OCD :) (#967)
* OCD :)
* Generate docs from job=validate_atomics_generate_docs branch=atomic_friday

Co-authored-by: CircleCI Atomic Red Team doc generator <email>
@@ -22,6 +22,7 @@ class Attack
|
||||
'collection',
|
||||
'exfiltration',
|
||||
'command-and-control',
|
||||
'impact'
|
||||
]
|
||||
end
|
||||
|
||||
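Review bot: The `'impact'` entry at the end of the tactic list is a functional change that the commit title ("OCD :)") does not document. The hunk grows from 6 to 7 lines, and the regenerated Linux matrix in this same commit gains a twelfth `impact` column as a result, so every document built from this list changes shape. Please say so in the commit message, for example "Add impact tactic to generated matrices", so the change can be found later from the log. Since the list is hardcoded, a short comment above it noting that the order here is the column order of the generated tables would also help the next person who edits it.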
@@ -110,4 +111,4 @@ class Attack
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
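Review bot: The last `end` in this hunk is replaced by an identical-looking `end` (4 lines before, 4 after, five `end` lines shown), so this appears to be a whitespace or end-of-file newline fix with no behavioural effect. It is unrelated to the tactic list change in the previous hunk; either split it into its own commit or mention it in the commit message so reviewers do not look for a logic change here.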
@@ -1,32 +1,32 @@
|
||||
# Linux Atomic Tests by ATT&CK Tactic & Technique
|
||||
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control |
|
||||
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
|
||||
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Command-Line Interface](../../T1059/T1059.md) | [.bash_profile and .bashrc](../../T1156/T1156.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Manipulation](../../T1098/T1098.md) | [Account Discovery](../../T1087/T1087.md) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Manipulation](../../T1098/T1098.md) | [Process Injection](../../T1055/T1055.md) | [Binary Padding](../../T1009/T1009.md) | [Bash History](../../T1139/T1139.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](../../T1119/T1119.md) | [Data Compressed](../../T1002/T1002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1166/T1166.md) | [Clear Command History](../../T1146/T1146.md) | [Brute Force](../../T1110/T1110.md) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](../../T1115/T1115.md) | [Data Encrypted](../../T1022/T1022.md) | [Connection Proxy](../../T1090/T1090.md) |
|
||||
| [Spearphishing Attachment](../../T1193/T1193.md) | [Local Job Scheduling](../../T1168/T1168.md) | [Browser Extensions](../../T1176/T1176.md) | [Sudo](../../T1169/T1169.md) | [Compile After Delivery](../../T1500/T1500.md) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Staged](../../T1074/T1074.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scripting](../../T1064/T1064.md) | [Create Account](../../T1136/T1136.md) | [Sudo Caching](../../T1206/T1206.md) | [Connection Proxy](../../T1090/T1090.md) | [Credential Dumping](../../T1003/T1003.md) | [File and Directory Discovery](../../T1083/T1083.md) | [Remote File Copy](../../T1105/T1105.md) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Source](../../T1153/T1153.md) | [Hidden Files and Directories](../../T1158/T1158.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disabling Security Tools](../../T1089/T1089.md) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](../../T1132/T1132.md) |
|
||||
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Space after Filename](../../T1151/T1151.md) | Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Web Shell](../../T1100/T1100.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials in Files](../../T1081/T1081.md) | [Network Share Discovery](../../T1135/T1135.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data from Local System](../../T1005/T1005.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1215/T1215.md) | | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Trap](../../T1154/T1154.md) | [Local Job Scheduling](../../T1168/T1168.md) | | [File Deletion](../../T1107/T1107.md) | [Input Capture](../../T1056/T1056.md) | [Password Policy Discovery](../../T1201/T1201.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | [User Execution](../../T1204/T1204.md) | [Office Application Startup](../../T1137/T1137.md) | | [File and Directory Permissions Modification](../../T1222/T1222.md) | [Network Sniffing](../../T1040/T1040.md) | [Permission Groups Discovery](../../T1069/T1069.md) | | [Email Collection](../../T1114/T1114.md) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [HISTCONTROL](../../T1148/T1148.md) | [Private Keys](../../T1145/T1145.md) | [Process Discovery](../../T1057/T1057.md) | | [Input Capture](../../T1056/T1056.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Hidden Files and Directories](../../T1158/T1158.md) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | | [Screen Capture](../../T1113/T1113.md) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | [Server Software Component](../../T1505/T1505.md) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Software Discovery](../../T1518/T1518.md) | | | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | [Setuid and Setgid](../../T1166/T1166.md) | | [Indicator Removal on Host](../../T1070/T1070.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | [Systemd Service](../../T1501/T1501.md) | | [Install Root Certificate](../../T1130/T1130.md) | | [System Network Configuration Discovery](../../T1016/T1016.md) | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | [Trap](../../T1154/T1154.md) | | [Masquerading](../../T1036/T1036.md) | | [System Network Connections Discovery](../../T1049/T1049.md) | | | | [Remote Access Tools](../../T1219/T1219.md) |
|
||||
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Obfuscated Files or Information](../../T1027/T1027.md) | | [System Owner/User Discovery](../../T1033/T1033.md) | | | | [Remote File Copy](../../T1105/T1105.md) |
|
||||
| | | [Web Shell](../../T1100/T1100.md) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Standard Application Layer Protocol](../../T1071/T1071.md) |
|
||||
| | | | | [Process Injection](../../T1055/T1055.md) | | | | | | [Standard Cryptographic Protocol](../../T1032/T1032.md) |
|
||||
| | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Standard Non-Application Layer Protocol](../../T1095/T1095.md) |
|
||||
| | | | | Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Uncommonly Used Port](../../T1065/T1065.md) |
|
||||
| | | | | [Rootkit](../../T1014/T1014.md) | | | | | | [Web Service](../../T1102/T1102.md) |
|
||||
| | | | | [Scripting](../../T1064/T1064.md) | | | | | | |
|
||||
| | | | | [Space after Filename](../../T1151/T1151.md) | | | | | | |
|
||||
| | | | | [Timestomp](../../T1099/T1099.md) | | | | | | |
|
||||
| | | | | Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
|
||||
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
|
||||
| | | | | [Web Service](../../T1102/T1102.md) | | | | | | |
|
||||
| | | | | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
|
||||
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|
||||
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
|
||||
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Command-Line Interface](../../T1059/T1059.md) | [.bash_profile and .bashrc](../../T1156/T1156.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Manipulation](../../T1098/T1098.md) | [Account Discovery](../../T1087/T1087.md) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) |
|
||||
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Manipulation](../../T1098/T1098.md) | [Process Injection](../../T1055/T1055.md) | [Binary Padding](../../T1009/T1009.md) | [Bash History](../../T1139/T1139.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](../../T1119/T1119.md) | [Data Compressed](../../T1002/T1002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
|
||||
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1166/T1166.md) | [Clear Command History](../../T1146/T1146.md) | [Brute Force](../../T1110/T1110.md) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](../../T1115/T1115.md) | [Data Encrypted](../../T1022/T1022.md) | [Connection Proxy](../../T1090/T1090.md) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| [Spearphishing Attachment](../../T1193/T1193.md) | [Local Job Scheduling](../../T1168/T1168.md) | [Browser Extensions](../../T1176/T1176.md) | [Sudo](../../T1169/T1169.md) | [Compile After Delivery](../../T1500/T1500.md) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Staged](../../T1074/T1074.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scripting](../../T1064/T1064.md) | [Create Account](../../T1136/T1136.md) | [Sudo Caching](../../T1206/T1206.md) | [Connection Proxy](../../T1090/T1090.md) | [Credential Dumping](../../T1003/T1003.md) | [File and Directory Discovery](../../T1083/T1083.md) | [Remote File Copy](../../T1105/T1105.md) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Source](../../T1153/T1153.md) | [Hidden Files and Directories](../../T1158/T1158.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disabling Security Tools](../../T1089/T1089.md) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](../../T1132/T1132.md) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Space after Filename](../../T1151/T1151.md) | Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Web Shell](../../T1100/T1100.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials in Files](../../T1081/T1081.md) | [Network Share Discovery](../../T1135/T1135.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data from Local System](../../T1005/T1005.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1215/T1215.md) | | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Trap](../../T1154/T1154.md) | [Local Job Scheduling](../../T1168/T1168.md) | | [File Deletion](../../T1107/T1107.md) | [Input Capture](../../T1056/T1056.md) | [Password Policy Discovery](../../T1201/T1201.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
|
||||
| | [User Execution](../../T1204/T1204.md) | [Office Application Startup](../../T1137/T1137.md) | | [File and Directory Permissions Modification](../../T1222/T1222.md) | [Network Sniffing](../../T1040/T1040.md) | [Permission Groups Discovery](../../T1069/T1069.md) | | [Email Collection](../../T1114/T1114.md) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [HISTCONTROL](../../T1148/T1148.md) | [Private Keys](../../T1145/T1145.md) | [Process Discovery](../../T1057/T1057.md) | | [Input Capture](../../T1056/T1056.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Resource Hijacking](../../T1496/T1496.md) |
|
||||
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Hidden Files and Directories](../../T1158/T1158.md) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | | [Screen Capture](../../T1113/T1113.md) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | [Server Software Component](../../T1505/T1505.md) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Software Discovery](../../T1518/T1518.md) | | | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | [Setuid and Setgid](../../T1166/T1166.md) | | [Indicator Removal on Host](../../T1070/T1070.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
|
||||
| | | [Systemd Service](../../T1501/T1501.md) | | [Install Root Certificate](../../T1130/T1130.md) | | [System Network Configuration Discovery](../../T1016/T1016.md) | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | [Trap](../../T1154/T1154.md) | | [Masquerading](../../T1036/T1036.md) | | [System Network Connections Discovery](../../T1049/T1049.md) | | | | [Remote Access Tools](../../T1219/T1219.md) | |
|
||||
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Obfuscated Files or Information](../../T1027/T1027.md) | | [System Owner/User Discovery](../../T1033/T1033.md) | | | | [Remote File Copy](../../T1105/T1105.md) | |
|
||||
| | | [Web Shell](../../T1100/T1100.md) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Standard Application Layer Protocol](../../T1071/T1071.md) | |
|
||||
| | | | | [Process Injection](../../T1055/T1055.md) | | | | | | [Standard Cryptographic Protocol](../../T1032/T1032.md) | |
|
||||
| | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Standard Non-Application Layer Protocol](../../T1095/T1095.md) | |
|
||||
| | | | | Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Uncommonly Used Port](../../T1065/T1065.md) | |
|
||||
| | | | | [Rootkit](../../T1014/T1014.md) | | | | | | [Web Service](../../T1102/T1102.md) | |
|
||||
| | | | | [Scripting](../../T1064/T1064.md) | | | | | | | |
|
||||
| | | | | [Space after Filename](../../T1151/T1151.md) | | | | | | | |
|
||||
| | | | | [Timestomp](../../T1099/T1099.md) | | | | | | | |
|
||||
| | | | | Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | | | [Web Service](../../T1102/T1102.md) | | | | | | | |
|
||||
| | | | | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
|
||||
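Review bot: All 29 data rows of the table are rewritten just to append one `impact` cell, which hides whether anything else moved. In the rows shown the first eleven cells match the old side, but that has to be checked by eye. Because this file is generator output (the commit message names the `validate_atomics_generate_docs` job), the review would be stronger if CI regenerated the docs from the committed generator and failed on any difference, rather than relying on a manual read of the table. The new column also introduces relative links such as `../../T1531/T1531.md`, `../../T1485/T1485.md`, `../../T1490/T1490.md`, `../../T1496/T1496.md` and `../../T1529/T1529.md`; a link check in the same job would confirm those targets exist for this platform's matrix.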
@@ -1,37 +1,37 @@
|
||||
# macOS Atomic Tests by ATT&CK Tactic & Technique
|
||||
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control |
|
||||
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
|
||||
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1155/T1155.md) | [.bash_profile and .bashrc](../../T1156/T1156.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1009/T1009.md) | [Bash History](../../T1139/T1139.md) | [Account Discovery](../../T1087/T1087.md) | [AppleScript](../../T1155/T1155.md) | [Audio Capture](../../T1123/T1123.md) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Command-Line Interface](../../T1059/T1059.md) | [Browser Extensions](../../T1176/T1176.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1146/T1146.md) | [Brute Force](../../T1110/T1110.md) | [Application Window Discovery](../../T1010/T1010.md) | Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](../../T1119/T1119.md) | [Data Compressed](../../T1002/T1002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Create Account](../../T1136/T1136.md) | [Emond](../../T1519/T1519.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credential Dumping](../../T1003/T1003.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](../../T1115/T1115.md) | [Data Encrypted](../../T1022/T1022.md) | [Connection Proxy](../../T1090/T1090.md) |
|
||||
| [Spearphishing Attachment](../../T1193/T1193.md) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compile After Delivery](../../T1500/T1500.md) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Staged](../../T1074/T1074.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1152/T1152.md) | [Emond](../../T1519/T1519.md) | [Launch Daemon](../../T1160/T1160.md) | [Connection Proxy](../../T1090/T1090.md) | [Credentials in Files](../../T1081/T1081.md) | [Network Service Scanning](../../T1046/T1046.md) | [Logon Scripts](../../T1037/T1037.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Job Scheduling](../../T1168/T1168.md) | [Hidden Files and Directories](../../T1158/T1158.md) | [Plist Modification](../../T1150/T1150.md) | [Disabling Security Tools](../../T1089/T1089.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | [Remote File Copy](../../T1105/T1105.md) | [Data from Local System](../../T1005/T1005.md) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](../../T1132/T1132.md) |
|
||||
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scripting](../../T1064/T1064.md) | [Kernel Modules and Extensions](../../T1215/T1215.md) | [Process Injection](../../T1055/T1055.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Capture](../../T1056/T1056.md) | [Network Sniffing](../../T1040/T1040.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Source](../../T1153/T1153.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1166/T1166.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Prompt](../../T1141/T1141.md) | [Password Policy Discovery](../../T1201/T1201.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Space after Filename](../../T1151/T1151.md) | [Launch Agent](../../T1159/T1159.md) | [Startup Items](../../T1165/T1165.md) | [File Deletion](../../T1107/T1107.md) | [Keychain](../../T1142/T1142.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Capture](../../T1056/T1056.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1160/T1160.md) | [Sudo](../../T1169/T1169.md) | [File and Directory Permissions Modification](../../T1222/T1222.md) | [Network Sniffing](../../T1040/T1040.md) | [Permission Groups Discovery](../../T1069/T1069.md) | | [Screen Capture](../../T1113/T1113.md) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | [Trap](../../T1154/T1154.md) | [Launchctl](../../T1152/T1152.md) | [Sudo Caching](../../T1206/T1206.md) | [Gatekeeper Bypass](../../T1144/T1144.md) | [Private Keys](../../T1145/T1145.md) | [Process Discovery](../../T1057/T1057.md) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | [User Execution](../../T1204/T1204.md) | [Local Job Scheduling](../../T1168/T1168.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [HISTCONTROL](../../T1148/T1148.md) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | | | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | Login Item [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Web Shell](../../T1100/T1100.md) | [Hidden Files and Directories](../../T1158/T1158.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1063/T1063.md) | | | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | [Logon Scripts](../../T1037/T1037.md) | | [Hidden Users](../../T1147/T1147.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Software Discovery](../../T1518/T1518.md) | | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | [Plist Modification](../../T1150/T1150.md) | | [Hidden Window](../../T1143/T1143.md) | | [System Information Discovery](../../T1082/T1082.md) | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Network Configuration Discovery](../../T1016/T1016.md) | | | | [Remote Access Tools](../../T1219/T1219.md) |
|
||||
| | | [Rc.common](../../T1163/T1163.md) | | [Indicator Removal on Host](../../T1070/T1070.md) | | [System Network Connections Discovery](../../T1049/T1049.md) | | | | [Remote File Copy](../../T1105/T1105.md) |
|
||||
| | | [Re-opened Applications](../../T1164/T1164.md) | | [Install Root Certificate](../../T1130/T1130.md) | | [System Owner/User Discovery](../../T1033/T1033.md) | | | | [Standard Application Layer Protocol](../../T1071/T1071.md) |
|
||||
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Standard Cryptographic Protocol](../../T1032/T1032.md) |
|
||||
| | | [Setuid and Setgid](../../T1166/T1166.md) | | [Launchctl](../../T1152/T1152.md) | | | | | | [Standard Non-Application Layer Protocol](../../T1095/T1095.md) |
|
||||
| | | [Startup Items](../../T1165/T1165.md) | | [Masquerading](../../T1036/T1036.md) | | | | | | [Uncommonly Used Port](../../T1065/T1065.md) |
|
||||
| | | [Trap](../../T1154/T1154.md) | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | [Web Service](../../T1102/T1102.md) |
|
||||
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Plist Modification](../../T1150/T1150.md) | | | | | | |
|
||||
| | | [Web Shell](../../T1100/T1100.md) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
|
||||
| | | | | [Process Injection](../../T1055/T1055.md) | | | | | | |
|
||||
| | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
|
||||
| | | | | [Rootkit](../../T1014/T1014.md) | | | | | | |
|
||||
| | | | | [Scripting](../../T1064/T1064.md) | | | | | | |
|
||||
| | | | | [Software Packing](../../T1045/T1045.md) | | | | | | |
|
||||
| | | | | [Space after Filename](../../T1151/T1151.md) | | | | | | |
|
||||
| | | | | [Timestomp](../../T1099/T1099.md) | | | | | | |
|
||||
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
|
||||
| | | | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
|
||||
| | | | | [Web Service](../../T1102/T1102.md) | | | | | | |
|
||||
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|
||||
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
|
||||
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1155/T1155.md) | [.bash_profile and .bashrc](../../T1156/T1156.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1009/T1009.md) | [Bash History](../../T1139/T1139.md) | [Account Discovery](../../T1087/T1087.md) | [AppleScript](../../T1155/T1155.md) | [Audio Capture](../../T1123/T1123.md) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) |
|
||||
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Command-Line Interface](../../T1059/T1059.md) | [Browser Extensions](../../T1176/T1176.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1146/T1146.md) | [Brute Force](../../T1110/T1110.md) | [Application Window Discovery](../../T1010/T1010.md) | Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](../../T1119/T1119.md) | [Data Compressed](../../T1002/T1002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
|
||||
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Create Account](../../T1136/T1136.md) | [Emond](../../T1519/T1519.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credential Dumping](../../T1003/T1003.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](../../T1115/T1115.md) | [Data Encrypted](../../T1022/T1022.md) | [Connection Proxy](../../T1090/T1090.md) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| [Spearphishing Attachment](../../T1193/T1193.md) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compile After Delivery](../../T1500/T1500.md) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Staged](../../T1074/T1074.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1152/T1152.md) | [Emond](../../T1519/T1519.md) | [Launch Daemon](../../T1160/T1160.md) | [Connection Proxy](../../T1090/T1090.md) | [Credentials in Files](../../T1081/T1081.md) | [Network Service Scanning](../../T1046/T1046.md) | [Logon Scripts](../../T1037/T1037.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Job Scheduling](../../T1168/T1168.md) | [Hidden Files and Directories](../../T1158/T1158.md) | [Plist Modification](../../T1150/T1150.md) | [Disabling Security Tools](../../T1089/T1089.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | [Remote File Copy](../../T1105/T1105.md) | [Data from Local System](../../T1005/T1005.md) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](../../T1132/T1132.md) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scripting](../../T1064/T1064.md) | [Kernel Modules and Extensions](../../T1215/T1215.md) | [Process Injection](../../T1055/T1055.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Capture](../../T1056/T1056.md) | [Network Sniffing](../../T1040/T1040.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Source](../../T1153/T1153.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1166/T1166.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Prompt](../../T1141/T1141.md) | [Password Policy Discovery](../../T1201/T1201.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Space after Filename](../../T1151/T1151.md) | [Launch Agent](../../T1159/T1159.md) | [Startup Items](../../T1165/T1165.md) | [File Deletion](../../T1107/T1107.md) | [Keychain](../../T1142/T1142.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Capture](../../T1056/T1056.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
|
||||
| | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1160/T1160.md) | [Sudo](../../T1169/T1169.md) | [File and Directory Permissions Modification](../../T1222/T1222.md) | [Network Sniffing](../../T1040/T1040.md) | [Permission Groups Discovery](../../T1069/T1069.md) | | [Screen Capture](../../T1113/T1113.md) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | [Trap](../../T1154/T1154.md) | [Launchctl](../../T1152/T1152.md) | [Sudo Caching](../../T1206/T1206.md) | [Gatekeeper Bypass](../../T1144/T1144.md) | [Private Keys](../../T1145/T1145.md) | [Process Discovery](../../T1057/T1057.md) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Resource Hijacking](../../T1496/T1496.md) |
|
||||
| | [User Execution](../../T1204/T1204.md) | [Local Job Scheduling](../../T1168/T1168.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [HISTCONTROL](../../T1148/T1148.md) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | | | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | Login Item [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Web Shell](../../T1100/T1100.md) | [Hidden Files and Directories](../../T1158/T1158.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1063/T1063.md) | | | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | [Logon Scripts](../../T1037/T1037.md) | | [Hidden Users](../../T1147/T1147.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Software Discovery](../../T1518/T1518.md) | | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
|
||||
| | | [Plist Modification](../../T1150/T1150.md) | | [Hidden Window](../../T1143/T1143.md) | | [System Information Discovery](../../T1082/T1082.md) | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Network Configuration Discovery](../../T1016/T1016.md) | | | | [Remote Access Tools](../../T1219/T1219.md) | |
|
||||
| | | [Rc.common](../../T1163/T1163.md) | | [Indicator Removal on Host](../../T1070/T1070.md) | | [System Network Connections Discovery](../../T1049/T1049.md) | | | | [Remote File Copy](../../T1105/T1105.md) | |
|
||||
| | | [Re-opened Applications](../../T1164/T1164.md) | | [Install Root Certificate](../../T1130/T1130.md) | | [System Owner/User Discovery](../../T1033/T1033.md) | | | | [Standard Application Layer Protocol](../../T1071/T1071.md) | |
|
||||
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Standard Cryptographic Protocol](../../T1032/T1032.md) | |
|
||||
| | | [Setuid and Setgid](../../T1166/T1166.md) | | [Launchctl](../../T1152/T1152.md) | | | | | | [Standard Non-Application Layer Protocol](../../T1095/T1095.md) | |
|
||||
| | | [Startup Items](../../T1165/T1165.md) | | [Masquerading](../../T1036/T1036.md) | | | | | | [Uncommonly Used Port](../../T1065/T1065.md) | |
|
||||
| | | [Trap](../../T1154/T1154.md) | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | [Web Service](../../T1102/T1102.md) | |
|
||||
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Plist Modification](../../T1150/T1150.md) | | | | | | | |
|
||||
| | | [Web Shell](../../T1100/T1100.md) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | | | [Process Injection](../../T1055/T1055.md) | | | | | | | |
|
||||
| | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | | | [Rootkit](../../T1014/T1014.md) | | | | | | | |
|
||||
| | | | | [Scripting](../../T1064/T1064.md) | | | | | | | |
|
||||
| | | | | [Software Packing](../../T1045/T1045.md) | | | | | | | |
|
||||
| | | | | [Space after Filename](../../T1151/T1151.md) | | | | | | | |
|
||||
| | | | | [Timestomp](../../T1099/T1099.md) | | | | | | | |
|
||||
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | | | [Web Service](../../T1102/T1102.md) | | | | | | | |
|
||||
|
||||
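Review bot: the new `impact` column in the 12-column rows links five techniques as having tests (T1531, T1485, T1490, T1496, T1529), and nothing visible in this hunk confirms that those atomics target the platform this matrix covers. Because the table is generated, please confirm that the generator applies the same supported-platform filter to `impact` as it does to the other tactics, and that each linked relative path resolves to an existing technique page. The column count is consistent: the header, the separator, and every row below it (including rows with an empty trailing cell) have 12 cells, so the table will render correctly.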
@@ -1,76 +1,76 @@
|
||||
# All Atomic Tests by ATT&CK Tactic & Technique
|
||||
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control |
|
||||
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
|
||||
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1155/T1155.md) | [.bash_profile and .bashrc](../../T1156/T1156.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Manipulation](../../T1098/T1098.md) | [Account Discovery](../../T1087/T1087.md) | [AppleScript](../../T1155/T1155.md) | [Audio Capture](../../T1123/T1123.md) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [CMSTP](../../T1191/T1191.md) | [Accessibility Features](../../T1015/T1015.md) | [Accessibility Features](../../T1015/T1015.md) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bash History](../../T1139/T1139.md) | [Application Window Discovery](../../T1010/T1010.md) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](../../T1119/T1119.md) | [Data Compressed](../../T1002/T1002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Command-Line Interface](../../T1059/T1059.md) | [Account Manipulation](../../T1098/T1098.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | [Brute Force](../../T1110/T1110.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](../../T1115/T1115.md) | [Data Encrypted](../../T1022/T1022.md) | [Connection Proxy](../../T1090/T1090.md) |
|
||||
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](../../T1223/T1223.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](../../T1103/T1103.md) | [Binary Padding](../../T1009/T1009.md) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Staged](../../T1074/T1074.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](../../T1103/T1103.md) | [Application Shimming](../../T1138/T1138.md) | [Bypass User Account Control](../../T1088/T1088.md) | [Credential Dumping](../../T1003/T1003.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| [Spearphishing Attachment](../../T1193/T1193.md) | [Control Panel Items](../../T1196/T1196.md) | [Application Shimming](../../T1138/T1138.md) | [Bypass User Account Control](../../T1088/T1088.md) | [CMSTP](../../T1191/T1191.md) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](../../T1132/T1132.md) |
|
||||
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1173/T1173.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1038/T1038.md) | [Clear Command History](../../T1146/T1146.md) | [Credentials in Files](../../T1081/T1081.md) | [File and Directory Discovery](../../T1083/T1083.md) | [Logon Scripts](../../T1037/T1037.md) | [Data from Local System](../../T1005/T1005.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials in Registry](../../T1214/T1214.md) | [Network Service Scanning](../../T1046/T1046.md) | [Pass the Hash](../../T1075/T1075.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through Module Load [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compile After Delivery](../../T1500/T1500.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | [Pass the Ticket](../../T1097/T1097.md) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | [Emond](../../T1519/T1519.md) | [Compiled HTML File](../../T1223/T1223.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [Remote Desktop Protocol](../../T1076/T1076.md) | [Email Collection](../../T1114/T1114.md) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1042/T1042.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hooking](../../T1179/T1179.md) | [Password Policy Discovery](../../T1201/T1201.md) | [Remote File Copy](../../T1105/T1105.md) | [Input Capture](../../T1056/T1056.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | [InstallUtil](../../T1118/T1118.md) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Capture](../../T1056/T1056.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File System Permissions Weakness](../../T1044/T1044.md) | [Connection Proxy](../../T1090/T1090.md) | [Input Prompt](../../T1141/T1141.md) | [Permission Groups Discovery](../../T1069/T1069.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screen Capture](../../T1113/T1113.md) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | [Launchctl](../../T1152/T1152.md) | [Create Account](../../T1136/T1136.md) | [Hooking](../../T1179/T1179.md) | [Control Panel Items](../../T1196/T1196.md) | [Kerberoasting](../../T1208/T1208.md) | [Process Discovery](../../T1057/T1057.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | [Local Job Scheduling](../../T1168/T1168.md) | [DLL Search Order Hijacking](../../T1038/T1038.md) | [Image File Execution Options Injection](../../T1183/T1183.md) | [DCShadow](../../T1207/T1207.md) | [Keychain](../../T1142/T1142.md) | [Query Registry](../../T1012/T1012.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | [Mshta](../../T1170/T1170.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1160/T1160.md) | [DLL Search Order Hijacking](../../T1038/T1038.md) | LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Remote Access Tools](../../T1219/T1219.md) |
|
||||
| | [PowerShell](../../T1086/T1086.md) | [Emond](../../T1519/T1519.md) | [New Service](../../T1050/T1050.md) | [DLL Side-Loading](../../T1073/T1073.md) | [Network Sniffing](../../T1040/T1040.md) | [Security Software Discovery](../../T1063/T1063.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Remote File Copy](../../T1105/T1105.md) |
|
||||
| | [Regsvcs/Regasm](../../T1121/T1121.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Parent PID Spoofing](../../T1502/T1502.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [Password Filter DLL](../../T1174/T1174.md) | [Software Discovery](../../T1518/T1518.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Standard Application Layer Protocol](../../T1071/T1071.md) |
|
||||
| | [Regsvr32](../../T1117/T1117.md) | [File System Permissions Weakness](../../T1044/T1044.md) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disabling Security Tools](../../T1089/T1089.md) | [Private Keys](../../T1145/T1145.md) | [System Information Discovery](../../T1082/T1082.md) | [Windows Admin Shares](../../T1077/T1077.md) | | | [Standard Cryptographic Protocol](../../T1032/T1032.md) |
|
||||
| | [Rundll32](../../T1085/T1085.md) | [Hidden Files and Directories](../../T1158/T1158.md) | [Plist Modification](../../T1150/T1150.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | [Windows Remote Management](../../T1028/T1028.md) | | | [Standard Non-Application Layer Protocol](../../T1095/T1095.md) |
|
||||
| | [Scheduled Task](../../T1053/T1053.md) | [Hooking](../../T1179/T1179.md) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | | | [Uncommonly Used Port](../../T1065/T1065.md) |
|
||||
| | [Scripting](../../T1064/T1064.md) | [Hypervisor](../../T1062/T1062.md) | [PowerShell Profile](../../T1504/T1504.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | | | | [Web Service](../../T1102/T1102.md) |
|
||||
| | [Service Execution](../../T1035/T1035.md) | [Image File Execution Options Injection](../../T1183/T1183.md) | [Process Injection](../../T1055/T1055.md) | [File Deletion](../../T1107/T1107.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Service Discovery](../../T1007/T1007.md) | | | | |
|
||||
| | [Signed Binary Proxy Execution](../../T1218/T1218.md) | Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Time Discovery](../../T1124/T1124.md) | | | | |
|
||||
| | [Signed Script Proxy Execution](../../T1216/T1216.md) | [Kernel Modules and Extensions](../../T1215/T1215.md) | [Scheduled Task](../../T1053/T1053.md) | [File and Directory Permissions Modification](../../T1222/T1222.md) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | |
|
||||
| | [Source](../../T1153/T1153.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Registry Permissions Weakness](../../T1058/T1058.md) | [Gatekeeper Bypass](../../T1144/T1144.md) | | | | | | |
|
||||
| | [Space after Filename](../../T1151/T1151.md) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1166/T1166.md) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
|
||||
| | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1159/T1159.md) | [Startup Items](../../T1165/T1165.md) | [HISTCONTROL](../../T1148/T1148.md) | | | | | | |
|
||||
| | [Trap](../../T1154/T1154.md) | [Launch Daemon](../../T1160/T1160.md) | [Sudo](../../T1169/T1169.md) | [Hidden Files and Directories](../../T1158/T1158.md) | | | | | | |
|
||||
| | [Trusted Developer Utilities](../../T1127/T1127.md) | [Launchctl](../../T1152/T1152.md) | [Sudo Caching](../../T1206/T1206.md) | [Hidden Users](../../T1147/T1147.md) | | | | | | |
|
||||
| | [User Execution](../../T1204/T1204.md) | [Local Job Scheduling](../../T1168/T1168.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Window](../../T1143/T1143.md) | | | | | | |
|
||||
| | [Windows Management Instrumentation](../../T1047/T1047.md) | Login Item [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Web Shell](../../T1100/T1100.md) | [Image File Execution Options Injection](../../T1183/T1183.md) | | | | | | |
|
||||
| | [Windows Remote Management](../../T1028/T1028.md) | [Logon Scripts](../../T1037/T1037.md) | | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
|
||||
| | [XSL Script Processing](../../T1220/T1220.md) | [Modify Existing Service](../../T1031/T1031.md) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
|
||||
| | | [Netsh Helper DLL](../../T1128/T1128.md) | | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | |
|
||||
| | | [New Service](../../T1050/T1050.md) | | [Indirect Command Execution](../../T1202/T1202.md) | | | | | | |
|
||||
| | | [Office Application Startup](../../T1137/T1137.md) | | [Install Root Certificate](../../T1130/T1130.md) | | | | | | |
|
||||
| | | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [InstallUtil](../../T1118/T1118.md) | | | | | | |
|
||||
| | | [Plist Modification](../../T1150/T1150.md) | | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
|
||||
| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Launchctl](../../T1152/T1152.md) | | | | | | |
|
||||
| | | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Masquerading](../../T1036/T1036.md) | | | | | | |
|
||||
| | | [PowerShell Profile](../../T1504/T1504.md) | | [Modify Registry](../../T1112/T1112.md) | | | | | | |
|
||||
| | | [Rc.common](../../T1163/T1163.md) | | [Mshta](../../T1170/T1170.md) | | | | | | |
|
||||
| | | [Re-opened Applications](../../T1164/T1164.md) | | [NTFS File Attributes](../../T1096/T1096.md) | | | | | | |
|
||||
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Network Share Connection Removal](../../T1126/T1126.md) | | | | | | |
|
||||
| | | [Registry Run Keys / Startup Folder](../../T1060/T1060.md) | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | |
|
||||
| | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Parent PID Spoofing](../../T1502/T1502.md) | | | | | | |
|
||||
| | | [Scheduled Task](../../T1053/T1053.md) | | [Plist Modification](../../T1150/T1150.md) | | | | | | |
|
||||
| | | [Screensaver](../../T1180/T1180.md) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
|
||||
| | | [Security Support Provider](../../T1101/T1101.md) | | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
|
||||
| | | [Server Software Component](../../T1505/T1505.md) | | [Process Hollowing](../../T1093/T1093.md) | | | | | | |
|
||||
| | | [Service Registry Permissions Weakness](../../T1058/T1058.md) | | [Process Injection](../../T1055/T1055.md) | | | | | | |
|
||||
| | | [Setuid and Setgid](../../T1166/T1166.md) | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
|
||||
| | | [Shortcut Modification](../../T1023/T1023.md) | | [Regsvcs/Regasm](../../T1121/T1121.md) | | | | | | |
|
||||
| | | [Startup Items](../../T1165/T1165.md) | | [Regsvr32](../../T1117/T1117.md) | | | | | | |
|
||||
| | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
|
||||
| | | [Systemd Service](../../T1501/T1501.md) | | [Rootkit](../../T1014/T1014.md) | | | | | | |
|
||||
| | | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Rundll32](../../T1085/T1085.md) | | | | | | |
|
||||
| | | [Trap](../../T1154/T1154.md) | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
|
||||
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Scripting](../../T1064/T1064.md) | | | | | | |
|
||||
| | | [Web Shell](../../T1100/T1100.md) | | [Signed Binary Proxy Execution](../../T1218/T1218.md) | | | | | | |
|
||||
| | | [Windows Management Instrumentation Event Subscription](../../T1084/T1084.md) | | [Signed Script Proxy Execution](../../T1216/T1216.md) | | | | | | |
|
||||
| | | [Winlogon Helper DLL](../../T1004/T1004.md) | | [Software Packing](../../T1045/T1045.md) | | | | | | |
|
||||
| | | | | [Space after Filename](../../T1151/T1151.md) | | | | | | |
|
||||
| | | | | Template Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
|
||||
| | | | | [Timestomp](../../T1099/T1099.md) | | | | | | |
|
||||
| | | | | [Trusted Developer Utilities](../../T1127/T1127.md) | | | | | | |
|
||||
| | | | | Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
|
||||
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
|
||||
| | | | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
|
||||
| | | | | [Web Service](../../T1102/T1102.md) | | | | | | |
|
||||
| | | | | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
|
||||
| | | | | [XSL Script Processing](../../T1220/T1220.md) | | | | | | |
|
||||
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|
||||
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
|
||||
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1155/T1155.md) | [.bash_profile and .bashrc](../../T1156/T1156.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Manipulation](../../T1098/T1098.md) | [Account Discovery](../../T1087/T1087.md) | [AppleScript](../../T1155/T1155.md) | [Audio Capture](../../T1123/T1123.md) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) |
|
||||
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [CMSTP](../../T1191/T1191.md) | [Accessibility Features](../../T1015/T1015.md) | [Accessibility Features](../../T1015/T1015.md) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bash History](../../T1139/T1139.md) | [Application Window Discovery](../../T1010/T1010.md) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](../../T1119/T1119.md) | [Data Compressed](../../T1002/T1002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
|
||||
| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Command-Line Interface](../../T1059/T1059.md) | [Account Manipulation](../../T1098/T1098.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | [Brute Force](../../T1110/T1110.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](../../T1115/T1115.md) | [Data Encrypted](../../T1022/T1022.md) | [Connection Proxy](../../T1090/T1090.md) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](../../T1223/T1223.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](../../T1103/T1103.md) | [Binary Padding](../../T1009/T1009.md) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Staged](../../T1074/T1074.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](../../T1103/T1103.md) | [Application Shimming](../../T1138/T1138.md) | [Bypass User Account Control](../../T1088/T1088.md) | [Credential Dumping](../../T1003/T1003.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| [Spearphishing Attachment](../../T1193/T1193.md) | [Control Panel Items](../../T1196/T1196.md) | [Application Shimming](../../T1138/T1138.md) | [Bypass User Account Control](../../T1088/T1088.md) | [CMSTP](../../T1191/T1191.md) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](../../T1132/T1132.md) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1173/T1173.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1038/T1038.md) | [Clear Command History](../../T1146/T1146.md) | [Credentials in Files](../../T1081/T1081.md) | [File and Directory Discovery](../../T1083/T1083.md) | [Logon Scripts](../../T1037/T1037.md) | [Data from Local System](../../T1005/T1005.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials in Registry](../../T1214/T1214.md) | [Network Service Scanning](../../T1046/T1046.md) | [Pass the Hash](../../T1075/T1075.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through Module Load [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compile After Delivery](../../T1500/T1500.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | [Pass the Ticket](../../T1097/T1097.md) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
|
||||
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | [Emond](../../T1519/T1519.md) | [Compiled HTML File](../../T1223/T1223.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [Remote Desktop Protocol](../../T1076/T1076.md) | [Email Collection](../../T1114/T1114.md) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1042/T1042.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hooking](../../T1179/T1179.md) | [Password Policy Discovery](../../T1201/T1201.md) | [Remote File Copy](../../T1105/T1105.md) | [Input Capture](../../T1056/T1056.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Resource Hijacking](../../T1496/T1496.md) |
|
||||
| | [InstallUtil](../../T1118/T1118.md) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Capture](../../T1056/T1056.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File System Permissions Weakness](../../T1044/T1044.md) | [Connection Proxy](../../T1090/T1090.md) | [Input Prompt](../../T1141/T1141.md) | [Permission Groups Discovery](../../T1069/T1069.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screen Capture](../../T1113/T1113.md) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
|
||||
| | [Launchctl](../../T1152/T1152.md) | [Create Account](../../T1136/T1136.md) | [Hooking](../../T1179/T1179.md) | [Control Panel Items](../../T1196/T1196.md) | [Kerberoasting](../../T1208/T1208.md) | [Process Discovery](../../T1057/T1057.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | [Local Job Scheduling](../../T1168/T1168.md) | [DLL Search Order Hijacking](../../T1038/T1038.md) | [Image File Execution Options Injection](../../T1183/T1183.md) | [DCShadow](../../T1207/T1207.md) | [Keychain](../../T1142/T1142.md) | [Query Registry](../../T1012/T1012.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
|
||||
| | [Mshta](../../T1170/T1170.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1160/T1160.md) | [DLL Search Order Hijacking](../../T1038/T1038.md) | LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Remote Access Tools](../../T1219/T1219.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | [PowerShell](../../T1086/T1086.md) | [Emond](../../T1519/T1519.md) | [New Service](../../T1050/T1050.md) | [DLL Side-Loading](../../T1073/T1073.md) | [Network Sniffing](../../T1040/T1040.md) | [Security Software Discovery](../../T1063/T1063.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Remote File Copy](../../T1105/T1105.md) | |
|
||||
| | [Regsvcs/Regasm](../../T1121/T1121.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Parent PID Spoofing](../../T1502/T1502.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [Password Filter DLL](../../T1174/T1174.md) | [Software Discovery](../../T1518/T1518.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Standard Application Layer Protocol](../../T1071/T1071.md) | |
|
||||
| | [Regsvr32](../../T1117/T1117.md) | [File System Permissions Weakness](../../T1044/T1044.md) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disabling Security Tools](../../T1089/T1089.md) | [Private Keys](../../T1145/T1145.md) | [System Information Discovery](../../T1082/T1082.md) | [Windows Admin Shares](../../T1077/T1077.md) | | | [Standard Cryptographic Protocol](../../T1032/T1032.md) | |
|
||||
| | [Rundll32](../../T1085/T1085.md) | [Hidden Files and Directories](../../T1158/T1158.md) | [Plist Modification](../../T1150/T1150.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | [Windows Remote Management](../../T1028/T1028.md) | | | [Standard Non-Application Layer Protocol](../../T1095/T1095.md) | |
|
||||
| | [Scheduled Task](../../T1053/T1053.md) | [Hooking](../../T1179/T1179.md) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | | | [Uncommonly Used Port](../../T1065/T1065.md) | |
|
||||
| | [Scripting](../../T1064/T1064.md) | [Hypervisor](../../T1062/T1062.md) | [PowerShell Profile](../../T1504/T1504.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | | | | [Web Service](../../T1102/T1102.md) | |
|
||||
| | [Service Execution](../../T1035/T1035.md) | [Image File Execution Options Injection](../../T1183/T1183.md) | [Process Injection](../../T1055/T1055.md) | [File Deletion](../../T1107/T1107.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Service Discovery](../../T1007/T1007.md) | | | | | |
|
||||
| | [Signed Binary Proxy Execution](../../T1218/T1218.md) | Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Time Discovery](../../T1124/T1124.md) | | | | | |
|
||||
| | [Signed Script Proxy Execution](../../T1216/T1216.md) | [Kernel Modules and Extensions](../../T1215/T1215.md) | [Scheduled Task](../../T1053/T1053.md) | [File and Directory Permissions Modification](../../T1222/T1222.md) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | |
|
||||
| | [Source](../../T1153/T1153.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Registry Permissions Weakness](../../T1058/T1058.md) | [Gatekeeper Bypass](../../T1144/T1144.md) | | | | | | | |
|
||||
| | [Space after Filename](../../T1151/T1151.md) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1166/T1166.md) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1159/T1159.md) | [Startup Items](../../T1165/T1165.md) | [HISTCONTROL](../../T1148/T1148.md) | | | | | | | |
|
||||
| | [Trap](../../T1154/T1154.md) | [Launch Daemon](../../T1160/T1160.md) | [Sudo](../../T1169/T1169.md) | [Hidden Files and Directories](../../T1158/T1158.md) | | | | | | | |
|
||||
| | [Trusted Developer Utilities](../../T1127/T1127.md) | [Launchctl](../../T1152/T1152.md) | [Sudo Caching](../../T1206/T1206.md) | [Hidden Users](../../T1147/T1147.md) | | | | | | | |
|
||||
| | [User Execution](../../T1204/T1204.md) | [Local Job Scheduling](../../T1168/T1168.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Window](../../T1143/T1143.md) | | | | | | | |
|
||||
| | [Windows Management Instrumentation](../../T1047/T1047.md) | Login Item [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Web Shell](../../T1100/T1100.md) | [Image File Execution Options Injection](../../T1183/T1183.md) | | | | | | | |
|
||||
| | [Windows Remote Management](../../T1028/T1028.md) | [Logon Scripts](../../T1037/T1037.md) | | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | [XSL Script Processing](../../T1220/T1220.md) | [Modify Existing Service](../../T1031/T1031.md) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | [Netsh Helper DLL](../../T1128/T1128.md) | | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | |
|
||||
| | | [New Service](../../T1050/T1050.md) | | [Indirect Command Execution](../../T1202/T1202.md) | | | | | | | |
|
||||
| | | [Office Application Startup](../../T1137/T1137.md) | | [Install Root Certificate](../../T1130/T1130.md) | | | | | | | |
|
||||
| | | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [InstallUtil](../../T1118/T1118.md) | | | | | | | |
|
||||
| | | [Plist Modification](../../T1150/T1150.md) | | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Launchctl](../../T1152/T1152.md) | | | | | | | |
|
||||
| | | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Masquerading](../../T1036/T1036.md) | | | | | | | |
|
||||
| | | [PowerShell Profile](../../T1504/T1504.md) | | [Modify Registry](../../T1112/T1112.md) | | | | | | | |
|
||||
| | | [Rc.common](../../T1163/T1163.md) | | [Mshta](../../T1170/T1170.md) | | | | | | | |
|
||||
| | | [Re-opened Applications](../../T1164/T1164.md) | | [NTFS File Attributes](../../T1096/T1096.md) | | | | | | | |
|
||||
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Network Share Connection Removal](../../T1126/T1126.md) | | | | | | | |
|
||||
| | | [Registry Run Keys / Startup Folder](../../T1060/T1060.md) | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
|
||||
| | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Parent PID Spoofing](../../T1502/T1502.md) | | | | | | | |
|
||||
| | | [Scheduled Task](../../T1053/T1053.md) | | [Plist Modification](../../T1150/T1150.md) | | | | | | | |
|
||||
| | | [Screensaver](../../T1180/T1180.md) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | [Security Support Provider](../../T1101/T1101.md) | | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | [Server Software Component](../../T1505/T1505.md) | | [Process Hollowing](../../T1093/T1093.md) | | | | | | | |
|
||||
| | | [Service Registry Permissions Weakness](../../T1058/T1058.md) | | [Process Injection](../../T1055/T1055.md) | | | | | | | |
|
||||
| | | [Setuid and Setgid](../../T1166/T1166.md) | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | [Shortcut Modification](../../T1023/T1023.md) | | [Regsvcs/Regasm](../../T1121/T1121.md) | | | | | | | |
|
||||
| | | [Startup Items](../../T1165/T1165.md) | | [Regsvr32](../../T1117/T1117.md) | | | | | | | |
|
||||
| | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | [Systemd Service](../../T1501/T1501.md) | | [Rootkit](../../T1014/T1014.md) | | | | | | | |
|
||||
| | | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Rundll32](../../T1085/T1085.md) | | | | | | | |
|
||||
| | | [Trap](../../T1154/T1154.md) | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Scripting](../../T1064/T1064.md) | | | | | | | |
|
||||
| | | [Web Shell](../../T1100/T1100.md) | | [Signed Binary Proxy Execution](../../T1218/T1218.md) | | | | | | | |
|
||||
| | | [Windows Management Instrumentation Event Subscription](../../T1084/T1084.md) | | [Signed Script Proxy Execution](../../T1216/T1216.md) | | | | | | | |
|
||||
| | | [Winlogon Helper DLL](../../T1004/T1004.md) | | [Software Packing](../../T1045/T1045.md) | | | | | | | |
|
||||
| | | | | [Space after Filename](../../T1151/T1151.md) | | | | | | | |
|
||||
| | | | | Template Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | | | [Timestomp](../../T1099/T1099.md) | | | | | | | |
|
||||
| | | | | [Trusted Developer Utilities](../../T1127/T1127.md) | | | | | | | |
|
||||
| | | | | Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | | | [Web Service](../../T1102/T1102.md) | | | | | | | |
|
||||
| | | | | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | | | [XSL Script Processing](../../T1220/T1220.md) | | | | | | | |
|
||||
|
||||
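Review bot: the six linked entries in the new impact column (`../../T1531/T1531.md`, `../../T1485/T1485.md`, `../../T1490/T1490.md`, `../../T1496/T1496.md`, `../../T1489/T1489.md`, `../../T1529/T1529.md`) are relative links, and nothing visible in this hunk confirms that those files exist, so a missing technique directory would ship as a dead link in the matrix. Suggest having the doc generation job check that every `../../Txxxx/Txxxx.md` target resolves before committing the generated file. Separately, every row from the `| initial-access | ... | impact |` header down is rewritten just to append one cell, which makes it hard to spot an accidental change in the other eleven columns. Rows such as `Space after Filename` look identical apart from the trailing empty cell, but it would help to state in the commit message that this file is generator output and that the first eleven cells of each row are unchanged.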
@@ -1,63 +1,63 @@
|
||||
# Windows Atomic Tests by ATT&CK Tactic & Technique
|
||||
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control |
|
||||
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
|
||||
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [CMSTP](../../T1191/T1191.md) | [Accessibility Features](../../T1015/T1015.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Manipulation](../../T1098/T1098.md) | [Account Discovery](../../T1087/T1087.md) | Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Command-Line Interface](../../T1059/T1059.md) | [Account Manipulation](../../T1098/T1098.md) | [Accessibility Features](../../T1015/T1015.md) | [BITS Jobs](../../T1197/T1197.md) | [Brute Force](../../T1110/T1110.md) | [Application Window Discovery](../../T1010/T1010.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](../../T1119/T1119.md) | [Data Compressed](../../T1002/T1002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](../../T1223/T1223.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1009/T1009.md) | [Credential Dumping](../../T1003/T1003.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](../../T1115/T1115.md) | [Data Encrypted](../../T1022/T1022.md) | [Connection Proxy](../../T1090/T1090.md) |
|
||||
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](../../T1103/T1103.md) | [AppInit DLLs](../../T1103/T1103.md) | [Bypass User Account Control](../../T1088/T1088.md) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Staged](../../T1074/T1074.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel Items](../../T1196/T1196.md) | [Application Shimming](../../T1138/T1138.md) | [Application Shimming](../../T1138/T1138.md) | [CMSTP](../../T1191/T1191.md) | [Credentials in Files](../../T1081/T1081.md) | [File and Directory Discovery](../../T1083/T1083.md) | [Logon Scripts](../../T1037/T1037.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| [Spearphishing Attachment](../../T1193/T1193.md) | [Dynamic Data Exchange](../../T1173/T1173.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Account Control](../../T1088/T1088.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials in Registry](../../T1214/T1214.md) | [Network Service Scanning](../../T1046/T1046.md) | [Pass the Hash](../../T1075/T1075.md) | [Data from Local System](../../T1005/T1005.md) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](../../T1132/T1132.md) |
|
||||
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | [DLL Search Order Hijacking](../../T1038/T1038.md) | [Compile After Delivery](../../T1500/T1500.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | [Pass the Ticket](../../T1097/T1097.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through Module Load [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](../../T1223/T1223.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [Remote Desktop Protocol](../../T1076/T1076.md) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hooking](../../T1179/T1179.md) | [Password Policy Discovery](../../T1201/T1201.md) | [Remote File Copy](../../T1105/T1105.md) | [Email Collection](../../T1114/T1114.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1042/T1042.md) | [File System Permissions Weakness](../../T1044/T1044.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Capture](../../T1056/T1056.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Capture](../../T1056/T1056.md) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [InstallUtil](../../T1118/T1118.md) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hooking](../../T1179/T1179.md) | [Connection Proxy](../../T1090/T1090.md) | [Input Prompt](../../T1141/T1141.md) | [Permission Groups Discovery](../../T1069/T1069.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](../../T1183/T1183.md) | [Control Panel Items](../../T1196/T1196.md) | [Kerberoasting](../../T1208/T1208.md) | [Process Discovery](../../T1057/T1057.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screen Capture](../../T1113/T1113.md) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | [Mshta](../../T1170/T1170.md) | [Create Account](../../T1136/T1136.md) | [New Service](../../T1050/T1050.md) | [DCShadow](../../T1207/T1207.md) | LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Query Registry](../../T1012/T1012.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | [PowerShell](../../T1086/T1086.md) | [DLL Search Order Hijacking](../../T1038/T1038.md) | [Parent PID Spoofing](../../T1502/T1502.md) | [DLL Search Order Hijacking](../../T1038/T1038.md) | [Network Sniffing](../../T1040/T1040.md) | [Remote System Discovery](../../T1018/T1018.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | [Regsvcs/Regasm](../../T1121/T1121.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1073/T1073.md) | [Password Filter DLL](../../T1174/T1174.md) | [Security Software Discovery](../../T1063/T1063.md) | [Windows Admin Shares](../../T1077/T1077.md) | | | [Remote Access Tools](../../T1219/T1219.md) |
|
||||
| | [Regsvr32](../../T1117/T1117.md) | [File System Permissions Weakness](../../T1044/T1044.md) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [Private Keys](../../T1145/T1145.md) | [Software Discovery](../../T1518/T1518.md) | [Windows Remote Management](../../T1028/T1028.md) | | | [Remote File Copy](../../T1105/T1105.md) |
|
||||
| | [Rundll32](../../T1085/T1085.md) | [Hidden Files and Directories](../../T1158/T1158.md) | [PowerShell Profile](../../T1504/T1504.md) | [Disabling Security Tools](../../T1089/T1089.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | | | [Standard Application Layer Protocol](../../T1071/T1071.md) |
|
||||
| | [Scheduled Task](../../T1053/T1053.md) | [Hooking](../../T1179/T1179.md) | [Process Injection](../../T1055/T1055.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | | | [Standard Cryptographic Protocol](../../T1032/T1032.md) |
|
||||
| | [Scripting](../../T1064/T1064.md) | [Hypervisor](../../T1062/T1062.md) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Network Connections Discovery](../../T1049/T1049.md) | | | | [Standard Non-Application Layer Protocol](../../T1095/T1095.md) |
|
||||
| | [Service Execution](../../T1035/T1035.md) | [Image File Execution Options Injection](../../T1183/T1183.md) | [Scheduled Task](../../T1053/T1053.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Owner/User Discovery](../../T1033/T1033.md) | | | | [Uncommonly Used Port](../../T1065/T1065.md) |
|
||||
| | [Signed Binary Proxy Execution](../../T1218/T1218.md) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Registry Permissions Weakness](../../T1058/T1058.md) | [File Deletion](../../T1107/T1107.md) | | [System Service Discovery](../../T1007/T1007.md) | | | | [Web Service](../../T1102/T1102.md) |
|
||||
| | [Signed Script Proxy Execution](../../T1216/T1216.md) | [Logon Scripts](../../T1037/T1037.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Time Discovery](../../T1124/T1124.md) | | | | |
|
||||
| | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Modify Existing Service](../../T1031/T1031.md) | [Web Shell](../../T1100/T1100.md) | [File and Directory Permissions Modification](../../T1222/T1222.md) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | |
|
||||
| | [Trusted Developer Utilities](../../T1127/T1127.md) | [Netsh Helper DLL](../../T1128/T1128.md) | | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
|
||||
| | [User Execution](../../T1204/T1204.md) | [New Service](../../T1050/T1050.md) | | [Hidden Files and Directories](../../T1158/T1158.md) | | | | | | |
|
||||
| | [Windows Management Instrumentation](../../T1047/T1047.md) | [Office Application Startup](../../T1137/T1137.md) | | [Hidden Window](../../T1143/T1143.md) | | | | | | |
|
||||
| | [Windows Remote Management](../../T1028/T1028.md) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Image File Execution Options Injection](../../T1183/T1183.md) | | | | | | |
|
||||
| | [XSL Script Processing](../../T1220/T1220.md) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
|
||||
| | | [PowerShell Profile](../../T1504/T1504.md) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
|
||||
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | |
|
||||
| | | [Registry Run Keys / Startup Folder](../../T1060/T1060.md) | | [Indirect Command Execution](../../T1202/T1202.md) | | | | | | |
|
||||
| | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Install Root Certificate](../../T1130/T1130.md) | | | | | | |
|
||||
| | | [Scheduled Task](../../T1053/T1053.md) | | [InstallUtil](../../T1118/T1118.md) | | | | | | |
|
||||
| | | [Screensaver](../../T1180/T1180.md) | | [Masquerading](../../T1036/T1036.md) | | | | | | |
|
||||
| | | [Security Support Provider](../../T1101/T1101.md) | | [Modify Registry](../../T1112/T1112.md) | | | | | | |
|
||||
| | | [Server Software Component](../../T1505/T1505.md) | | [Mshta](../../T1170/T1170.md) | | | | | | |
|
||||
| | | [Service Registry Permissions Weakness](../../T1058/T1058.md) | | [NTFS File Attributes](../../T1096/T1096.md) | | | | | | |
|
||||
| | | [Shortcut Modification](../../T1023/T1023.md) | | [Network Share Connection Removal](../../T1126/T1126.md) | | | | | | |
|
||||
| | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | |
|
||||
| | | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Parent PID Spoofing](../../T1502/T1502.md) | | | | | | |
|
||||
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
|
||||
| | | [Web Shell](../../T1100/T1100.md) | | [Process Hollowing](../../T1093/T1093.md) | | | | | | |
|
||||
| | | [Windows Management Instrumentation Event Subscription](../../T1084/T1084.md) | | [Process Injection](../../T1055/T1055.md) | | | | | | |
|
||||
| | | [Winlogon Helper DLL](../../T1004/T1004.md) | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
|
||||
| | | | | [Regsvcs/Regasm](../../T1121/T1121.md) | | | | | | |
|
||||
| | | | | [Regsvr32](../../T1117/T1117.md) | | | | | | |
|
||||
| | | | | [Rootkit](../../T1014/T1014.md) | | | | | | |
|
||||
| | | | | [Rundll32](../../T1085/T1085.md) | | | | | | |
|
||||
| | | | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
|
||||
| | | | | [Scripting](../../T1064/T1064.md) | | | | | | |
|
||||
| | | | | [Signed Binary Proxy Execution](../../T1218/T1218.md) | | | | | | |
|
||||
| | | | | [Signed Script Proxy Execution](../../T1216/T1216.md) | | | | | | |
|
||||
| | | | | [Software Packing](../../T1045/T1045.md) | | | | | | |
|
||||
| | | | | Template Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
|
||||
| | | | | [Timestomp](../../T1099/T1099.md) | | | | | | |
|
||||
| | | | | [Trusted Developer Utilities](../../T1127/T1127.md) | | | | | | |
|
||||
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
|
||||
| | | | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
|
||||
| | | | | [Web Service](../../T1102/T1102.md) | | | | | | |
|
||||
| | | | | [XSL Script Processing](../../T1220/T1220.md) | | | | | | |
|
||||
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|
||||
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
|
||||
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [CMSTP](../../T1191/T1191.md) | [Accessibility Features](../../T1015/T1015.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Manipulation](../../T1098/T1098.md) | [Account Discovery](../../T1087/T1087.md) | Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) |
|
||||
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Command-Line Interface](../../T1059/T1059.md) | [Account Manipulation](../../T1098/T1098.md) | [Accessibility Features](../../T1015/T1015.md) | [BITS Jobs](../../T1197/T1197.md) | [Brute Force](../../T1110/T1110.md) | [Application Window Discovery](../../T1010/T1010.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](../../T1119/T1119.md) | [Data Compressed](../../T1002/T1002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
|
||||
| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](../../T1223/T1223.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1009/T1009.md) | [Credential Dumping](../../T1003/T1003.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](../../T1115/T1115.md) | [Data Encrypted](../../T1022/T1022.md) | [Connection Proxy](../../T1090/T1090.md) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](../../T1103/T1103.md) | [AppInit DLLs](../../T1103/T1103.md) | [Bypass User Account Control](../../T1088/T1088.md) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Staged](../../T1074/T1074.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel Items](../../T1196/T1196.md) | [Application Shimming](../../T1138/T1138.md) | [Application Shimming](../../T1138/T1138.md) | [CMSTP](../../T1191/T1191.md) | [Credentials in Files](../../T1081/T1081.md) | [File and Directory Discovery](../../T1083/T1083.md) | [Logon Scripts](../../T1037/T1037.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| [Spearphishing Attachment](../../T1193/T1193.md) | [Dynamic Data Exchange](../../T1173/T1173.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Account Control](../../T1088/T1088.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials in Registry](../../T1214/T1214.md) | [Network Service Scanning](../../T1046/T1046.md) | [Pass the Hash](../../T1075/T1075.md) | [Data from Local System](../../T1005/T1005.md) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](../../T1132/T1132.md) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | [DLL Search Order Hijacking](../../T1038/T1038.md) | [Compile After Delivery](../../T1500/T1500.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | [Pass the Ticket](../../T1097/T1097.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through Module Load [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](../../T1223/T1223.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [Remote Desktop Protocol](../../T1076/T1076.md) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hooking](../../T1179/T1179.md) | [Password Policy Discovery](../../T1201/T1201.md) | [Remote File Copy](../../T1105/T1105.md) | [Email Collection](../../T1114/T1114.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
|
||||
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1042/T1042.md) | [File System Permissions Weakness](../../T1044/T1044.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Capture](../../T1056/T1056.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Capture](../../T1056/T1056.md) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [InstallUtil](../../T1118/T1118.md) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hooking](../../T1179/T1179.md) | [Connection Proxy](../../T1090/T1090.md) | [Input Prompt](../../T1141/T1141.md) | [Permission Groups Discovery](../../T1069/T1069.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Resource Hijacking](../../T1496/T1496.md) |
|
||||
| | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](../../T1183/T1183.md) | [Control Panel Items](../../T1196/T1196.md) | [Kerberoasting](../../T1208/T1208.md) | [Process Discovery](../../T1057/T1057.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screen Capture](../../T1113/T1113.md) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | [Mshta](../../T1170/T1170.md) | [Create Account](../../T1136/T1136.md) | [New Service](../../T1050/T1050.md) | [DCShadow](../../T1207/T1207.md) | LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Query Registry](../../T1012/T1012.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
|
||||
| | [PowerShell](../../T1086/T1086.md) | [DLL Search Order Hijacking](../../T1038/T1038.md) | [Parent PID Spoofing](../../T1502/T1502.md) | [DLL Search Order Hijacking](../../T1038/T1038.md) | [Network Sniffing](../../T1040/T1040.md) | [Remote System Discovery](../../T1018/T1018.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | [Regsvcs/Regasm](../../T1121/T1121.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1073/T1073.md) | [Password Filter DLL](../../T1174/T1174.md) | [Security Software Discovery](../../T1063/T1063.md) | [Windows Admin Shares](../../T1077/T1077.md) | | | [Remote Access Tools](../../T1219/T1219.md) | [System Shutdown/Reboot](../../T1529/T1529.md) |
|
||||
| | [Regsvr32](../../T1117/T1117.md) | [File System Permissions Weakness](../../T1044/T1044.md) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [Private Keys](../../T1145/T1145.md) | [Software Discovery](../../T1518/T1518.md) | [Windows Remote Management](../../T1028/T1028.md) | | | [Remote File Copy](../../T1105/T1105.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | [Rundll32](../../T1085/T1085.md) | [Hidden Files and Directories](../../T1158/T1158.md) | [PowerShell Profile](../../T1504/T1504.md) | [Disabling Security Tools](../../T1089/T1089.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | | | [Standard Application Layer Protocol](../../T1071/T1071.md) | |
|
||||
| | [Scheduled Task](../../T1053/T1053.md) | [Hooking](../../T1179/T1179.md) | [Process Injection](../../T1055/T1055.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | | | [Standard Cryptographic Protocol](../../T1032/T1032.md) | |
|
||||
| | [Scripting](../../T1064/T1064.md) | [Hypervisor](../../T1062/T1062.md) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Network Connections Discovery](../../T1049/T1049.md) | | | | [Standard Non-Application Layer Protocol](../../T1095/T1095.md) | |
|
||||
| | [Service Execution](../../T1035/T1035.md) | [Image File Execution Options Injection](../../T1183/T1183.md) | [Scheduled Task](../../T1053/T1053.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Owner/User Discovery](../../T1033/T1033.md) | | | | [Uncommonly Used Port](../../T1065/T1065.md) | |
|
||||
| | [Signed Binary Proxy Execution](../../T1218/T1218.md) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Registry Permissions Weakness](../../T1058/T1058.md) | [File Deletion](../../T1107/T1107.md) | | [System Service Discovery](../../T1007/T1007.md) | | | | [Web Service](../../T1102/T1102.md) | |
|
||||
| | [Signed Script Proxy Execution](../../T1216/T1216.md) | [Logon Scripts](../../T1037/T1037.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Time Discovery](../../T1124/T1124.md) | | | | | |
|
||||
| | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Modify Existing Service](../../T1031/T1031.md) | [Web Shell](../../T1100/T1100.md) | [File and Directory Permissions Modification](../../T1222/T1222.md) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | |
|
||||
| | [Trusted Developer Utilities](../../T1127/T1127.md) | [Netsh Helper DLL](../../T1128/T1128.md) | | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | [User Execution](../../T1204/T1204.md) | [New Service](../../T1050/T1050.md) | | [Hidden Files and Directories](../../T1158/T1158.md) | | | | | | | |
|
||||
| | [Windows Management Instrumentation](../../T1047/T1047.md) | [Office Application Startup](../../T1137/T1137.md) | | [Hidden Window](../../T1143/T1143.md) | | | | | | | |
|
||||
| | [Windows Remote Management](../../T1028/T1028.md) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Image File Execution Options Injection](../../T1183/T1183.md) | | | | | | | |
|
||||
| | [XSL Script Processing](../../T1220/T1220.md) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | [PowerShell Profile](../../T1504/T1504.md) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | |
|
||||
| | | [Registry Run Keys / Startup Folder](../../T1060/T1060.md) | | [Indirect Command Execution](../../T1202/T1202.md) | | | | | | | |
|
||||
| | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Install Root Certificate](../../T1130/T1130.md) | | | | | | | |
|
||||
| | | [Scheduled Task](../../T1053/T1053.md) | | [InstallUtil](../../T1118/T1118.md) | | | | | | | |
|
||||
| | | [Screensaver](../../T1180/T1180.md) | | [Masquerading](../../T1036/T1036.md) | | | | | | | |
|
||||
| | | [Security Support Provider](../../T1101/T1101.md) | | [Modify Registry](../../T1112/T1112.md) | | | | | | | |
|
||||
| | | [Server Software Component](../../T1505/T1505.md) | | [Mshta](../../T1170/T1170.md) | | | | | | | |
|
||||
| | | [Service Registry Permissions Weakness](../../T1058/T1058.md) | | [NTFS File Attributes](../../T1096/T1096.md) | | | | | | | |
|
||||
| | | [Shortcut Modification](../../T1023/T1023.md) | | [Network Share Connection Removal](../../T1126/T1126.md) | | | | | | | |
|
||||
| | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | |
|
||||
| | | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Parent PID Spoofing](../../T1502/T1502.md) | | | | | | | |
|
||||
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | [Web Shell](../../T1100/T1100.md) | | [Process Hollowing](../../T1093/T1093.md) | | | | | | | |
|
||||
| | | [Windows Management Instrumentation Event Subscription](../../T1084/T1084.md) | | [Process Injection](../../T1055/T1055.md) | | | | | | | |
|
||||
| | | [Winlogon Helper DLL](../../T1004/T1004.md) | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | | | [Regsvcs/Regasm](../../T1121/T1121.md) | | | | | | | |
|
||||
| | | | | [Regsvr32](../../T1117/T1117.md) | | | | | | | |
|
||||
| | | | | [Rootkit](../../T1014/T1014.md) | | | | | | | |
|
||||
| | | | | [Rundll32](../../T1085/T1085.md) | | | | | | | |
|
||||
| | | | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | | | [Scripting](../../T1064/T1064.md) | | | | | | | |
|
||||
| | | | | [Signed Binary Proxy Execution](../../T1218/T1218.md) | | | | | | | |
|
||||
| | | | | [Signed Script Proxy Execution](../../T1216/T1216.md) | | | | | | | |
|
||||
| | | | | [Software Packing](../../T1045/T1045.md) | | | | | | | |
|
||||
| | | | | Template Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | | | [Timestomp](../../T1099/T1099.md) | | | | | | | |
|
||||
| | | | | [Trusted Developer Utilities](../../T1127/T1127.md) | | | | | | | |
|
||||
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | | | [Web Service](../../T1102/T1102.md) | | | | | | | |
|
||||
| | | | | [XSL Script Processing](../../T1220/T1220.md) | | | | | | | |
|
||||
|
||||
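Review bot: every data row of the Windows matrix is rewritten in this hunk, yet in the rows shown here the old and new versions differ only by the one cell appended for the new `impact` column, so the intended content change is hard to pick out from the regenerated output. Please state in the commit description that the only intended change to this table is the added `impact` column, and list its entries (Account Access Removal through Transmitted Data Manipulation, 16 rows, of which 10 are still unlinked `CONTRIBUTE A TEST` placeholders) so a reviewer can confirm nothing else in the generated rows drifted.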