name: Windows.AttackSimulation.AtomicRedTeam author: SOCFortress LLC description: | This artifact is mostly based off of Wes Lambert -- @therealwlambert. https://docs.velociraptor.app/exchange/artifacts/pages/windows.attacksimulation.atomicredteam/ This artifact allows you to run Atomic Red Team tests on Windows endpoints using Invoke-AtomicRedTeam. Linux and MacOS endpoints will soon be supported. NOTE: All tests may not work out OOB. You may notice interference or inoperability of some tests with Windows Defender/antivirus/EDR enabled. Best-effort checks are made using the built-in **-GetPreReqs** flag. This is an initial PoC, and as such, much testing is needed, and feedback is welcome. **Reference:** https://github.com/redcanaryco/invoke-atomicredteam **Description:** Invoke-AtomicRedTeam is a PowerShell module to execute tests as defined in the atomics folder of Red Canary's Atomic Red Team project. The "atomics folder" contains a folder for each Technique defined by the MITRE ATT&CK™ Framework. Inside of each of these "T#" folders you'll find a yaml file that defines the attack procedures for each atomic test as well as an easier to read markdown (md) version of the same data. - Executing atomic tests may leave your system in an undesirable state. You are responsible for understanding what a test does before executing. - Ensure you have permission to test before you begin. - It is recommended to set up a test machine for atomic test execution that is similar to the build in your environment. Be sure you have your collection/EDR solution in place, and that the endpoint is checking in and active. type: CLIENT column_types: - name: Technique type: safe_url parameters: - name: InstallART description: Install AtomicRedTeam Execution Framework (Choose this for the first run, then de-select thereafter) default: Y type: bool - name: ExecutionLogFile description: Path to log file (CSV) for executions by ART tests default: C:\Windows\Temp\ARTExec.csv - name: EnsureExecLog description: Create ExecutionLogFile if it does not exist first default: Y type: bool - name: RemoveExecLog description: Remove execution log before running artifact (in the event we don't want to intertwine results from previous tests) default: Y type: bool - name: Cleanup description: Clean up execution artifacts default: N type: bool - name: RunAll description: NOT RECOMMENDED...USE WITH CAUTION - Run all ART tests default: N type: bool - name: T1620 - 1 description: Reflectively load Mimik@tz into memory using WinPwn type: bool - name: T1615 - 1 description: Display group policy information via gpresult type: bool - name: T1615 - 2 description: Get-DomainGPO to display group policy information via PowerView type: bool - name: T1615 - 3 description: WinPwn - GPOAudit type: bool - name: T1615 - 4 description: WinPwn - GPORemoteAccessPolicy type: bool - name: T1615 - 5 description: MSFT Get-GPO Cmdlet type: bool - name: T1595.003 - 1 description: Web Server Wordlist Scan type: bool - name: T1592.001 - 1 description: Enumerate PlugNPlay Camera type: bool - name: T1574.008 - 1 description: powerShell Persistence via hijacking default modules - Get-Variable.exe type: bool - name: T1570 - 1 description: Exfiltration Over SMB over QUIC (New-SmbMapping) type: bool - name: T1570 - 2 description: Exfiltration Over SMB over QUIC (NET USE) type: bool - name: T1567.003 - 1 description: Exfiltrate data with HTTP POST to text storage sites - pastebin.com (Windows) type: bool - name: T1567.002 - 1 description: Exfiltrate data with rclone to cloud Storage - Mega (Windows) type: bool - name: T1566.002 - 1 description: Paste and run technique (Win+R with encoded PowerShell command) type: bool - name: T1564.006 - 1 description: Register Portable Virtualbox (Maze ransomware technique) type: bool - name: T1564.006 - 2 description: Create and start VirtualBox virtual machine type: bool - name: T1564.006 - 3 description: Create and start Hyper-V virtual machine type: bool - name: T1564.002 - 3 description: Create Hidden User in Registry type: bool - name: T1562 - 1 description: Windows Disable LSA Protection type: bool - name: T1562.010 - 2 description: ESXi - Change VIB acceptance level to CommunitySupported via ESXCLI (Executed from Windows) type: bool - name: T1562.010 - 3 description: PowerShell Version 2 Downgrade type: bool - name: T1562.009 - 1 description: Safe Mode Boot type: bool - name: T1562.006 - 5 description: Disable Powershell ETW Provider - Windows type: bool - name: T1562.006 - 6 description: Disable .NET Event Tracing for Windows Via Registry (cmd) type: bool - name: T1562.006 - 7 description: Disable .NET Event Tracing for Windows Via Registry (powershell) type: bool - name: T1562.006 - 8 description: LockBit Black - Disable the ETW Provider of Windows Defender -cmd type: bool - name: T1562.006 - 9 description: LockBit Black - Disable the ETW Provider of Windows Defender -Powershell type: bool - name: T1562.006 - 10 description: Disable .NET ETW via Env Variable HKCU Registry - Cmd type: bool - name: T1562.006 - 11 description: Disable .NET ETW via Env Variable HKCU Registry - PowerShell type: bool - name: T1562.006 - 12 description: Disable .NET ETW via Env Variable HKLM Registry - Cmd type: bool - name: T1562.006 - 13 description: Disable .NET ETW via Env Variable HKLM Registry - PowerShell type: bool - name: T1562.006 - 14 description: Block Cybersecurity communication via NRPT type: bool - name: T1562.003 - 11 description: Disable Windows Command Line Auditing using reg.exe type: bool - name: T1562.003 - 12 description: Disable Windows Command Line Auditing using PowerShell Cmdlet type: bool - name: T1558.002 - 1 description: Crafting Active Directory silver tickets with mimikatz type: bool - name: T1557.001 - 1 description: LLMNR Poisoning with Inveigh (PowerShell) type: bool - name: T1555.004 - 1 description: Access Saved Credentials via VaultCmd type: bool - name: T1555.004 - 2 description: WinPwn - Loot local Credentials - Invoke-WCMDump type: bool - name: T1553.003 - 1 description: SIP (Subject Interface Package) Hijacking via Custom DLL type: bool - name: T1547.015 - 1 description: Persistence by modifying Windows Terminal profile type: bool - name: T1547.014 - 1 description: HKLM - Add atomic_test key to launch executable as part of user setup type: bool - name: T1547.014 - 2 description: HKLM - Add malicious StubPath value to existing Active Setup Entry type: bool - name: T1547.014 - 3 description: HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number type: bool - name: T1547.012 - 1 description: Print Processors type: bool - name: T1547.008 - 1 description: Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt type: bool - name: T1547.006 - 4 description: Snake Malware Kernel Driver Comadmin type: bool - name: T1547.003 - 1 description: Create a new time provider type: bool - name: T1547.003 - 2 description: Edit an existing time provider type: bool - name: T1547.002 - 1 description: Authentication Package type: bool - name: T1553.006 - 1 description: Code Signing Policy Modification type: bool - name: T1546.015 - 1 description: COM Hijacking - InprocServer32 type: bool - name: T1622 - 1 description: Detect a debugger presence in the machine via PowerShell type: bool - name: T1546.015 - 2 description: Powershell Execute COM Object type: bool - name: T1546.015 - 3 description: COM Hijacking with RunDLL32 (Local Server Switch) type: bool - name: T1546.015 - 4 description: COM hijacking via TreatAs type: bool - name: T1546.009 - 1 description: Create registry persistence via AppCert DLL type: bool - name: T1542.001 - 1 description: UEFI Persistence via Wpbbin.exe File Creation type: bool - name: T1539 - 1 description: Steal Firefox Cookies (Windows) type: bool - name: T1539 - 2 description: Steal Chrome Cookies (Windows) type: bool - name: T1539 - 4 description: Steal Chrome v127+ cookies via Remote Debugging (Windows) type: bool - name: T1505.004 - 1 description: Install IIS Module using AppCmd.exe type: bool - name: T1505.004 - 2 description: Install IIS Module using PowerShell Cmdlet New-WebGlobalModule type: bool - name: T1505.005 - 1 description: Simulate Patching termsrv.dll type: bool - name: T1505.005 - 2 description: Modify Terminal Services DLL Path type: bool - name: T1204.003 - 1 description: Malicious Execution from Mounted ISO Image type: bool - name: T1195 - 1 description: Octopus Scanner Malware Open Source Supply Chain type: bool - name: T1137.001 - 1 description: Injecting a Macro into the Word Normal.dotm Template for Persistence via PowerShell type: bool - name: T1129 - 1 description: ESXi - Install a custom VIB on an ESXi host type: bool - name: T1134.005 - 1 description: Injection SID-History with mimikatz type: bool - name: T1125 - 1 description: Registry artefact when application use webcam type: bool - name: T1110.004 - 4 description: Brute Force:Credential Stuffing using Kerbrute Tool type: bool - name: T1090.003 - 1 description: Psiphon type: bool - name: T1091 - 1 description: USB Malware Spread Simulation type: bool - name: T1090.003 - 2 description: Tor Proxy Usage - Windows type: bool - name: T1070.008 - 1 description: Copy and Delete Mailbox Data on Windows type: bool - name: T1070.008 - 4 description: Copy and Modify Mailbox Data on Windows type: bool - name: T1059.010 - 1 description: AutoHotKey script execution type: bool - name: T1059.007 - 1 description: JScript execution to gather local computer information via cscript type: bool - name: T1059.007 - 2 description: JScript execution to gather local computer information via wscript type: bool - name: T1055.015 - 1 description: Process injection ListPlanting type: bool - name: T1055.011 - 1 description: Process Injection via Extra Window Memory (EWM) x64 executable type: bool - name: T1055.002 - 1 description: Portable Executable Injection type: bool - name: T1039 - 1 description: Copy a sensitive File over Administrative share with copy type: bool - name: T1039 - 2 description: Copy a sensitive File over Administrative share with Powershell type: bool - name: T1055.003 - 1 description: Thread Execution Hijacking type: bool - name: T1036.007 - 1 description: File Extension Masquerading type: bool - name: T1030 - 1 description: Network-Based Data Transfer in Small Chunks type: bool - name: T1027.007 - 1 description: Dynamic API Resolution-Ninja-syscall type: bool - name: T1027.006 - 1 description: HTML Smuggling Remote Payload type: bool - name: T1025 - 1 description: Identify Documents on USB and Removable Media via PowerShell type: bool - name: T1021.004 - 1 description: ESXi - Enable SSH via PowerCLI type: bool - name: T1021.004 - 2 description: ESXi - Enable SSH via VIM-CMD type: bool - name: T1016.002 - 1 description: Enumerate Stored Wi-Fi Profiles And Passwords via netsh type: bool - name: T1016.001 - 1 description: Check internet connection using ping Windows type: bool - name: T1016.001 - 3 description: Check internet connection using Test-NetConnection in PowerShell (ICMP-Ping) type: bool - name: T1016.001 - 4 description: Check internet connection using Test-NetConnection in PowerShell (TCP-HTTP) type: bool - name: T1016.001 - 5 description: Check internet connection using Test-NetConnection in PowerShell (TCP-SMB) Messages type: bool - name: T1003.005 - 1 description: Cached Credential Dump via Cmdkey type: bool - name: T1005 - 1 description: Search files of interest and save them to a single zip file (Windows) type: bool - name: T1558.004 - 1 description: AS-REP Roasting - Rubeus asreproast type: bool - name: T1558.004 - 2 description: Get-DomainUser with PowerView type: bool - name: T1558.004 - 3 description: WinPwn - PowerSharpPack - Kerberoasting Using Rubeus type: bool - name: T1056.004 - 1 description: Credential API Hooking - Hook PowerShell TLS Encrypt/Decrypt Messages type: bool - name: T1552.001 - 4 description: Extracting passwords with findstr type: bool - name: T1552.001 - 5 description: Access unattend.xml type: bool - name: T1552.001 - 7 description: WinPwn - sensitivefiles type: bool - name: T1552.001 - 8 description: WinPwn - Snaffler type: bool - name: T1552.001 - 9 description: WinPwn - powershellsensitive type: bool - name: T1552.001 - 10 description: WinPwn - passhunt type: bool - name: T1552.001 - 11 description: WinPwn - SessionGopher type: bool - name: T1552.001 - 12 description: WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials type: bool - name: T1552.001 - 13 description: List Credential Files via PowerShell type: bool - name: T1552.001 - 14 description: List Credential Files via Command Prompt type: bool - name: T1555 - 1 description: Credentials from Password Stores - Extract Windows Credential Manager via VBA type: bool - name: T1555 - 2 description: Credentials from Password Stores - Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] type: bool - name: T1555 - 3 description: Credentials from Password Stores - Dump credentials from Windows Credential Manager With PowerShell [web Credentials] type: bool - name: T1555 - 4 description: Credentials from Password Stores - Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] type: bool - name: T1555 - 5 description: Credentials from Password Stores - Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] type: bool - name: T1555 - 6 description: WinPwn - Loot local Credentials - lazagne type: bool - name: T1555 - 7 description: WinPwn - Loot local Credentials - Wifi Credentials type: bool - name: T1555 - 8 description: WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords type: bool - name: T1555.003 - 1 description: Credentials from Web Browsers - Run Chrome-password Collector type: bool - name: T1555.003 - 3 description: Credentials from Web Browsers - LaZagne - Credentials from Browser type: bool - name: T1555.003 - 4 description: Credentials from Web Browsers - Simulating access to Chrome Login Data type: bool - name: T1555.003 - 5 description: Simulating access to Opera Login Data type: bool - name: T1555.003 - 6 description: Simulating access to Windows Firefox Login Data type: bool - name: T1555.003 - 7 description: Simulating access to Windows Edge Login Data type: bool - name: T1555.003 - 8 description: Decrypt Mozilla Passwords with Firepwd.py type: bool - name: T1555.003 - 10 description: Stage Popular Credential Files for Exfiltration type: bool - name: T1555.003 - 11 description: WinPwn - BrowserPwn type: bool - name: T1555.003 - 12 description: WinPwn - Loot local Credentials - mimi-kittenz type: bool - name: T1555.003 - 13 description: WinPwn - PowerSharpPack - Sharpweb for Browser Credentials type: bool - name: T1555.003 - 15 description: WebBrowserPassView - Credentials from Browser type: bool - name: T1555.003 - 16 description: BrowserStealer (Chrome / Firefox / Microsoft Edge) type: bool - name: T1555.003 - 17 description: Dump Chrome Login Data with esentutl type: bool - name: T1552.002 - 1 description: Credentials in Registry - Enumeration for Credentials in Registry type: bool - name: T1552.002 - 2 description: Credentials in Registry - Enumeration for PuTTY Credentials in Registry type: bool - name: T1003.006 - 1 description: DCSync - DCSync (Active Directory) type: bool - name: T1003.006 - 2 description: Run DSInternals Get-ADReplAccount type: bool - name: T1187 - 1 description: Forced Authentication - PetitPotam type: bool - name: T1187 - 2 description: WinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS type: bool - name: T1187 - 3 description: Trigger an authenticated RPC call to a target server with no Sign flag set type: bool - name: T1056.002 - 2 description: GUI Input Capture - PowerShell - Prompt User for Password type: bool - name: T1558.001 - 1 description: Golden Ticket - Crafting Active Directory golden tickets with mimikatz type: bool - name: T1558.001 - 2 description: Crafting Active Directory golden tickets with Rubeus type: bool - name: T1552.006 - 1 description: Group Policy Preferences - GPP Passwords (findstr) type: bool - name: T1552.006 - 2 description: Group Policy Preferences - GPP Passwords (Get-GPPPassword) type: bool - name: T1558.003 - 1 description: Kerberoasting - Request for service tickets type: bool - name: T1558.003 - 2 description: Kerberoasting - Rubeus kerberoast type: bool - name: T1558.003 - 3 description: Kerberoasting - Extract all accounts in use as SPN using setspn type: bool - name: T1558.003 - 4 description: Kerberoasting - Request A Single Ticket via PowerShell type: bool - name: T1558.003 - 5 description: Kerberoasting - Request All Tickets via PowerShell type: bool - name: T1558.003 - 6 description: WinPwn - Kerberoasting type: bool - name: T1558.003 - 7 description: WinPwn - PowerSharpPack - Kerberoasting Using Rubeus type: bool - name: T1056.001 - 1 description: Keylogging - Input Capture type: bool - name: T1003.004 - 1 description: LSA Secrets - Dumping LSA Secrets type: bool - name: T1003.004 - 2 description: Dump Kerberos Tickets from LSA using dumper.ps1 type: bool - name: T1003.001 - 13 description: Dump LSASS.exe using lolbin rdrleakdiag.exe type: bool - name: T1003.001 - 14 description: Dump LSASS.exe Memory through Silent Process Exit type: bool - name: T1003.001 - 1 description: LSASS Memory - Windows Credential Editor type: bool - name: T1003.001 - 2 description: LSASS Memory - Dump LSASS.exe Memory using ProcDump type: bool - name: T1003.001 - 3 description: LSASS Memory - Dump LSASS.exe Memory using comsvcs.dll type: bool - name: T1003.001 - 4 description: LSASS Memory - Dump LSASS.exe Memory using direct system calls and API unhooking type: bool - name: T1003.001 - 5 description: LSASS Memory - Dump LSASS.exe Memory using Windows Task Manager type: bool - name: T1003.001 - 6 description: LSASS Memory - Offline Credential Theft With Mimikatz type: bool - name: T1003.001 - 7 description: LSASS Memory - LSASS read with pypykatz type: bool - name: T1003.001 - 8 description: LSASS Memory - Dump LSASS.exe Memory using Out-Minidump.ps1 type: bool - name: T1003.001 - 9 description: LSASS Memory - Create Mini Dump of LSASS.exe using ProcDump type: bool - name: T1003.001 - 10 description: LSASS Memory - Powershell Mimikatz type: bool - name: T1003.001 - 11 description: LSASS Memory - Dump LSASS with .Net 5 createdump.exe type: bool - name: T1003.001 - 12 description: LSASS Memory - Dump LSASS.exe using imported Microsoft DLLs type: bool - name: T1003.003 - 1 description: NTDS - Create Volume Shadow Copy with vssadmin type: bool - name: T1003.003 - 2 description: NTDS - Copy NTDS.dit from Volume Shadow Copy type: bool - name: T1003.003 - 3 description: NTDS - Dump Active Directory Database with NTDSUtil type: bool - name: T1003.003 - 4 description: NTDS - Create Volume Shadow Copy with WMI type: bool - name: T1003.003 - 5 description: NTDS - Create Volume Shadow Copy remotely with WMI type: bool - name: T1003.003 - 6 description: NTDS - Create Volume Shadow Copy with Powershell type: bool - name: T1003.003 - 7 description: NTDS - Create Symlink to Volume Shadow Copy type: bool - name: T1003.003 - 8 description: Create Symlink to Volume Shadow Copy type: bool - name: T1003.003 - 9 description: Create Volume Shadow Copy with diskshadow type: bool - name: T1040 - 4 description: Network Sniffing - Packet Capture Windows Command Prompt type: bool - name: T1040 - 5 description: Network Sniffing - Windows Internal Packet Capture type: bool - name: T1040 - 6 description: Windows Internal pktmon capture type: bool - name: T1040 - 7 description: Windows Internal pktmon set filter type: bool - name: T1040 - 16 description: PowerShell Network Sniffing type: bool - name: T1003 - 1 description: OS Credential Dumping - Gsecdump type: bool - name: T1003 - 2 description: OS Credential Dumping - Credential Dumping with NPPSpy type: bool - name: T1003 - 3 description: OS Credential Dumping - Dump svchost.exe to gather RDP credentials type: bool - name: T1110.002 - 1 description: Password Cracking - Password Cracking with Hashcat type: bool - name: T1556.002 - 1 description: Password Filter DLL - Install and Register Password Filter DLL type: bool - name: T1556.002 - 2 description: Install Additional Authentication Packages type: bool - name: T1110.001 - 1 description: Password Guessing - Brute Force Credentials of all Active Directory domain users via SMB type: bool - name: T1110.001 - 2 description: Password Guessing - Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) type: bool - name: T1110.001 - 4 description: Password Brute User using Kerbrute Tool type: bool - name: T1110.001 - 8 description: ESXi - Brute Force Until Account Lockout type: bool - name: T1110.003 - 1 description: Password Spraying - Password Spray all Domain Users type: bool - name: T1110.003 - 2 description: Password Spraying - Password Spray (DomainPasswordSpray) type: bool - name: T1110.003 - 3 description: Password Spraying - Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos) type: bool - name: T1110.003 - 5 description: WinPwn - DomainPasswordSpray Attacks type: bool - name: T1110.003 - 6 description: Password Spray Invoke-DomainPasswordSpray Light type: bool - name: T1110.003 - 8 description: Password Spray using Kerbrute Tool type: bool - name: T1552.004 - 1 description: Private Keys - Private Keys type: bool - name: T1552.004 - 9 description: Private Keys - ADFS token signing and encryption certificates theft - Local type: bool - name: T1552.004 - 10 description: Private Keys - ADFS token signing and encryption certificates theft - Remote type: bool - name: T1552.004 - 11 description: CertUtil ExportPFX type: bool - name: T1552.004 - 12 description: Export Root Certificate with Export-PFXCertificate type: bool - name: T1552.004 - 13 description: Export Root Certificate with Export-Certificate type: bool - name: T1552.004 - 14 description: Export Certificates with Mimikatz type: bool - name: T1003.002 - 1 description: Security Account Manager - Registry dump of SAM, creds, and secrets type: bool - name: T1003.002 - 2 description: Security Account Manager - Registry parse with pypykatz type: bool - name: T1003.002 - 3 description: Security Account Manager - esentutl.exe SAM copy type: bool - name: T1003.002 - 4 description: Security Account Manager - PowerDump Registry dump of SAM for hashes and usernames type: bool - name: T1003.002 - 5 description: Security Account Manager - dump volume shadow copy hives with certutil type: bool - name: T1003.002 - 6 description: Security Account Manager - dump volume shadow copy hives with System.IO.File type: bool - name: T1003.002 - 7 description: WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes certutil type: bool - name: T1003.002 - 8 description: Dumping of SAM, creds, and secrets(Reg Export) System.IO.File type: bool - name: T1560 - 1 description: Archive Collected Data - Compress Data for Exfiltration With PowerShell type: bool - name: T1560.001 - 1 description: Archive via Utility - Compress Data for Exfiltration With Rar type: bool - name: T1560.001 - 2 description: Archive via Utility - Compress Data and lock with password for Exfiltration with winrar type: bool - name: T1560.001 - 3 description: Archive via Utility - Compress Data and lock with password for Exfiltration with winzip type: bool - name: T1560.001 - 4 description: Archive via Utility - Compress Data and lock with password for Exfiltration with 7zip type: bool - name: T1560.001 - 10 description: ESXi - Remove Syslog remote IP type: bool - name: T1560.001 - 11 description: Compress a File for Exfiltration using Makecab type: bool - name: T1123 - 1 description: Audio Capture - using device audio capture commandlet type: bool - name: T1123 - 2 description: Registry artefact when application use microphone type: bool - name: T1119 - 1 description: Automated Collection - Automated Collection Command Prompt type: bool - name: T1119 - 2 description: Automated Collection - Automated Collection PowerShell type: bool - name: T1119 - 3 description: Automated Collection - Recon information for export with PowerShell type: bool - name: T1119 - 4 description: Automated Collection - Recon information for export with Command Prompt type: bool - name: T1115 - 1 description: Clipboard Data - Utilize Clipboard to store or execute commands from type: bool - name: T1115 - 2 description: Clipboard Data - Execute Commands from Clipboard using PowerShell type: bool - name: T1115 - 4 description: Clipboard Data - Collect Clipboard Data via VBA type: bool - name: T1074.001 - 1 description: Local Data Staging - Stage data from Discovery.bat type: bool - name: T1074.001 - 3 description: Local Data Staging - Zip a Folder with PowerShell for Staging in Temp type: bool - name: T1114.001 - 1 description: Local Email Collection - Email Collection with PowerShell Get-Inbox type: bool - name: T1113 - 7 description: Windows Screencapture type: bool - name: T1113 - 8 description: Windows Screen Capture (CopyFromScreen) type: bool - name: T1113 - 9 description: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted type: bool - name: T1546.008 - 1 description: Accessibility Features - Attaches Command Prompt as a Debugger to a List of Target Processes type: bool - name: T1546.008 - 2 description: Accessibility Features - Replace binary of sticky keys type: bool - name: T1652 - 1 description: Device Driver Discovery using driverquery type: bool - name: T1546.008 - 3 description: Create Symbolic Link From osk.exe to cmd.exe type: bool - name: T1546.008 - 4 description: Atbroker.exe (AT) Executes Arbitrary Command via Registry Key type: bool - name: T1546.008 - 5 description: Auto-start application on user logon type: bool - name: T1546.008 - 6 description: Replace utilman.exe (Ease of Access Binary) with cmd.exe type: bool - name: T1546.008 - 7 description: Replace Magnify.exe (Magnifier binary) with cmd.exe type: bool - name: T1546.008 - 8 description: Replace Narrator.exe (Narrator binary) with cmd.exe type: bool - name: T1546.010 - 1 description: AppInit DLLs - Install AppInit Shim type: bool - name: T1546.011 - 1 description: Application Shimming - Application Shim Installation type: bool - name: T1546.011 - 2 description: Application Shimming - New shim database files created in the default shim database directory type: bool - name: T1546.011 - 3 description: Application Shimming - Registry key creation and/or modification events for SDB type: bool - name: T1055.004 - 1 description: Asynchronous Procedure Call - Process Injection via C# type: bool - name: T1055.004 - 2 description: EarlyBird APC Queue Injection in Go type: bool - name: T1055.004 - 3 description: Remote Process Injection with Go using NtQueueApcThreadEx WinAPI type: bool - name: T1053.002 - 1 description: At (Windows) - At.exe Scheduled task type: bool - name: T1548.002 - 1 description: Bypass User Account Control - Bypass UAC using Event Viewer (cmd) type: bool - name: T1548.002 - 2 description: Bypass User Account Control - Bypass UAC using Event Viewer (PowerShell) type: bool - name: T1548.002 - 3 description: Bypass User Account Control - Bypass UAC using Fodhelper type: bool - name: T1548.002 - 4 description: Bypass User Account Control - Bypass UAC using Fodhelper - PowerShell type: bool - name: T1548.002 - 5 description: Bypass User Account Control - Bypass UAC using ComputerDefaults (PowerShell) type: bool - name: T1548.002 - 6 description: Bypass User Account Control - Bypass UAC by Mocking Trusted Directories type: bool - name: T1548.002 - 7 description: Bypass User Account Control - Bypass UAC using sdclt DelegateExecute type: bool - name: T1548.002 - 8 description: Bypass User Account Control - Disable UAC using reg.exe type: bool - name: T1548.002 - 9 description: Bypass User Account Control - Bypass UAC using SilentCleanup task type: bool - name: T1548.002 - 10 description: Bypass User Account Control - UACME Bypass Method 23 type: bool - name: T1548.002 - 11 description: Bypass User Account Control - UACME Bypass Method 31 type: bool - name: T1548.002 - 12 description: Bypass User Account Control - UACME Bypass Method 33 type: bool - name: T1548.002 - 13 description: Bypass User Account Control - UACME Bypass Method 34 type: bool - name: T1548.002 - 14 description: Bypass User Account Control - UACME Bypass Method 39 type: bool - name: T1548.002 - 15 description: Bypass User Account Control - UACME Bypass Method 56 type: bool - name: T1548.002 - 16 description: Bypass User Account Control - UACME Bypass Method 59 type: bool - name: T1548.002 - 17 description: Bypass User Account Control - UACME Bypass Method 61 type: bool - name: T1548.002 - 18 description: WinPwn - UAC Magic type: bool - name: T1548.002 - 19 description: WinPwn - UAC Bypass ccmstp technique type: bool - name: T1548.002 - 20 description: WinPwn - UAC Bypass DiskCleanup technique type: bool - name: T1548.002 - 21 description: WinPwn - UAC Bypass DccwBypassUAC technique type: bool - name: T1548.002 - 22 description: Disable UAC admin consent prompt via ConsentPromptBehaviorAdmin registry key type: bool - name: T1548.002 - 23 description: UAC Bypass with WSReset Registry Modification type: bool - name: T1548.002 - 24 description: Disable UAC - Switch to the secure desktop when prompting for elevation via registry key type: bool - name: T1548.002 - 25 description: Disable UAC notification via registry keys type: bool - name: T1548.002 - 26 description: Disable ConsentPromptBehaviorAdmin via registry keys type: bool - name: T1548.002 - 27 description: UAC bypassed by Utilizing ProgIDs registry. type: bool - name: T1574.012 - 1 description: COR_PROFILER - User scope COR_PROFILER type: bool - name: T1574.012 - 2 description: COR_PROFILER - System Scope COR_PROFILER type: bool - name: T1649 - 1 description: Staging Local Certificates via Export-Certificate type: bool - name: T1574.012 - 3 description: COR_PROFILER - Registry-free process scope COR_PROFILER type: bool - name: T1546.001 - 1 description: Change Default File Association - Change Default File Association type: bool - name: T1134.002 - 1 description: Create Process with Token - Access Token Manipulation type: bool - name: T1134.002 - 2 description: WinPwn - Get SYSTEM shell - Pop System Shell using Token Manipulation technique type: bool - name: T1574.001 - 1 description: DLL Search Order Hijacking - amsi.dll type: bool - name: T1574.001 - 2 description: Phantom DLL Hijacking - WinAppXRT.dll type: bool - name: T1574.001 - 3 description: Phantom DLL Hijacking - ualapi.dll type: bool - name: T1574.001 - 4 description: DLL Side-Loading using Notepad++ GUP.exe type: bool - name: T1574.001 - 5 description: DLL Side-Loading using dotnet startup hook type: bool - name: T1574.001 - 6 description: DLL Search Order Hijacking and Side-Loading via KeyScrambler.exe type: bool - name: T1574.002 - 1 description: DLL Side-Loading - DLL Side-Loading using the Notepad++ GUP.exe binary type: bool - name: T1078.001 - 1 description: Default Accounts - Enable Guest account with RDP capability and admin privileges type: bool - name: T1078.001 - 2 description: Default Accounts - Activate Guest Account type: bool - name: T1055.001 - 1 description: Dynamic-link Library Injection - Process Injection via mavinject.exe type: bool - name: T1055.001 - 2 description: WinPwn - Get SYSTEM shell - Bind System Shell using UsoClient DLL load technique mavinject.exe type: bool - name: T1546.012 - 1 description: Image File Execution Options Injection - IFEO Add Debugger type: bool - name: T1546.012 - 2 description: Image File Execution Options Injection - IFEO Global Flags type: bool - name: T1546.012 - 3 description: GlobalFlags in Image File Execution Options type: bool - name: T1078.003 - 1 description: Local Accounts - Create local account with admin privileges type: bool - name: T1078.003 - 6 description: WinPwn - Loot local Credentials - powerhell kittie type: bool - name: T1078.003 - 7 description: WinPwn - Loot local Credentials - Safetykatz type: bool - name: T1078.003 - 13 description: Use PsExec to elevate to NT Authority\SYSTEM account type: bool - name: T1037.001 - 1 description: Logon Script (Windows) - Logon Scripts type: bool - name: T1546.007 - 1 description: Netsh Helper DLL - Netsh Helper DLL Registration type: bool - name: T1134.004 - 1 description: Parent PID Spoofing - Parent PID Spoofing using PowerShell type: bool - name: T1134.004 - 2 description: Parent PID Spoofing - Parent PID Spoofing - Spawn from Current Process type: bool - name: T1134.004 - 3 description: Parent PID Spoofing - Parent PID Spoofing - Spawn from Specified Process type: bool - name: T1134.004 - 4 description: Parent PID Spoofing - Parent PID Spoofing - Spawn from svchost.exe type: bool - name: T1134.004 - 5 description: Parent PID Spoofing - Parent PID Spoofing - Spawn from New Process type: bool - name: T1574.009 - 1 description: Path Interception by Unquoted Path - Execution of program.exe as service with unquoted service path type: bool - name: T1547.010 - 1 description: Port Monitors - Add Port Monitor persistence in Registry type: bool - name: T1546.013 - 1 description: PowerShell Profile - Append malicious start-process cmdlet type: bool - name: T1055.012 - 1 description: Process Hollowing - Process Hollowing using PowerShell type: bool - name: T1055.012 - 2 description: Process Hollowing - RunPE via VBA type: bool - name: T1055.012 - 3 description: Process Hollowing in Go using CreateProcessW WinAPI type: bool - name: T1055.012 - 4 description: Process Hollowing in Go using CreateProcessW and CreatePipe WinAPIs (T1055.012) type: bool - name: T1055 - 1 description: Process Injection - Shellcode execution via VBA type: bool - name: T1055 - 2 description: Process Injection - Remote Process Injection in LSASS via mimikatz type: bool - name: T1547.001 - 1 description: Registry Run Keys / Startup Folder - Reg Key Run type: bool - name: T1547.001 - 2 description: Registry Run Keys / Startup Folder - Reg Key RunOnce type: bool - name: T1547.001 - 3 description: Registry Run Keys / Startup Folder - PowerShell Registry RunOnce type: bool - name: T1547.001 - 4 description: Registry Run Keys / Startup Folder - Suspicious vbs file run from startup Folder type: bool - name: T1547.001 - 5 description: Registry Run Keys / Startup Folder - Suspicious jse file run from startup Folder type: bool - name: T1547.001 - 6 description: Registry Run Keys / Startup Folder - Suspicious bat file run from startup Folder type: bool - name: T1547.001 - 7 description: Registry Run Keys / Startup Folder - Add Executable Shortcut Link to User Startup Folder type: bool - name: T1547.001 - 8 description: Add persistance via Recycle bin type: bool - name: T1547.001 - 9 description: SystemBC Malware-as-a-Service Registry type: bool - name: T1547.001 - 10 description: Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value type: bool - name: T1547.001 - 11 description: Change Startup Folder - HKCU Modify User Shell Folders Startup Value type: bool - name: T1547.001 - 12 description: HKCU - Policy Settings Explorer Run Key type: bool - name: T1547.001 - 13 description: HKLM - Policy Settings Explorer Run Key type: bool - name: T1547.001 - 14 description: HKLM - Append Command to Winlogon Userinit KEY Value type: bool - name: T1547.001 - 15 description: HKLM - Modify default System Shell - Winlogon Shell KEY Value type: bool - name: T1547.001 - 16 description: secedit used to create a Run key in the HKLM Hive type: bool - name: T1547.001 - 17 description: Modify BootExecute Value type: bool - name: T1547.001 - 18 description: Allowing custom application to execute during new RDP logon session type: bool - name: T1547.001 - 19 description: Creating Boot Verification Program Key for application execution during successful boot type: bool - name: T1547.001 - 20 description: Add persistence via Windows Context Menu type: bool - name: T1053.005 - 1 description: Scheduled Task - Scheduled Task Startup Script type: bool - name: T1053.005 - 2 description: Scheduled Task - Scheduled task Local type: bool - name: T1053.005 - 3 description: Scheduled Task - Scheduled task Remote type: bool - name: T1053.005 - 4 description: Scheduled Task - Powershell Cmdlet Scheduled Task type: bool - name: T1053.005 - 5 description: Scheduled Task - Task Scheduler via VBA type: bool - name: T1053.005 - 6 description: Scheduled Task - WMI Invoke-CimMethod Scheduled Task type: bool - name: T1053.005 - 7 description: Scheduled Task Executing Base64 Encoded Commands From Registry type: bool - name: T1053.005 - 8 description: Import XML Schedule Task with Hidden Attribute type: bool - name: T1053.005 - 9 description: PowerShell Modify A Scheduled Task type: bool - name: T1053.005 - 10 description: Scheduled Task ("Ghost Task") via Registry Key Manipulation type: bool - name: T1053.005 - 11 description: Scheduled Task Persistence via CompMgmt.msc type: bool - name: T1053.005 - 12 description: Scheduled Task Persistence via Eventviewer.msc type: bool - name: T1546.002 - 1 description: Screensaver - Set Arbitrary Binary as Screensaver type: bool - name: T1547.005 - 1 description: Security Support Provider - Modify SSP configuration in registry type: bool - name: T1547.005 - 2 description: Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry type: bool - name: T1574.011 - 1 description: Services Registry Permissions Weakness - Service Registry Permissions Weakness type: bool - name: T1654 - 1 description: Get-EventLog To Enumerate Windows Security Log type: bool - name: T1654 - 2 description: Enumerate Windows Security Log via WevtUtil type: bool - name: T1574.011 - 2 description: Services Registry Permissions Weakness - Service ImagePath Change with reg.exe type: bool - name: T1547.009 - 1 description: Shortcut Modification - Shortcut Modification type: bool - name: T1547.009 - 2 description: Shortcut Modification - Create shortcut to cmd in startup folders type: bool - name: T1134.001 - 1 description: Token Impersonation/Theft - Named pipe client impersonation type: bool - name: T1134.001 - 2 description: Token Impersonation/Theft - `SeDebugPrivilege` token duplication type: bool - name: T1134.001 - 3 description: Launch NSudo Executable type: bool - name: T1134.001 - 4 description: Bad Potato type: bool - name: T1134.001 - 5 description: Juicy Potato type: bool - name: T1546.003 - 1 description: Windows Management Instrumentation Event Subscription - Persistence via WMI Event Subscription type: bool - name: T1546.003 - 2 description: Persistence via WMI Event Subscription - ActiveScriptEventConsumer type: bool - name: T1546.003 - 3 description: Windows MOFComp.exe Load MOF File type: bool - name: T1543.003 - 1 description: Windows Service - Modify Fax service to run PowerShell type: bool - name: T1543.003 - 2 description: Windows Service - Service Installation CMD type: bool - name: T1543.003 - 3 description: Windows Service - Service Installation PowerShell type: bool - name: T1543.003 - 4 description: TinyTurla backdoor service w64time type: bool - name: T1543.003 - 5 description: Remote Service Installation CMD type: bool - name: T1543.003 - 6 description: Modify Service to Run Arbitrary Binary (Powershell) type: bool - name: T1547.004 - 1 description: Winlogon Helper DLL - Winlogon Shell Key Persistence - PowerShell type: bool - name: T1547.004 - 2 description: Winlogon Helper DLL - Winlogon Userinit Key Persistence - PowerShell type: bool - name: T1547.004 - 3 description: Winlogon Helper DLL - Winlogon Notify Key Logon Persistence - PowerShell type: bool - name: T1547.004 - 4 description: Winlogon HKLM Shell Key Persistence - PowerShell type: bool - name: T1547.004 - 5 description: Winlogon HKLM Userinit Key Persistence - PowerShell type: bool - name: T1197 - 1 description: BITS Jobs - Bitsadmin Download (cmd) type: bool - name: T1197 - 2 description: BITS Jobs - Bitsadmin Download (PowerShell) type: bool - name: T1197 - 3 description: BITS Jobs - Persist, Download, & Execute type: bool - name: T1197 - 4 description: BITS Jobs - Bits download using desktopimgdownldr.exe (cmd) type: bool - name: T1218.003 - 1 description: CMSTP - CMSTP Executing Remote Scriptlet type: bool - name: T1218.003 - 2 description: CMSTP - CMSTP Executing UAC Bypass type: bool - name: T1070.003 - 10 description: Clear Command History - Prevent Powershell History Logging type: bool - name: T1070.003 - 11 description: Clear Command History - Clear Powershell History by Deleting History File type: bool - name: T1070.001 - 1 description: Clear Windows Event Logs - Clear Logs type: bool - name: T1070.001 - 2 description: Clear Windows Event Logs - Delete System Logs Using Clear-EventLog type: bool - name: T1070.001 - 3 description: Clear Windows Event Logs - Clear Event Logs via VBA type: bool - name: T1027.004 - 1 description: Compile After Delivery - Compile After Delivery using csc.exe type: bool - name: T1027.004 - 2 description: Compile After Delivery - Dynamic C# Compile type: bool - name: T1218.001 - 1 description: Compiled HTML File - Compiled HTML Help Local Payload type: bool - name: T1218.001 - 2 description: Compiled HTML File - Compiled HTML Help Remote Payload type: bool - name: T1218.001 - 3 description: Compiled HTML File - Invoke CHM with default Shortcut Command Execution type: bool - name: T1218.001 - 4 description: Compiled HTML File - Invoke CHM with InfoTech Storage Protocol Handler type: bool - name: T1218.001 - 5 description: Compiled HTML File - Invoke CHM Simulate Double click type: bool - name: T1218.001 - 6 description: Compiled HTML File - Invoke CHM with Script Engine and Help Topic type: bool - name: T1218.001 - 7 description: Compiled HTML File - Invoke CHM Shortcut Command with ITS and Help Topic type: bool - name: T1218.002 - 1 description: Control Panel - Control Panel Items type: bool - name: T1140 - 1 description: Deobfuscate/Decode Files or Information - Deobfuscate/Decode Files Or Information type: bool - name: T1140 - 2 description: Deobfuscate/Decode Files or Information - Certutil Rename and Decode type: bool - name: T1006 - 1 description: Direct Volume Access - Read volume boot sector via DOS device path (PowerShell) type: bool - name: T1562.002 - 1 description: Disable Windows Event Logging - Disable Windows IIS HTTP Logging type: bool - name: T1562.002 - 2 description: Disable Windows Event Logging - Disable Windows IIS HTTP Logging via PowerShell type: bool - name: T1562.002 - 3 description: Disable Windows Event Logging - Kill Event Log Service Threads type: bool - name: T1562.002 - 4 description: Disable Windows Event Logging - Impair Windows Audit Log Policy type: bool - name: T1562.002 - 5 description: Disable Windows Event Logging - Clear Windows Audit Policy Config type: bool - name: T1562.002 - 6 description: Disable Windows Event Logging - Disable Event Logging with wevtutil type: bool - name: T1562.002 - 7 description: Disable Windows Event Logging - Makes Eventlog blind with Phant0m type: bool - name: T1562.002 - 8 description: Disable Windows Event Logging - Modify Event Log Channel Access Permissions via Registry - PowerShell type: bool - name: T1562.002 - 9 description: Disable Windows Event Logging - Modify Event Log Channel Access Permissions via Registry 2 - PowerShell type: bool - name: T1562.002 - 10 description: Disable Windows Event Logging - Modify Event Log Access Permissions via Registry - PowerShell type: bool - name: T1562.004 - 1 description: Disable or Modify System Firewall - Disable Microsoft Defender Firewall type: bool - name: T1562.004 - 2 description: Disable or Modify System Firewall - Disable Microsoft Defender Firewall via Registry type: bool - name: T1562.004 - 3 description: Disable or Modify System Firewall - Allow SMB and RDP on Microsoft Defender Firewall type: bool - name: T1562.004 - 4 description: Disable or Modify System Firewall - Opening ports for proxy - HARDRAIN type: bool - name: T1562.004 - 5 description: Disable or Modify System Firewall - Open a local port through Windows Firewall to any profile type: bool - name: T1562.004 - 6 description: Disable or Modify System Firewall - Allow Executable Through Firewall Located in Non-Standard Location type: bool - name: T1562.004 - 20 description: LockBit Black - Unusual Windows firewall registry modification (cmd) type: bool - name: T1562.004 - 21 description: LockBit Black - Unusual Windows firewall registry modification (PowerShell) type: bool - name: T1562.004 - 22 description: Blackbit - Disable Windows Firewall using netsh firewall type: bool - name: T1562.004 - 24 description: Set a firewall rule using New-NetFirewallRule type: bool - name: T1562.001 - 11 description: Unload Sysmon Filter Driver type: bool - name: T1562.001 - 12 description: Uninstall Sysmon type: bool - name: T1562.001 - 13 description: AMSI Bypass - AMSI InitFailed type: bool - name: T1562.001 - 14 description: AMSI Bypass - Remove AMSI Provider Reg Key type: bool - name: T1562.001 - 15 description: Disable Arbitrary Security Windows Service type: bool - name: T1562.001 - 16 description: Tamper with Windows Defender ATP PowerShell type: bool - name: T1562.001 - 17 description: Tamper with Windows Defender Command Prompt type: bool - name: T1562.001 - 18 description: Tamper with Windows Defender Registry type: bool - name: T1562.001 - 19 description: Disable Microsoft Office Security Features type: bool - name: T1562.001 - 20 description: Remove Windows Defender Definition Files type: bool - name: T1562.001 - 21 description: Stop and Remove Arbitrary Security Windows Service type: bool - name: T1562.001 - 22 description: Uninstall Crowdstrike Falcon on Windows type: bool - name: T1562.001 - 23 description: Tamper with Windows Defender Evade Scanning -Folder type: bool - name: T1562.001 - 24 description: Tamper with Windows Defender Evade Scanning -Extension type: bool - name: T1562.001 - 25 description: Tamper with Windows Defender Evade Scanning -Process type: bool - name: T1562.001 - 27 description: Disable Windows Defender with DISM type: bool - name: T1562.001 - 28 description: Disable Defender Using NirSoft AdvancedRun type: bool - name: T1562.001 - 29 description: Kill antimalware protected processes using Backstab type: bool - name: T1562.001 - 30 description: WinPwn - Kill the event log services for stealth type: bool - name: T1562.001 - 31 description: Tamper with Windows Defender ATP using Aliases - PowerShell type: bool - name: T1562.001 - 32 description: LockBit Black - Disable Privacy Settings Experience Using Registry -cmd type: bool - name: T1562.001 - 33 description: LockBit Black - Use Registry Editor to turn on automatic logon -cmd type: bool - name: T1562.001 - 34 description: LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell type: bool - name: T1562.001 - 35 description: Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell type: bool - name: T1562.001 - 36 description: Disable Windows Defender with PwSh Disable-WindowsOptionalFeature type: bool - name: T1562.001 - 38 description: Delete Windows Defender Scheduled Tasks type: bool - name: T1562.001 - 44 description: Disable Hypervisor-Enforced Code Integrity (HVCI) type: bool - name: T1562.001 - 45 description: AMSI Bypass - Override AMSI via COM type: bool - name: T1562.001 - 48 description: Tamper with Windows Defender Registry - Reg.exe type: bool - name: T1562.001 - 49 description: Tamper with Windows Defender Registry - Powershell type: bool - name: T1562.001 - 50 description: ESXi - Disable Account Lockout Policy via PowerCLI type: bool - name: T1562.001 - 51 description: Delete Microsoft Defender ASR Rules - InTune type: bool - name: T1562.001 - 52 description: Delete Microsoft Defender ASR Rules - GPO type: bool - name: T1562.001 - 53 description: AMSI Bypass - Create AMSIEnable Reg Key type: bool - name: T1562.001 - 54 description: Disable EventLog-Application Auto Logger Session Via Registry - Cmd type: bool - name: T1562.001 - 55 description: Disable EventLog-Application Auto Logger Session Via Registry - PowerShell type: bool - name: T1562.001 - 56 description: Disable EventLog-Application ETW Provider Via Registry - Cmd type: bool - name: T1562.001 - 57 description: Disable EventLog-Application ETW Provider Via Registry - PowerShell type: bool - name: T1070.004 - 4 description: File Deletion - Delete a single file - Windows cmd type: bool - name: T1070.004 - 5 description: File Deletion - Delete an entire folder - Windows cmd type: bool - name: T1070.004 - 6 description: File Deletion - Delete a single file - Windows PowerShell type: bool - name: T1070.004 - 7 description: File Deletion - Delete an entire folder - Windows PowerShell type: bool - name: T1070.004 - 9 description: File Deletion - Delete Prefetch File type: bool - name: T1070.004 - 10 description: File Deletion - Delete TeamViewer Log Files type: bool - name: T1564.001 - 3 description: Create Windows System File with Attrib type: bool - name: T1564.001 - 4 description: Create Windows Hidden File with Attrib type: bool - name: T1564.001 - 8 description: Hide Files Through Registry type: bool - name: T1564.001 - 9 description: Create Windows Hidden File with PowerShell type: bool - name: T1564.001 - 10 description: Create Windows System File with PowerShell type: bool - name: T1564.003 - 1 description: Hidden PowerShell Window launching calc.exe type: bool - name: T1564.003 - 2 description: Headless Browser Accessing Mockbin type: bool - name: T1564.003 - 3 description: Hidden Window-Conhost Execution type: bool - name: T1564 - 1 description: Extract binary files via VBA (requires MS Word) type: bool - name: T1564 - 2 description: Create a hidden user called "$" type: bool - name: T1564 - 3 description: Create an "Administrator " user (with space at end) type: bool - name: T1564 - 4 description: Create and hide a service using sc.exe and sdset type: bool - name: T1564 - 5 description: Execute command via NirCmd (e.g. hide tray clock) type: bool - name: T1070 - 1 description: Indicator Removal on Host - Indicator Removal using FSUtil type: bool - name: T1202 - 1 description: Indirect Command Execution - Indirect Command Execution - pcalua.exe type: bool - name: T1202 - 2 description: Indirect Command Execution - Indirect Command Execution - forfiles.exe type: bool - name: T1202 - 3 description: Indirect Command Execution - Indirect Command Execution - conhost.exe type: bool - name: T1202 - 4 description: Indirect Command Execution - Scriptrunner.exe type: bool - name: T1202 - 5 description: Indirect Command Execution - RunMRU Dialog type: bool - name: T1553.004 - 5 description: Install Root Certificate - Install root CA on Windows type: bool - name: T1553.004 - 6 description: Install Root Certificate - Install root CA on Windows with certutil type: bool - name: T1553.004 - 7 description: Add Root Certificate to CurrentUser Certificate Store type: bool - name: T1218.004 - 1 description: InstallUtil - CheckIfInstallable method call type: bool - name: T1218.004 - 2 description: InstallUtil - InstallHelper method call type: bool - name: T1218.004 - 3 description: InstallUtil - InstallUtil class constructor method call type: bool - name: T1218.004 - 4 description: InstallUtil - InstallUtil Install method call type: bool - name: T1218.004 - 5 description: InstallUtil - InstallUtil Uninstall method call - /U variant type: bool - name: T1218.004 - 6 description: InstallUtil - InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant type: bool - name: T1218.004 - 7 description: InstallUtil - InstallUtil HelpText method call type: bool - name: T1218.004 - 8 description: InstallUtil - InstallUtil evasive invocation type: bool - name: T1127.001 - 1 description: MSBuild - MSBuild Bypass Using Inline Tasks (C#) type: bool - name: T1127.001 - 2 description: MSBuild - MSBuild Bypass Using Inline Tasks (VB) type: bool - name: T1553.005 - 1 description: Mark-of-the-Web Bypass - Mount ISO image type: bool - name: T1553.005 - 2 description: Mark-of-the-Web Bypass - Mount an ISO image and run executable from the ISO type: bool - name: T1553.005 - 3 description: Mark-of-the-Web Bypass - Remove the Zone.Identifier alternate data stream type: bool - name: T1553.005 - 4 description: Execute LNK file from ISO type: bool - name: T1036.004 - 1 description: Masquerade Task or Service - Creating W32Time similar named service using schtasks type: bool - name: T1036.004 - 2 description: Masquerade Task or Service - Creating W32Time similar named service using sc type: bool - name: T1036 - 1 description: Masquerading - System File Copied to Unusual Location type: bool - name: T1112 - 1 description: Modify Registry - Modify Registry of Current User Profile - cmd type: bool - name: T1112 - 2 description: Modify Registry - Modify Registry of Local Machine - cmd type: bool - name: T1112 - 3 description: Modify Registry - Modify registry to store logon credentials type: bool - name: T1112 - 4 description: Modify Registry - Add domain to Trusted sites Zone type: bool - name: T1112 - 5 description: Modify Registry - Javascript in registry type: bool - name: T1112 - 6 description: Modify Registry - Change Powershell Execution Policy to Bypass type: bool - name: T1112 - 7 description: Change Powershell Execution Policy to Bypass type: bool - name: T1112 - 8 description: BlackByte Ransomware Registry Changes - CMD type: bool - name: T1112 - 9 description: BlackByte Ransomware Registry Changes - Powershell type: bool - name: T1112 - 10 description: Disable Windows Registry Tool type: bool - name: T1112 - 11 description: Disable Windows CMD application type: bool - name: T1112 - 12 description: Disable Windows Task Manager application type: bool - name: T1112 - 13 description: Disable Windows Notification Center type: bool - name: T1112 - 14 description: Disable Windows Shutdown Button type: bool - name: T1112 - 15 description: Disable Windows LogOff Button type: bool - name: T1112 - 16 description: Disable Windows Change Password Feature type: bool - name: T1112 - 17 description: Disable Windows Lock Workstation Feature type: bool - name: T1112 - 18 description: Activate Windows NoDesktop Group Policy Feature type: bool - name: T1112 - 19 description: Activate Windows NoRun Group Policy Feature type: bool - name: T1112 - 20 description: Activate Windows NoFind Group Policy Feature type: bool - name: T1112 - 21 description: Activate Windows NoControlPanel Group Policy Feature type: bool - name: T1112 - 22 description: Activate Windows NoFileMenu Group Policy Feature type: bool - name: T1112 - 23 description: Activate Windows NoClose Group Policy Feature type: bool - name: T1112 - 24 description: Activate Windows NoSetTaskbar Group Policy Feature type: bool - name: T1112 - 25 description: Activate Windows NoTrayContextMenu Group Policy Feature type: bool - name: T1112 - 26 description: Activate Windows NoPropertiesMyDocuments Group Policy Feature type: bool - name: T1112 - 27 description: Hide Windows Clock Group Policy Feature type: bool - name: T1112 - 28 description: Windows HideSCAHealth Group Policy Feature type: bool - name: T1112 - 29 description: Windows HideSCANetwork Group Policy Feature type: bool - name: T1112 - 30 description: Windows HideSCAPower Group Policy Feature type: bool - name: T1112 - 31 description: Windows HideSCAVolume Group Policy Feature type: bool - name: T1112 - 32 description: Windows Modify Show Compress Color And Info Tip Registry type: bool - name: T1112 - 33 description: Windows Powershell Logging Disabled type: bool - name: T1112 - 34 description: Windows Add Registry Value to Load Service in Safe Mode without Network type: bool - name: T1112 - 35 description: Windows Add Registry Value to Load Service in Safe Mode with Network type: bool - name: T1112 - 36 description: Disable Windows Toast Notifications type: bool - name: T1112 - 37 description: Disable Windows Security Center Notifications type: bool - name: T1112 - 38 description: Suppress Win Defender Notifications type: bool - name: T1112 - 39 description: Allow RDP Remote Assistance Feature type: bool - name: T1112 - 40 description: NetWire RAT Registry Key Creation type: bool - name: T1112 - 41 description: Ursnif Malware Registry Key Creation type: bool - name: T1112 - 42 description: Terminal Server Client Connection History Cleared type: bool - name: T1112 - 43 description: Disable Windows Error Reporting Settings type: bool - name: T1112 - 44 description: DisallowRun Execution Of Certain Applications type: bool - name: T1112 - 45 description: Enabling Restricted Admin Mode via Command_Prompt type: bool - name: T1112 - 46 description: Mimic Ransomware - Enable Multiple User Sessions type: bool - name: T1112 - 47 description: Mimic Ransomware - Allow Multiple RDP Sessions per User type: bool - name: T1112 - 48 description: Event Viewer Registry Modification - Redirection URL type: bool - name: T1112 - 49 description: Event Viewer Registry Modification - Redirection Program type: bool - name: T1112 - 50 description: Enabling Remote Desktop Protocol via Remote Registry type: bool - name: T1112 - 51 description: Disable Win Defender Notification type: bool - name: T1112 - 52 description: Disable Windows OS Auto Update type: bool - name: T1112 - 53 description: Disable Windows Auto Reboot for current logon user type: bool - name: T1112 - 54 description: Windows Auto Update Option to Notify before download type: bool - name: T1112 - 55 description: Do Not Connect To Win Update type: bool - name: T1112 - 56 description: Tamper Win Defender Protection type: bool - name: T1112 - 57 description: Snake Malware Registry Blob type: bool - name: T1112 - 58 description: Allow Simultaneous Download Registry type: bool - name: T1112 - 59 description: Modify Internet Zone Protocol Defaults in Current User Registry - cmd type: bool - name: T1112 - 60 description: Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell type: bool - name: T1112 - 61 description: Activities To Disable Secondary Authentication Detected By Modified Registry Value. type: bool - name: T1112 - 62 description: Activities To Disable Microsoft [FIDO Aka Fast IDentity Online] Authentication Detected By Modified Registry Value. type: bool - name: T1112 - 63 description: Scarab Ransomware Defense Evasion Activities type: bool - name: T1112 - 64 description: Disable Remote Desktop Anti-Alias Setting Through Registry type: bool - name: T1112 - 65 description: Disable Remote Desktop Security Settings Through Registry type: bool - name: T1112 - 66 description: Disabling ShowUI Settings of Windows Error Reporting (WER) type: bool - name: T1112 - 67 description: Enable Proxy Settings type: bool - name: T1112 - 68 description: Set-Up Proxy Server type: bool - name: T1112 - 69 description: RDP Authentication Level Override type: bool - name: T1112 - 70 description: Enable RDP via Registry (fDenyTSConnections) type: bool - name: T1112 - 71 description: Disable Windows Prefetch Through Registry type: bool - name: T1112 - 72 description: Setting Shadow key in Registry for RDP Shadowing type: bool - name: T1112 - 73 description: Flush Shimcache type: bool - name: T1112 - 74 description: Disable Windows Remote Desktop Protocol type: bool - name: T1112 - 75 description: Enforce Smart Card Authentication Through Registry type: bool - name: T1112 - 76 description: Requires the BitLocker PIN for Pre-boot authentication type: bool - name: T1112 - 77 description: Modify EnableBDEWithNoTPM Registry entry type: bool - name: T1112 - 78 description: Modify UseTPM Registry entry type: bool - name: T1112 - 79 description: Modify UseTPMPIN Registry entry type: bool - name: T1112 - 80 description: Modify UseTPMKey Registry entry type: bool - name: T1112 - 81 description: Modify UseTPMKeyPIN Registry entry type: bool - name: T1112 - 82 description: Modify EnableNonTPM Registry entry type: bool - name: T1112 - 83 description: Modify UsePartialEncryptionKey Registry entry type: bool - name: T1112 - 84 description: Modify UsePIN Registry entry type: bool - name: T1112 - 85 description: Abusing Windows TelemetryController Registry Key for Persistence type: bool - name: T1112 - 86 description: Modify RDP-Tcp Initial Program Registry Entry type: bool - name: T1112 - 87 description: Abusing MyComputer Disk Cleanup Path for Persistence type: bool - name: T1112 - 88 description: Abusing MyComputer Disk Fragmentation Path for Persistence type: bool - name: T1112 - 89 description: Abusing MyComputer Disk Backup Path for Persistence type: bool - name: T1112 - 90 description: Adding custom paths for application execution type: bool - name: T1218.005 - 1 description: Mshta - Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject type: bool - name: T1218.005 - 2 description: Mshta - Mshta executes VBScript to execute malicious command type: bool - name: T1218.005 - 3 description: Mshta - Mshta Executes Remote HTML Application (HTA) type: bool - name: T1218.005 - 4 description: Mshta - Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement type: bool - name: T1218.005 - 5 description: Mshta - Invoke HTML Application - Jscript Engine Simulating Double Click type: bool - name: T1218.005 - 6 description: Mshta - Invoke HTML Application - Direct download from URI type: bool - name: T1218.005 - 7 description: Mshta - Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler type: bool - name: T1218.005 - 8 description: Mshta - Invoke HTML Application - JScript Engine with Inline Protocol Handler type: bool - name: T1218.005 - 9 description: Mshta - Invoke HTML Application - Simulate Lateral Movement over UNC Path type: bool - name: T1218.005 - 10 description: Mshta - Mshta used to Execute PowerShell type: bool - name: T1218.007 - 1 description: Msiexec.exe - Execute Local MSI file with embedded JScript type: bool - name: T1218.007 - 2 description: Msiexec.exe - Execute Local MSI file with embedded VBScript type: bool - name: T1218.007 - 3 description: Msiexec.exe - Execute Local MSI file with an embedded DLL type: bool - name: T1218.007 - 4 description: Msiexec.exe - Execute Local MSI file with an embedded EXE type: bool - name: T1218.007 - 5 description: WMI Win32_Product Class - Execute Local MSI file with embedded JScript type: bool - name: T1218.007 - 6 description: WMI Win32_Product Class - Execute Local MSI file with embedded VBScript type: bool - name: T1218.007 - 7 description: WMI Win32_Product Class - Execute Local MSI file with an embedded DLL type: bool - name: T1218.007 - 8 description: WMI Win32_Product Class - Execute Local MSI file with an embedded EXE type: bool - name: T1218.007 - 9 description: Msiexec.exe - Execute the DllRegisterServer function of a DLL type: bool - name: T1218.007 - 10 description: Msiexec.exe - Execute the DllUnregisterServer function of a DLL type: bool - name: T1218.007 - 11 description: Msiexec.exe - Execute Remote MSI file type: bool - name: T1564.004 - 1 description: NTFS File Attributes - Alternate Data Streams (ADS) type: bool - name: T1564.004 - 2 description: NTFS File Attributes - Store file in Alternate Data Stream (ADS) type: bool - name: T1564.004 - 3 description: NTFS File Attributes - Create ADS command prompt type: bool - name: T1564.004 - 4 description: NTFS File Attributes - Create ADS PowerShell type: bool - name: T1564.004 - 5 description: Create Hidden Directory via $index_allocation type: bool - name: T1070.005 - 1 description: Network Share Connection Removal - Add Network Share type: bool - name: T1070.005 - 2 description: Network Share Connection Removal - Remove Network Share type: bool - name: T1070.005 - 3 description: Network Share Connection Removal - Remove Network Share PowerShell type: bool - name: T1070.005 - 4 description: Disable Administrative Share Creation at Startup PowerShell type: bool - name: T1070.005 - 5 description: Remove Administrative Shares PowerShell type: bool - name: T1027 - 2 description: Obfuscated Files or Information - Execute base64-encoded PowerShell type: bool - name: T1027 - 3 description: Obfuscated Files or Information - Execute base64-encoded PowerShell from Windows Registry type: bool - name: T1027 - 4 description: Obfuscated Files or Information - Execution from Compressed File type: bool - name: T1027 - 5 description: Obfuscated Files or Information - DLP Evasion via Sensitive Data in VBA Macro over email type: bool - name: T1027 - 6 description: Obfuscated Files or Information - DLP Evasion via Sensitive Data in VBA Macro over HTTP type: bool - name: T1027 - 7 description: Obfuscated Files or Information - Obfuscated Command in PowerShell type: bool - name: T1027 - 8 description: Obfuscated Files or Information - Obfuscated Command Line using special Unicode characters type: bool - name: T1218.008 - 1 description: Odbcconf - Odbcconf.exe - Execute Arbitrary DLL type: bool - name: T1218.008 - 2 description: Odbcconf.exe - Load Response File type: bool - name: T1550.002 - 1 description: Pass the Hash - Mimikatz Pass the Hash type: bool - name: T1550.002 - 2 description: Pass the Hash - crackmapexec Pass the Hash type: bool - name: T1550.002 - 3 description: Invoke-WMIExec Pass the Hash type: bool - name: T1550.003 - 1 description: Pass the Ticket - Mimikatz Kerberos Ticket Attack type: bool - name: T1550.003 - 2 description: Rubeus Kerberos Pass The Ticket type: bool - name: T1216.001 - 1 description: PubPrn - PubPrn.vbs Signed Script Bypass type: bool - name: T1218.009 - 1 description: Regsvcs/Regasm - Regasm Uninstall Method Call Test type: bool - name: T1218.009 - 2 description: Regsvcs/Regasm - Regsvcs Uninstall Method Call Test type: bool - name: T1218.010 - 1 description: Regsvr32 - Regsvr32 local COM scriptlet execution type: bool - name: T1218.010 - 2 description: Regsvr32 - Regsvr32 remote COM scriptlet execution type: bool - name: T1218.010 - 3 description: Regsvr32 - Regsvr32 local DLL execution type: bool - name: T1218.010 - 4 description: Regsvr32 - Regsvr32 Registering Non DLL type: bool - name: T1218.010 - 5 description: Regsvr32 - Regsvr32 Silent DLL Install Call DllRegisterServer type: bool - name: T1036.003 - 1 description: Rename System Utilities - Masquerading as Windows LSASS process type: bool - name: T1036.003 - 3 description: Rename System Utilities - Masquerading - cscript.exe running as notepad.exe type: bool - name: T1036.003 - 4 description: Rename System Utilities - Masquerading - wscript.exe running as svchost.exe type: bool - name: T1036.003 - 5 description: Rename System Utilities - Masquerading - powershell.exe running as taskhostw.exe type: bool - name: T1036.003 - 6 description: Rename System Utilities - Masquerading - non-windows exe running as windows exe type: bool - name: T1036.003 - 7 description: Rename System Utilities - Masquerading - windows exe running as different windows exe type: bool - name: T1036.003 - 8 description: Rename System Utilities - Malicious process Masquerading as LSM.exe type: bool - name: T1036.003 - 9 description: Rename System Utilities - File Extension Masquerading type: bool - name: T1207 - 1 description: Rogue Domain Controller - DCShadow (Active Directory) type: bool - name: T1014 - 3 description: Rootkit - Windows Signed Driver Rootkit Test type: bool - name: T1218.011 - 1 description: Rundll32 - Rundll32 execute JavaScript Remote Payload With GetObject type: bool - name: T1218.011 - 2 description: Rundll32 - Rundll32 execute VBscript command type: bool - name: T1218.011 - 3 description: Rundll32 - Rundll32 advpack.dll Execution type: bool - name: T1218.011 - 4 description: Rundll32 - Rundll32 ieadvpack.dll Execution type: bool - name: T1218.011 - 5 description: Rundll32 - Rundll32 syssetup.dll Execution type: bool - name: T1218.011 - 6 description: Rundll32 - Rundll32 setupapi.dll Execution type: bool - name: T1218.011 - 7 description: Rundll32 - Execution of HTA and VBS Files using Rundll32 and URL.dll type: bool - name: T1218.011 - 8 description: Rundll32 - Launches an executable using Rundll32 and pcwutl.dll type: bool - name: T1218.011 - 10 description: Execution of non-dll using rundll32.exe type: bool - name: T1218.011 - 11 description: Rundll32 with Ordinal Value type: bool - name: T1218.011 - 12 description: Rundll32 with Control_RunDLL type: bool - name: T1218.011 - 13 description: Rundll32 with desk.cpl type: bool - name: T1218.011 - 14 description: Running DLL with .init extension and function type: bool - name: T1218.011 - 15 description: Rundll32 execute command via FileProtocolHandler type: bool - name: T1218.011 - 16 description: Rundll32 execute payload by calling RouteTheCall type: bool - name: T1218 - 1 description: Signed Binary Proxy Execution - mavinject - Inject DLL into running process type: bool - name: T1218 - 2 description: Signed Binary Proxy Execution - SyncAppvPublishingServer - Execute arbitrary PowerShell code type: bool - name: T1218 - 3 description: Signed Binary Proxy Execution - Register-CimProvider - Execute evil dll type: bool - name: T1218 - 4 description: Signed Binary Proxy Execution - InfDefaultInstall.exe .inf Execution type: bool - name: T1218 - 5 description: Signed Binary Proxy Execution - ProtocolHandler.exe Downloaded a Suspicious File type: bool - name: T1218 - 6 description: Signed Binary Proxy Execution - Microsoft.Workflow.Compiler.exe Payload Execution type: bool - name: T1218 - 7 description: Signed Binary Proxy Execution - Renamed Microsoft.Workflow.Compiler.exe Payload Executions type: bool - name: T1218 - 8 description: Signed Binary Proxy Execution - Invoke-ATHRemoteFXvGPUDisablementCommand base test type: bool - name: T1216 - 1 description: Signed Script Proxy Execution - SyncAppvPublishingServer Signed Script PowerShell Command Execution type: bool - name: T1216 - 2 description: Signed Script Proxy Execution - manage-bde.wsf Signed Script Command Execution type: bool - name: T1497.001 - 3 description: System Checks - Detect Virtualization Environment (Windows) type: bool - name: T1497.001 - 5 description: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) type: bool - name: T1221 - 1 description: Template Injection - WINWORD Remote Template Injection type: bool - name: T1070.006 - 5 description: Timestomp - Windows - Modify file creation timestamp with PowerShell type: bool - name: T1070.006 - 6 description: Timestomp - Windows - Modify file last modified timestamp with PowerShell type: bool - name: T1070.006 - 7 description: Timestomp - Windows - Modify file last access timestamp with PowerShell type: bool - name: T1070.006 - 8 description: Timestomp - Windows - Timestomp a File type: bool - name: T1222.001 - 1 description: Windows File and Directory Permissions Modification - Take ownership using takeown utility type: bool - name: T1222.001 - 2 description: Windows File and Directory Permissions Modification - cacls - Grant permission to specified user or group recursively type: bool - name: T1222.001 - 3 description: Windows File and Directory Permissions Modification - attrib - Remove read-only attribute type: bool - name: T1222.001 - 4 description: Windows File and Directory Permissions Modification - attrib - hide file type: bool - name: T1222.001 - 5 description: Windows File and Directory Permissions Modification - Grant Full Access to folder for Everyone - Ryuk Ransomware Style type: bool - name: T1222.001 - 6 description: SubInAcl Execution type: bool - name: T1220 - 1 description: XSL Script Processing - MSXSL Bypass using local files type: bool - name: T1220 - 2 description: XSL Script Processing - MSXSL Bypass using remote files type: bool - name: T1220 - 3 description: XSL Script Processing - WMIC bypass using local XSL file type: bool - name: T1220 - 4 description: XSL Script Processing - WMIC bypass using remote XSL file type: bool - name: T1098 - 1 description: Account Manipulation - Admin Account Manipulate type: bool - name: T1098 - 2 description: Account Manipulation - Domain Account and Group Manipulate type: bool - name: T1098 - 9 description: Password Change on Directory Service Restore Mode (DSRM) Account type: bool - name: T1098 - 10 description: Domain Password Policy Check Short Password type: bool - name: T1098 - 11 description: Domain Password Policy Check No Number in Password type: bool - name: T1098 - 12 description: Domain Password Policy Check No Special Character in Password type: bool - name: T1098 - 13 description: Domain Password Policy Check No Uppercase Character in Password type: bool - name: T1098 - 14 description: Domain Password Policy Check No Lowercase Character in Password type: bool - name: T1098 - 15 description: Domain Password Policy Check Only Two Character Classes type: bool - name: T1098 - 16 description: Domain Password Policy Check Common Password Use type: bool - name: T1137.006 - 1 description: Add-ins - Code Executed Via Excel Add-in File (Xll) type: bool - name: T1137.006 - 2 description: Persistent Code Execution Via Excel Add-in File (XLL) type: bool - name: T1137.006 - 3 description: Persistent Code Execution Via Word Add-in File (WLL) type: bool - name: T1137.006 - 4 description: Persistent Code Execution Via Excel VBA Add-in File (XLAM) type: bool - name: T1137.006 - 5 description: Persistent Code Execution Via PowerPoint VBA Add-in File (PPAM) type: bool - name: T1176 - 1 description: Browser Extensions - Chrome (Developer Mode) type: bool - name: T1176 - 2 description: Browser Extensions - Chrome (Chrome Web Store) type: bool - name: T1176 - 3 description: Browser Extensions - Firefox type: bool - name: T1176 - 4 description: Browser Extensions - Edge Chromium Addon - VPN type: bool - name: T1176 - 5 description: Google Chrome Load Unpacked Extension With Command Line type: bool - name: T1136.002 - 1 description: Domain Account - Create a new Windows domain admin user type: bool - name: T1136.002 - 2 description: Domain Account - Create a new account similar to ANONYMOUS LOGON type: bool - name: T1136.002 - 3 description: Domain Account - Create a new Domain Account using PowerShell type: bool - name: T1133 - 1 description: External Remote Services - Running Chrome VPN Extensions via the Registry 2 vpn extension type: bool - name: T1136.001 - 4 description: Local Account - Create a new user in a command prompt type: bool - name: T1136.001 - 5 description: Local Account - Create a new user in PowerShell type: bool - name: T1136.001 - 8 description: Local Account - Create a new Windows admin user type: bool - name: T1136.001 - 9 description: Create a new Windows admin user via .NET type: bool - name: T1137 - 1 description: Office Application Startup - Office Application Startup - Outlook as a C2 type: bool - name: T1137.002 - 1 description: Office Test - Office Application Startup Test Persistence type: bool - name: T1137.004 - 1 description: Outlook Home Page - Install Outlook Home Page Persistence type: bool - name: T1505.002 - 1 description: Transport Agent - Install MS Exchange Transport Agent Persistence type: bool - name: T1505.003 - 1 description: Web Shell - Web Shell Written to Disk type: bool - name: T1531 - 1 description: Account Access Removal - Change User Password - Windows type: bool - name: T1531 - 2 description: Account Access Removal - Delete User - Windows type: bool - name: T1531 - 3 description: Account Access Removal - Remove Account From Domain Admin Group type: bool - name: T1485 - 1 description: Data Destruction - Windows - Overwrite file with Sysinternals SDelete type: bool - name: T1485 - 3 description: Overwrite deleted data on C drive type: bool - name: T1485 - 5 description: ESXi - Delete VM Snapshots SDelete type: bool - name: T1486 - 5 description: Data Encrypted for Impact - PureLocker Ransom Note type: bool - name: T1486 - 8 description: Data Encrypted with GPG4Win type: bool - name: T1486 - 9 description: Data Encrypt Using DiskCryptor type: bool - name: T1486 - 10 description: Akira Ransomware drop Files with .akira Extension and Ransomnote type: bool - name: T1490 - 1 description: Inhibit System Recovery - Windows - Delete Volume Shadow Copies type: bool - name: T1490 - 2 description: Inhibit System Recovery - Windows - Delete Volume Shadow Copies via WMI type: bool - name: T1490 - 3 description: Inhibit System Recovery - Windows - wbadmin Delete Windows Backup Catalog type: bool - name: T1490 - 4 description: Inhibit System Recovery - Windows - Disable Windows Recovery Console Repair type: bool - name: T1490 - 5 description: Inhibit System Recovery - Windows - Delete Volume Shadow Copies via WMI with PowerShell type: bool - name: T1490 - 6 description: Inhibit System Recovery - Windows - Delete Backup Files type: bool - name: T1490 - 7 description: Inhibit System Recovery - Windows - wbadmin Delete systemstatebackup type: bool - name: T1490 - 8 description: Inhibit System Recovery - Windows - Disable the SR scheduled task type: bool - name: T1490 - 9 description: Disable System Restore Through Registry type: bool - name: T1490 - 10 description: Windows - vssadmin Resize Shadowstorage Volume type: bool - name: T1490 - 11 description: Modify VSS Service Permissions type: bool - name: T1491.001 - 1 description: Internal Defacement - Replace Desktop Wallpaper type: bool - name: T1491.001 - 2 description: Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message type: bool - name: T1491.001 - 3 description: ESXi - Change Welcome Message on Direct Console User Interface (DCUI) type: bool - name: T1489 - 1 description: Service Stop - Windows - Stop service using Service Controller type: bool - name: T1489 - 2 description: Service Stop - Windows - Stop service using net.exe type: bool - name: T1489 - 3 description: Service Stop - Windows - Stop service by killing process type: bool - name: T1529 - 1 description: System Shutdown/Reboot - Shutdown System - Windows type: bool - name: T1529 - 2 description: System Shutdown/Reboot - Restart System - Windows type: bool - name: T1529 - 12 description: Logoff System - Windows type: bool - name: T1529 - 13 description: ESXi - Terminates VMs using pkill type: bool - name: T1529 - 14 description: ESXi - Avoslocker enumerates VMs and forcefully kills VMs type: bool - name: T1529 - 15 description: ESXi - vim-cmd Used to Power Off VMs type: bool - name: T1010 - 1 description: Application Window Discovery - List Process Main Windows - C# .NET type: bool - name: T1217 - 5 description: Browser Bookmark Discovery - List Google Chrome Bookmarks on Windows with powershell type: bool - name: T1217 - 6 description: Browser Bookmark Discovery - List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt type: bool - name: T1217 - 7 description: Browser Bookmark Discovery - List Mozilla Firefox bookmarks on Windows with command prompt type: bool - name: T1217 - 8 description: Browser Bookmark Discovery - List Internet Explorer Bookmarks using the command prompt type: bool - name: T1217 - 10 description: Extract Edge Browsing History type: bool - name: T1217 - 11 description: Extract chrome Browsing History type: bool - name: T1087.002 - 1 description: Domain Account - Enumerate all accounts (Domain) type: bool - name: T1087.002 - 2 description: Domain Account - Enumerate all accounts via PowerShell (Domain) type: bool - name: T1087.002 - 3 description: Domain Account - Enumerate logged on users via CMD (Domain) type: bool - name: T1087.002 - 4 description: Domain Account - Automated AD Recon (ADRecon) type: bool - name: T1087.002 - 5 description: Domain Account - Adfind -Listing password policy type: bool - name: T1087.002 - 6 description: Domain Account - Adfind - Enumerate Active Directory Admins type: bool - name: T1087.002 - 7 description: Domain Account - Adfind - Enumerate Active Directory User Objects type: bool - name: T1087.002 - 8 description: Domain Account - Adfind - Enumerate Active Directory Exchange AD Objects type: bool - name: T1087.002 - 9 description: Domain Account - Enumerate Default Domain Admin Details (Domain) type: bool - name: T1087.002 - 10 description: Domain Account - Enumerate Active Directory for Unconstrained Delegation type: bool - name: T1087.002 - 11 description: Get-DomainUser with PowerView type: bool - name: T1087.002 - 12 description: Enumerate Active Directory Users with ADSISearcher type: bool - name: T1087.002 - 13 description: Enumerate Linked Policies In ADSISearcher Discovery type: bool - name: T1087.002 - 14 description: Enumerate Root Domain linked policies Discovery type: bool - name: T1087.002 - 15 description: WinPwn - generaldomaininfo type: bool - name: T1087.002 - 16 description: Kerbrute - userenum type: bool - name: T1087.002 - 17 description: Wevtutil - Discover NTLM Users Remote type: bool - name: T1087.002 - 18 description: Suspicious LAPS Attributes Query with Get-ADComputer all properties type: bool - name: T1087.002 - 19 description: Suspicious LAPS Attributes Query with Get-ADComputer ms-Mcs-AdmPwd property type: bool - name: T1087.002 - 20 description: Suspicious LAPS Attributes Query with Get-ADComputer all properties and SearchScope type: bool - name: T1087.002 - 21 description: Suspicious LAPS Attributes Query with adfind all properties type: bool - name: T1087.002 - 22 description: Suspicious LAPS Attributes Query with adfind ms-Mcs-AdmPwd type: bool - name: T1069.002 - 1 description: Domain Groups - Basic Permission Groups Discovery Windows (Domain) type: bool - name: T1069.002 - 2 description: Domain Groups - Permission Groups Discovery PowerShell (Domain) type: bool - name: T1069.002 - 3 description: Domain Groups - Elevated group enumeration using net group (Domain) type: bool - name: T1069.002 - 4 description: Domain Groups - Find machines where user has local admin access (PowerView) type: bool - name: T1069.002 - 5 description: Domain Groups - Find local admins on all machines in domain (PowerView) type: bool - name: T1069.002 - 6 description: Domain Groups - Find Local Admins via Group Policy (PowerView) type: bool - name: T1069.002 - 7 description: Domain Groups - Enumerate Users Not Requiring Pre Auth (ASRepRoast) type: bool - name: T1069.002 - 8 description: Domain Groups - Adfind - Query Active Directory Groups type: bool - name: T1482 - 1 description: Domain Trust Discovery - Windows - Discover domain trusts with dsquery type: bool - name: T1482 - 2 description: Domain Trust Discovery - Windows - Discover domain trusts with nltest type: bool - name: T1482 - 3 description: Domain Trust Discovery - Powershell enumerate domains and forests type: bool - name: T1482 - 4 description: Domain Trust Discovery - Adfind - Enumerate Active Directory OUs type: bool - name: T1482 - 5 description: Domain Trust Discovery - Adfind - Enumerate Active Directory Trusts type: bool - name: T1482 - 6 description: Domain Trust Discovery - Get-DomainTrust with PowerView type: bool - name: T1482 - 7 description: Domain Trust Discovery - Get-ForestTrust with PowerView type: bool - name: T1083 - 1 description: File and Directory Discovery - File and Directory Discovery (cmd.exe) type: bool - name: T1083 - 2 description: File and Directory Discovery - File and Directory Discovery (PowerShell) type: bool - name: T1083 - 5 description: Simulating MAZE Directory Enumeration type: bool - name: T1083 - 6 description: Launch DirLister Executable type: bool - name: T1083 - 7 description: ESXi - Enumerate VMDKs available on an ESXi Host type: bool - name: T1087.001 - 8 description: Local Account - Enumerate all accounts on Windows (Local) type: bool - name: T1087.001 - 9 description: Local Account - Enumerate all accounts via PowerShell (Local) type: bool - name: T1087.001 - 10 description: Local Account - Enumerate logged on users via CMD (Local) type: bool - name: T1069.001 - 2 description: Local Groups - Basic Permission Groups Discovery Windows (Local) type: bool - name: T1069.001 - 3 description: Local Groups - Permission Groups Discovery PowerShell (Local) type: bool - name: T1069.001 - 4 description: Local Groups - SharpHound3 - LocalAdmin type: bool - name: T1069.001 - 5 description: Local Groups - Wmic Group Discovery type: bool - name: T1069.001 - 6 description: Local Groups - WMIObject Group Discovery type: bool - name: T1046 - 3 description: Network Service Scanning - Port Scan NMap for Windows type: bool - name: T1046 - 4 description: Network Service Scanning - Port Scan using python type: bool - name: T1046 - 5 description: WinPwn - spoolvulnscan type: bool - name: T1046 - 6 description: WinPwn - MS17-10 type: bool - name: T1046 - 7 description: WinPwn - bluekeep type: bool - name: T1046 - 8 description: WinPwn - fruit type: bool - name: T1046 - 10 description: Port-Scanning /24 Subnet with PowerShell type: bool - name: T1046 - 11 description: Remote Desktop Services Discovery via PowerShell type: bool - name: T1135 - 4 description: Network Share Discovery - Network Share Discovery command prompt type: bool - name: T1135 - 5 description: Network Share Discovery - Network Share Discovery PowerShell type: bool - name: T1135 - 6 description: Network Share Discovery - View available share drives type: bool - name: T1135 - 7 description: Network Share Discovery - Share Discovery with PowerView type: bool - name: T1135 - 8 description: PowerView ShareFinder type: bool - name: T1135 - 9 description: WinPwn - shareenumeration type: bool - name: T1135 - 10 description: Network Share Discovery via dir command type: bool - name: T1135 - 11 description: Enumerate All Network Shares with SharpShares type: bool - name: T1135 - 12 description: Enumerate All Network Shares with Snaffler type: bool - name: T1201 - 6 description: Password Policy Discovery - Examine local password policy - Windows Windows type: bool - name: T1201 - 7 description: Examine domain password policy - Windows Windows type: bool - name: T1201 - 9 description: Get-DomainPolicy with PowerView type: bool - name: T1201 - 10 description: Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy type: bool - name: T1201 - 11 description: Enumerate Active Directory Password Policy with get-addefaultdomainpasswordpolicy type: bool - name: T1120 - 1 description: Peripheral Device Discovery - Win32_PnPEntity Hardware Inventory type: bool - name: T1120 - 2 description: WinPwn - printercheck type: bool - name: T1120 - 3 description: Peripheral Device Discovery via fsutil type: bool - name: T1120 - 4 description: Get Printer Device List via PowerShell Command type: bool - name: T1057 - 2 description: Process Discovery - Process Discovery - tasklist type: bool - name: T1057 - 3 description: Process Discovery - Get-Process type: bool - name: T1057 - 4 description: Process Discovery - get-wmiObject type: bool - name: T1057 - 5 description: Process Discovery - wmic process type: bool - name: T1057 - 6 description: Discover Specific Process - tasklist type: bool - name: T1057 - 7 description: Process Discovery - Process Hacker type: bool - name: T1057 - 8 description: Process Discovery - PC Hunter type: bool - name: T1057 - 9 description: Launch Taskmgr from cmd to View running processes type: bool - name: T1012 - 1 description: Query Registry - Query Registry type: bool - name: T1012 - 2 description: Query Registry with Powershell cmdlets type: bool - name: T1012 - 3 description: Enumerate COM Objects in Registry with Powershell type: bool - name: T1012 - 4 description: Reg query for AlwaysInstallElevated status type: bool - name: T1012 - 5 description: Check Software Inventory Logging (SIL) status via Registry type: bool - name: T1012 - 6 description: Inspect SystemStartOptions Value in Registry type: bool - name: T1018 - 1 description: Remote System Discovery - Remote System Discovery - net type: bool - name: T1018 - 2 description: Remote System Discovery - Remote System Discovery - net group Domain Computers type: bool - name: T1018 - 3 description: Remote System Discovery - Remote System Discovery - nltest type: bool - name: T1018 - 4 description: Remote System Discovery - Remote System Discovery - ping sweep type: bool - name: T1018 - 5 description: Remote System Discovery - Remote System Discovery - arp type: bool - name: T1018 - 8 description: Remote System Discovery - Remote System Discovery - nslookup type: bool - name: T1018 - 9 description: Remote System Discovery - Remote System Discovery - adidnsdump type: bool - name: T1018 - 10 description: Remote System Discovery - Adfind - Enumerate Active Directory Computer Objects type: bool - name: T1018 - 11 description: Remote System Discovery - Adfind - Enumerate Active Directory Domain Controller Objects type: bool - name: T1018 - 16 description: Enumerate domain computers within Active Directory using DirectorySearcher type: bool - name: T1018 - 17 description: Enumerate Active Directory Computers with Get-AdComputer Domain Controller Objects type: bool - name: T1018 - 18 description: Enumerate Active Directory Computers with ADSISearcher Domain Controller Objects type: bool - name: T1018 - 19 description: Get-DomainController with PowerView Domain Controller Objects type: bool - name: T1018 - 20 description: Get-WmiObject to Enumerate Domain Controllers type: bool - name: T1018 - 21 description: Remote System Discovery - net group Domain Controller type: bool - name: T1018 - 22 description: Enumerate Remote Hosts with Netscan type: bool - name: T1518.001 - 1 description: Security Software Discovery - Security Software Discovery type: bool - name: T1518.001 - 2 description: Security Software Discovery - Security Software Discovery - powershell type: bool - name: T1518.001 - 5 description: Security Software Discovery - Security Software Discovery - Sysmon Service type: bool - name: T1518.001 - 6 description: Security Software Discovery - Security Software Discovery - AV Discovery via WMI type: bool - name: T1518 - 1 description: Software Discovery - Find and Display Internet Explorer Browser Version type: bool - name: T1518 - 2 description: Software Discovery - Applications Installed type: bool - name: T1082 - 1 description: System Information Discovery - System Information Discovery type: bool - name: T1082 - 6 description: System Information Discovery - Hostname Discovery (Windows) type: bool - name: T1082 - 8 description: System Information Discovery - Windows MachineGUID Discovery type: bool - name: T1082 - 9 description: System Information Discovery - Griffon Recon type: bool - name: T1082 - 10 description: System Information Discovery - Environment variables discovery on windows type: bool - name: T1082 - 14 description: WinPwn - winPEAS type: bool - name: T1082 - 15 description: WinPwn - itm4nprivesc type: bool - name: T1082 - 16 description: WinPwn - Powersploits privesc checks type: bool - name: T1082 - 17 description: WinPwn - General privesc checks type: bool - name: T1082 - 18 description: WinPwn - GeneralRecon type: bool - name: T1082 - 19 description: WinPwn - Morerecon type: bool - name: T1082 - 20 description: WinPwn - RBCD-Check type: bool - name: T1082 - 21 description: WinPwn - PowerSharpPack - Watson searching for missing windows patches type: bool - name: T1082 - 22 description: WinPwn - PowerSharpPack - Sharpup checking common Privesc vectors type: bool - name: T1082 - 23 description: WinPwn - PowerSharpPack - Seatbelt type: bool - name: T1082 - 27 description: System Information Discovery with WMIC type: bool - name: T1082 - 28 description: System Information Discovery type: bool - name: T1082 - 29 description: Check computer location type: bool - name: T1082 - 30 description: BIOS Information Discovery through Registry type: bool - name: T1082 - 31 description: ESXi - VM Discovery using ESXCLI type: bool - name: T1082 - 32 description: ESXi - Darkside system information discovery type: bool - name: T1082 - 34 description: operating system discovery type: bool - name: T1082 - 35 description: Check OS version via "ver" command type: bool - name: T1082 - 36 description: Display volume shadow copies with "vssadmin" type: bool - name: T1082 - 37 description: Identify System Locale and Regional Settings with PowerShell type: bool - name: T1082 - 38 description: Enumerate Available Drives via gdr type: bool - name: T1082 - 39 description: Discover OS Product Name via Registry type: bool - name: T1082 - 40 description: Discover OS Build Number via Registry type: bool - name: T1016 - 1 description: System Network Configuration Discovery - System Network Configuration Discovery on Windows type: bool - name: T1016 - 2 description: System Network Configuration Discovery - List Windows Firewall Rules type: bool - name: T1016 - 4 description: System Network Configuration Discovery - System Network Configuration Discovery (TrickBot Style) type: bool - name: T1016 - 5 description: System Network Configuration Discovery - List Open Egress Ports type: bool - name: T1016 - 6 description: System Network Configuration Discovery - Adfind - Enumerate Active Directory Subnet Objects type: bool - name: T1016 - 7 description: System Network Configuration Discovery - Qakbot Recon type: bool - name: T1049 - 1 description: System Network Connections Discovery - System Network Connections Discovery type: bool - name: T1049 - 2 description: System Network Connections Discovery - System Network Connections Discovery with PowerShell type: bool - name: T1049 - 4 description: System Network Connections Discovery - System Discovery using SharpView type: bool - name: T1033 - 1 description: System Owner/User Discovery - System Owner/User Discovery type: bool - name: T1033 - 3 description: System Owner/User Discovery - Find computers where user has session - Stealth mode (PowerView) type: bool - name: T1033 - 4 description: User Discovery With Env Vars PowerShell Script type: bool - name: T1033 - 5 description: GetCurrent User with PowerShell Script type: bool - name: T1033 - 6 description: System Discovery - SocGholish whoami type: bool - name: T1033 - 7 description: System Owner/User Discovery Using Command Prompt type: bool - name: T1007 - 1 description: System Service Discovery - System Service Discovery type: bool - name: T1007 - 2 description: System Service Discovery - System Service Discovery - net.exe type: bool - name: T1007 - 4 description: Get-Service Execution type: bool - name: T1124 - 1 description: System Time Discovery - System Time Discovery type: bool - name: T1124 - 2 description: System Time Discovery - System Time Discovery - PowerShell type: bool - name: T1124 - 4 description: System Time Discovery W32tm as a Delay type: bool - name: T1124 - 5 description: System Time with Windows time Command type: bool - name: T1124 - 6 description: Discover System Time Zone via Registry type: bool - name: T1071.004 - 1 description: DNS - DNS Large Query Volume type: bool - name: T1071.004 - 2 description: DNS - DNS Regular Beaconing type: bool - name: T1071.004 - 3 description: DNS - DNS Long Domain Query type: bool - name: T1071.004 - 4 description: DNS - DNS C2 type: bool - name: T1573 - 1 description: Encrypted Channel - OpenSSL C2 type: bool - name: T1105 - 7 description: Ingress Tool Transfer - certutil download (urlcache) type: bool - name: T1105 - 8 description: Ingress Tool Transfer - certutil download (verifyctl) type: bool - name: T1105 - 9 description: Ingress Tool Transfer - Windows - BITSAdmin BITS Download type: bool - name: T1105 - 10 description: Ingress Tool Transfer - Windows - PowerShell Download type: bool - name: T1105 - 11 description: Ingress Tool Transfer - OSTAP Worming Activity type: bool - name: T1105 - 12 description: Ingress Tool Transfer - svchost writing a file to a UNC path type: bool - name: T1105 - 13 description: Ingress Tool Transfer - Download a File with Windows Defender MpCmdRun.exe type: bool - name: T1105 - 15 description: Ingress Tool Transfer - File Download via PowerShell type: bool - name: T1105 - 16 description: Ingress Tool Transfer - File download with finger.exe on Windows type: bool - name: T1105 - 17 description: Ingress Tool Transfer - Download a file with IMEWDBLD.exe type: bool - name: T1105 - 18 description: Ingress Tool Transfer - Curl Download File type: bool - name: T1090.001 - 3 description: Internal Proxy - portproxy reg key type: bool - name: T1095 - 1 description: Non-Application Layer Protocol - ICMP C2 type: bool - name: T1095 - 2 description: Non-Application Layer Protocol - Netcat C2 type: bool - name: T1095 - 3 description: Non-Application Layer Protocol - Powercat C2 type: bool - name: T1571 - 1 description: Non-Standard Port - Testing usage of uncommonly used port with PowerShell type: bool - name: T1572 - 1 description: Protocol Tunneling - DNS over HTTPS Large Query Volume type: bool - name: T1572 - 2 description: Protocol Tunneling - DNS over HTTPS Regular Beaconing type: bool - name: T1572 - 3 description: Protocol Tunneling - DNS over HTTPS Long Domain Query type: bool - name: T1572 - 4 description: run ngrok type: bool - name: T1219 - 1 description: Remote Access Software - TeamViewer Files Detected Test on Windows type: bool - name: T1219 - 2 description: Remote Access Software - AnyDesk Files Detected Test on Windows type: bool - name: T1219 - 3 description: Remote Access Software - LogMeIn Files Detected Test on Windows type: bool - name: T1219 - 4 description: Remote Access Software - GoToAssist Files Detected Test on Windows type: bool - name: T1219 - 5 description: Remote Access Software - ScreenConnect Application Download and Install on Windows type: bool - name: T1219 - 6 description: Ammyy Admin Software Execution type: bool - name: T1219 - 7 description: RemotePC Software Execution type: bool - name: T1219 - 8 description: NetSupport - RAT Execution type: bool - name: T1219 - 9 description: UltraViewer - RAT Execution type: bool - name: T1219 - 10 description: UltraVNC Execution type: bool - name: T1219 - 11 description: MSP360 Connect Execution type: bool - name: T1219 - 12 description: RustDesk Files Detected Test on Windows type: bool - name: T1219 - 13 description: Splashtop Execution type: bool - name: T1219 - 14 description: Splashtop Streamer Execution type: bool - name: T1219 - 15 description: Microsoft App Quick Assist Execution type: bool - name: T1132.001 - 2 description: Standard Encoding - XOR Encoded data. type: bool - name: T1071.001 - 1 description: Web Protocols - Malicious User Agents - Powershell type: bool - name: T1071.001 - 2 description: Web Protocols - Malicious User Agents - CMD type: bool - name: T1559.002 - 1 description: Dynamic Data Exchange - Execute Commands type: bool - name: T1559.002 - 2 description: Dynamic Data Exchange - Execute PowerShell script via Word DDE type: bool - name: T1559.002 - 3 description: Dynamic Data Exchange - DDEAUTO type: bool - name: T1559 - 1 description: Cobalt Strike Artifact Kit pipe type: bool - name: T1559. - 2 description: Cobalt Strike Lateral Movement (psexec_psh) pipe type: bool - name: T1559 - 3 description: Cobalt Strike SSH (postex_ssh) pipe type: bool - name: T1559 - 4 description: Cobalt Strike post-exploitation pipe (4.2 and later) type: bool - name: T1559 - 5 description: Cobalt Strike post-exploitation pipe (before 4.2) type: bool - name: T1204.002 - 1 description: Malicious File - OSTap Style Macro Execution type: bool - name: T1204.002 - 2 description: Malicious File - OSTap Payload Download type: bool - name: T1204.002 - 3 description: Malicious File - Maldoc choice flags command execution type: bool - name: T1204.002 - 4 description: Malicious File - OSTAP JS version type: bool - name: T1204.002 - 5 description: Malicious File - Office launching .bat file from AppData type: bool - name: T1204.002 - 6 description: Malicious File - Excel 4 Macro type: bool - name: T1204.002 - 7 description: Malicious File - Headless Chrome code execution via VBA type: bool - name: T1204.002 - 8 description: Malicious File - Potentially Unwanted Applications (PUA) type: bool - name: T1204.002 - 9 description: Malicious File - Office Generic Payload Download type: bool - name: LNK Payload Download - 10 description: Malicious File - Office Generic Payload Download type: bool - name: LNK Payload Download - 11 description: Mirror Blast Emulation type: bool - name: T1106 - 1 description: Native API - Execution through API - CreateProcess type: bool - name: T1106 - 2 description: Native API - WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique type: bool - name: T1106 - 3 description: WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique type: bool - name: T1106 - 4 description: WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique type: bool - name: T1106 - 5 description: Run Shellcode via Syscall in Go type: bool - name: T1059.001 - 1 description: PowerShell - Mimikatz type: bool - name: T1059.001 - 2 description: PowerShell - Run BloodHound from local disk type: bool - name: T1059.001 - 3 description: PowerShell - Run Bloodhound from Memory using Download Cradle type: bool - name: T1059.001 - 4 description: PowerShell - Obfuscation Tests type: bool - name: T1059.001 - 5 description: PowerShell - Mimikatz - Cradlecraft PsSendKeys type: bool - name: T1059.001 - 6 description: PowerShell - Invoke-AppPathBypass type: bool - name: T1059.001 - 7 description: PowerShell - Powershell MsXml COM object - with prompt type: bool - name: T1059.001 - 8 description: PowerShell - Powershell XML requests type: bool - name: T1059.001 - 9 description: PowerShell - Powershell invoke mshta.exe download type: bool - name: T1059.001 - 10 description: PowerShell - Powershell Invoke-DownloadCradle type: bool - name: T1059.001 - 11 description: PowerShell - PowerShell Fileless Script Execution type: bool - name: T1059.001 - 12 description: PowerShell - PowerShell Downgrade Attack type: bool - name: T1059.001 - 13 description: PowerShell - NTFS Alternate Data Stream Access type: bool - name: T1059.001 - 14 description: PowerShell - PowerShell Session Creation and Use type: bool - name: T1059.001 - 15 description: PowerShell - ATHPowerShellCommandLineParameter -Command parameter variations type: bool - name: T1059.001 - 16 description: PowerShell - ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments type: bool - name: T1059.001 - 17 description: PowerShell - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations type: bool - name: T1059.001 - 18 description: PowerShell - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments type: bool - name: T1614 - 1 description: Get geolocation info through IP-Lookup services using curl Windows type: bool - name: T1614.001 - 1 description: Discover System Language by Registry Query type: bool - name: T1614.001 - 2 description: Discover System Language with chcp type: bool - name: T1614.001 - 7 description: Discover System Language with dism.exe type: bool - name: T1614.001 - 8 description: Discover System Language by Windows API Query type: bool - name: T1614.001 - 9 description: Discover System Language with WMIC type: bool - name: T1614.001 - 10 description: Discover System Language with Powershell type: bool - name: T1059.001 - 19 description: PowerShell - PowerShell Command Execution type: bool - name: T1059.001 - 20 description: PowerShell - PowerShell Invoke Known Malicious Cmdlets type: bool - name: T1059.001 - 21 description: PowerShell - PowerUp Invoke-AllChecks type: bool - name: T1569.002 - 1 description: Execute a Command as a Service (Windows) type: bool - name: T1569.002 - 2 description: Use PsExec to execute a command on a remote host (Windows) type: bool - name: T1569.002 - 4 description: BlackCat pre-encryption cmds with Lateral Movement (Windows) type: bool - name: T1569.002 - 5 description: Use RemCom to execute a command on a remote host (Windows) type: bool - name: T1569.002 - 6 description: Snake Malware Service Create (Windows) type: bool - name: T1569.002 - 7 description: Modifying ACL of Service Control Manager via SDET (Windows) type: bool - name: T1569.002 - 8 description: Pipe Creation - PsExec Tool Execution From Suspicious Locations (Windows) type: bool - name: T1072 - 1 description: Software Deployment Tools - Radmin Viewer Utility type: bool - name: T1072 - 2 description: PDQ Deploy RAT type: bool - name: T1072 - 3 description: Deploy 7-Zip Using Chocolatey type: bool - name: T1059.005 - 1 description: Visual Basic - Visual Basic script execution to gather local computer information type: bool - name: T1059.005 - 2 description: Visual Basic - Encoded VBS code execution type: bool - name: T1059.005 - 3 description: Visual Basic - Extract Memory via VBA type: bool - name: T1059.003 - 1 description: Windows Command Shell - Create and Execute Batch Script type: bool - name: T1059.003 - 2 description: Windows Command Shell - Writes text to a file and displays it. type: bool - name: T1059.003 - 3 description: Windows Command Shell - Suspicious Execution via Windows Command Shell type: bool - name: T1047 - 1 description: Windows Management Instrumentation - WMI Reconnaissance Users type: bool - name: T1047 - 2 description: Windows Management Instrumentation - WMI Reconnaissance Processes type: bool - name: T1047 - 3 description: Windows Management Instrumentation - WMI Reconnaissance Software type: bool - name: T1047 - 4 description: Windows Management Instrumentation - WMI Reconnaissance List Remote Services type: bool - name: T1047 - 5 description: Windows Management Instrumentation - WMI Execute Local Process type: bool - name: T1047 - 6 description: Windows Management Instrumentation - WMI Execute Remote Process type: bool - name: T1047 - 7 description: Windows Management Instrumentation - Create a Process using WMI Query and an Encoded Command type: bool - name: T1047 - 8 description: Windows Management Instrumentation - Create a Process using obfuscated Win32_Process type: bool - name: T1047 - 9 description: Windows Management Instrumentation - WMI Execute rundll32 type: bool - name: T1020 - 1 description: Automated Exfiltration - IcedID Botnet HTTP PUT type: bool - name: T1020 - 2 description: Exfiltration via Encrypted FTP type: bool - name: T1048 - 3 description: Exfiltration Over Alternative Protocol - DNSExfiltration (doh) type: bool - name: T1041 - 1 description: Exfiltration Over C2 Channel - C2 Data Exfiltration type: bool - name: T1041 - 2 description: Text Based Data Exfiltration using DNS subdomains type: bool - name: T1048.003 - 2 description: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - Exfiltration Over Alternative Protocol - ICMP type: bool - name: T1048.003 - 4 description: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - Exfiltration Over Alternative Protocol - HTTP type: bool - name: T1048.003 - 5 description: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - Exfiltration Over Alternative Protocol - SMTP type: bool - name: T1567 - 1 description: Exfiltration Over Web Service - Data Exfiltration with ConfigSecurityPolicy type: bool - name: T1021.003 - 1 description: Distributed Component Object Model - PowerShell Lateral Movement using MMC20 type: bool - name: T1021.003 - 2 description: PowerShell Lateral Movement Using Excel Application Object type: bool - name: T1563.002 - 1 description: RDP Hijacking - RDP hijacking type: bool - name: T1021.001 - 1 description: Remote Desktop Protocol - RDP to DomainController type: bool - name: T1021.001 - 2 description: Remote Desktop Protocol - RDP to Server type: bool - name: T1021.001 - 3 description: Remote Desktop Protocol - Changing RDP Port to Non Standard Port via Powershell type: bool - name: T1021.001 - 4 description: Remote Desktop Protocol - Changing RDP Port to Non Standard Port via Command_Prompt type: bool - name: T1021.002 - 1 description: SMB/Windows Admin Shares - Map admin share type: bool - name: T1021.002 - 2 description: SMB/Windows Admin Shares - Map Admin Share PowerShell type: bool - name: T1021.002 - 3 description: SMB/Windows Admin Shares - Copy and Execute File with PsExec type: bool - name: T1021.002 - 4 description: SMB/Windows Admin Shares - Execute command writing output to local Admin Share type: bool - name: T1021.006 - 1 description: Windows Remote Management - Enable Windows Remote Management type: bool - name: T1021.006 - 2 description: Windows Remote Management - Invoke-Command type: bool - name: T1021.006 - 3 description: Windows Remote Management - WinRM Access with Evil-WinRM type: bool - name: T1566.001 - 1 description: Spearphishing Attachment - Download Phishing Attachment - VBScript type: bool - name: T1566.001 - 2 description: Spearphishing Attachment - Word spawned a command shell and used an IP address in the command line type: bool precondition: SELECT OS From info() where OS = 'windows' sources: - query: | LET CommandTable = SELECT * FROM parse_csv(accessor="data", filename=''' Flag,Command T1654 - 1,Invoke-AtomicTest T1654 -TestNumbers 1 T1654 - 2,Invoke-AtomicTest T1654 -TestNumbers 2 T1652 - 1,Invoke-AtomicTest T1652 -TestNumbers 1 T1649 - 1,Invoke-AtomicTest T1649 -TestNumbers 1 T1622 - 1,Invoke-AtomicTest T1622 -TestNumbers 1 T1620 - 1,Invoke-AtomicTest T1620 -TestNumbers 1 T1615 - 1,Invoke-AtomicTest T1615 -TestNumbers 1 T1615 - 2,Invoke-AtomicTest T1615 -TestNumbers 2 T1615 - 3,Invoke-AtomicTest T1615 -TestNumbers 3 T1615 - 4,Invoke-AtomicTest T1615 -TestNumbers 4 T1615 - 5,Invoke-AtomicTest T1615 -TestNumbers 5 T1614 - 1,Invoke-AtomicTest T1614 -TestNumbers 1 T1614.001 - 1,Invoke-AtomicTest T1614.001 -TestNumbers 1 T1614.001 - 2,Invoke-AtomicTest T1614.001 -TestNumbers 2 T1614.001 - 7,Invoke-AtomicTest T1614.001 -TestNumbers 7 T1614.001 - 8,Invoke-AtomicTest T1614.001 -TestNumbers 8 T1614.001 - 9,Invoke-AtomicTest T1614.001 -TestNumbers 9 T1614.001 - 10,Invoke-AtomicTest T1614.001 -TestNumbers 10 T1592.001 - 1,Invoke-AtomicTest T1592.001 -TestNumbers 1 T1595.003 - 1,Invoke-AtomicTest T1595.003 -TestNumbers 1 T1574.008 - 1,Invoke-AtomicTest T1574.008 -TestNumbers 1 T1570 - 1,Invoke-AtomicTest T1570 -TestNumbers 1 T1570 - 2,Invoke-AtomicTest T1570 -TestNumbers 2 T1567.003 - 1,Invoke-AtomicTest T1567.003 -TestNumbers 1 T1567.002 - 1,Invoke-AtomicTest T1567.002 -TestNumbers 1 T1566.002 - 1,Invoke-AtomicTest T1566.002 -TestNumbers 1 T1564.006 - 1,Invoke-AtomicTest T1564.006 -TestNumbers 1 T1564.006 - 2,Invoke-AtomicTest T1564.006 -TestNumbers 2 T1564.006 - 3,Invoke-AtomicTest T1564.006 -TestNumbers 3 T1564.002 - 3,Invoke-AtomicTest T1564.002 -TestNumbers 3 T1562 - 1,Invoke-AtomicTest T1562 -TestNumbers 1 T1562.010 - 2,Invoke-AtomicTest T1562.010 -TestNumbers 2 T1562.010 - 3,Invoke-AtomicTest T1562.010 -TestNumbers 3 T1562.009 - 1,Invoke-AtomicTest T1562.009 -TestNumbers 1 T1562.006 - 5,Invoke-AtomicTest T1562.006 -TestNumbers 5 T1562.006 - 6,Invoke-AtomicTest T1562.006 -TestNumbers 6 T1562.006 - 7,Invoke-AtomicTest T1562.006 -TestNumbers 7 T1562.006 - 8,Invoke-AtomicTest T1562.006 -TestNumbers 8 T1562.006 - 9,Invoke-AtomicTest T1562.006 -TestNumbers 9 T1562.006 - 10,Invoke-AtomicTest T1562.006 -TestNumbers 10 T1562.006 - 11,Invoke-AtomicTest T1562.006 -TestNumbers 11 T1562.006 - 12,Invoke-AtomicTest T1562.006 -TestNumbers 12 T1562.006 - 13,Invoke-AtomicTest T1562.006 -TestNumbers 13 T1562.006 - 14,Invoke-AtomicTest T1562.006 -TestNumbers 14 T1562.003 - 11,Invoke-AtomicTest T1562.003 -TestNumbers 11 T1562.003 - 12,Invoke-AtomicTest T1562.003 -TestNumbers 12 T1558.002 - 1,Invoke-AtomicTest T1558.002 -TestNumbers 1 T1557.001 - 1,Invoke-AtomicTest T1557.001 -TestNumbers 1 T1555.004 - 1,Invoke-AtomicTest T1555.004 -TestNumbers 1 T1555.004 - 2,Invoke-AtomicTest T1555.004 -TestNumbers 2 T1553.006 - 1,Invoke-AtomicTest T1553.006 -TestNumbers 1 T1553.003 - 1,Invoke-AtomicTest T1553.003 -TestNumbers 1 T1547.015 - 1,Invoke-AtomicTest T1547.015 -TestNumbers 1 T1547.014 - 1,Invoke-AtomicTest T1547.014 -TestNumbers 1 T1547.014 - 2,Invoke-AtomicTest T1547.014 -TestNumbers 2 T1547.014 - 3,Invoke-AtomicTest T1547.014 -TestNumbers 3 T1547.012 - 1,Invoke-AtomicTest T1547.012 -TestNumbers 1 T1547.008 - 1,Invoke-AtomicTest T1547.008 -TestNumbers 1 T1547.006 - 4,Invoke-AtomicTest T1547.006 -TestNumbers 4 T1547.003 - 1,Invoke-AtomicTest T1547.003 -TestNumbers 1 T1547.003 - 2,Invoke-AtomicTest T1547.003 -TestNumbers 2 T1547.002 - 1,Invoke-AtomicTest T1547.002 -TestNumbers 1 T1546.015 - 1,Invoke-AtomicTest T1546.015 -TestNumbers 1 T1546.015 - 2,Invoke-AtomicTest T1546.015 -TestNumbers 2 T1546.015 - 3,Invoke-AtomicTest T1546.015 -TestNumbers 3 T1546.015 - 4,Invoke-AtomicTest T1546.015 -TestNumbers 4 T1542.001 - 1,Invoke-AtomicTest T1542.001 -TestNumbers 1 T1539 - 1,Invoke-AtomicTest T1539 -TestNumbers 1 T1539 - 2,Invoke-AtomicTest T1539 -TestNumbers 2 T1539 - 4,Invoke-AtomicTest T1539 -TestNumbers 4 T1505.005 - 1,Invoke-AtomicTest T1505.005 -TestNumbers 1 T1505.005 - 2,Invoke-AtomicTest T1505.005 -TestNumbers 2 T1505.004 - 1,Invoke-AtomicTest T1505.004 -TestNumbers 1 T1505.004 - 2,Invoke-AtomicTest T1505.004 -TestNumbers 2 T1204.003 - 1,Invoke-AtomicTest T1204.003 -TestNumbers 1 T1137.001 - 1,Invoke-AtomicTest T1137.001 -TestNumbers 1 T1195 - 1,Invoke-AtomicTest T1195-TestNumbers 1 T1134.005 - 1,Invoke-AtomicTest T1134.005 -TestNumbers 1 T1129 - 1,Invoke-AtomicTest T1129 -TestNumbers 1 T1125 - 1,Invoke-AtomicTest T1125 -TestNumbers 1 T1110.004 - 4,Invoke-AtomicTest T1110.004 -TestNumbers 4 T1091 - 1,Invoke-AtomicTest T1091 -TestNumbers 1 T1090.003 - 1,Invoke-AtomicTest T1090.003 -TestNumbers 1 T1090.003 - 2,Invoke-AtomicTest T1090.003 -TestNumbers 2 T1070.008 - 1,Invoke-AtomicTest T1070.008 -TestNumbers 1 T1070.008 - 4,Invoke-AtomicTest T1070.008 -TestNumbers 4 T1059.010 - 1,Invoke-AtomicTest T1059.010 -TestNumbers 1 T1059.007 - 1,Invoke-AtomicTest T1059.007 -TestNumbers 1 T1059.007 - 2,Invoke-AtomicTest T1059.007 -TestNumbers 2 T1055.015 - 1,Invoke-AtomicTest T1055.015 -TestNumbers 1 T1055.011 - 1,Invoke-AtomicTest T1055.011 -TestNumbers 1 T1055.003 - 1,Invoke-AtomicTest T1055.003 -TestNumbers 1 T1055.002 - 1,Invoke-AtomicTest T1055.002 -TestNumbers 1 T1039 - 1,Invoke-AtomicTest T1039 -TestNumbers 1 T1039 - 2,Invoke-AtomicTest T1039 -TestNumbers 2 T1036.007 - 1,Invoke-AtomicTest T1036.007 -TestNumbers 1 T1030 - 2,Invoke-AtomicTest T1030 -TestNumbers 2 T1027.007 - 1,Invoke-AtomicTest T1027.007 -TestNumbers 1 T1027.006 - 1,Invoke-AtomicTest T1027.006 -TestNumbers 1 T1025 - 1,Invoke-AtomicTest T1025 -TestNumbers 1 T1021.004 - 1,Invoke-AtomicTest T1021.004 -TestNumbers 1 T1021.004 - 2,Invoke-AtomicTest T1021.004 -TestNumbers 2 T1016.002 - 1,Invoke-AtomicTest T1016.002 -TestNumbers 1 T1016.001 - 1,Invoke-AtomicTest T1016.001 -TestNumbers 1 T1016.001 - 3,Invoke-AtomicTest T1016.001 -TestNumbers 3 T1016.001 - 4,Invoke-AtomicTest T1016.001 -TestNumbers 4 T1016.001 - 5,Invoke-AtomicTest T1016.001 -TestNumbers 5 T1016.001 - 6,Invoke-AtomicTest T1016.001 -TestNumbers 6 T1005 - 1,Invoke-AtomicTest T1005 -TestNumbers 1 T1003.005 - 1,Invoke-AtomicTest T1003.005 -TestNumbers 1 T1558.004 - 1,Invoke-AtomicTest T1558.004 -TestNumbers 1 T1558.004 - 2,Invoke-AtomicTest T1558.004 -TestNumbers 2 T1558.004 - 3,Invoke-AtomicTest T1558.004 -TestNumbers 3 T1056.004 - 1,Invoke-AtomicTest T1056.004 -TestNumbers 1 T1552.001 - 4,Invoke-AtomicTest T1552.001 -TestNumbers 4 T1552.001 - 5,Invoke-AtomicTest T1552.001 -TestNumbers 5 T1552.001 - 7,Invoke-AtomicTest T1552.001 -TestNumbers 7 T1552.001 - 8,Invoke-AtomicTest T1552.001 -TestNumbers 8 T1552.001 - 9,Invoke-AtomicTest T1552.001 -TestNumbers 9 T1552.001 - 10,Invoke-AtomicTest T1552.001 -TestNumbers 10 T1552.001 - 11,Invoke-AtomicTest T1552.001 -TestNumbers 11 T1552.001 - 12,Invoke-AtomicTest T1552.001 -TestNumbers 12 T1552.001 - 13,Invoke-AtomicTest T1552.001 -TestNumbers 13 T1552.001 - 14,Invoke-AtomicTest T1552.001 -TestNumbers 14 T1555 - 1,Invoke-AtomicTest T1555 -TestNumbers 1 T1555 - 2,Invoke-AtomicTest T1555 -TestNumbers 2 T1555 - 3,Invoke-AtomicTest T1555 -TestNumbers 3 T1555 - 4,Invoke-AtomicTest T1555 -TestNumbers 4 T1555 - 5,Invoke-AtomicTest T1555 -TestNumbers 5 T1555 - 6,Invoke-AtomicTest T1555 -TestNumbers 6 T1555 - 7,Invoke-AtomicTest T1555 -TestNumbers 7 T1555 - 8,Invoke-AtomicTest T1555 -TestNumbers 8 T1555.003 - 1,Invoke-AtomicTest T1555.003 -TestNumbers 1 T1555.003 - 3,Invoke-AtomicTest T1555.003 -TestNumbers 3 T1555.003 - 4,Invoke-AtomicTest T1555.003 -TestNumbers 4 T1555.003 - 5,Invoke-AtomicTest T1555.003 -TestNumbers 5 T1555.003 - 6,Invoke-AtomicTest T1555.003 -TestNumbers 6 T1555.003 - 7,Invoke-AtomicTest T1555.003 -TestNumbers 7 T1555.003 - 8,Invoke-AtomicTest T1555.003 -TestNumbers 8 T1555.003 - 10,Invoke-AtomicTest T1555.003 -TestNumbers 10 T1555.003 - 11,Invoke-AtomicTest T1555.003 -TestNumbers 11 T1555.003 - 12,Invoke-AtomicTest T1555.003 -TestNumbers 12 T1555.003 - 13,Invoke-AtomicTest T1555.003 -TestNumbers 13 T1555.003 - 15,Invoke-AtomicTest T1555.003 -TestNumbers 15 T1555.003 - 16,Invoke-AtomicTest T1555.003 -TestNumbers 16 T1555.003 - 17,Invoke-AtomicTest T1555.003 -TestNumbers 17 T1552.002 - 1,Invoke-AtomicTest T1552.002 -TestNumbers 1 T1552.002 - 2,Invoke-AtomicTest T1552.002 -TestNumbers 2 T1003.006 - 1,Invoke-AtomicTest T1003.006 -TestNumbers 1 T1003.006 - 1,Invoke-AtomicTest T1003.006 -TestNumbers 2 T1187 - 1,Invoke-AtomicTest T1187 -TestNumbers 1 T1187 - 2,Invoke-AtomicTest T1187 -TestNumbers 2 T1187 - 3,Invoke-AtomicTest T1187 -TestNumbers 3 T1056.002 - 2,Invoke-AtomicTest T1056.002 -TestNumbers 2 T1558.001 - 1,Invoke-AtomicTest T1558.001 -TestNumbers 1 T1558.001 - 2,Invoke-AtomicTest T1558.001 -TestNumbers 2 T1552.006 - 1,Invoke-AtomicTest T1552.006 -TestNumbers 1 T1552.006 - 2,Invoke-AtomicTest T1552.006 -TestNumbers 2 T1558.003 - 1,Invoke-AtomicTest T1558.003 -TestNumbers 1 T1558.003 - 2,Invoke-AtomicTest T1558.003 -TestNumbers 2 T1558.003 - 3,Invoke-AtomicTest T1558.003 -TestNumbers 3 T1558.003 - 4,Invoke-AtomicTest T1558.003 -TestNumbers 4 T1558.003 - 5,Invoke-AtomicTest T1558.003 -TestNumbers 5 T1558.003 - 6,Invoke-AtomicTest T1558.003 -TestNumbers 6 T1558.003 - 7,Invoke-AtomicTest T1558.003 -TestNumbers 7 T1056.001 - 1,Invoke-AtomicTest T1056.001 -TestNumbers 1 T1003.004 - 1,Invoke-AtomicTest T1003.004 -TestNumbers 1 T1003.004 - 2,Invoke-AtomicTest T1003.004 -TestNumbers 2 T1003.001 - 1,Invoke-AtomicTest T1003.001 -TestNumbers 1 T1003.001 - 2,Invoke-AtomicTest T1003.001 -TestNumbers 2 T1003.001 - 3,Invoke-AtomicTest T1003.001 -TestNumbers 3 T1003.001 - 4,Invoke-AtomicTest T1003.001 -TestNumbers 4 T1003.001 - 5,Invoke-AtomicTest T1003.001 -TestNumbers 5 T1003.001 - 6,Invoke-AtomicTest T1003.001 -TestNumbers 6 T1003.001 - 7,Invoke-AtomicTest T1003.001 -TestNumbers 7 T1003.001 - 8,Invoke-AtomicTest T1003.001 -TestNumbers 8 T1003.001 - 9,Invoke-AtomicTest T1003.001 -TestNumbers 9 T1003.001 - 10,Invoke-AtomicTest T1003.001 -TestNumbers 10 T1003.001 - 11,Invoke-AtomicTest T1003.001 -TestNumbers 11 T1003.001 - 12,Invoke-AtomicTest T1003.001 -TestNumbers 12 T1003.001 - 13,Invoke-AtomicTest T1003.001 -TestNumbers 13 T1003.001 - 14,Invoke-AtomicTest T1003.001 -TestNumbers 14 T1003.003 - 1,Invoke-AtomicTest T1003.003 -TestNumbers 1 T1003.003 - 2,Invoke-AtomicTest T1003.003 -TestNumbers 2 T1003.003 - 3,Invoke-AtomicTest T1003.003 -TestNumbers 3 T1003.003 - 4,Invoke-AtomicTest T1003.003 -TestNumbers 4 T1003.003 - 5,Invoke-AtomicTest T1003.003 -TestNumbers 5 T1003.003 - 6,Invoke-AtomicTest T1003.003 -TestNumbers 6 T1003.003 - 7,Invoke-AtomicTest T1003.003 -TestNumbers 7 T1003.003 - 8,Invoke-AtomicTest T1003.003 -TestNumbers 8 T1003.003 - 9,Invoke-AtomicTest T1003.003 -TestNumbers 9 T1040 - 4,Invoke-AtomicTest T1040 -TestNumbers 4 T1040 - 5,Invoke-AtomicTest T1040 -TestNumbers 5 T1040 - 6,Invoke-AtomicTest T1040 -TestNumbers 6 T1040 - 7,Invoke-AtomicTest T1040 -TestNumbers 7 T1040 - 16,Invoke-AtomicTest T1040 -TestNumbers 16 T1003 - 1,Invoke-AtomicTest T1003 -TestNumbers 1 T1003 - 2,Invoke-AtomicTest T1003 -TestNumbers 2 T1003 - 3,Invoke-AtomicTest T1003 -TestNumbers 3 T1110.002 - 1,Invoke-AtomicTest T1110.002 -TestNumbers 1 T1556.002 - 1,Invoke-AtomicTest T1556.002 -TestNumbers 1 T1556.002 - 2,Invoke-AtomicTest T1556.002 -TestNumbers 2 T1110.001 - 1,Invoke-AtomicTest T1110.001 -TestNumbers 1 T1110.001 - 2,Invoke-AtomicTest T1110.001 -TestNumbers 2 T1110.001 - 4,Invoke-AtomicTest T1110.001 -TestNumbers 4 T1110.001 - 8,Invoke-AtomicTest T1110.001 -TestNumbers 8 T1110.003 - 1,Invoke-AtomicTest T1110.003 -TestNumbers 1 T1110.003 - 2,Invoke-AtomicTest T1110.003 -TestNumbers 2 T1110.003 - 3,Invoke-AtomicTest T1110.003 -TestNumbers 3 T1110.003 - 5,Invoke-AtomicTest T1110.003 -TestNumbers 5 T1110.003 - 6,Invoke-AtomicTest T1110.003 -TestNumbers 6 T1110.003 - 8,Invoke-AtomicTest T1110.003 -TestNumbers 8 T1552.004 - 1,Invoke-AtomicTest T1552.004 -TestNumbers 1 T1552.004 - 9,Invoke-AtomicTest T1552.004 -TestNumbers 9 T1552.004 - 10,Invoke-AtomicTest T1552.004 -TestNumbers 10 T1552.004 - 11,Invoke-AtomicTest T1552.004 -TestNumbers 11 T1552.004 - 12,Invoke-AtomicTest T1552.004 -TestNumbers 12 T1552.004 - 13,Invoke-AtomicTest T1552.004 -TestNumbers 13 T1552.004 - 14,Invoke-AtomicTest T1552.004 -TestNumbers 14 T1003.002 - 1,Invoke-AtomicTest T1003.002 -TestNumbers 1 T1003.002 - 2,Invoke-AtomicTest T1003.002 -TestNumbers 2 T1003.002 - 3,Invoke-AtomicTest T1003.002 -TestNumbers 3 T1003.002 - 4,Invoke-AtomicTest T1003.002 -TestNumbers 4 T1003.002 - 5,Invoke-AtomicTest T1003.002 -TestNumbers 5 T1003.002 - 6,Invoke-AtomicTest T1003.002 -TestNumbers 6 T1003.002 - 7,Invoke-AtomicTest T1003.002 -TestNumbers 7 T1003.002 - 8,Invoke-AtomicTest T1003.002 -TestNumbers 8 T1560 - 1,Invoke-AtomicTest T1560 -TestNumbers 1 T1560.001 - 1,Invoke-AtomicTest T1560.001 -TestNumbers 1 T1560.001 - 2,Invoke-AtomicTest T1560.001 -TestNumbers 2 T1560.001 - 3,Invoke-AtomicTest T1560.001 -TestNumbers 3 T1560.001 - 4,Invoke-AtomicTest T1560.001 -TestNumbers 4 T1560.001 - 10,Invoke-AtomicTest T1560.001 -TestNumbers 10 T1560.001 - 11,Invoke-AtomicTest T1560.001 -TestNumbers 11 T1123 - 1,Invoke-AtomicTest T1123 -TestNumbers 1 T1123 - 2,Invoke-AtomicTest T1123 -TestNumbers 2 T1119 - 1,Invoke-AtomicTest T1119 -TestNumbers 1 T1119 - 2,Invoke-AtomicTest T1119 -TestNumbers 2 T1119 - 3,Invoke-AtomicTest T1119 -TestNumbers 3 T1119 - 4,Invoke-AtomicTest T1119 -TestNumbers 4 T1115 - 1,Invoke-AtomicTest T1115 -TestNumbers 1 T1115 - 2,Invoke-AtomicTest T1115 -TestNumbers 2 T1115 - 4,Invoke-AtomicTest T1115 -TestNumbers 4 T1074.001 - 1,Invoke-AtomicTest T1074.001 -TestNumbers 1 T1074.001 - 3,Invoke-AtomicTest T1074.001 -TestNumbers 3 T1114.001 - 1,Invoke-AtomicTest T1114.001 -TestNumbers 1 T1113 - 7,Invoke-AtomicTest T1113 -TestNumbers 7 T1113 - 8,Invoke-AtomicTest T1113 -TestNumbers 8 T1113 - 9,Invoke-AtomicTest T1113 -TestNumbers 9 T1546.008 - 1,Invoke-AtomicTest T1546.008 -TestNumbers 1 T1546.008 - 2,Invoke-AtomicTest T1546.008 -TestNumbers 2 T1546.008 - 3,Invoke-AtomicTest T1546.008 -TestNumbers 3 T1546.008 - 4,Invoke-AtomicTest T1546.008 -TestNumbers 4 T1546.008 - 5,Invoke-AtomicTest T1546.008 -TestNumbers 5 T1546.008 - 6,Invoke-AtomicTest T1546.008 -TestNumbers 6 T1546.008 - 7,Invoke-AtomicTest T1546.008 -TestNumbers 7 T1546.008 - 8,Invoke-AtomicTest T1546.008 -TestNumbers 8 T1546.010 - 1,Invoke-AtomicTest T1546.010 -TestNumbers 1 T1546.011 - 1,Invoke-AtomicTest T1546.011 -TestNumbers 1 T1546.011 - 2,Invoke-AtomicTest T1546.011 -TestNumbers 2 T1546.011 - 3,Invoke-AtomicTest T1546.011 -TestNumbers 3 T1055.004 - 1,Invoke-AtomicTest T1055.004 -TestNumbers 1 T1055.004 - 2,Invoke-AtomicTest T1055.004 -TestNumbers 2 T1055.004 - 3,Invoke-AtomicTest T1055.004 -TestNumbers 3 T1053.002 - 1,Invoke-AtomicTest T1053.002 -TestNumbers 1 T1548.002 - 1,Invoke-AtomicTest T1548.002 -TestNumbers 1 T1548.002 - 2,Invoke-AtomicTest T1548.002 -TestNumbers 2 T1548.002 - 3,Invoke-AtomicTest T1548.002 -TestNumbers 3 T1548.002 - 4,Invoke-AtomicTest T1548.002 -TestNumbers 4 T1548.002 - 5,Invoke-AtomicTest T1548.002 -TestNumbers 5 T1548.002 - 6,Invoke-AtomicTest T1548.002 -TestNumbers 6 T1548.002 - 7,Invoke-AtomicTest T1548.002 -TestNumbers 7 T1548.002 - 8,Invoke-AtomicTest T1548.002 -TestNumbers 8 T1548.002 - 9,Invoke-AtomicTest T1548.002 -TestNumbers 9 T1548.002 - 10,Invoke-AtomicTest T1548.002 -TestNumbers 10 T1548.002 - 11,Invoke-AtomicTest T1548.002 -TestNumbers 11 T1548.002 - 12,Invoke-AtomicTest T1548.002 -TestNumbers 12 T1548.002 - 13,Invoke-AtomicTest T1548.002 -TestNumbers 13 T1548.002 - 14,Invoke-AtomicTest T1548.002 -TestNumbers 14 T1548.002 - 15,Invoke-AtomicTest T1548.002 -TestNumbers 15 T1548.002 - 16,Invoke-AtomicTest T1548.002 -TestNumbers 16 T1548.002 - 17,Invoke-AtomicTest T1548.002 -TestNumbers 17 T1548.002 - 18,Invoke-AtomicTest T1548.002 -TestNumbers 18 T1548.002 - 19,Invoke-AtomicTest T1548.002 -TestNumbers 19 T1548.002 - 20,Invoke-AtomicTest T1548.002 -TestNumbers 20 T1548.002 - 21,Invoke-AtomicTest T1548.002 -TestNumbers 21 T1548.002 - 22,Invoke-AtomicTest T1548.002 -TestNumbers 22 T1548.002 - 23,Invoke-AtomicTest T1548.002 -TestNumbers 23 T1548.002 - 24,Invoke-AtomicTest T1548.002 -TestNumbers 24 T1548.002 - 25,Invoke-AtomicTest T1548.002 -TestNumbers 25 T1548.002 - 26,Invoke-AtomicTest T1548.002 -TestNumbers 26 T1548.002 - 27,Invoke-AtomicTest T1548.002 -TestNumbers 27 T1574.012 - 1,Invoke-AtomicTest T1574.012 -TestNumbers 1 T1574.012 - 2,Invoke-AtomicTest T1574.012 -TestNumbers 2 T1574.012 - 3,Invoke-AtomicTest T1574.012 -TestNumbers 3 T1546.001 - 1,Invoke-AtomicTest T1546.001 -TestNumbers 1 T1134.002 - 1,Invoke-AtomicTest T1134.002 -TestNumbers 1 T1134.002 - 2,Invoke-AtomicTest T1134.002 -TestNumbers 2 T1574.001 - 1,Invoke-AtomicTest T1574.001 -TestNumbers 1 T1574.001 - 1,Invoke-AtomicTest T1574.001 -TestNumbers 1 T1574.001 - 2,Invoke-AtomicTest T1574.001 -TestNumbers 2 T1574.001 - 3,Invoke-AtomicTest T1574.001 -TestNumbers 3 T1574.001 - 4,Invoke-AtomicTest T1574.001 -TestNumbers 4 T1574.001 - 5,Invoke-AtomicTest T1574.001 -TestNumbers 5 T1574.001 - 6,Invoke-AtomicTest T1574.001 -TestNumbers 6 T1574.002 - 1,Invoke-AtomicTest T1574.002 -TestNumbers 1 T1078.001 - 1,Invoke-AtomicTest T1078.001 -TestNumbers 1 T1078.001 - 2,Invoke-AtomicTest T1078.001 -TestNumbers 2 T1055.001 - 1,Invoke-AtomicTest T1055.001 -TestNumbers 1 T1546.012 - 1,Invoke-AtomicTest T1546.012 -TestNumbers 1 T1546.012 - 2,Invoke-AtomicTest T1546.012 -TestNumbers 2 T1546.012 - 3,Invoke-AtomicTest T1546.012 -TestNumbers 3 T1078.003 - 1,Invoke-AtomicTest T1078.003 -TestNumbers 1 T1078.003 - 6,Invoke-AtomicTest T1078.003 -TestNumbers 6 T1078.003 - 7,Invoke-AtomicTest T1078.003 -TestNumbers 7 T1078.003 - 13,Invoke-AtomicTest T1078.003 -TestNumbers 13 T1037.001 - 1,Invoke-AtomicTest T1037.001 -TestNumbers 1 T1546.007 - 1,Invoke-AtomicTest T1546.007 -TestNumbers 1 T1134.004 - 1,Invoke-AtomicTest T1134.004 -TestNumbers 1 T1134.004 - 2,Invoke-AtomicTest T1134.004 -TestNumbers 2 T1134.004 - 3,Invoke-AtomicTest T1134.004 -TestNumbers 3 T1134.004 - 4,Invoke-AtomicTest T1134.004 -TestNumbers 4 T1134.004 - 5,Invoke-AtomicTest T1134.004 -TestNumbers 5 T1574.009 - 1,Invoke-AtomicTest T1574.009 -TestNumbers 1 T1547.010 - 1,Invoke-AtomicTest T1547.010 -TestNumbers 1 T1546.013 - 1,Invoke-AtomicTest T1546.013 -TestNumbers 1 T1055.012 - 1,Invoke-AtomicTest T1055.012 -TestNumbers 1 T1055.012 - 2,Invoke-AtomicTest T1055.012 -TestNumbers 2 T1055.012 - 3,Invoke-AtomicTest T1055.012 -TestNumbers 3 T1055.012 - 4,Invoke-AtomicTest T1055.012 -TestNumbers 4 T1055 - 1,Invoke-AtomicTest T1055 -TestNumbers 1 T1055 - 2,Invoke-AtomicTest T1055 -TestNumbers 2 T1547.001 - 1,Invoke-AtomicTest T1547.001 -TestNumbers 1 T1547.001 - 2,Invoke-AtomicTest T1547.001 -TestNumbers 2 T1547.001 - 3,Invoke-AtomicTest T1547.001 -TestNumbers 3 T1547.001 - 4,Invoke-AtomicTest T1547.001 -TestNumbers 4 T1547.001 - 5,Invoke-AtomicTest T1547.001 -TestNumbers 5 T1547.001 - 6,Invoke-AtomicTest T1547.001 -TestNumbers 6 T1547.001 - 7,Invoke-AtomicTest T1547.001 -TestNumbers 7 T1547.001 - 8,Invoke-AtomicTest T1547.001 -TestNumbers 8 T1547.001 - 9,Invoke-AtomicTest T1547.001 -TestNumbers 9 T1547.001 - 10,Invoke-AtomicTest T1547.001 -TestNumbers 10 T1547.001 - 11,Invoke-AtomicTest T1547.001 -TestNumbers 11 T1547.001 - 12,Invoke-AtomicTest T1547.001 -TestNumbers 12 T1547.001 - 13,Invoke-AtomicTest T1547.001 -TestNumbers 13 T1547.001 - 14,Invoke-AtomicTest T1547.001 -TestNumbers 14 T1547.001 - 15,Invoke-AtomicTest T1547.001 -TestNumbers 15 T1547.001 - 16,Invoke-AtomicTest T1547.001 -TestNumbers 16 T1547.001 - 17,Invoke-AtomicTest T1547.001 -TestNumbers 17 T1547.001 - 18,Invoke-AtomicTest T1547.001 -TestNumbers 18 T1547.001 - 19,Invoke-AtomicTest T1547.001 -TestNumbers 19 T1547.001 - 20,Invoke-AtomicTest T1547.001 -TestNumbers 20 T1053.005 - 1,Invoke-AtomicTest T1053.005 -TestNumbers 1 T1053.005 - 2,Invoke-AtomicTest T1053.005 -TestNumbers 2 T1053.005 - 3,Invoke-AtomicTest T1053.005 -TestNumbers 3 T1053.005 - 4,Invoke-AtomicTest T1053.005 -TestNumbers 4 T1053.005 - 5,Invoke-AtomicTest T1053.005 -TestNumbers 5 T1053.005 - 6,Invoke-AtomicTest T1053.005 -TestNumbers 6 T1053.005 - 7,Invoke-AtomicTest T1053.005 -TestNumbers 7 T1053.005 - 8,Invoke-AtomicTest T1053.005 -TestNumbers 8 T1053.005 - 9,Invoke-AtomicTest T1053.005 -TestNumbers 9 T1053.005 - 10,Invoke-AtomicTest T1053.005 -TestNumbers 10 T1053.005 - 11,Invoke-AtomicTest T1053.005 -TestNumbers 11 T1053.005 - 12,Invoke-AtomicTest T1053.005 -TestNumbers 12 T1546.002 - 1,Invoke-AtomicTest T1546.002 -TestNumbers 1 T1547.005 - 1,Invoke-AtomicTest T1547.005 -TestNumbers 1 T1547.005 - 2,Invoke-AtomicTest T1547.005 -TestNumbers 2 T1574.011 - 1,Invoke-AtomicTest T1574.011 -TestNumbers 1 T1574.011 - 2,Invoke-AtomicTest T1574.011 -TestNumbers 2 T1547.009 - 1,Invoke-AtomicTest T1547.009 -TestNumbers 1 T1547.009 - 2,Invoke-AtomicTest T1547.009 -TestNumbers 2 T1134.001 - 1,Invoke-AtomicTest T1134.001 -TestNumbers 1 T1134.001 - 2,Invoke-AtomicTest T1134.001 -TestNumbers 2 T1134.001 - 3,Invoke-AtomicTest T1134.001 -TestNumbers 3 T1134.001 - 4,Invoke-AtomicTest T1134.001 -TestNumbers 4 T1134.001 - 5,Invoke-AtomicTest T1134.001 -TestNumbers 5 T1546.003 - 1,Invoke-AtomicTest T1546.003 -TestNumbers 1 T1546.003 - 2,Invoke-AtomicTest T1546.003 -TestNumbers 2 T1546.003 - 3,Invoke-AtomicTest T1546.003 -TestNumbers 3 T1543.003 - 1,Invoke-AtomicTest T1543.003 -TestNumbers 1 T1543.003 - 2,Invoke-AtomicTest T1543.003 -TestNumbers 2 T1543.003 - 3,Invoke-AtomicTest T1543.003 -TestNumbers 3 T1543.003 - 4,Invoke-AtomicTest T1543.003 -TestNumbers 4 T1543.003 - 5,Invoke-AtomicTest T1543.003 -TestNumbers 5 T1543.003 - 6,Invoke-AtomicTest T1543.003 -TestNumbers 6 T1547.004 - 1,Invoke-AtomicTest T1547.004 -TestNumbers 1 T1547.004 - 2,Invoke-AtomicTest T1547.004 -TestNumbers 2 T1547.004 - 3,Invoke-AtomicTest T1547.004 -TestNumbers 3 T1547.004 - 4,Invoke-AtomicTest T1547.004 -TestNumbers 4 T1547.004 - 5,Invoke-AtomicTest T1547.004 -TestNumbers 5 T1197 - 1,Invoke-AtomicTest T1197 -TestNumbers 1 T1197 - 2,Invoke-AtomicTest T1197 -TestNumbers 2 T1197 - 3,Invoke-AtomicTest T1197 -TestNumbers 3 T1197 - 4,Invoke-AtomicTest T1197 -TestNumbers 4 T1218.003 - 1,Invoke-AtomicTest T1218.003 -TestNumbers 1 T1218.003 - 2,Invoke-AtomicTest T1218.003 -TestNumbers 2 T1070.003 - 10,Invoke-AtomicTest T1070.003 -TestNumbers 10 T1070.003 - 11,Invoke-AtomicTest T1070.003 -TestNumbers 11 T1070.001 - 1,Invoke-AtomicTest T1070.001 -TestNumbers 1 T1070.001 - 2,Invoke-AtomicTest T1070.001 -TestNumbers 2 T1070.001 - 3,Invoke-AtomicTest T1070.001 -TestNumbers 3 T1027.004 - 1,Invoke-AtomicTest T1027.004 -TestNumbers 1 T1027.004 - 2,Invoke-AtomicTest T1027.004 -TestNumbers 2 T1218.001 - 1,Invoke-AtomicTest T1218.001 -TestNumbers 1 T1218.001 - 2,Invoke-AtomicTest T1218.001 -TestNumbers 2 T1218.001 - 3,Invoke-AtomicTest T1218.001 -TestNumbers 3 T1218.001 - 4,Invoke-AtomicTest T1218.001 -TestNumbers 4 T1218.001 - 5,Invoke-AtomicTest T1218.001 -TestNumbers 5 T1218.001 - 6,Invoke-AtomicTest T1218.001 -TestNumbers 6 T1218.001 - 7,Invoke-AtomicTest T1218.001 -TestNumbers 7 T1218.002 - 1,Invoke-AtomicTest T1218.002 -TestNumbers 1 T1140 - 1,Invoke-AtomicTest T1140 -TestNumbers 1 T1140 - 2,Invoke-AtomicTest T1140 -TestNumbers 2 T1006 - 1,Invoke-AtomicTest T1006 -TestNumbers 1 T1562.002 - 1,Invoke-AtomicTest T1562.002 -TestNumbers 1 T1562.002 - 2,Invoke-AtomicTest T1562.002 -TestNumbers 2 T1562.002 - 3,Invoke-AtomicTest T1562.002 -TestNumbers 3 T1562.002 - 4,Invoke-AtomicTest T1562.002 -TestNumbers 4 T1562.002 - 5,Invoke-AtomicTest T1562.002 -TestNumbers 5 T1562.002 - 6,Invoke-AtomicTest T1562.002 -TestNumbers 6 T1562.002 - 7,Invoke-AtomicTest T1562.002 -TestNumbers 7 T1562.002 - 8,Invoke-AtomicTest T1562.002 -TestNumbers 8 T1562.002 - 9,Invoke-AtomicTest T1562.002 -TestNumbers 9 T1562.002 - 10,Invoke-AtomicTest T1562.002 -TestNumbers 10 T1562.004 - 1,Invoke-AtomicTest T1562.004 -TestNumbers 1 T1562.004 - 2,Invoke-AtomicTest T1562.004 -TestNumbers 2 T1562.004 - 3,Invoke-AtomicTest T1562.004 -TestNumbers 3 T1562.004 - 4,Invoke-AtomicTest T1562.004 -TestNumbers 4 T1562.004 - 5,Invoke-AtomicTest T1562.004 -TestNumbers 5 T1562.004 - 6,Invoke-AtomicTest T1562.004 -TestNumbers 6 T1562.004 - 20,Invoke-AtomicTest T1562.004 -TestNumbers 20 T1562.004 - 21,Invoke-AtomicTest T1562.004 -TestNumbers 21 T1562.004 - 22,Invoke-AtomicTest T1562.004 -TestNumbers 22 T1562.004 - 23,Invoke-AtomicTest T1562.004 -TestNumbers 23 T1562.004 - 24,Invoke-AtomicTest T1562.004 -TestNumbers 24 T1562.001 - 10,Invoke-AtomicTest T1562.001 -TestNumbers 10 T1562.001 - 11,Invoke-AtomicTest T1562.001 -TestNumbers 11 T1562.001 - 12,Invoke-AtomicTest T1562.001 -TestNumbers 12 T1562.001 - 13,Invoke-AtomicTest T1562.001 -TestNumbers 13 T1562.001 - 14,Invoke-AtomicTest T1562.001 -TestNumbers 14 T1562.001 - 15,Invoke-AtomicTest T1562.001 -TestNumbers 15 T1562.001 - 16,Invoke-AtomicTest T1562.001 -TestNumbers 16 T1562.001 - 17,Invoke-AtomicTest T1562.001 -TestNumbers 17 T1562.001 - 18,Invoke-AtomicTest T1562.001 -TestNumbers 18 T1562.001 - 19,Invoke-AtomicTest T1562.001 -TestNumbers 19 T1562.001 - 20,Invoke-AtomicTest T1562.001 -TestNumbers 20 T1562.001 - 21,Invoke-AtomicTest T1562.001 -TestNumbers 21 T1562.001 - 22,Invoke-AtomicTest T1562.001 -TestNumbers 22 T1562.001 - 23,Invoke-AtomicTest T1562.001 -TestNumbers 23 T1562.001 - 24,Invoke-AtomicTest T1562.001 -TestNumbers 24 T1562.001 - 25,Invoke-AtomicTest T1562.001 -TestNumbers 25 T1562.001 - 26,Invoke-AtomicTest T1562.001 -TestNumbers 26 T1562.001 - 27,Invoke-AtomicTest T1562.001 -TestNumbers 27 T1562.001 - 28,Invoke-AtomicTest T1562.001 -TestNumbers 28 T1562.001 - 29,Invoke-AtomicTest T1562.001 -TestNumbers 29 T1562.001 - 30,Invoke-AtomicTest T1562.001 -TestNumbers 30 T1562.001 - 31,Invoke-AtomicTest T1562.001 -TestNumbers 31 T1562.001 - 32,Invoke-AtomicTest T1562.001 -TestNumbers 32 T1562.001 - 33,Invoke-AtomicTest T1562.001 -TestNumbers 33 T1562.001 - 34,Invoke-AtomicTest T1562.001 -TestNumbers 34 T1562.001 - 35,Invoke-AtomicTest T1562.001 -TestNumbers 35 T1562.001 - 36,Invoke-AtomicTest T1562.001 -TestNumbers 36 T1562.001 - 37,Invoke-AtomicTest T1562.001 -TestNumbers 37 T1562.001 - 38,Invoke-AtomicTest T1562.001 -TestNumbers 38 T1562.001 - 39,Invoke-AtomicTest T1562.001 -TestNumbers 39 T1562.001 - 40,Invoke-AtomicTest T1562.001 -TestNumbers 40 T1562.001 - 41,Invoke-AtomicTest T1562.001 -TestNumbers 41 T1562.001 - 42,Invoke-AtomicTest T1562.001 -TestNumbers 42 T1562.001 - 43,Invoke-AtomicTest T1562.001 -TestNumbers 43 T1562.001 - 44,Invoke-AtomicTest T1562.001 -TestNumbers 44 T1562.001 - 45,Invoke-AtomicTest T1562.001 -TestNumbers 45 T1562.001 - 46,Invoke-AtomicTest T1562.001 -TestNumbers 46 T1562.001 - 47,Invoke-AtomicTest T1562.001 -TestNumbers 47 T1562.001 - 48,Invoke-AtomicTest T1562.001 -TestNumbers 48 T1562.001 - 49,Invoke-AtomicTest T1562.001 -TestNumbers 49 T1562.001 - 50,Invoke-AtomicTest T1562.001 -TestNumbers 50 T1562.001 - 51,Invoke-AtomicTest T1562.001 -TestNumbers 51 T1562.001 - 52,Invoke-AtomicTest T1562.001 -TestNumbers 52 T1562.001 - 53,Invoke-AtomicTest T1562.001 -TestNumbers 53 T1562.001 - 54,Invoke-AtomicTest T1562.001 -TestNumbers 54 T1562.001 - 55,Invoke-AtomicTest T1562.001 -TestNumbers 55 T1562.001 - 56,Invoke-AtomicTest T1562.001 -TestNumbers 56 T1562.001 - 57,Invoke-AtomicTest T1562.001 -TestNumbers 57 T1070.004 - 4,Invoke-AtomicTest T1070.004 -TestNumbers 4 T1070.004 - 5,Invoke-AtomicTest T1070.004 -TestNumbers 5 T1070.004 - 6,Invoke-AtomicTest T1070.004 -TestNumbers 6 T1070.004 - 7,Invoke-AtomicTest T1070.004 -TestNumbers 7 T1070.004 - 9,Invoke-AtomicTest T1070.004 -TestNumbers 9 T1070.004 - 10,Invoke-AtomicTest T1070.004 -TestNumbers 10 T1564.001 - 3,Invoke-AtomicTest T1564.001 -TestNumbers 3 T1564.001 - 4,Invoke-AtomicTest T1564.001 -TestNumbers 4 T1564.001 - 8,Invoke-AtomicTest T1564.001 -TestNumbers 8 T1564.001 - 9,Invoke-AtomicTest T1564.001 -TestNumbers 9 T1564.001 - 10,Invoke-AtomicTest T1564.001 -TestNumbers 10 T1564.003 - 1,Invoke-AtomicTest T1564.003 -TestNumbers 1 T1564.003 - 2,Invoke-AtomicTest T1564.003 -TestNumbers 2 T1564.003 - 3,Invoke-AtomicTest T1564.003 -TestNumbers 3 T1564 - 1,Invoke-AtomicTest T1564 -TestNumbers 1 T1564 - 2,Invoke-AtomicTest T1564 -TestNumbers 2 T1564 - 3,Invoke-AtomicTest T1564 -TestNumbers 3 T1564 - 4,Invoke-AtomicTest T1564 -TestNumbers 4 T1564 - 5,Invoke-AtomicTest T1564 -TestNumbers 5 T1070 - 1,Invoke-AtomicTest T1070 -TestNumbers 1 T1202 - 1,Invoke-AtomicTest T1202 -TestNumbers 1 T1202 - 2,Invoke-AtomicTest T1202 -TestNumbers 2 T1202 - 3,Invoke-AtomicTest T1202 -TestNumbers 3 T1202 - 4,Invoke-AtomicTest T1202 -TestNumbers 4 T1202 - 5,Invoke-AtomicTest T1202 -TestNumbers 5 T1553.004 - 5,Invoke-AtomicTest T1553.004 -TestNumbers 5 T1553.004 - 6,Invoke-AtomicTest T1553.004 -TestNumbers 6 T1553.004 - 7,Invoke-AtomicTest T1553.004 -TestNumbers 7 T1218.004 - 1,Invoke-AtomicTest T1218.004 -TestNumbers 1 T1218.004 - 2,Invoke-AtomicTest T1218.004 -TestNumbers 2 T1218.004 - 3,Invoke-AtomicTest T1218.004 -TestNumbers 3 T1218.004 - 4,Invoke-AtomicTest T1218.004 -TestNumbers 4 T1218.004 - 5,Invoke-AtomicTest T1218.004 -TestNumbers 5 T1218.004 - 6,Invoke-AtomicTest T1218.004 -TestNumbers 6 T1218.004 - 7,Invoke-AtomicTest T1218.004 -TestNumbers 7 T1218.004 - 8,Invoke-AtomicTest T1218.004 -TestNumbers 8 T1127.001 - 1,Invoke-AtomicTest T1127.001 -TestNumbers 1 T1127.001 - 2,Invoke-AtomicTest T1127.001 -TestNumbers 2 T1553.005 - 1,Invoke-AtomicTest T1553.005 -TestNumbers 1 T1553.005 - 2,Invoke-AtomicTest T1553.005 -TestNumbers 2 T1553.005 - 3,Invoke-AtomicTest T1553.005 -TestNumbers 3 T1553.005 - 4,Invoke-AtomicTest T1553.005 -TestNumbers 4 T1036.004 - 1,Invoke-AtomicTest T1036.004 -TestNumbers 1 T1036.004 - 2,Invoke-AtomicTest T1036.004 -TestNumbers 2 T1036 - 1,Invoke-AtomicTest T1036 -TestNumbers 1 T1112 - 1,Invoke-AtomicTest T1112 -TestNumbers 1 T1112 - 2,Invoke-AtomicTest T1112 -TestNumbers 2 T1112 - 3,Invoke-AtomicTest T1112 -TestNumbers 3 T1112 - 4,Invoke-AtomicTest T1112 -TestNumbers 4 T1112 - 5,Invoke-AtomicTest T1112 -TestNumbers 5 T1112 - 6,Invoke-AtomicTest T1112 -TestNumbers 6 T1112 - 7,Invoke-AtomicTest T1112 -TestNumbers 7 T1112 - 8,Invoke-AtomicTest T1112 -TestNumbers 8 T1112 - 9,Invoke-AtomicTest T1112 -TestNumbers 9 T1112 - 10,Invoke-AtomicTest T1112 -TestNumbers 10 T1112 - 11,Invoke-AtomicTest T1112 -TestNumbers 11 T1112 - 12,Invoke-AtomicTest T1112 -TestNumbers 12 T1112 - 13,Invoke-AtomicTest T1112 -TestNumbers 13 T1112 - 14,Invoke-AtomicTest T1112 -TestNumbers 14 T1112 - 15,Invoke-AtomicTest T1112 -TestNumbers 15 T1112 - 16,Invoke-AtomicTest T1112 -TestNumbers 16 T1112 - 17,Invoke-AtomicTest T1112 -TestNumbers 17 T1112 - 18,Invoke-AtomicTest T1112 -TestNumbers 18 T1112 - 19,Invoke-AtomicTest T1112 -TestNumbers 19 T1112 - 20,Invoke-AtomicTest T1112 -TestNumbers 20 T1112 - 21,Invoke-AtomicTest T1112 -TestNumbers 21 T1112 - 22,Invoke-AtomicTest T1112 -TestNumbers 22 T1112 - 23,Invoke-AtomicTest T1112 -TestNumbers 23 T1112 - 24,Invoke-AtomicTest T1112 -TestNumbers 24 T1112 - 25,Invoke-AtomicTest T1112 -TestNumbers 25 T1112 - 26,Invoke-AtomicTest T1112 -TestNumbers 26 T1112 - 27,Invoke-AtomicTest T1112 -TestNumbers 27 T1112 - 28,Invoke-AtomicTest T1112 -TestNumbers 28 T1112 - 29,Invoke-AtomicTest T1112 -TestNumbers 29 T1112 - 30,Invoke-AtomicTest T1112 -TestNumbers 30 T1112 - 31,Invoke-AtomicTest T1112 -TestNumbers 31 T1112 - 32,Invoke-AtomicTest T1112 -TestNumbers 32 T1112 - 33,Invoke-AtomicTest T1112 -TestNumbers 33 T1112 - 34,Invoke-AtomicTest T1112 -TestNumbers 34 T1112 - 35,Invoke-AtomicTest T1112 -TestNumbers 35 T1112 - 36,Invoke-AtomicTest T1112 -TestNumbers 36 T1112 - 37,Invoke-AtomicTest T1112 -TestNumbers 37 T1112 - 38,Invoke-AtomicTest T1112 -TestNumbers 38 T1112 - 39,Invoke-AtomicTest T1112 -TestNumbers 39 T1112 - 40,Invoke-AtomicTest T1112 -TestNumbers 40 T1112 - 41,Invoke-AtomicTest T1112 -TestNumbers 41 T1112 - 42,Invoke-AtomicTest T1112 -TestNumbers 42 T1112 - 43,Invoke-AtomicTest T1112 -TestNumbers 43 T1112 - 44,Invoke-AtomicTest T1112 -TestNumbers 44 T1112 - 45,Invoke-AtomicTest T1112 -TestNumbers 45 T1112 - 46,Invoke-AtomicTest T1112 -TestNumbers 46 T1112 - 47,Invoke-AtomicTest T1112 -TestNumbers 47 T1112 - 48,Invoke-AtomicTest T1112 -TestNumbers 48 T1112 - 49,Invoke-AtomicTest T1112 -TestNumbers 49 T1112 - 50,Invoke-AtomicTest T1112 -TestNumbers 50 T1112 - 51,Invoke-AtomicTest T1112 -TestNumbers 51 T1112 - 52,Invoke-AtomicTest T1112 -TestNumbers 52 T1112 - 53,Invoke-AtomicTest T1112 -TestNumbers 53 T1112 - 54,Invoke-AtomicTest T1112 -TestNumbers 54 T1112 - 55,Invoke-AtomicTest T1112 -TestNumbers 55 T1112 - 56,Invoke-AtomicTest T1112 -TestNumbers 56 T1112 - 57,Invoke-AtomicTest T1112 -TestNumbers 57 T1112 - 58,Invoke-AtomicTest T1112 -TestNumbers 58 T1112 - 59,Invoke-AtomicTest T1112 -TestNumbers 59 T1112 - 60,Invoke-AtomicTest T1112 -TestNumbers 60 T1112 - 61,Invoke-AtomicTest T1112 -TestNumbers 61 T1112 - 62,Invoke-AtomicTest T1112 -TestNumbers 62 T1112 - 63,Invoke-AtomicTest T1112 -TestNumbers 63 T1112 - 64,Invoke-AtomicTest T1112 -TestNumbers 64 T1112 - 65,Invoke-AtomicTest T1112 -TestNumbers 65 T1112 - 66,Invoke-AtomicTest T1112 -TestNumbers 66 T1112 - 67,Invoke-AtomicTest T1112 -TestNumbers 67 T1112 - 68,Invoke-AtomicTest T1112 -TestNumbers 68 T1112 - 69,Invoke-AtomicTest T1112 -TestNumbers 69 T1112 - 70,Invoke-AtomicTest T1112 -TestNumbers 70 T1112 - 71,Invoke-AtomicTest T1112 -TestNumbers 71 T1112 - 72,Invoke-AtomicTest T1112 -TestNumbers 72 T1112 - 73,Invoke-AtomicTest T1112 -TestNumbers 73 T1112 - 74,Invoke-AtomicTest T1112 -TestNumbers 74 T1112 - 75,Invoke-AtomicTest T1112 -TestNumbers 75 T1112 - 76,Invoke-AtomicTest T1112 -TestNumbers 76 T1112 - 77,Invoke-AtomicTest T1112 -TestNumbers 77 T1112 - 78,Invoke-AtomicTest T1112 -TestNumbers 78 T1112 - 79,Invoke-AtomicTest T1112 -TestNumbers 79 T1112 - 80,Invoke-AtomicTest T1112 -TestNumbers 80 T1112 - 81,Invoke-AtomicTest T1112 -TestNumbers 81 T1112 - 82,Invoke-AtomicTest T1112 -TestNumbers 82 T1112 - 83,Invoke-AtomicTest T1112 -TestNumbers 83 T1112 - 84,Invoke-AtomicTest T1112 -TestNumbers 84 T1112 - 85,Invoke-AtomicTest T1112 -TestNumbers 85 T1112 - 86,Invoke-AtomicTest T1112 -TestNumbers 86 T1112 - 87,Invoke-AtomicTest T1112 -TestNumbers 87 T1112 - 88,Invoke-AtomicTest T1112 -TestNumbers 88 T1112 - 89,Invoke-AtomicTest T1112 -TestNumbers 89 T1112 - 90,Invoke-AtomicTest T1112 -TestNumbers 90 T1218.005 - 1,Invoke-AtomicTest T1218.005 -TestNumbers 1 T1218.005 - 2,Invoke-AtomicTest T1218.005 -TestNumbers 2 T1218.005 - 3,Invoke-AtomicTest T1218.005 -TestNumbers 3 T1218.005 - 4,Invoke-AtomicTest T1218.005 -TestNumbers 4 T1218.005 - 5,Invoke-AtomicTest T1218.005 -TestNumbers 5 T1218.005 - 6,Invoke-AtomicTest T1218.005 -TestNumbers 6 T1218.005 - 7,Invoke-AtomicTest T1218.005 -TestNumbers 7 T1218.005 - 8,Invoke-AtomicTest T1218.005 -TestNumbers 8 T1218.005 - 9,Invoke-AtomicTest T1218.005 -TestNumbers 9 T1218.005 - 10,Invoke-AtomicTest T1218.005 -TestNumbers 10 T1218.007 - 1,Invoke-AtomicTest T1218.007 -TestNumbers 1 T1218.007 - 2,Invoke-AtomicTest T1218.007 -TestNumbers 2 T1218.007 - 3,Invoke-AtomicTest T1218.007 -TestNumbers 3 T1218.007 - 4,Invoke-AtomicTest T1218.007 -TestNumbers 4 T1218.007 - 5,Invoke-AtomicTest T1218.007 -TestNumbers 5 T1218.007 - 6,Invoke-AtomicTest T1218.007 -TestNumbers 6 T1218.007 - 7,Invoke-AtomicTest T1218.007 -TestNumbers 7 T1218.007 - 8,Invoke-AtomicTest T1218.007 -TestNumbers 8 T1218.007 - 9,Invoke-AtomicTest T1218.007 -TestNumbers 9 T1218.007 - 10,Invoke-AtomicTest T1218.007 -TestNumbers 10 T1218.007 - 11,Invoke-AtomicTest T1218.007 -TestNumbers 11 T1564.004 - 1,Invoke-AtomicTest T1564.004 -TestNumbers 1 T1564.004 - 2,Invoke-AtomicTest T1564.004 -TestNumbers 2 T1564.004 - 3,Invoke-AtomicTest T1564.004 -TestNumbers 3 T1564.004 - 4,Invoke-AtomicTest T1564.004 -TestNumbers 4 T1564.004 - 5,Invoke-AtomicTest T1564.004 -TestNumbers 5 T1070.005 - 1,Invoke-AtomicTest T1070.005 -TestNumbers 1 T1070.005 - 2,Invoke-AtomicTest T1070.005 -TestNumbers 2 T1070.005 - 3,Invoke-AtomicTest T1070.005 -TestNumbers 3 T1070.005 - 4,Invoke-AtomicTest T1070.005 -TestNumbers 4 T1070.005 - 5,Invoke-AtomicTest T1070.005 -TestNumbers 5 T1027 - 2,Invoke-AtomicTest T1027 -TestNumbers 2 T1027 - 3,Invoke-AtomicTest T1027 -TestNumbers 3 T1027 - 4,Invoke-AtomicTest T1027 -TestNumbers 4 T1027 - 5,Invoke-AtomicTest T1027 -TestNumbers 5 T1027 - 6,Invoke-AtomicTest T1027 -TestNumbers 6 T1027 - 7,Invoke-AtomicTest T1027 -TestNumbers 7 T1027 - 8,Invoke-AtomicTest T1027 -TestNumbers 8 T1218.008 - 1,Invoke-AtomicTest T1218.008 -TestNumbers 1 T1218.008 - 2,Invoke-AtomicTest T1218.008 -TestNumbers 2 T1550.002 - 1,Invoke-AtomicTest T1550.002 -TestNumbers 1 T1550.002 - 2,Invoke-AtomicTest T1550.002 -TestNumbers 2 T1550.002 - 3,Invoke-AtomicTest T1550.002 -TestNumbers 3 T1550.003 - 1,Invoke-AtomicTest T1550.003 -TestNumbers 1 T1550.003 - 2,Invoke-AtomicTest T1550.003 -TestNumbers 2 T1216.001 - 1,Invoke-AtomicTest T1216.001 -TestNumbers 1 T1218.009 - 1,Invoke-AtomicTest T1218.009 -TestNumbers 1 T1218.009 - 2,Invoke-AtomicTest T1218.009 -TestNumbers 2 T1218.010 - 1,Invoke-AtomicTest T1218.010 -TestNumbers 1 T1218.010 - 2,Invoke-AtomicTest T1218.010 -TestNumbers 2 T1218.010 - 3,Invoke-AtomicTest T1218.010 -TestNumbers 3 T1218.010 - 4,Invoke-AtomicTest T1218.010 -TestNumbers 4 T1218.010 - 5,Invoke-AtomicTest T1218.010 -TestNumbers 5 T1036.003 - 1,Invoke-AtomicTest T1036.003 -TestNumbers 1 T1036.003 - 3,Invoke-AtomicTest T1036.003 -TestNumbers 3 T1036.003 - 4,Invoke-AtomicTest T1036.003 -TestNumbers 4 T1036.003 - 5,Invoke-AtomicTest T1036.003 -TestNumbers 5 T1036.003 - 6,Invoke-AtomicTest T1036.003 -TestNumbers 6 T1036.003 - 7,Invoke-AtomicTest T1036.003 -TestNumbers 7 T1036.003 - 8,Invoke-AtomicTest T1036.003 -TestNumbers 8 T1036.003 - 9,Invoke-AtomicTest T1036.003 -TestNumbers 9 T1207 - 1,Invoke-AtomicTest T1207 -TestNumbers 1 T1014 - 3,Invoke-AtomicTest T1014 -TestNumbers 3 T1218.011 - 1,Invoke-AtomicTest T1218.011 -TestNumbers 1 T1218.011 - 2,Invoke-AtomicTest T1218.011 -TestNumbers 2 T1218.011 - 3,Invoke-AtomicTest T1218.011 -TestNumbers 3 T1218.011 - 4,Invoke-AtomicTest T1218.011 -TestNumbers 4 T1218.011 - 5,Invoke-AtomicTest T1218.011 -TestNumbers 5 T1218.011 - 6,Invoke-AtomicTest T1218.011 -TestNumbers 6 T1218.011 - 7,Invoke-AtomicTest T1218.011 -TestNumbers 7 T1218.011 - 8,Invoke-AtomicTest T1218.011 -TestNumbers 8 T1218.011 - 10,Invoke-AtomicTest T1218.011 -TestNumbers 10 T1218.011 - 11,Invoke-AtomicTest T1218.011 -TestNumbers 11 T1218.011 - 12,Invoke-AtomicTest T1218.011 -TestNumbers 12 T1218.011 - 13,Invoke-AtomicTest T1218.011 -TestNumbers 13 T1218.011 - 14,Invoke-AtomicTest T1218.011 -TestNumbers 14 T1218.011 - 15,Invoke-AtomicTest T1218.011 -TestNumbers 15 T1218.011 - 16,Invoke-AtomicTest T1218.011 -TestNumbers 16 T1218 - 1,Invoke-AtomicTest T1218 -TestNumbers 1 T1218 - 2,Invoke-AtomicTest T1218 -TestNumbers 2 T1218 - 3,Invoke-AtomicTest T1218 -TestNumbers 3 T1218 - 4,Invoke-AtomicTest T1218 -TestNumbers 4 T1218 - 5,Invoke-AtomicTest T1218 -TestNumbers 5 T1218 - 6,Invoke-AtomicTest T1218 -TestNumbers 6 T1218 - 7,Invoke-AtomicTest T1218 -TestNumbers 7 T1218 - 8,Invoke-AtomicTest T1218 -TestNumbers 8 T1216 - 1,Invoke-AtomicTest T1216 -TestNumbers 1 T1216 - 2,Invoke-AtomicTest T1216 -TestNumbers 2 T1497.001 - 3,Invoke-AtomicTest T1497.001 -TestNumbers 3 T1497.001 - 5,Invoke-AtomicTest T1497.001 -TestNumbers 5 T1221 - 1,Invoke-AtomicTest T1221 -TestNumbers 1 T1070.006 - 5,Invoke-AtomicTest T1070.006 -TestNumbers 5 T1070.006 - 6,Invoke-AtomicTest T1070.006 -TestNumbers 6 T1070.006 - 7,Invoke-AtomicTest T1070.006 -TestNumbers 7 T1070.006 - 8,Invoke-AtomicTest T1070.006 -TestNumbers 8 T1222.001 - 1,Invoke-AtomicTest T1222.001 -TestNumbers 1 T1222.001 - 2,Invoke-AtomicTest T1222.001 -TestNumbers 2 T1222.001 - 3,Invoke-AtomicTest T1222.001 -TestNumbers 3 T1222.001 - 4,Invoke-AtomicTest T1222.001 -TestNumbers 4 T1222.001 - 5,Invoke-AtomicTest T1222.001 -TestNumbers 5 T1222.001 - 6,Invoke-AtomicTest T1222.001 -TestNumbers 6 T1220 - 1,Invoke-AtomicTest T1220 -TestNumbers 1 T1220 - 2,Invoke-AtomicTest T1220 -TestNumbers 2 T1220 - 3,Invoke-AtomicTest T1220 -TestNumbers 3 T1220 - 4,Invoke-AtomicTest T1220 -TestNumbers 4 T1098 - 1,Invoke-AtomicTest T1098 -TestNumbers 1 T1098 - 2,Invoke-AtomicTest T1098 -TestNumbers 2 T1098 - 9,Invoke-AtomicTest T1098 -TestNumbers 9 T1098 - 10,Invoke-AtomicTest T1098 -TestNumbers 10 T1098 - 11,Invoke-AtomicTest T1098 -TestNumbers 11 T1098 - 12,Invoke-AtomicTest T1098 -TestNumbers 12 T1098 - 13,Invoke-AtomicTest T1098 -TestNumbers 13 T1098 - 14,Invoke-AtomicTest T1098 -TestNumbers 14 T1098 - 15,Invoke-AtomicTest T1098 -TestNumbers 15 T1098 - 16,Invoke-AtomicTest T1098 -TestNumbers 16 T1137.006 - 1,Invoke-AtomicTest T1137.006 -TestNumbers 1 T1137.006 - 2,Invoke-AtomicTest T1137.006 -TestNumbers 2 T1137.006 - 3,Invoke-AtomicTest T1137.006 -TestNumbers 3 T1137.006 - 4,Invoke-AtomicTest T1137.006 -TestNumbers 4 T1137.006 - 5,Invoke-AtomicTest T1137.006 -TestNumbers 5 T1176 - 1,Invoke-AtomicTest T1176 -TestNumbers 1 T1176 - 2,Invoke-AtomicTest T1176 -TestNumbers 2 T1176 - 3,Invoke-AtomicTest T1176 -TestNumbers 3 T1176 - 4,Invoke-AtomicTest T1176 -TestNumbers 4 T1176 - 5,Invoke-AtomicTest T1176 -TestNumbers 5 T1136.002 - 1,Invoke-AtomicTest T1136.002 -TestNumbers 1 T1136.002 - 2,Invoke-AtomicTest T1136.002 -TestNumbers 2 T1136.002 - 3,Invoke-AtomicTest T1136.002 -TestNumbers 3 T1133 - 1,Invoke-AtomicTest T1133 -TestNumbers 1 T1136.001 - 4,Invoke-AtomicTest T1136.001 -TestNumbers 4 T1136.001 - 5,Invoke-AtomicTest T1136.001 -TestNumbers 5 T1136.001 - 8,Invoke-AtomicTest T1136.001 -TestNumbers 8 T1136.001 - 9,Invoke-AtomicTest T1136.001 -TestNumbers 9 T1137 - 1,Invoke-AtomicTest T1137 -TestNumbers 1 T1137.002 - 1,Invoke-AtomicTest T1137.002 -TestNumbers 1 T1137.004 - 1,Invoke-AtomicTest T1137.004 -TestNumbers 1 T1505.002 - 1,Invoke-AtomicTest T1505.002 -TestNumbers 1 T1505.003 - 1,Invoke-AtomicTest T1505.003 -TestNumbers 1 T1531 - 1,Invoke-AtomicTest T1531 -TestNumbers 1 T1531 - 2,Invoke-AtomicTest T1531 -TestNumbers 2 T1531 - 3,Invoke-AtomicTest T1531 -TestNumbers 3 T1485 - 1,Invoke-AtomicTest T1485 -TestNumbers 1 T1485 - 3,Invoke-AtomicTest T1485 -TestNumbers 3 T1485 - 5,Invoke-AtomicTest T1485 -TestNumbers 5 T1486 - 5,Invoke-AtomicTest T1486 -TestNumbers 5 T1486 - 8,Invoke-AtomicTest T1486 -TestNumbers 8 T1486 - 9,Invoke-AtomicTest T1486 -TestNumbers 9 T1486 - 10,Invoke-AtomicTest T1486 -TestNumbers 10 T1490 - 1,Invoke-AtomicTest T1490 -TestNumbers 1 T1490 - 2,Invoke-AtomicTest T1490 -TestNumbers 2 T1490 - 3,Invoke-AtomicTest T1490 -TestNumbers 3 T1490 - 4,Invoke-AtomicTest T1490 -TestNumbers 4 T1490 - 5,Invoke-AtomicTest T1490 -TestNumbers 5 T1490 - 6,Invoke-AtomicTest T1490 -TestNumbers 6 T1490 - 7,Invoke-AtomicTest T1490 -TestNumbers 7 T1490 - 8,Invoke-AtomicTest T1490 -TestNumbers 8 T1490 - 9,Invoke-AtomicTest T1490 -TestNumbers 9 T1490 - 10,Invoke-AtomicTest T1490 -TestNumbers 10 T1490 - 11,Invoke-AtomicTest T1490 -TestNumbers 11 T1491.001 - 1,Invoke-AtomicTest T1491.001 -TestNumbers 1 T1491.001 - 2,Invoke-AtomicTest T1491.001 -TestNumbers 2 T1491.001 - 3,Invoke-AtomicTest T1491.001 -TestNumbers 3 T1489 - 1,Invoke-AtomicTest T1489 -TestNumbers 1 T1489 - 2,Invoke-AtomicTest T1489 -TestNumbers 2 T1489 - 3,Invoke-AtomicTest T1489 -TestNumbers 3 T1529 - 1,Invoke-AtomicTest T1529 -TestNumbers 1 T1529 - 2,Invoke-AtomicTest T1529 -TestNumbers 2 T1529 - 12,Invoke-AtomicTest T1529 -TestNumbers 12 T1529 - 13,Invoke-AtomicTest T1529 -TestNumbers 13 T1529 - 14,Invoke-AtomicTest T1529 -TestNumbers 14 T1529 - 15,Invoke-AtomicTest T1529 -TestNumbers 15 T1010 - 1,Invoke-AtomicTest T1010 -TestNumbers 1 T1217 - 5,Invoke-AtomicTest T1217 -TestNumbers 5 T1217 - 6,Invoke-AtomicTest T1217 -TestNumbers 6 T1217 - 7,Invoke-AtomicTest T1217 -TestNumbers 7 T1217 - 8,Invoke-AtomicTest T1217 -TestNumbers 8 T1217 - 10,Invoke-AtomicTest T1217 -TestNumbers 10 T1217 - 11,Invoke-AtomicTest T1217 -TestNumbers 11 T1087.002 - 1,Invoke-AtomicTest T1087.002 -TestNumbers 1 T1087.002 - 2,Invoke-AtomicTest T1087.002 -TestNumbers 2 T1087.002 - 3,Invoke-AtomicTest T1087.002 -TestNumbers 3 T1087.002 - 4,Invoke-AtomicTest T1087.002 -TestNumbers 4 T1087.002 - 5,Invoke-AtomicTest T1087.002 -TestNumbers 5 T1087.002 - 6,Invoke-AtomicTest T1087.002 -TestNumbers 6 T1087.002 - 7,Invoke-AtomicTest T1087.002 -TestNumbers 7 T1087.002 - 8,Invoke-AtomicTest T1087.002 -TestNumbers 8 T1087.002 - 9,Invoke-AtomicTest T1087.002 -TestNumbers 9 T1087.002 - 10,Invoke-AtomicTest T1087.002 -TestNumbers 10 T1087.002 - 11,Invoke-AtomicTest T1087.002 -TestNumbers 11 T1087.002 - 12,Invoke-AtomicTest T1087.002 -TestNumbers 12 T1087.002 - 13,Invoke-AtomicTest T1087.002 -TestNumbers 13 T1087.002 - 14,Invoke-AtomicTest T1087.002 -TestNumbers 14 T1087.002 - 15,Invoke-AtomicTest T1087.002 -TestNumbers 15 T1087.002 - 16,Invoke-AtomicTest T1087.002 -TestNumbers 16 T1087.002 - 17,Invoke-AtomicTest T1087.002 -TestNumbers 17 T1087.002 - 18,Invoke-AtomicTest T1087.002 -TestNumbers 18 T1087.002 - 22,Invoke-AtomicTest T1087.002 -TestNumbers 19 T1087.002 - 20,Invoke-AtomicTest T1087.002 -TestNumbers 20 T1087.002 - 21,Invoke-AtomicTest T1087.002 -TestNumbers 21 T1087.002 - 22,Invoke-AtomicTest T1087.002 -TestNumbers 22 T1069.002 - 1,Invoke-AtomicTest T1069.002 -TestNumbers 1 T1069.002 - 2,Invoke-AtomicTest T1069.002 -TestNumbers 2 T1069.002 - 3,Invoke-AtomicTest T1069.002 -TestNumbers 3 T1069.002 - 4,Invoke-AtomicTest T1069.002 -TestNumbers 4 T1069.002 - 5,Invoke-AtomicTest T1069.002 -TestNumbers 5 T1069.002 - 6,Invoke-AtomicTest T1069.002 -TestNumbers 6 T1069.002 - 7,Invoke-AtomicTest T1069.002 -TestNumbers 7 T1069.002 - 8,Invoke-AtomicTest T1069.002 -TestNumbers 8 T1482 - 1,Invoke-AtomicTest T1482 -TestNumbers 1 T1482 - 2,Invoke-AtomicTest T1482 -TestNumbers 2 T1482 - 3,Invoke-AtomicTest T1482 -TestNumbers 3 T1482 - 4,Invoke-AtomicTest T1482 -TestNumbers 4 T1482 - 5,Invoke-AtomicTest T1482 -TestNumbers 5 T1482 - 6,Invoke-AtomicTest T1482 -TestNumbers 6 T1482 - 7,Invoke-AtomicTest T1482 -TestNumbers 7 T1083 - 1,Invoke-AtomicTest T1083 -TestNumbers 1 T1083 - 2,Invoke-AtomicTest T1083 -TestNumbers 2 T1083 - 5,Invoke-AtomicTest T1083 -TestNumbers 5 T1083 - 6,Invoke-AtomicTest T1083 -TestNumbers 6 T1083 - 7,Invoke-AtomicTest T1083 -TestNumbers 7 T1087.001 - 8,Invoke-AtomicTest T1087.001 -TestNumbers 8 T1087.001 - 9,Invoke-AtomicTest T1087.001 -TestNumbers 9 T1087.001 - 10,Invoke-AtomicTest T1087.001 -TestNumbers 10 T1069.001 - 2,Invoke-AtomicTest T1069.001 -TestNumbers 2 T1069.001 - 3,Invoke-AtomicTest T1069.001 -TestNumbers 3 T1069.001 - 4,Invoke-AtomicTest T1069.001 -TestNumbers 4 T1069.001 - 5,Invoke-AtomicTest T1069.001 -TestNumbers 5 T1069.001 - 6,Invoke-AtomicTest T1069.001 -TestNumbers 6 T1046 - 3,Invoke-AtomicTest T1046 -TestNumbers 3 T1046 - 4,Invoke-AtomicTest T1046 -TestNumbers 4 T1046 - 5,Invoke-AtomicTest T1046 -TestNumbers 5 T1046 - 6,Invoke-AtomicTest T1046 -TestNumbers 6 T1046 - 7,Invoke-AtomicTest T1046 -TestNumbers 7 T1046 - 8,Invoke-AtomicTest T1046 -TestNumbers 8 T1046 - 10,Invoke-AtomicTest T1046 -TestNumbers 10 T1046 - 11,Invoke-AtomicTest T1046 -TestNumbers 11 T1135 - 4,Invoke-AtomicTest T1135 -TestNumbers 4 T1135 - 5,Invoke-AtomicTest T1135 -TestNumbers 5 T1135 - 6,Invoke-AtomicTest T1135 -TestNumbers 6 T1135 - 7,Invoke-AtomicTest T1135 -TestNumbers 7 T1135 - 8,Invoke-AtomicTest T1135 -TestNumbers 8 T1135 - 9,Invoke-AtomicTest T1135 -TestNumbers 9 T1135 - 10,Invoke-AtomicTest T1135 -TestNumbers 10 T1135 - 11,Invoke-AtomicTest T1135 -TestNumbers 11 T1135 - 12,Invoke-AtomicTest T1135 -TestNumbers 12 T1201 - 5,Invoke-AtomicTest T1201 -TestNumbers 5 T1201 - 6,Invoke-AtomicTest T1201 -TestNumbers 6 T1120 - 1,Invoke-AtomicTest T1120 -TestNumbers 1 T1120 - 2,Invoke-AtomicTest T1120 -TestNumbers 2 T1120 - 3,Invoke-AtomicTest T1120 -TestNumbers 3 T1120 - 4,Invoke-AtomicTest T1120 -TestNumbers 4 T1057 - 2,Invoke-AtomicTest T1057 -TestNumbers 2 T1057 - 3,Invoke-AtomicTest T1057 -TestNumbers 3 T1057 - 4,Invoke-AtomicTest T1057 -TestNumbers 4 T1057 - 5,Invoke-AtomicTest T1057 -TestNumbers 5 T1057 - 6,Invoke-AtomicTest T1057 -TestNumbers 6 T1057 - 7,Invoke-AtomicTest T1057 -TestNumbers 7 T1057 - 8,Invoke-AtomicTest T1057 -TestNumbers 8 T1057 - 9,Invoke-AtomicTest T1057 -TestNumbers 9 T1012 - 1,Invoke-AtomicTest T1012 -TestNumbers 1 T1012 - 2,Invoke-AtomicTest T1012 -TestNumbers 2 T1012 - 3,Invoke-AtomicTest T1012 -TestNumbers 3 T1012 - 4,Invoke-AtomicTest T1012 -TestNumbers 4 T1012 - 5,Invoke-AtomicTest T1012 -TestNumbers 5 T1012 - 6,Invoke-AtomicTest T1012 -TestNumbers 6 T1018 - 1,Invoke-AtomicTest T1018 -TestNumbers 1 T1018 - 2,Invoke-AtomicTest T1018 -TestNumbers 2 T1018 - 3,Invoke-AtomicTest T1018 -TestNumbers 3 T1018 - 4,Invoke-AtomicTest T1018 -TestNumbers 4 T1018 - 5,Invoke-AtomicTest T1018 -TestNumbers 5 T1018 - 8,Invoke-AtomicTest T1018 -TestNumbers 8 T1018 - 9,Invoke-AtomicTest T1018 -TestNumbers 9 T1018 - 10,Invoke-AtomicTest T1018 -TestNumbers 10 T1018 - 11,Invoke-AtomicTest T1018 -TestNumbers 11 T1018 - 16,Invoke-AtomicTest T1018 -TestNumbers 16 T1018 - 17,Invoke-AtomicTest T1018 -TestNumbers 17 T1018 - 18,Invoke-AtomicTest T1018 -TestNumbers 18 T1018 - 19,Invoke-AtomicTest T1018 -TestNumbers 19 T1018 - 20,Invoke-AtomicTest T1018 -TestNumbers 20 T1018 - 21,Invoke-AtomicTest T1018 -TestNumbers 21 T1018 - 22,Invoke-AtomicTest T1018 -TestNumbers 22 T1518.001 - 1,Invoke-AtomicTest T1518.001 -TestNumbers 1 T1518.001 - 2,Invoke-AtomicTest T1518.001 -TestNumbers 2 T1518.001 - 5,Invoke-AtomicTest T1518.001 -TestNumbers 5 T1518.001 - 6,Invoke-AtomicTest T1518.001 -TestNumbers 6 T1518 - 1,Invoke-AtomicTest T1518 -TestNumbers 1 T1518 - 2,Invoke-AtomicTest T1518 -TestNumbers 2 T1082 - 1,Invoke-AtomicTest T1082 -TestNumbers 1 T1082 - 6,Invoke-AtomicTest T1082 -TestNumbers 6 T1082 - 8,Invoke-AtomicTest T1082 -TestNumbers 8 T1082 - 9,Invoke-AtomicTest T1082 -TestNumbers 9 T1082 - 10,Invoke-AtomicTest T1082 -TestNumbers 10. T1082 - 14,Invoke-AtomicTest T1082 -TestNumbers 14 T1082 - 15,Invoke-AtomicTest T1082 -TestNumbers 15 T1082 - 16,Invoke-AtomicTest T1082 -TestNumbers 16 T1082 - 17,Invoke-AtomicTest T1082 -TestNumbers 17 T1082 - 18,Invoke-AtomicTest T1082 -TestNumbers 18 T1082 - 19,Invoke-AtomicTest T1082 -TestNumbers 19 T1082 - 20,Invoke-AtomicTest T1082 -TestNumbers 20 T1082 - 21,Invoke-AtomicTest T1082 -TestNumbers 21 T1082 - 22,Invoke-AtomicTest T1082 -TestNumbers 22 T1082 - 23,Invoke-AtomicTest T1082 -TestNumbers 23 T1082 - 27,Invoke-AtomicTest T1082 -TestNumbers 27 T1082 - 28,Invoke-AtomicTest T1082 -TestNumbers 28 T1082 - 29,Invoke-AtomicTest T1082 -TestNumbers 29 T1082 - 30,Invoke-AtomicTest T1082 -TestNumbers 30 T1082 - 31,Invoke-AtomicTest T1082 -TestNumbers 31 T1082 - 32,Invoke-AtomicTest T1082 -TestNumbers 32 T1082 - 34,Invoke-AtomicTest T1082 -TestNumbers 34 T1082 - 35,Invoke-AtomicTest T1082 -TestNumbers 35 T1082 - 36,Invoke-AtomicTest T1082 -TestNumbers 36 T1082 - 37,Invoke-AtomicTest T1082 -TestNumbers 37 T1082 - 38,Invoke-AtomicTest T1082 -TestNumbers 38 T1082 - 39,Invoke-AtomicTest T1082 -TestNumbers 39 T1082 - 40,Invoke-AtomicTest T1082 -TestNumbers 40 T1016 - 1,Invoke-AtomicTest T1016 -TestNumbers 1 T1016 - 2,Invoke-AtomicTest T1016 -TestNumbers 2 T1016 - 4,Invoke-AtomicTest T1016 -TestNumbers 4 T1016 - 5,Invoke-AtomicTest T1016 -TestNumbers 5 T1016 - 6,Invoke-AtomicTest T1016 -TestNumbers 6 T1016 - 7,Invoke-AtomicTest T1016 -TestNumbers 7 T1049 - 1,Invoke-AtomicTest T1049 -TestNumbers 1 T1049 - 2,Invoke-AtomicTest T1049 -TestNumbers 2 T1049 - 4,Invoke-AtomicTest T1049 -TestNumbers 4 T1033 - 1,Invoke-AtomicTest T1033 -TestNumbers 1 T1033 - 3,Invoke-AtomicTest T1033 -TestNumbers 3 T1033 - 4,Invoke-AtomicTest T1033 -TestNumbers 4 T1033 - 5,Invoke-AtomicTest T1033 -TestNumbers 5 T1033 - 6,Invoke-AtomicTest T1033 -TestNumbers 6 T1033 - 7,Invoke-AtomicTest T1033 -TestNumbers 7 T1007 - 1,Invoke-AtomicTest T1007 -TestNumbers 1 T1007 - 2,Invoke-AtomicTest T1007 -TestNumbers 2 T1007 - 3,Invoke-AtomicTest T1007 -TestNumbers 3 T1124 - 1,Invoke-AtomicTest T1124 -TestNumbers 1 T1124 - 2,Invoke-AtomicTest T1124 -TestNumbers 2 T1124 - 4,Invoke-AtomicTest T1124 -TestNumbers 4 T1124 - 5,Invoke-AtomicTest T1124 -TestNumbers 5 T1124 - 6,Invoke-AtomicTest T1124 -TestNumbers 6 T1071.004 - 1,Invoke-AtomicTest T1071.004 -TestNumbers 1 T1071.004 - 2,Invoke-AtomicTest T1071.004 -TestNumbers 2 T1071.004 - 3,Invoke-AtomicTest T1071.004 -TestNumbers 3 T1071.004 - 4,Invoke-AtomicTest T1071.004 -TestNumbers 4 T1573 - 1,Invoke-AtomicTest T1573 -TestNumbers 1 T1105 - 7,Invoke-AtomicTest T1105 -TestNumbers 7 T1105 - 8,Invoke-AtomicTest T1105 -TestNumbers 8 T1105 - 9,Invoke-AtomicTest T1105 -TestNumbers 9 T1105 - 10,Invoke-AtomicTest T1105 -TestNumbers 10 T1105 - 11,Invoke-AtomicTest T1105 -TestNumbers 11 T1105 - 12,Invoke-AtomicTest T1105 -TestNumbers 12 T1105 - 13,Invoke-AtomicTest T1105 -TestNumbers 13 T1105 - 15,Invoke-AtomicTest T1105 -TestNumbers 15 T1105 - 16,Invoke-AtomicTest T1105 -TestNumbers 16 T1105 - 17,Invoke-AtomicTest T1105 -TestNumbers 17 T1105 - 18,Invoke-AtomicTest T1105 -TestNumbers 18 T1090.001 - 3,Invoke-AtomicTest T1090.001 -TestNumbers 3 T1095 - 1,Invoke-AtomicTest T1095 -TestNumbers 1 T1095 - 2,Invoke-AtomicTest T1095 -TestNumbers 2 T1095 - 3,Invoke-AtomicTest T1095 -TestNumbers 3 T1571 - 1,Invoke-AtomicTest T1571 -TestNumbers 1 T1572 - 1,Invoke-AtomicTest T1572 -TestNumbers 1 T1572 - 2,Invoke-AtomicTest T1572 -TestNumbers 2 T1572 - 3,Invoke-AtomicTest T1572 -TestNumbers 3 T1572 - 4,Invoke-AtomicTest T1572 -TestNumbers 4 T1219 - 1,Invoke-AtomicTest T1219 -TestNumbers 1 T1219 - 2,Invoke-AtomicTest T1219 -TestNumbers 2 T1219 - 3,Invoke-AtomicTest T1219 -TestNumbers 3 T1219 - 4,Invoke-AtomicTest T1219 -TestNumbers 4 T1219 - 5,Invoke-AtomicTest T1219 -TestNumbers 5 T1219 - 6,Invoke-AtomicTest T1219 -TestNumbers 6 T1219 - 7,Invoke-AtomicTest T1219 -TestNumbers 7 T1219 - 8,Invoke-AtomicTest T1219 -TestNumbers 8 T1219 - 9,Invoke-AtomicTest T1219 -TestNumbers 9 T1219 - 10,Invoke-AtomicTest T1219 -TestNumbers 10 T1219 - 11,Invoke-AtomicTest T1219 -TestNumbers 11 T1219 - 12,Invoke-AtomicTest T1219 -TestNumbers 12 T1219 - 13,Invoke-AtomicTest T1219 -TestNumbers 13 T1219 - 14,Invoke-AtomicTest T1219 -TestNumbers 14 T1219 - 15,Invoke-AtomicTest T1219 -TestNumbers 15 T1132.001 - 2,Invoke-AtomicTest T1132.001 -TestNumbers 2 T1071.001 - 1,Invoke-AtomicTest T1071.001 -TestNumbers 1 T1071.001 - 2,Invoke-AtomicTest T1071.001 -TestNumbers 2 T1559.002 - 1,Invoke-AtomicTest T1559.002 -TestNumbers 1 T1559.002 - 2,Invoke-AtomicTest T1559.002 -TestNumbers 2 T1559.002 - 3,Invoke-AtomicTest T1559.002 -TestNumbers 3 T1559 - 1,Invoke-AtomicTest T1559 -TestNumbers 1 T1559 - 2,Invoke-AtomicTest T1559 -TestNumbers 2 T1559 - 3,Invoke-AtomicTest T1559 -TestNumbers 3 T1559 - 4,Invoke-AtomicTest T1559 -TestNumbers 4 T1559 - 5,Invoke-AtomicTest T1559 -TestNumbers 5 T1204.002 - 1,Invoke-AtomicTest T1204.002 -TestNumbers 1 T1204.002 - 2,Invoke-AtomicTest T1204.002 -TestNumbers 2 T1204.002 - 3,Invoke-AtomicTest T1204.002 -TestNumbers 3 T1204.002 - 4,Invoke-AtomicTest T1204.002 -TestNumbers 4 T1204.002 - 5,Invoke-AtomicTest T1204.002 -TestNumbers 5 T1204.002 - 6,Invoke-AtomicTest T1204.002 -TestNumbers 6 T1204.002 - 7,Invoke-AtomicTest T1204.002 -TestNumbers 7 T1204.002 - 8,Invoke-AtomicTest T1204.002 -TestNumbers 8 T1204.002 - 9,Invoke-AtomicTest T1204.002 -TestNumbers 9 T1204.002 - 10,Invoke-AtomicTest T1204.002 -TestNumbers 10 T1204.002 - 11,Invoke-AtomicTest T1204.002 -TestNumbers 11 T1106 - 1,Invoke-AtomicTest T1106 -TestNumbers 1 T1106 - 2,Invoke-AtomicTest T1106 -TestNumbers 2 T1106 - 3,Invoke-AtomicTest T1106 -TestNumbers 3 T1106 - 4,Invoke-AtomicTest T1106 -TestNumbers 4 T1106 - 5,Invoke-AtomicTest T1106 -TestNumbers 5 T1059.001 - 1,Invoke-AtomicTest T1059.001 -TestNumbers 1 T1059.001 - 2,Invoke-AtomicTest T1059.001 -TestNumbers 2 T1059.001 - 3,Invoke-AtomicTest T1059.001 -TestNumbers 3 T1059.001 - 4,Invoke-AtomicTest T1059.001 -TestNumbers 4 T1059.001 - 5,Invoke-AtomicTest T1059.001 -TestNumbers 5 T1059.001 - 6,Invoke-AtomicTest T1059.001 -TestNumbers 6 T1059.001 - 7,Invoke-AtomicTest T1059.001 -TestNumbers 7 T1059.001 - 8,Invoke-AtomicTest T1059.001 -TestNumbers 8 T1059.001 - 9,Invoke-AtomicTest T1059.001 -TestNumbers 9 T1059.001 - 10,Invoke-AtomicTest T1059.001 -TestNumbers 10 T1059.001 - 11,Invoke-AtomicTest T1059.001 -TestNumbers 11 T1059.001 - 12,Invoke-AtomicTest T1059.001 -TestNumbers 12 T1059.001 - 13,Invoke-AtomicTest T1059.001 -TestNumbers 13 T1059.001 - 14,Invoke-AtomicTest T1059.001 -TestNumbers 14 T1059.001 - 15,Invoke-AtomicTest T1059.001 -TestNumbers 15 T1059.001 - 16,Invoke-AtomicTest T1059.001 -TestNumbers 16 T1059.001 - 17,Invoke-AtomicTest T1059.001 -TestNumbers 17 T1059.001 - 18,Invoke-AtomicTest T1059.001 -TestNumbers 18 T1059.001 - 19,Invoke-AtomicTest T1059.001 -TestNumbers 19 T1059.001 - 20,Invoke-AtomicTest T1059.001 -TestNumbers 20 T1059.001 - 21,Invoke-AtomicTest T1059.001 -TestNumbers 21 T1569.002 - 1,Invoke-AtomicTest T1569.002 -TestNumbers 1 T1569.002 - 2,Invoke-AtomicTest T1569.002 -TestNumbers 2 T1569.002 - 4,Invoke-AtomicTest T1569.002 -TestNumbers 4 T1569.002 - 5,Invoke-AtomicTest T1569.002 -TestNumbers 5 T1569.002 - 6,Invoke-AtomicTest T1569.002 -TestNumbers 6 T1569.002 - 7,Invoke-AtomicTest T1569.002 -TestNumbers 7 T1569.002 - 8,Invoke-AtomicTest T1569.002 -TestNumbers 8 T1072 - 1,Invoke-AtomicTest T1072 -TestNumbers 1 T1072 - 2,Invoke-AtomicTest T1072 -TestNumbers 2 T1072 - 3,Invoke-AtomicTest T1072 -TestNumbers 3 T1059.005 - 1,Invoke-AtomicTest T1059.005 -TestNumbers 1 T1059.005 - 2,Invoke-AtomicTest T1059.005 -TestNumbers 2 T1059.005 - 3,Invoke-AtomicTest T1059.005 -TestNumbers 3 T1059.003 - 1,Invoke-AtomicTest T1059.003 -TestNumbers 1 T1059.003 - 2,Invoke-AtomicTest T1059.003 -TestNumbers 2 T1059.003 - 3,Invoke-AtomicTest T1059.003 -TestNumbers 3 T1047 - 1,Invoke-AtomicTest T1047 -TestNumbers 1 T1047 - 2,Invoke-AtomicTest T1047 -TestNumbers 2 T1047 - 3,Invoke-AtomicTest T1047 -TestNumbers 3 T1047 - 4,Invoke-AtomicTest T1047 -TestNumbers 4 T1047 - 5,Invoke-AtomicTest T1047 -TestNumbers 5 T1047 - 6,Invoke-AtomicTest T1047 -TestNumbers 6 T1047 - 7,Invoke-AtomicTest T1047 -TestNumbers 7 T1047 - 8,Invoke-AtomicTest T1047 -TestNumbers 8 T1047 - 9,Invoke-AtomicTest T1047 -TestNumbers 9 T1020 - 1,Invoke-AtomicTest T1020 -TestNumbers 1 T1020 - 2,Invoke-AtomicTest T1020 -TestNumbers 2 T1048 - 3,Invoke-AtomicTest T1048 -TestNumbers 3 T1041 - 1,Invoke-AtomicTest T1041 -TestNumbers 1 T1041 - 2,Invoke-AtomicTest T1041 -TestNumbers 2 T1048.003 - 2,Invoke-AtomicTest T1048.003 -TestNumbers 2 T1048.003 - 4,Invoke-AtomicTest T1048.003 -TestNumbers 4 T1048.003 - 5,Invoke-AtomicTest T1048.003 -TestNumbers 5 T1567 - 1,Invoke-AtomicTest T1567 -TestNumbers 1 T1021.003 - 1,Invoke-AtomicTest T1021.003 -TestNumbers 1 T1021.003 - 2,Invoke-AtomicTest T1021.003 -TestNumbers 2 T1563.002 - 1,Invoke-AtomicTest T1563.002 -TestNumbers 1 T1021.001 - 1,Invoke-AtomicTest T1021.001 -TestNumbers 1 T1021.001 - 2,Invoke-AtomicTest T1021.001 -TestNumbers 2 T1021.001 - 3,Invoke-AtomicTest T1021.001 -TestNumbers 3 T1021.001 - 4,Invoke-AtomicTest T1021.001 -TestNumbers 4 T1021.002 - 1,Invoke-AtomicTest T1021.002 -TestNumbers 1 T1021.002 - 2,Invoke-AtomicTest T1021.002 -TestNumbers 2 T1021.002 - 3,Invoke-AtomicTest T1021.002 -TestNumbers 3 T1021.002 - 4,Invoke-AtomicTest T1021.002 -TestNumbers 4 T1021.006 - 1,Invoke-AtomicTest T1021.006 -TestNumbers 1 T1021.006 - 2,Invoke-AtomicTest T1021.006 -TestNumbers 2 T1021.006 - 3,Invoke-AtomicTest T1021.006 -TestNumbers 3 T1566.001 - 1,Invoke-AtomicTest T1566.001 -TestNumbers 1 T1566.001 - 2,Invoke-AtomicTest T1566.001 -TestNumbers 2 ''') LET CommandsToRun <= if(condition=RunAll, then='''Invoke-AtomicTest All -Confirm:$false''', else={ SELECT Command FROM CommandTable WHERE get(field=Flag)}) LET RemoveLog <= if(condition=RemoveExecLog, then={ SELECT * FROM execve(argv=["powershell.exe", "Remove-Item", ExecutionLogFile])}) LET EnsureExecutionLog <= if( condition = EnsureExecLog, then = { SELECT * FROM execve( argv=[ 'powershell.exe', '-exec', 'bypass', '-Command', '''if (-not (Test-Path -Path "''' + ExecutionLogFile + '''")) { New-Item -Path "''' + ExecutionLogFile + '''" -ItemType File -Force | Out-Null }''' ] ) } ) LET InstallART <= if(condition=InstallART, then={ SELECT * FROM execve(argv=[ 'powershell.exe', '-exec', 'bypass', '-Command', "IEX (IWR https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1 -UseBasicParsing); Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force -Scope CurrentUser; Install-AtomicRedTeam -getAtomics -F" ])}) LET JustDoIt <= SELECT * FROM foreach(row=CommandsToRun, query={ SELECT * FROM execve(argv=[ 'powershell.exe', '-exec', 'bypass', '-Command', '''Import-Module "C:\AtomicRedTeam\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1" -Force; ''' + Command + ''' -GetPreReqs; ''' + Command + ''' -ExecutionLogPath ''' + ExecutionLogFile + ''';''' + if(condition=Cleanup, then=Command + ''' -Cleanup''', else='''''') ])} ) SELECT `Execution Time (UTC)`, `Execution Time (Local)`, '[' + Technique + '](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/' + Technique + '/' + Technique + '.md)' AS Technique, `Test Number`, `Test Name`, Hostname, Username, GUID FROM parse_csv(accessor="file", filename=ExecutionLogFile)