@ -514,7 +479,7 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/at
 <br/>
 <br/>
 
-## Atomic Test #11 - Lolbin Gpscript logon option
+## Atomic Test #10 - Lolbin Gpscript logon option
 Executes logon scripts configured in Group Policy.
 https://lolbas-project.github.io/lolbas/Binaries/Gpscript/
 https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
@@ -544,7 +509,7 @@ Gpscript /logon
 <br/>
 <br/>
 
-## Atomic Test #12 - Lolbin Gpscript startup option
+## Atomic Test #11 - Lolbin Gpscript startup option
 Executes startup scripts configured in Group Policy
 https://lolbas-project.github.io/lolbas/Binaries/Gpscript/
 https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/
@@ -574,7 +539,7 @@ Gpscript /startup
 <br/>
 <br/>
 
-## Atomic Test #13 - Lolbas ie4uinit.exe use as proxy
+## Atomic Test #12 - Lolbas ie4uinit.exe use as proxy
 Executes commands from a specially prepared ie4uinit.inf file.
 Poc from : https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/
 Reference: https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/